├── .gitignore ├── AUTHORS ├── BUILD ├── ChangeLog ├── Makefile.am ├── NEWS ├── README ├── README.md ├── README_OLD.md ├── TODO ├── configure.in ├── dracut ├── Fedora17 │ └── crypt-tpm │ │ ├── crypt-cleanup.sh │ │ ├── crypt-lib.sh │ │ ├── cryptroot-ask-tpm.sh │ │ ├── cryptroot-ask.sh │ │ ├── module-setup.sh │ │ ├── parse-crypt.sh │ │ ├── parse-keydev.sh │ │ ├── probe-keydev.sh │ │ └── tpm-try-authless-indexes.sh ├── Makefile.am ├── RHEL6 │ └── plymouth-tpm │ │ ├── .auditing-0 │ │ ├── check │ │ ├── cryptroot-ask-tpm.sh │ │ ├── cryptroot-ask.sh │ │ ├── install │ │ ├── installkernel │ │ ├── plymouth-emergency.sh │ │ ├── plymouth-newroot.sh │ │ ├── plymouth-populate-initrd │ │ └── plymouth-pretrigger.sh ├── RHEL7 │ └── crypt-tpm │ │ ├── crypt-cleanup.sh │ │ ├── crypt-lib.sh │ │ ├── crypt-run-generator.sh │ │ ├── cryptroot-ask-tpm.sh │ │ ├── cryptroot-ask.sh │ │ ├── module-setup.sh │ │ ├── parse-crypt.sh │ │ ├── parse-keydev.sh │ │ └── probe-keydev.sh ├── dracut-key ├── expand-initrd-key └── tpm-luks.conf.in ├── swtpm-utils ├── Makefile.am ├── getcapability.c ├── include │ ├── hmac.h │ ├── newserialize.h │ ├── oiaposap.h │ ├── pcrs.h │ ├── tpm.h │ ├── tpm_constants.h │ ├── tpm_error.h │ ├── tpm_lowlevel.h │ ├── tpm_structures.h │ ├── tpm_types.h │ ├── tpmfunc.h │ ├── tpmkeys.h │ └── tpmutil.h ├── lib │ ├── Makefile.am │ ├── auditing.c │ ├── bind.c │ ├── chgauth.c │ ├── context.c │ ├── counter.c │ ├── daa.c │ ├── debug.c │ ├── delegation.c │ ├── dir.c │ ├── eviction.c │ ├── hmac.c │ ├── hmac.h │ ├── identity.c │ ├── keys.c │ ├── keyswap.c │ ├── maintenance.c │ ├── management.c │ ├── migrate.c │ ├── miscfunc.c │ ├── newserialize.h │ ├── nv.c │ ├── oiaposap.c │ ├── oiaposap.h │ ├── optin.c │ ├── owner.c │ ├── ownertpmdiag.c │ ├── pcrs.c │ ├── pcrs.h │ ├── raw.c │ ├── rng.c │ ├── seal.c │ ├── serialize.c │ ├── session.c │ ├── sha.c │ ├── signature.c │ ├── startup.c │ ├── testing.c │ ├── ticks.c │ ├── tpm.h │ ├── tpm_constants.h │ ├── tpm_error.h │ ├── tpm_lowlevel.h │ ├── 
tpm_structures.h │ ├── tpm_types.h │ ├── tpmfunc.h │ ├── tpmkeys.h │ ├── tpmutil.c │ ├── tpmutil.h │ ├── tpmutil_sock.c │ ├── tpmutil_tty.c │ ├── tpmutil_unixio.c │ └── transport.c └── nv_readvalue.c ├── tpm-luks.conf.in ├── tpm-luks.spec.in ├── tpm-luks ├── tpm-luks-ctl ├── tpm-luks-gen-tgrub2-pcr-values └── tpm-luks-svc ├── xtra └── rhel7 │ ├── TrustedGRUB2.spec │ ├── build_tpm-luks.sh │ ├── build_tpm-tools.sh │ ├── build_trousers.sh │ ├── build_trustedgrub2.sh │ ├── deploy.sh │ ├── install.sh │ └── rhel.cfg └── yum ├── post-transaction-actions.conf ├── post-transaction-actions.py └── tpm-luks.action.in /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | *.lo 3 | Makefile 4 | Makefile.in 5 | aclocal.m4 6 | autom4te.cache 7 | config.* 8 | configure 9 | cscope.out 10 | depcomp 11 | dracut/Makefile 12 | dracut/Makefile.in 13 | dracut/tpm-luks.conf 14 | install-sh 15 | libtool 16 | ltmain.sh 17 | m4 18 | missing 19 | swtpm-utils/.deps/ 20 | swtpm-utils/Makefile 21 | swtpm-utils/Makefile.in 22 | swtpm-utils/getcapability 23 | swtpm-utils/lib/.deps/ 24 | swtpm-utils/lib/.libs/ 25 | swtpm-utils/lib/libtpm.la 26 | swtpm-utils/lib/Makefile 27 | swtpm-utils/lib/Makefile.in 28 | swtpm-utils/nv_readvalue 29 | tpm-luks.spec 30 | yum/tpm-luks.action 31 | tpm-luks/tpm-luks-parse-config 32 | *~ 33 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | tpm-luks: 2 | Kent Yoder 3 | 4 | The swtpm-utils code was written by: 5 | Ken Goldman and Stefan Berger 6 | -------------------------------------------------------------------------------- /BUILD: -------------------------------------------------------------------------------- 1 | 2 | = build pre-reqs = 3 | 4 | Packages: automake, autoconf, libtool, gcc, openssl-devel, make 5 | 6 | = build steps = 7 | 8 | $ autoreconf -ivf 9 | $ ./configure 10 | $ make 11 | 
# make install 12 | 13 | = runtime pre-reqs = 14 | 15 | For using tpm-luks with a LUKS key on your rootfs volume: dracut grubby 16 | 17 | All uses: cryptsetup gawk coreutils tpm-tools-1.3.8 trousers-0.3.9 18 | 19 | tpm-luks requires very recent tpm-tools and trousers versions, likely not 20 | included in your distro. To get these versions, you'll need to install them 21 | from their upstream repositories: 22 | 23 | $ git clone git://trousers.git.sourceforge.net/gitroot/trousers/trousers trousers.git 24 | $ git clone git://trousers.git.sourceforge.net/gitroot/trousers/tpm-tools tpm-tools.git 25 | $ cd trousers.git 26 | $ sh bootstrap.sh 27 | $ ./configure 28 | $ make 29 | # make install 30 | $ cd ../tpm-tools.git 31 | $ sh bootstrap.sh 32 | $ ./configure 33 | $ make 34 | # make install 35 | 36 | EOF 37 | -------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/momiji/tpm-luks/1ea9ad32ca938fcc04f753f8970558a9906fe22b/ChangeLog -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | SUBDIRS = swtpm-utils dracut . 
