From 19336fa3461f59bf0cd3d226352f440cec6f26fe Mon Sep 17 00:00:00 2001
From: Joseph Kogut
Date: Thu, 22 Aug 2024 15:18:27 -0700
Subject: [PATCH] balena-init-flasher-tpm: write LUKS passphrase to TPM nvram
Change-type: minor
Signed-off-by: Joseph Kogut
---
 .../balena-init-flasher-efi | 2 --
 .../balena-init-flasher-tpm | 34 +++++++++++++++----
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi
index e472037a07..79639295b1 100644
--- a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi
+++ b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi
@@ -116,8 +116,6 @@ bootpart_split() {
 # Store files necessary for TPM decryption to the EFI partitions
 mv "$TPM_RESULT_DIR/policies"* "$NONENC_BOOT_MOUNT_DIR/" && sync
- mv "$TPM_RESULT_DIR/persistent.ctx" "$NONENC_BOOT_MOUNT_DIR/balena-luks.ctx" && sync
- mv "$TPM_RESULT_DIR/passphrase.enc" "$NONENC_BOOT_MOUNT_DIR/balena-luks.enc" && sync
 rm -rf "$TPM_RESULT_DIR"
diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
index 00450c0ed9..8b292a86a0 100644
--- a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
+++ b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
@@ -20,8 +20,9 @@ diskenc_setup() {
 fi
 # Generate a random passphrase
+ PASSPHRASE_SZ=32
 PASSPHRASE_FILE="$(mktemp)"
- hw_gen_passphrase > "$PASSPHRASE_FILE"
+ hw_gen_passphrase "$PASSPHRASE_SZ" > "$PASSPHRASE_FILE"
 # Create two policies to ensure the newly flashed system boots. One with
 # the EFI binaries measured into PCR7 as specified in the TCG spec, one
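Review bot: `PASSPHRASE_SZ=32` is an undocumented magic number that this same function later reuses as the `--size` of the TPM NV index the passphrase is written into, so the two must agree on units; a comment would save the next reader a trip: `# Passphrase length in bytes; must match the NV index --size defined below`. If hw_gen_passphrase encodes its output (hex/base64) or appends a trailing newline, the file will be longer than 32 bytes and the later nvwrite will reject it — worth confirming against hw_gen_passphrase, which is not in this diff. diskenc_setup continues outside the hunk.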
@@ -88,9 +89,30 @@ diskenc_setup() {
 -L "$POLICY_DIR/policy.secondary"
 COMBINED_POLICY=$(mktemp -t)
 SESSION_CTX=$(mktemp -t)
- tpm2_startauthsession -S "${SESSION_CTX}"
- tpm2_policyor -S "${SESSION_CTX}" -L "${COMBINED_POLICY}" \
- "sha256:${POLICY_DIR}/policy.primary,${POLICY_DIR}/policy.secondary"
- tpm2_flushcontext "${SESSION_CTX}"
- hw_encrypt_passphrase "$PASSPHRASE_FILE" "$COMBINED_POLICY" "$TPM_RESULT_DIR"
+ tpm2_startauthsession -S "$SESSION_CTX"
+ tpm2_policypassword -S "$SESSION_CTX" -L "${POLICY_DIR}/policy.password"
+ tpm2_flushcontext "$SESSION_CTX"
+
+ POLICIES="$(find "${POLICY_DIR}" -type f | sort | xargs)"
+ tpm2_startauthsession -S "$SESSION_CTX"
+ tpm2_policyor -S "$SESSION_CTX" -L "${COMBINED_POLICY}" \
+ "sha256:$(echo "${POLICIES}" | sed 's/ /,/g')"
+ tpm2_flushcontext "$SESSION_CTX"
+
+ # The PCR policy can't be satisfied until the next boot, so associate a
+ # password with the nvindex that will allow us to write the LUKS
+ # passphrase immediately
+ POLICY_PASSWORD="str:$(hw_gen_passphrase $PASSPHRASE_SZ)"
+ PASSPHRASE_HANDLE=0x1500000
+ tpm2_nvdefine "$PASSPHRASE_HANDLE" --size "$PASSPHRASE_SZ" \
+ --attributes "authwrite|policyread|policywrite" \
+ --policy "$COMBINED_POLICY" \
+ --index-auth "$POLICY_PASSWORD"
+
+ tpm2_startauthsession --policy-session -S "$SESSION_CTX"
+ tpm2_policypassword -S "$SESSION_CTX"
+ tpm2_nvwrite "$PASSPHRASE_HANDLE" --input "$PASSPHRASE_FILE" \
+ --auth "$POLICY_PASSWORD"
+ tpm2_flushcontext "$SESSION_CTX"
+ tpm2_shutdown
 }
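Review bot: The NV index auth value is handed to the TPM on the command line — `--index-auth "$POLICY_PASSWORD"` and `--auth "$POLICY_PASSWORD"` carry it with a `str:` prefix — so it is visible in `/proc/<pid>/cmdline` to every other process on the flasher and in any `set -x` trace, and because the index is `policyread` and the OR-ed policy includes the `tpm2_policypassword` branch, whoever learns that value keeps a non-PCR read path to the LUKS passphrase for the life of the index. Generate it into a `mktemp` file and pass it as `file:` (tpm2-tools documents the same `str:`/`hex:`/`file:` forms for `--index-auth` and `--auth`), shred that file once the write is done, and — if the caller does not still need `$PASSPHRASE_FILE` for luksFormat — shred that too, since nothing in the hunk removes it now that hw_encrypt_passphrase is gone and the function ends at `}`. Separately, the `--policy-session` started just before `tpm2_nvwrite` is never referenced by it (the write authorises with the plain `--auth` password via `authwrite`), so as far as the hunk shows those three `tpm2_startauthsession`/`tpm2_policypassword`/`tpm2_flushcontext` lines are dead and can go. `tpm2_nvdefine` presumably fails if `0x1500000` is already defined on a re-flashed device, and `$PASSPHRASE_SZ` is unquoted here while the hunk above quotes it. diskenc_setup starts outside the hunk.
```shell
    # … unchanged: policy.password creation and policyor session …

    # Keep the NV auth value off argv: tpm2-tools reads it from a file
    POLICY_PASSWORD_FILE="$(mktemp -t)"
    hw_gen_passphrase "$PASSPHRASE_SZ" > "$POLICY_PASSWORD_FILE"
    PASSPHRASE_HANDLE=0x1500000
    tpm2_nvdefine "$PASSPHRASE_HANDLE" --size "$PASSPHRASE_SZ" \
        --attributes "authwrite|policyread|policywrite" \
        --policy "$COMBINED_POLICY" \
        --index-auth "file:$POLICY_PASSWORD_FILE"

    # authwrite: the auth value alone authorises the write, no policy session needed
    tpm2_nvwrite "$PASSPHRASE_HANDLE" --input "$PASSPHRASE_FILE" \
        --auth "file:$POLICY_PASSWORD_FILE"
    shred -u "$POLICY_PASSWORD_FILE" 2>/dev/null || rm -f "$POLICY_PASSWORD_FILE"
    tpm2_shutdown
```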