balena-init-flasher-tpm: write LUKS passphrase to TPM nvram

Change-type: minor Signed-off-by: Joseph Kogut <joseph@balena.io>
balena-os · Sep 30, 2024 · 19336fa · 19336fa
1 parent a4d3fea
commit 19336fa
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 8 deletions.
diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi
@@ -116,8 +116,6 @@ bootpart_split() {
 
     # Store files necessary for TPM decryption to the EFI partitions
     mv "$TPM_RESULT_DIR/policies"* "$NONENC_BOOT_MOUNT_DIR/" && sync
-    mv "$TPM_RESULT_DIR/persistent.ctx" "$NONENC_BOOT_MOUNT_DIR/balena-luks.ctx" && sync
-    mv "$TPM_RESULT_DIR/passphrase.enc" "$NONENC_BOOT_MOUNT_DIR/balena-luks.enc" && sync
 
     rm -rf "$TPM_RESULT_DIR"
 

diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
@@ -20,8 +20,9 @@ diskenc_setup() {
         fi
 
         # Generate a random passphrase
+        PASSPHRASE_SZ=32
         PASSPHRASE_FILE="$(mktemp)"
-        hw_gen_passphrase > "$PASSPHRASE_FILE"
+        hw_gen_passphrase "$PASSPHRASE_SZ" > "$PASSPHRASE_FILE"
 
         # Create two policies to ensure the newly flashed system boots. One with
         # the EFI binaries measured into PCR7 as specified in the TCG spec, one
@@ -88,9 +89,30 @@ diskenc_setup() {
 		-L "$POLICY_DIR/policy.secondary"
 	COMBINED_POLICY=$(mktemp -t)
 	SESSION_CTX=$(mktemp -t)
-	tpm2_startauthsession -S "${SESSION_CTX}"
-	tpm2_policyor -S "${SESSION_CTX}" -L "${COMBINED_POLICY}" \
-		"sha256:${POLICY_DIR}/policy.primary,${POLICY_DIR}/policy.secondary"
-	tpm2_flushcontext "${SESSION_CTX}"
-	hw_encrypt_passphrase "$PASSPHRASE_FILE" "$COMBINED_POLICY" "$TPM_RESULT_DIR"
+	tpm2_startauthsession -S "$SESSION_CTX"
+	tpm2_policypassword -S "$SESSION_CTX" -L "${POLICY_DIR}/policy.password"
+	tpm2_flushcontext "$SESSION_CTX"
+
+	POLICIES="$(find "${POLICY_DIR}" -type f | sort | xargs)"
+	tpm2_startauthsession -S "$SESSION_CTX"
+	tpm2_policyor -S "$SESSION_CTX" -L "${COMBINED_POLICY}" \
+		"sha256:$(echo "${POLICIES}" | sed 's/ /,/g')"
+	tpm2_flushcontext "$SESSION_CTX"
+
+	# The PCR policy can't be satisfied until the next boot, so associate a
+	# password with the nvindex that will allow us to write the LUKS
+	# passphrase immediately
+	POLICY_PASSWORD="str:$(hw_gen_passphrase $PASSPHRASE_SZ)"
+	PASSPHRASE_HANDLE=0x1500000
+	tpm2_nvdefine "$PASSPHRASE_HANDLE" --size "$PASSPHRASE_SZ" \
+					   --attributes "authwrite|policyread|policywrite" \
+					   --policy "$COMBINED_POLICY" \
+					   --index-auth "$POLICY_PASSWORD"
+
+	tpm2_startauthsession --policy-session -S "$SESSION_CTX"
+	tpm2_policypassword -S "$SESSION_CTX"
+	tpm2_nvwrite "$PASSPHRASE_HANDLE" --input "$PASSPHRASE_FILE" \
+					  --auth "$POLICY_PASSWORD"
+	tpm2_flushcontext "$SESSION_CTX"
+	tpm2_shutdown
 }