2 | 3 | if FEDORA17 4 | plymouthdir=/usr/lib/dracut/modules.d/90crypt-tpm 5 | dist_plymouth_SCRIPTS=dracut/Fedora17/crypt-tpm/cryptroot-ask.sh \ 6 | dracut/Fedora17/crypt-tpm/crypt-cleanup.sh \ 7 | dracut/Fedora17/crypt-tpm/cryptroot-ask-tpm.sh \ 8 | dracut/Fedora17/crypt-tpm/crypt-lib.sh \ 9 | dracut/Fedora17/crypt-tpm/module-setup.sh \ 10 | dracut/Fedora17/crypt-tpm/parse-crypt.sh \ 11 | dracut/Fedora17/crypt-tpm/parse-keydev.sh \ 12 | dracut/Fedora17/crypt-tpm/probe-keydev.sh \ 13 | dracut/Fedora17/crypt-tpm/tpm-try-authless-indexes.sh 14 | endif 15 | 16 | if RHEL6 17 | plymouthdir=/usr/share/dracut/modules.d/50plymouth-tpm 18 | dist_plymouth_SCRIPTS=dracut/RHEL6/plymouth-tpm/install \ 19 | dracut/RHEL6/plymouth-tpm/check \ 20 | dracut/RHEL6/plymouth-tpm/plymouth-newroot.sh \ 21 | dracut/RHEL6/plymouth-tpm/cryptroot-ask.sh \ 22 | dracut/RHEL6/plymouth-tpm/installkernel \ 23 | dracut/RHEL6/plymouth-tpm/plymouth-populate-initrd \ 24 | dracut/RHEL6/plymouth-tpm/cryptroot-ask-tpm.sh \ 25 | dracut/RHEL6/plymouth-tpm/plymouth-emergency.sh \ 26 | dracut/RHEL6/plymouth-tpm/plymouth-pretrigger.sh 27 | endif 28 | 29 | if RHEL7 30 | plymouthdir=/usr/lib/dracut/modules.d/90crypt-tpm 31 | dist_plymouth_SCRIPTS=dracut/RHEL7/crypt-tpm/cryptroot-ask.sh \ 32 | dracut/RHEL7/crypt-tpm/cryptroot-ask-tpm.sh \ 33 | dracut/RHEL7/crypt-tpm/crypt-cleanup.sh \ 34 | dracut/RHEL7/crypt-tpm/crypt-lib.sh \ 35 | dracut/RHEL7/crypt-tpm/module-setup.sh \ 36 | dracut/RHEL7/crypt-tpm/parse-crypt.sh \ 37 | dracut/RHEL7/crypt-tpm/parse-keydev.sh \ 38 | dracut/RHEL7/crypt-tpm/probe-keydev.sh 39 | endif 40 | 41 | dist_sbin_SCRIPTS=tpm-luks/tpm-luks-gen-tgrub2-pcr-values \ 42 | tpm-luks/tpm-luks-ctl \ 43 | tpm-luks/tpm-luks-svc 44 | 45 | #yumpluginconfdir=/etc/yum/pluginconf.d 46 | #dist_yumpluginconf_SCRIPTS=yum/post-transaction-actions.conf 47 | 48 | #yumpluginsdir=/usr/lib/yum-plugins 49 | #dist_yumplugins_SCRIPTS=yum/post-transaction-actions.py 50 | 51 | #yumpostactionsdir=/etc/yum/post-actions 52 
| #dist_yumpostactions_SCRIPTS=yum/tpm-luks.action 53 | 54 | confdir=/etc 55 | conf_SCRIPTS=tpm-luks.conf 56 | 57 | CLEANFILES = yum/tpm-luks.action tpm-luks.conf 58 | 59 | yum/tpm-luks.action: yum/tpm-luks.action.in 60 | @SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t 61 | mv $@-t $@ 62 | 63 | EXTRA_DIST = tpm-luks.conf.in yum/tpm-luks.action.in 64 | 65 | tpm-luks.conf: tpm-luks.conf.in 66 | @SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t 67 | mv $@-t $@ 68 | 69 | install-exec-hook: 70 | if test ! -e ${DESTDIR}/etc/tpm-luks.conf; then cp tpm-luks.conf ${DESTDIR}/etc; fi 71 | 72 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/momiji/tpm-luks/1ea9ad32ca938fcc04f753f8970558a9906fe22b/NEWS -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | This is the new documentation on how to use LUKS with TPM enabled on RHEL7. 2 | 3 | As of 2015-11-02, TrustedGRUB2 1.2.1 + tpm-luks + tpm-tools is working on HP desktop with TPM enabled. 4 | 5 | As of 2016-02-01, installed on HP Apollo production servers, with two additions: reuse TPM NVRAM index as TPM is not big enough for 24 disks + tpm-luks-svc to open devices after boot time, for data disks, to prevent grub.cfg modification - see C. Notes. 6 | 7 | Old documentation can be found here: [README_OLD] 8 | 9 | ## Introduction 10 | 11 | This project objective is to save the LUKS keys in the TPM NVRAM on RHEL7 systems, **and only RHEL7**. 
12 | 13 | To acomplish this, we will use: 14 | * [trousers]: allows to read and write the TPM 15 | * [tpm-tools]: a utility that ease the use of the TPM 16 | * [tpm-luks]: a dracut extension that reads the TPM NVRAM to get the key to use by LUKS 17 | * [TrustedGRUB2]: a secure boot loader that fills PCR based on boot configuration 18 | 19 | Unfortunately, the default **tpm-tools** you can find in the RHEL repo does not work, **tpm-luks** is not compatible with RHEL7 and **TrustedGRUB2** is not available as an RPM. 20 | 21 | Note that **trousers** is only necessary because we need the trousers-devel to build tpm-tools. 22 | 23 | So, you will have to build your own RPMs, but this is very easy after all. 24 | 25 | ## A. Building 26 | 27 | You will find in `xtra/rhel7` the necessary scripts to compile and build your own RPMs of **tpm-tools**, **tpm-luks** and **TrustedGRUB2**. 28 | 29 | It is recommended to start with a fresh minimal install of rhel7. This is one possible procedure to do so: 30 | * create a new virtual box virtual machine with 512MB of RAM and 8GB of disk 31 | * install rhel from the rhel 7.1 iso cdrom you can download from redhat.com 32 | * configure network so it can access the internet 33 | * mount the cdrom to /mnt/cdrom: `mkdir /mnt/cdrom ; mount /dev/sr0 /mnt/cdrom` 34 | * create a cdrom repo: 35 | ``` 36 | cat < /etc/yum.repos.d/cdrom.repo 37 | [cdrom] 38 | name=cdrom 39 | baseurl=file:///mnt/cdrom 40 | enabled=1 41 | gpgcheck=0 42 | EOF 43 | ``` 44 | 45 | * verify it works: `yum update` 46 | * install git : `yum install -y git` 47 | 48 | You can now configure the system using the scripts in xtra/rhel7 folder: 49 | ``` 50 | git clone https://github.com/momiji/tpm-luks 51 | cd tpm-luks/xtra/rhel7 52 | ./install.sh -d 53 | sudo su - makerpm 54 | git clone https://github.com/momiji/tpm-luks 55 | cd tpm-luks/xtra/rhel7 56 | ./install.sh -d 57 | ``` 58 | 59 | When successfull, you can start building the RPMS: 60 | ``` 61 | ./build_trousers.sh -d 62 | 
./build_tpm-tools.sh -d 63 | ./build_tpm-luks.sh -d 64 | ./build_trustedgrub2.sh -d 65 | ``` 66 | 67 | ## B. Installing 68 | 69 | You need a RHEL7 system with TPM hardware, **installed without EFI**, because TrustedGRUB2 is not compatible with EFI. 70 | System partitions must be encrypted at install with LUKS. 71 | 72 | Remember you should only use basic ascii characters for TPM AUTH and OWNER passwords, like `A-Z`, `a-z`, `0-9`, plus some other chars that do not need to be escaped in bash shell. Do not use characters like `'` or `"`. 73 | 74 | Before installing, you need to copy on the server the 3 packages we build in previous section: **tpm-tools**, **tpm-luks** and **TrustedGRUB2**. 75 | 76 | From there, you can simply call the deploy.sh script, it will install and configure the system: 77 | * configure yum to not automatically update these 3 packages 78 | * install the packages 79 | * configure the packages 80 | ``` 81 | curl https://raw.githubusercontent.com/momiji/tpm-luks/master/xtra/rhel7/deploy.sh -o deploy.sh 82 | sh deploy.sh 83 | ``` 84 | 85 | You can now generate new LUKS keys and seal them: 86 | ``` 87 | tpm-luks-ctl init to generate new LUKS keys and save them in the TPM NVRAM 88 | tpm-luks-ctl backup to dump the LUKS keys and backup them in a safe place 89 | dracut --force to update initramfs 90 | reboot to verify it works and have all PCRs computed correctly 91 | tpm-luks-ctl seal to seal the TPM NVRAM 92 | reboot to verify it restarts automatically 93 | tpm-luks-ctl check to be sure 94 | ``` 95 | 96 | For the first boot, keys are not sealed and no password is required. 97 | For the second boot, keys are sealed and automatically read. 98 | 99 | Remember that modifying the `/etc/tpm-luks.conf` requires to update the boot: 100 | ``` 101 | dracut --force` 102 | ``` 103 | 104 | ## C. Notes 105 | 106 | When initialized or unsealed, the TPM NVRAM is readable directly without having to enter a password. 
If you want an AUTH password, you can use the `-a` or `--auth-password` option. For the OWNER password, you can use `-o` or `--owner-password`. 107 | 108 | If you want to use over PCRs than the defaults, you can modify them directly in the script `/usr/sbin/tpm-luks-gen-tgrub2-pcr-values`, or change the 109 | scripts defined for each devices in `/etc/tpm-luks.conf`. 110 | 111 | You can check if tpm-luks is configured correctly: 112 | * `tpm-luks-ctl check` 113 | 114 | If you want to unseal the TPM, before a reboot for example, remember to seal after the reboot: 115 | * unseal: `tpm-luks-ctl unseal` 116 | * `reboot` 117 | * seal: `tpm-luks-ctl seal` 118 | 119 | To add new LUKS partitions at boot time: 120 | * modify `/etc/default/grub` file with new partitions info 121 | * unseal: `tpm-luks-ctl unseal` 122 | * add new partitions: `tpm-luks-ctl init` 123 | * save backup: `tpm-luks-ctl backup` 124 | * update grub: `grub-mkconfig -o /boot/grub/grub.cfg` 125 | * update iniramfs: `dracut --force` 126 | * reboot: `reboot` 127 | * seal: `tpm-luks-ctl seal` 128 | * `reboot` to verify everything is ok 129 | 130 | To add new LUKS partitions (i.e. 
for data) just after boot time, with tpm-luks-svc - beware, the size of TPM NVRAM is limited, so it might be usefull to use the same TPM NVRAM for all data disks -- here I'm using index 1: 131 | * format all data disks using `cyptsetup luksFormat` with a very simple text password for example, and get it's UUID 132 | ``` 133 | echo -n "abc" > luks.key 134 | cryptsetup luksFormat /dev/sdx --key-file luks.key 135 | cryptsetup luksDump /dev/sdx | grep UUID: | awk '{print $2}' 136 | ``` 137 | * add the new disks in `/etc/crypttab` with `noauto` option 138 | ``` 139 | data0x UUID=x*** none noauto 140 | ``` 141 | * add new paritions with index 1: `tpm-luks-ctl init -i 1` 142 | * save backup: `tpm-luks-ctl backup` 143 | * start service automatically: `chkconfig --add tpm-luks-svc` 144 | * unseal: `tpm-luks-ctl unseal` 145 | * reboot: `reboot` 146 | * seal: `tpm-luks-ctl seal` 147 | * reboot: `reboot` 148 | 149 | [README_OLD]: README_OLD.md 150 | [trousers]: http://sourceforge.net/projects/trousers/ 151 | [tpm-tools]: http://sourceforge.net/projects/trousers/ 152 | [tpm-luks]: https://github.com/shpedoikal/tpm-luks/ 153 | [TrustedGRUB2]: https://github.com/Sirrix-AG/TrustedGRUB2/ 154 | [mock]: http://fedoraproject.org/wiki/Projects/Mock 155 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | 2 | TODO: 3 | 4 | - implement a separate "NV" initramfs for all NV manipulation 5 | o create initramfs with all NV tools included 6 | o lock all new NV areas for write to this initramfs state (or Owner write) 7 | o write the operation to do on next reboot to a /boot/tpm-luks.conf, measure 8 | in tgrub 9 | o lock nvram for write to tpm-luks.conf state 10 | o when NV initramfs comes up, parse tpm-luks.conf, act accordingly, reboot 11 | 12 | - Improve interface between nv-perms creation, grub.conf and tpm_luks 13 | 
-------------------------------------------------------------------------------- /configure.in: -------------------------------------------------------------------------------- 1 | AC_INIT(tpm-luks, 0.8, shpedoikal@gmail.com) 2 | 3 | AM_INIT_AUTOMAKE([foreign 1.6]) 4 | 5 | AC_PROG_SED 6 | AC_PROG_LIBTOOL 7 | AC_CONFIG_MACRO_DIR([m4]) 8 | 9 | CFLAGS="$CFLAGS -W -Wall -Wno-unused-parameter -Wsign-compare" 10 | AC_PROG_CC 11 | 12 | if `egrep -q "Red Hat Enterprise Linux.*release 6" /etc/*-release`; then 13 | AM_CONDITIONAL([RHEL6], true) 14 | AM_CONDITIONAL([RHEL7], false) 15 | AM_CONDITIONAL([FEDORA17], false) 16 | AC_SUBST(DRACUT_MODULE_NAME, [plymouth]) 17 | AC_SUBST(DRACUT_KERNEL_MODULES, [""]) 18 | elif `egrep -q "Red Hat Enterprise Linux.*release 7" /etc/*-release`; then 19 | AM_CONDITIONAL([RHEL6], false) 20 | AM_CONDITIONAL([RHEL7], true) 21 | AM_CONDITIONAL([FEDORA17], false) 22 | AC_SUBST(DRACUT_MODULE_NAME, [crypt]) 23 | AC_SUBST(DRACUT_KERNEL_MODULES, [""]) 24 | elif `egrep -q "CentOS release 6" /etc/*-release`; then 25 | AM_CONDITIONAL([RHEL6], true) 26 | AM_CONDITIONAL([RHEL7], false) 27 | AM_CONDITIONAL([FEDORA17], false) 28 | AC_SUBST(DRACUT_MODULE_NAME, [plymouth]) 29 | AC_SUBST(DRACUT_KERNEL_MODULES, [""]) 30 | else 31 | AM_CONDITIONAL([RHEL6], false) 32 | AM_CONDITIONAL([RHEL7], false) 33 | AM_CONDITIONAL([FEDORA17], true) 34 | AC_SUBST(DRACUT_MODULE_NAME, [crypt]) 35 | AC_SUBST(DRACUT_KERNEL_MODULES, ["tpm_bios tpm tpm_tis"]) 36 | fi 37 | 38 | AC_CONFIG_FILES([Makefile \ 39 | swtpm-utils/Makefile \ 40 | swtpm-utils/lib/Makefile \ 41 | dracut/Makefile \ 42 | dracut/tpm-luks.conf \ 43 | tpm-luks.spec]) 44 | 45 | AC_OUTPUT 46 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/crypt-cleanup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et 
filetype=sh 4 | # close everything which is not busy 5 | rm -f /etc/udev/rules.d/70-luks.rules >/dev/null 2>&1 6 | 7 | if ! getarg rd.luks.uuid rd_LUKS_UUID >/dev/null 2>&1 && getargbool 1 rd.luks -n rd_NO_LUKS >/dev/null 2>&1; then 8 | while true; do 9 | local do_break="y" 10 | for i in /dev/mapper/luks-*; do 11 | cryptsetup luksClose $i >/dev/null 2>&1 && do_break=n 12 | done 13 | [ "$do_break" = "y" ] && break 14 | done 15 | fi 16 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/crypt-lib.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | command -v getarg >/dev/null || . /lib/dracut-lib.sh 6 | 7 | # ask_for_password 8 | # 9 | # Wraps around plymouth ask-for-password and adds fallback to tty password ask 10 | # if plymouth is not present. 11 | # 12 | # --cmd command 13 | # Command to execute. Required. 14 | # --prompt prompt 15 | # Password prompt. Note that function already adds ':' at the end. 16 | # Recommended. 17 | # --tries n 18 | # How many times repeat command on its failure. Default is 3. 19 | # --ply-[cmd|prompt|tries] 20 | # Command/prompt/tries specific for plymouth password ask only. 21 | # --tty-[cmd|prompt|tries] 22 | # Command/prompt/tries specific for tty password ask only. 23 | # --tty-echo-off 24 | # Turn off input echo before tty command is executed and turn on after. 25 | # It's useful when password is read from stdin. 
26 | ask_for_password() { 27 | local cmd; local prompt; local tries=3 28 | local ply_cmd; local ply_prompt; local ply_tries=3 29 | local tty_cmd; local tty_prompt; local tty_tries=3 30 | local ret 31 | 32 | while [ $# -gt 0 ]; do 33 | case "$1" in 34 | --cmd) ply_cmd="$2"; tty_cmd="$2" shift;; 35 | --ply-cmd) ply_cmd="$2"; shift;; 36 | --tty-cmd) tty_cmd="$2"; shift;; 37 | --prompt) ply_prompt="$2"; tty_prompt="$2" shift;; 38 | --ply-prompt) ply_prompt="$2"; shift;; 39 | --tty-prompt) tty_prompt="$2"; shift;; 40 | --tries) ply_tries="$2"; tty_tries="$2"; shift;; 41 | --ply-tries) ply_tries="$2"; shift;; 42 | --tty-tries) tty_tries="$2"; shift;; 43 | --tty-echo-off) tty_echo_off=yes;; 44 | esac 45 | shift 46 | done 47 | 48 | { flock -s 9; 49 | # Prompt for password with plymouth, if installed and running. 50 | if [ -x /bin/plymouth ] && /bin/plymouth --ping; then 51 | /bin/plymouth ask-for-password \ 52 | --prompt "$ply_prompt" --number-of-tries=$ply_tries \ 53 | --command="$ply_cmd" 54 | ret=$? 55 | else 56 | if [ "$tty_echo_off" = yes ]; then 57 | stty_orig="$(stty -g)" 58 | stty -echo 59 | fi 60 | 61 | local i=1 62 | while [ $i -le $tty_tries ]; do 63 | [ -n "$tty_prompt" ] && \ 64 | printf "$tty_prompt [$i/$tty_tries]:" >&2 65 | eval "$tty_cmd" && ret=0 && break 66 | ret=$? 67 | i=$(($i+1)) 68 | [ -n "$tty_prompt" ] && printf '\n' >&2 69 | done 70 | 71 | [ "$tty_echo_off" = yes ] && stty $stty_orig 72 | fi 73 | } 9>/.console_lock 74 | 75 | [ $ret -ne 0 ] && echo "Wrong password" >&2 76 | return $ret 77 | } 78 | 79 | # Try to mount specified device (by path, by UUID or by label) and check 80 | # the path with 'test'. 81 | # 82 | # example: 83 | # test_dev -f LABEL="nice label" /some/file1 84 | test_dev() { 85 | local test_op=$1; local dev="$2"; local f="$3" 86 | local ret=1; local mount_point=$(mkuniqdir /mnt testdev) 87 | local path 88 | 89 | [ -n "$dev" -a -n "$*" ] || return 1 90 | [ -d "$mount_point" ] || die 'Mount point does not exist!' 
91 | 92 | if mount -r "$dev" "$mount_point" >/dev/null 2>&1; then 93 | test $test_op "${mount_point}/${f}" 94 | ret=$? 95 | umount "$mount_point" 96 | fi 97 | 98 | rmdir "$mount_point" 99 | 100 | return $ret 101 | } 102 | 103 | # match_dev devpattern dev 104 | # 105 | # Returns true if 'dev' matches 'devpattern'. Both 'devpattern' and 'dev' are 106 | # expanded to kernel names and then compared. If name of 'dev' is on list of 107 | # names of devices matching 'devpattern', the test is positive. 'dev' and 108 | # 'devpattern' may be anything which function 'devnames' recognizes. 109 | # 110 | # If 'devpattern' is empty or '*' then function just returns true. 111 | # 112 | # Example: 113 | # match_dev UUID=123 /dev/dm-1 114 | # Returns true if /dev/dm-1 UUID starts with "123". 115 | match_dev() { 116 | [ -z "$1" -o "$1" = '*' ] && return 0 117 | local devlist; local dev 118 | 119 | devlist="$(devnames "$1")" || return 255 120 | dev="$(devnames "$2")" || return 255 121 | 122 | strstr " 123 | $devlist 124 | " " 125 | $dev 126 | " 127 | } 128 | 129 | # getkey keysfile for_dev 130 | # 131 | # Reads file produced by probe-keydev and looks for first line to 132 | # which device matches. The successful result is printed in format 133 | # ":". When nothing found, just false is returned. 134 | # 135 | # Example: 136 | # getkey /tmp/luks.keys /dev/sdb1 137 | # May print: 138 | # /dev/sdc1:/keys/some.key 139 | getkey() { 140 | local keys_file="$1"; local for_dev="$2" 141 | local luks_dev; local key_dev; local key_path 142 | 143 | [ -z "$keys_file" -o -z "$for_dev" ] && die 'getkey: wrong usage!' 
144 | [ -f "$keys_file" ] || return 1 145 | 146 | local IFS=: 147 | while read luks_dev key_dev key_path; do 148 | if match_dev "$luks_dev" "$for_dev"; then 149 | echo "${key_dev}:${key_path}" 150 | return 0 151 | fi 152 | done < "$keys_file" 153 | 154 | return 1 155 | } 156 | 157 | # readkey keypath keydev device 158 | # 159 | # Mounts , reads key from file , optionally processes it (e.g. 160 | # if encrypted with GPG) and prints to standard output which is supposed to be 161 | # read by cryptsetup. is just passed to helper function for 162 | # informational purpose. 163 | readkey() { 164 | local keypath="$1" 165 | local keydev="$2" 166 | local device="$3" 167 | 168 | local mntp=$(mkuniqdir /mnt keydev) 169 | mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!' 170 | 171 | case "${keypath##*.}" in 172 | gpg) 173 | if [ -f /lib/dracut-crypt-gpg-lib.sh ]; then 174 | . /lib/dracut-crypt-gpg-lib.sh 175 | gpg_decrypt "$mntp" "$keypath" "$keydev" "$device" 176 | else 177 | die "No GPG support to decrypt '$keypath' on '$keydev'." 
178 | fi 179 | ;; 180 | *) cat "$mntp/$keypath" ;; 181 | esac 182 | 183 | umount "$mntp" 184 | rmdir "$mntp" 185 | } 186 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/cryptroot-ask-tpm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # package reqs: od, getcapability, nv_readvalue, dd 4 | # 5 | # Author: Kent Yoder 6 | # 7 | CRYPTSETUP=/sbin/cryptsetup 8 | MOUNT=/bin/mount 9 | UMOUNT=/bin/umount 10 | TPM_NVREAD=/usr/bin/nv_readvalue 11 | GETCAP=/usr/bin/getcapability 12 | AWK=/bin/awk 13 | DEVICE=${1} 14 | NAME=${2} 15 | TPM_LUKS_MAX_NV_INDEX=128 16 | 17 | set -x 18 | 19 | VIABLE_INDEXES="" 20 | 21 | # 22 | # An index is viable if its composite hash matches current PCR state, or if 23 | # it doesn't require PCR state at all 24 | # 25 | ALL_INDEXES=$($GETCAP -cap 0xd | ${AWK} -F: '$1 ~ /Index/ {print $2 }' | ${AWK} -F= '{ print $1 }') 26 | for i in $ALL_INDEXES; do 27 | MATCH1=$($GETCAP -cap 0x11 -scap $i | ${AWK} -F ": " '$1 ~ /Matches/ { print $2 }') 28 | SIZE=$($GETCAP -cap 0x11 -scap $i | ${AWK} -F= '$1 ~ /dataSize/ { print $2 }') 29 | if [ -n "${MATCH1}" -a "${MATCH1}" = "Yes" ]; then 30 | # Add this index at the beginning, since its especially likely to be 31 | # the index we're looking for 32 | VIABLE_INDEXES="$i $VIABLE_INDEXES" 33 | echo "PCR composite matches for index: $i" 34 | continue 35 | elif [ $i -gt ${TPM_LUKS_MAX_NV_INDEX} ]; then 36 | continue 37 | fi 38 | 39 | # Add this index at the end of the list 40 | VIABLE_INDEXES="$VIABLE_INDEXES $i" 41 | echo "Viable index: $i" 42 | done 43 | 44 | TMPFS_MNT=/tmp/cryptroot-mnt 45 | if [ ! -d ${TMPFS_MNT} ]; then 46 | mkdir ${TMPFS_MNT} || exit -1 47 | fi 48 | 49 | $MOUNT -t tmpfs -o size=16K tmpfs ${TMPFS_MNT} 50 | if [ $? -ne 0 ]; then 51 | echo "Unable to mount tmpfs area to securely use TPM NVRAM data." 
52 | exit 255 53 | fi 54 | 55 | # plymouth feeds in this password for us 56 | if [ ! -n "${NVPASS}" ]; then 57 | read NVPASS 58 | fi 59 | 60 | KEYFILE=${TMPFS_MNT}/key 61 | 62 | for NVINDEX in $VIABLE_INDEXES; do 63 | NVSIZE=$($GETCAP -cap 0x11 -scap ${NVINDEX} | ${AWK} -F= '$1 ~ /dataSize/ { print $2 }') 64 | 65 | $TPM_NVREAD -ix ${NVINDEX} -pwdd ${NVPASS} \ 66 | -sz ${NVSIZE} -of ${KEYFILE} >/dev/null 2>&1 67 | RC=$? 68 | if [ ${RC} -eq 1 ]; then 69 | echo "TPM NV index ${NVINDEX}: Bad password." 70 | continue 71 | elif [ ${RC} -eq 24 ]; then 72 | echo "TPM NV index ${NVINDEX}: PCR mismatch." 73 | continue 74 | elif [ ${RC} -eq 2 ]; then 75 | echo "TPM NV index ${NVINDEX}: Invalid NVRAM Index." 76 | continue 77 | elif [ ${RC} -ne 0 ]; then 78 | echo "TPM NV index ${NVINDEX}: Unknown error (${RC})" 79 | continue 80 | fi 81 | 82 | echo "Trying data read from NV index $NVINDEX" 83 | $CRYPTSETUP luksOpen ${DEVICE} ${NAME} --key-file ${KEYFILE} --keyfile-size ${NVSIZE} 84 | RC=$? 85 | # Zeroize keyfile regardless of success/fail 86 | dd if=/dev/zero of=${KEYFILE} bs=1c count=${NVSIZE} >/dev/null 2>&1 87 | if [ ${RC} -ne 0 ]; then 88 | echo "Cryptsetup failed, trying next index..." 89 | continue 90 | fi 91 | echo "Success." 92 | ${UMOUNT} ${TMPFS_MNT} 93 | 94 | exit 0 95 | done 96 | 97 | # NVRAM cannot be accessed. Fall back to LUKS passphrase 98 | echo "Unable to unlock an NVRAM area." 
99 | ${UMOUNT} ${TMPFS_MNT} 100 | exit 255 101 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/cryptroot-ask.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | PATH=/usr/sbin:/usr/bin:/sbin:/bin 6 | NEWROOT=${NEWROOT:-"/sysroot"} 7 | 8 | # do not ask, if we already have root 9 | [ -f $NEWROOT/proc ] && exit 0 10 | 11 | # check if destination already exists 12 | [ -b /dev/mapper/$2 ] && exit 0 13 | 14 | # we already asked for this device 15 | [ -f /tmp/cryptroot-asked-$2 ] && exit 0 16 | 17 | # load dm_crypt if it is not already loaded 18 | [ -d /sys/module/dm_crypt ] || modprobe dm_crypt 19 | 20 | . /lib/dracut-crypt-lib.sh 21 | 22 | # default luksname - luks-UUID 23 | luksname=$2 24 | 25 | # fallback to passphrase 26 | ask_passphrase=1 27 | 28 | # if device name is /dev/dm-X, convert to /dev/mapper/name 29 | if [ "${1##/dev/dm-}" != "$1" ]; then 30 | device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")" 31 | else 32 | device="$1" 33 | fi 34 | 35 | # TODO: improve to support what cmdline does 36 | if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then 37 | while read name dev luksfile rest; do 38 | # ignore blank lines and comments 39 | if [ -z "$name" -o "${name#\#}" != "$name" ]; then 40 | continue 41 | fi 42 | 43 | # UUID used in crypttab 44 | if [ "${dev%%=*}" = "UUID" ]; then 45 | if [ "luks-${dev##UUID=}" = "$2" ]; then 46 | luksname="$name" 47 | break 48 | fi 49 | 50 | # path used in crypttab 51 | else 52 | cdev=$(readlink -f $dev) 53 | mdev=$(readlink -f $device) 54 | if [ "$cdev" = "$mdev" ]; then 55 | luksname="$name" 56 | break 57 | fi 58 | fi 59 | done < /etc/crypttab 60 | unset name dev rest 61 | fi 62 | 63 | # 64 | # Open LUKS device 65 | # 66 | 67 | info "luksOpen $device $luksname 
$luksfile" 68 | 69 | if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then 70 | if cryptsetup --key-file "$luksfile" luksOpen "$device" "$luksname"; then 71 | ask_passphrase=0 72 | fi 73 | else 74 | while [ -n "$(getarg rd.luks.key)" ]; do 75 | if tmp=$(getkey /tmp/luks.keys $device); then 76 | keydev="${tmp%%:*}" 77 | keypath="${tmp#*:}" 78 | else 79 | if [ $# -eq 3 ]; then 80 | if [ $3 -eq 0 ]; then 81 | info "No key found for $device. Fallback to passphrase mode." 82 | break 83 | fi 84 | info "No key found for $device. Will try $3 time(s) more later." 85 | set -- "$1" "$2" "$(($3 - 1))" 86 | else 87 | info "No key found for $device. Will try later." 88 | fi 89 | initqueue --unique --onetime --settled \ 90 | --name cryptroot-ask-$luksname \ 91 | $(command -v cryptroot-ask) "$@" 92 | exit 0 93 | fi 94 | unset tmp 95 | 96 | info "Using '$keypath' on '$keydev'" 97 | readkey "$keypath" "$keydev" "$device" \ 98 | | cryptsetup -d - luksOpen "$device" "$luksname" 99 | unset keypath keydev 100 | ask_passphrase=0 101 | break 102 | done 103 | fi 104 | 105 | if [ $ask_passphrase -ne 0 ]; then 106 | tpm-try-authless-indexes $device $luksname 107 | if [ $? -ne 0 ]; then 108 | ask_for_password --tries 3 \ 109 | --cmd "cryptroot-ask-tpm $device $luksname" \ 110 | --prompt "TPM NVRAM Password ($device)" 111 | fi 112 | 113 | if [ $? 
-ne 0 ]; then 114 | luks_open="$(command -v cryptsetup) luksOpen" 115 | ask_for_password --ply-tries 5 \ 116 | --ply-cmd "$luks_open -T1 $device $luksname" \ 117 | --ply-prompt "Password ($device)" \ 118 | --tty-tries 1 \ 119 | --tty-cmd "$luks_open -T5 $device $luksname" 120 | unset luks_open 121 | fi 122 | fi 123 | 124 | unset device luksname luksfile 125 | 126 | # mark device as asked 127 | >> /tmp/cryptroot-asked-$2 128 | 129 | need_shutdown 130 | udevsettle 131 | 132 | exit 0 133 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/module-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | check() { 6 | local _rootdev 7 | # if cryptsetup is not installed, then we cannot support encrypted devices. 8 | type -P cryptsetup >/dev/null || return 1 9 | 10 | . $dracutfunctions 11 | 12 | check_crypt() { 13 | local dev=$1 fs=$2 14 | [[ $fs = "crypto_LUKS" ]] || return 1 15 | ID_FS_UUID=$(udevadm info --query=property --name=$dev \ 16 | | while read line; do 17 | [[ ${line#ID_FS_UUID} = $line ]] && continue 18 | eval "$line" 19 | echo $ID_FS_UUID 20 | break 21 | done) 22 | [[ ${ID_FS_UUID} ]] || return 1 23 | if ! 
[[ $kernel_only ]]; then 24 | echo " rd.luks.uuid=luks-${ID_FS_UUID} " >> "${initdir}/etc/cmdline.d/90crypt.conf" 25 | fi 26 | return 0 27 | } 28 | 29 | [[ $hostonly ]] || [[ $mount_needs ]] && { 30 | for_each_host_dev_fs check_crypt || return 1 31 | } 32 | 33 | return 0 34 | } 35 | 36 | depends() { 37 | echo dm rootfs-block 38 | return 0 39 | } 40 | 41 | installkernel() { 42 | instmods dm_crypt =crypto 43 | } 44 | 45 | install() { 46 | dracut_install cryptsetup rmdir readlink umount 47 | inst "$moddir"/cryptroot-ask.sh /sbin/cryptroot-ask 48 | inst "$moddir"/probe-keydev.sh /sbin/probe-keydev 49 | inst_hook cmdline 10 "$moddir/parse-keydev.sh" 50 | inst_hook cmdline 30 "$moddir/parse-crypt.sh" 51 | inst_hook pre-pivot-cleanup 30 "$moddir/crypt-cleanup.sh" 52 | inst_simple /etc/crypttab 53 | inst "$moddir/crypt-lib.sh" "/lib/dracut-crypt-lib.sh" 54 | # tpm-luks dependencies 55 | inst "$moddir"/cryptroot-ask-tpm.sh /sbin/cryptroot-ask-tpm 56 | inst "$moddir"/tpm-try-authless-indexes.sh /sbin/tpm-try-authless-indexes 57 | inst_binary getcapability 58 | inst_binary awk 59 | inst_binary od 60 | inst_binary nv_readvalue 61 | inst_binary dd 62 | } 63 | 64 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/parse-crypt.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | if ! 
getargbool 1 rd.luks -n rd_NO_LUKS; then 5 | info "rd.luks=0: removing cryptoluks activation" 6 | rm -f /etc/udev/rules.d/70-luks.rules 7 | else 8 | { 9 | echo 'SUBSYSTEM!="block", GOTO="luks_end"' 10 | echo 'ACTION!="add|change", GOTO="luks_end"' 11 | } > /etc/udev/rules.d/70-luks.rules.new 12 | 13 | LUKS=$(getargs rd.luks.uuid rd_LUKS_UUID) 14 | tout=$(getarg rd.luks.key.tout) 15 | 16 | if [ -n "$LUKS" ]; then 17 | for luksid in $LUKS; do 18 | luksid=${luksid##luks-} 19 | { 20 | printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", ' 21 | printf -- 'ENV{ID_FS_UUID}=="*%s*", ' $luksid 22 | printf -- 'RUN+="%s --unique --onetime ' $(command -v initqueue) 23 | printf -- '--name cryptroot-ask-%%k %s ' $(command -v cryptroot-ask) 24 | printf -- '$env{DEVNAME} luks-$env{ID_FS_UUID} %s"\n' $tout 25 | } >> /etc/udev/rules.d/70-luks.rules.new 26 | 27 | uuid=$luksid 28 | while [ "$uuid" != "${uuid#*-}" ]; do uuid=${uuid%%-*}${uuid#*-}; done 29 | printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' $uuid \ 30 | >> $hookdir/initqueue/finished/90-crypt.sh 31 | 32 | { 33 | printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' $luksid 34 | printf -- 'warn "crypto LUKS UUID "%s" not found"\n' $luksid 35 | } >> $hookdir/emergency/90-crypt.sh 36 | done 37 | else 38 | { 39 | printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' $(command -v initqueue) 40 | printf -- '--unique --onetime --name cryptroot-ask-%%k ' 41 | printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID} %s"\n' $(command -v cryptroot-ask) $tout 42 | } >> /etc/udev/rules.d/70-luks.rules.new 43 | fi 44 | 45 | echo 'LABEL="luks_end"' >> /etc/udev/rules.d/70-luks.rules.new 46 | mv /etc/udev/rules.d/70-luks.rules.new /etc/udev/rules.d/70-luks.rules 47 | fi 48 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/parse-keydev.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; 
indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | if getargbool 1 rd.luks -n rd_NO_LUKS && \ 6 | [ -n "$(getarg rd.luks.key)" ]; then 7 | exec 7>/etc/udev/rules.d/65-luks-keydev.rules 8 | echo 'SUBSYSTEM!="block", GOTO="luks_keydev_end"' >&7 9 | echo 'ACTION!="add|change", GOTO="luks_keydev_end"' >&7 10 | 11 | for arg in $(getargs rd.luks.key); do 12 | unset keypath keydev luksdev 13 | splitsep : "$arg" keypath keydev luksdev 14 | 15 | info "rd.luks.key: keypath='$keypath' keydev='$keydev' luksdev='$luksdev'" 16 | 17 | if [ -z "$keypath" ]; then 18 | warn 'keypath required!' 19 | continue 20 | fi 21 | 22 | if [ -n "$keydev" ]; then 23 | udevmatch "$keydev" >&7 || { 24 | warn 'keydev incorrect!' 25 | continue 26 | } 27 | printf ', ' >&7 28 | fi 29 | 30 | { 31 | printf -- 'RUN+="%s --unique --onetime ' $(command -v initqueue) 32 | printf -- '--name probe-keydev-%%k ' 33 | printf -- '%s /dev/%%k %s %s"\n' \ 34 | $(command -v probe-keydev) "${keypath}" "${luksdev}" 35 | } >&7 36 | done 37 | unset arg keypath keydev luksdev 38 | 39 | echo 'LABEL="luks_keydev_end"' >&7 40 | exec 7>&- 41 | fi 42 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/probe-keydev.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | . /lib/dracut-crypt-lib.sh 6 | 7 | 8 | real_keydev="$1"; keypath="$2"; luksdev="$3" 9 | 10 | [ -z "$real_keydev" -o -z "$keypath" ] && die 'probe-keydev: wrong usage!' 11 | [ -z "$luksdev" ] && luksdev='*' 12 | 13 | info "Probing $real_keydev for $keypath..." 
14 | test_dev -f "$real_keydev" "$keypath" || exit 1 15 | 16 | info "Found $keypath on $real_keydev" 17 | echo "$luksdev:$real_keydev:$keypath" >> /tmp/luks.keys 18 | -------------------------------------------------------------------------------- /dracut/Fedora17/crypt-tpm/tpm-try-authless-indexes.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # package reqs: od, getcapability, nv_readvalue, dd 4 | # 5 | # Author: Kent Yoder 6 | # 7 | CRYPTSETUP=/sbin/cryptsetup 8 | MOUNT=/bin/mount 9 | UMOUNT=/bin/umount 10 | TPM_NVREAD=/usr/bin/nv_readvalue 11 | GETCAP=/usr/bin/getcapability 12 | AWK=/bin/awk 13 | DEVICE=${1} 14 | NAME=${2} 15 | TPM_LUKS_MAX_NV_INDEX=128 16 | TPM_NV_PER_AUTHREAD=0x00040000 17 | TPM_NV_PER_OWNERREAD=0x00020000 18 | NOAUTH_INDEXES="" 19 | 20 | #set -x 21 | 22 | # 23 | # An index is viable if its composite hash matches current PCR state, or if 24 | # it doesn't require PCR state at all 25 | # 26 | #ALL_INDEXES=$($GETCAP -cap 0xd | ${AWK} -F "= " '$1 ~ /Index/ {print $2 }' | ${AWK} -F "." 
'{ print $1 }') 27 | ALL_INDEXES=$($GETCAP -cap 0xd | ${AWK} -F: '$1 ~ /Index/ {print $2 }' | ${AWK} -F= '{ print $1 }') 28 | for i in $ALL_INDEXES; do 29 | MATCH1=$($GETCAP -cap 0x11 -scap $i | ${AWK} -F ": " '$1 ~ /Matches/ { print $2 }') 30 | SIZE=$($GETCAP -cap 0x11 -scap $i | ${AWK} -F= '$1 ~ /dataSize/ { print $2 }') 31 | AUTH_BITS=0x$($GETCAP -cap 0x11 -scap $i | ${AWK} '$1 ~ /Result/ { print $11 }') 32 | if [ $i -gt ${TPM_LUKS_MAX_NV_INDEX} ]; then 33 | continue 34 | else 35 | AUTHREAD=$(( ${AUTH_BITS} & ${TPM_NV_PER_AUTHREAD} )) 36 | OWNERREAD=$(( ${AUTH_BITS} & ${TPM_NV_PER_OWNERREAD} )) 37 | 38 | if [ ${AUTHREAD} -eq 0 -a ${OWNERREAD} -eq 0 ];then 39 | NOAUTH_INDEXES="$i $NOAUTH_INDEXES" 40 | echo "No auth index: $i" 41 | continue 42 | fi 43 | fi 44 | done 45 | 46 | if [ -z "${NOAUTH_INDEXES}" ]; then 47 | echo "No TPM authless indexes found" 48 | exit 255 49 | fi 50 | 51 | TMPFS_MNT=/tmp/cryptroot-mnt 52 | if [ ! -d ${TMPFS_MNT} ]; then 53 | mkdir ${TMPFS_MNT} || exit -1 54 | fi 55 | 56 | $MOUNT -t tmpfs -o size=16K tmpfs ${TMPFS_MNT} 57 | if [ $? -ne 0 ]; then 58 | echo "Unable to mount tmpfs area to securely use TPM NVRAM data." 59 | exit 255 60 | fi 61 | 62 | KEYFILE=${TMPFS_MNT}/key 63 | 64 | for NVINDEX in $NOAUTH_INDEXES; do 65 | NVSIZE=$($GETCAP -cap 0x11 -scap ${NVINDEX} | ${AWK} -F= '$1 ~ /dataSize/ { print $2 }') 66 | 67 | $TPM_NVREAD -ix ${NVINDEX} -sz ${NVSIZE} -of ${KEYFILE} >/dev/null 2>&1 68 | RC=$? 69 | if [ ${RC} -ne 0 ]; then 70 | echo "No auth TPM NV index ${NVINDEX}: error (${RC})" 71 | continue 72 | fi 73 | 74 | echo "Trying data read from NV index $NVINDEX" 75 | $CRYPTSETUP luksOpen ${DEVICE} ${NAME} --key-file ${KEYFILE} --keyfile-size ${NVSIZE} 76 | RC=$? 77 | # Zeroize keyfile regardless of success/fail 78 | dd if=/dev/zero of=${KEYFILE} bs=1c count=${NVSIZE} >/dev/null 2>&1 79 | if [ ${RC} -ne 0 ]; then 80 | echo "Cryptsetup failed, trying next index..." 81 | continue 82 | fi 83 | echo "Success." 
84 | ${UMOUNT} ${TMPFS_MNT} 85 | 86 | exit 0 87 | done 88 | 89 | # NVRAM cannot be accessed. Fall back to LUKS passphrase 90 | echo "Unable to unlock an NVRAM area." 91 | ${UMOUNT} ${TMPFS_MNT} 92 | exit 255 93 | 94 | -------------------------------------------------------------------------------- /dracut/Makefile.am: -------------------------------------------------------------------------------- 1 | dracutdir=/etc/dracut.conf.d 2 | dist_dracut_DATA=tpm-luks.conf 3 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/.auditing-0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/momiji/tpm-luks/1ea9ad32ca938fcc04f753f8970558a9906fe22b/dracut/RHEL6/plymouth-tpm/.auditing-0 -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/check: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | [[ $1 = -d ]] && which cryptsetup &>/dev/null && echo crypt 3 | [[ -x /sbin/plymouthd && -x /bin/plymouth && -x /usr/sbin/plymouth-set-default-theme ]] 4 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/cryptroot-ask-tpm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # package reqs: od, getcapability, nv_readvalue 4 | # 5 | # Author: Kent Yoder 6 | # 7 | CRYPTSETUP=/sbin/cryptsetup 8 | MOUNT=/bin/mount 9 | UMOUNT=/bin/umount 10 | TPM_NVREAD=/usr/bin/nv_readvalue 11 | GETCAP=/usr/bin/getcapability 12 | AWK=/bin/awk 13 | DEVICE=${1} 14 | NAME=${2} 15 | TPM_LUKS_MAX_NV_INDEX=128 16 | 17 | #set -x 18 | 19 | VIABLE_INDEXES="" 20 | 21 | # 22 | # An index is viable if its composite hash matches current PCR state, or if 23 | # it doesn't require PCR state at all 24 | # 25 | ALL_INDEXES=$($GETCAP -cap 0xd | ${AWK} -F: '$1 ~ /Index/ {print $2 }' | ${AWK} 
-F= '{ print $1 }') 26 | for i in $ALL_INDEXES; do 27 | MATCH1=$($GETCAP -cap 0x11 -scap $i | ${AWK} -F ": " '$1 ~ /Matches/ { print $2 }') 28 | if [ -n "${MATCH1}" -a "${MATCH1}" = "Yes" ]; then 29 | # Add this index at the beginning, since its especially likely to be 30 | # the index we're looking for 31 | VIABLE_INDEXES="$i $VIABLE_INDEXES" 32 | echo "PCR composite matches for index: $i" 33 | continue 34 | elif [ $i -gt ${TPM_LUKS_MAX_NV_INDEX} ]; then 35 | continue 36 | fi 37 | 38 | # Add this index at the end of the list 39 | VIABLE_INDEXES="$VIABLE_INDEXES $i" 40 | echo "Viable index: $i" 41 | done 42 | 43 | TMPFS_MNT=/tmp/cryptroot-mnt 44 | if [ ! -d ${TMPFS_MNT} ]; then 45 | mkdir ${TMPFS_MNT} || exit -1 46 | fi 47 | 48 | $MOUNT -t tmpfs -o size=16K tmpfs ${TMPFS_MNT} 49 | if [ $? -ne 0 ]; then 50 | echo "Unable to mount tmpfs area to securely save TPM NVRAM data." 51 | exit 255 52 | fi 53 | 54 | # plymouth feeds in this password for us 55 | if [ ! -n "${NVPASS}" ]; then 56 | read NVPASS 57 | fi 58 | 59 | KEYFILE=${TMPFS_MNT}/key 60 | SUCCESS=0 61 | 62 | for NVINDEX in $VIABLE_INDEXES; do 63 | NVSIZE=$($GETCAP -cap 0x11 -scap ${NVINDEX} | ${AWK} -F= '$1 ~ /dataSize/ { print $2 }') 64 | 65 | $TPM_NVREAD -ix ${NVINDEX} -pwdd ${NVPASS} \ 66 | -sz ${NVSIZE} -of ${KEYFILE} >/dev/null 2>&1 67 | RC=$? 68 | if [ ${RC} -eq 1 ]; then 69 | echo "TPM NV index ${NVINDEX}: Bad password." 70 | continue 71 | elif [ ${RC} -eq 24 ]; then 72 | echo "TPM NV index ${NVINDEX}: PCR mismatch." 73 | continue 74 | elif [ ${RC} -eq 2 ]; then 75 | echo "TPM NV index ${NVINDEX}: Invalid NVRAM Index." 76 | continue 77 | elif [ ${RC} -ne 0 ]; then 78 | echo "TPM NV index ${NVINDEX}: Unknown error (${RC})" 79 | continue 80 | fi 81 | 82 | echo "Trying data read from NV index ${NVINDEX}..." 83 | $CRYPTSETUP luksOpen ${DEVICE} ${NAME} --key-file ${KEYFILE} --keyfile-size ${NVSIZE} 84 | RC=$? 
85 | # Zeroize keyfile regardless of success/fail 86 | dd if=/dev/zero of=${KEYFILE} bs=1c count=${NVSIZE} >/dev/null 2>&1 87 | if [ ${RC} -ne 0 ]; then 88 | echo "Cryptsetup failed, trying next index..." 89 | continue 90 | fi 91 | echo "Success." 92 | ${UMOUNT} ${TMPFS_MNT} 93 | 94 | SUCCESS=1 95 | break 96 | done 97 | 98 | # NVRAM cannot be accessed. Fall back to LUKS passphrase 99 | if [ ${SUCCESS} -eq 0 ]; then 100 | echo "Unable to unlock an NVRAM area." 101 | ${UMOUNT} ${TMPFS_MNT} 102 | exit 255 103 | fi 104 | 105 | exit 0 106 | 107 | 108 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/cryptroot-ask.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # do not ask, if we already have root 4 | [ -f /sysroot/proc ] && exit 0 5 | 6 | # check if destination already exists 7 | [ -b /dev/mapper/$2 ] && exit 0 8 | 9 | # we already asked for this device 10 | [ -f /tmp/cryptroot-asked-$2 ] && exit 0 11 | 12 | . /lib/dracut-lib.sh 13 | 14 | # default luksname - luks-UUID 15 | luksname=$2 16 | 17 | # if device name is /dev/dm-X, convert to /dev/mapper/name 18 | if [ "${1##/dev/dm-}" != "$1" ]; then 19 | device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")" 20 | else 21 | device="$1" 22 | fi 23 | 24 | if [ -f /etc/crypttab ] && ! 
getargs rd_NO_CRYPTTAB; then 25 | while read name dev rest; do 26 | # ignore blank lines and comments 27 | if [ -z "$name" -o "${name#\#}" != "$name" ]; then 28 | continue 29 | fi 30 | 31 | # UUID used in crypttab 32 | if [ "${dev%%=*}" = "UUID" ]; then 33 | if [ "luks-${dev##UUID=}" = "$2" ]; then 34 | luksname="$name" 35 | break 36 | fi 37 | 38 | # path used in crypttab 39 | else 40 | cdev=$(readlink -f $dev) 41 | mdev=$(readlink -f $device) 42 | if [ "$cdev" = "$mdev" ]; then 43 | luksname="$name" 44 | break 45 | fi 46 | fi 47 | done < /etc/crypttab 48 | unset name dev rest 49 | fi 50 | 51 | prompt="TPM NVRAM password for [$device ($luksname)]:" 52 | if [ ${#luksname} -gt 8 ]; then 53 | sluksname=${sluksname##luks-} 54 | sluksname=${luksname%%${luksname##????????}} 55 | prompt="TPM NVRAM password for $device ($sluksname...)" 56 | fi 57 | 58 | # flock against other interactive activities 59 | { flock -s 9; 60 | /bin/plymouth ask-for-password \ 61 | --number-of-tries=3 \ 62 | --prompt "$prompt" \ 63 | --command="/sbin/cryptroot-ask-tpm $device $luksname" 64 | 65 | if [ $? -ne 0 ]; then 66 | prompt="LUKS password for [$device ($luksname)]:" 67 | /bin/plymouth ask-for-password \ 68 | --prompt "$prompt" \ 69 | --command="/sbin/cryptsetup luksOpen -T1 $device $luksname" 70 | fi 71 | } 9>/.console.lock 72 | 73 | unset ask device luksname 74 | 75 | # mark device as asked 76 | >> /tmp/cryptroot-asked-$2 77 | 78 | udevsettle 79 | 80 | exit 0 81 | # vim:ts=8:sw=4:sts=4:et 82 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/install: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if grep -q nash /usr/libexec/plymouth/plymouth-populate-initrd \ 4 | || ! grep -q PLYMOUTH_POPULATE_SOURCE_FUNCTIONS /usr/libexec/plymouth/plymouth-populate-initrd \ 5 | || [ ! -x /usr/libexec/plymouth/plymouth-populate-initrd ]; then 6 | . 
"$moddir"/plymouth-populate-initrd 7 | else 8 | PLYMOUTH_POPULATE_SOURCE_FUNCTIONS="$dracutfunctions" \ 9 | /usr/libexec/plymouth/plymouth-populate-initrd -t $initdir 10 | fi 11 | 12 | inst_hook pre-pivot 90 "$moddir"/plymouth-newroot.sh 13 | inst_hook pre-trigger 10 "$moddir"/plymouth-pretrigger.sh 14 | inst_hook emergency 00 "$moddir"/plymouth-emergency.sh 15 | inst "$moddir"/cryptroot-ask.sh /sbin/cryptroot-ask 16 | inst readlink 17 | # tpm-luks dependencies 18 | inst "$moddir"/cryptroot-ask-tpm.sh /sbin/cryptroot-ask-tpm 19 | inst_binary getcapability 20 | inst_binary awk 21 | inst_binary od 22 | inst_binary nv_readvalue 23 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/installkernel: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Include KMS capable drm drivers 3 | for modname in $(find "$srcmods/kernel/drivers/gpu/drm" -name '*.ko' 2>/dev/null); do 4 | grep -q drm_crtc_init $modname && instmods $modname 5 | done 6 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/plymouth-emergency.sh: -------------------------------------------------------------------------------- 1 | [ -x /bin/plymouth ] && /bin/plymouth --hide-splash 2 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/plymouth-newroot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ -x /bin/plymouth ]; then 4 | /bin/plymouth --newroot=$NEWROOT 5 | fi 6 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/plymouth-populate-initrd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if ldd /sbin/plymouthd |grep -q lib64; then 3 | LIBDIR="/usr/lib64" 4 | else 5 | LIBDIR="/usr/lib" 6 | fi 7 | 
PLYMOUTH_LOGO_FILE="/usr/share/pixmaps/system-logo-white.png" 8 | PLYMOUTH_THEME=$(plymouth-set-default-theme) 9 | 10 | inst /sbin/plymouthd /bin/plymouthd 11 | dracut_install /bin/plymouth \ 12 | "${PLYMOUTH_LOGO_FILE}" \ 13 | /etc/system-release 14 | 15 | mkdir -p "${initdir}/usr/share/plymouth" 16 | 17 | if [[ $hostonly ]]; then 18 | dracut_install "${LIBDIR}/plymouth/text.so" \ 19 | "${LIBDIR}/plymouth/details.so" \ 20 | "/usr/share/plymouth/themes/details/details.plymouth" \ 21 | "/usr/share/plymouth/themes/text/text.plymouth" \ 22 | 23 | if [[ -d /usr/share/plymouth/themes/${PLYMOUTH_THEME} ]]; then 24 | for x in "/usr/share/plymouth/themes/${PLYMOUTH_THEME}"/* ; do 25 | [[ -f "$x" ]] || break 26 | inst $x 27 | done 28 | fi 29 | 30 | if [ -L /usr/share/plymouth/themes/default.plymouth ]; then 31 | inst /usr/share/plymouth/themes/default.plymouth 32 | # Install plugin for this theme 33 | PLYMOUTH_PLUGIN=$(grep "^ModuleName=" /usr/share/plymouth/themes/default.plymouth | while read a b c; do echo $b; done;) 34 | inst ${LIBDIR}/plymouth/${PLYMOUTH_PLUGIN}.so 35 | fi 36 | else 37 | for x in /usr/share/plymouth/themes/{text,details}/* ; do 38 | [[ -f "$x" ]] || continue 39 | THEME_DIR=$(dirname "$x") 40 | mkdir -p "${initdir}/$THEME_DIR" 41 | dracut_install "$x" 42 | done 43 | for x in ${LIBDIR}/plymouth/{text,details}.so ; do 44 | [[ -f "$x" ]] || continue 45 | [[ "$x" != "${x%%/label.so}" ]] && continue 46 | dracut_install "$x" 47 | done 48 | ( 49 | cd ${initdir}/usr/share/plymouth/themes; 50 | ln -s text/text.plymouth default.plymouth 2>&1; 51 | ) 52 | fi 53 | 54 | # vim:ts=8:sw=4:sts=4:et 55 | -------------------------------------------------------------------------------- /dracut/RHEL6/plymouth-tpm/plymouth-pretrigger.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if ! 
getarg rd_NO_PLYMOUTH; then 4 | [ -c /dev/null ] || mknod -m 0666 /dev/null c 1 3 5 | # first trigger graphics subsystem 6 | udevadm trigger --attr-match=class=0x030000 >/dev/null 2>&1 7 | # first trigger graphics and tty subsystem 8 | udevadm trigger --subsystem-match=graphics --subsystem-match=drm --subsystem-match=tty >/dev/null 2>&1 9 | 10 | udevadm settle --timeout=30 2>&1 | vinfo 11 | [ -c /dev/zero ] || mknod -m 0666 /dev/zero c 1 5 12 | [ -c /dev/tty0 ] || mknod -m 0620 /dev/tty0 c 4 0 13 | [ -e /dev/systty ] || ln -s tty0 /dev/systty 14 | [ -c /dev/fb0 ] || mknod -m 0660 /dev/fb0 c 29 0 15 | [ -e /dev/fb ] || ln -s fb0 /dev/fb 16 | [ -c /dev/hvc0 ] || mknod -m 0600 /dev/hvc0 c 229 0 17 | 18 | info "Starting plymouth daemon" 19 | [ -x /bin/plymouthd ] && /bin/plymouthd --attach-to-session 20 | /lib/udev/console_init tty0 21 | /bin/plymouth --show-splash 2>&1 | vinfo 22 | fi 23 | 24 | 25 | # vim:ts=8:sw=4:sts=4:et 26 | -------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/crypt-cleanup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | # close everything which is not busy 5 | rm -f -- /etc/udev/rules.d/70-luks.rules >/dev/null 2>&1 6 | 7 | if ! 
getarg rd.luks.uuid -d rd_LUKS_UUID >/dev/null 2>&1 && getargbool 1 rd.luks -d -n rd_NO_LUKS >/dev/null 2>&1; then 8 | while true; do 9 | local do_break="y" 10 | for i in /dev/mapper/luks-*; do 11 | cryptsetup luksClose $i >/dev/null 2>&1 && do_break=n 12 | done 13 | [ "$do_break" = "y" ] && break 14 | done 15 | fi 16 | -------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/crypt-run-generator.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | . /lib/dracut-lib.sh 6 | type crypttab_contains >/dev/null 2>&1 || . /lib/dracut-crypt-lib.sh 7 | 8 | dev=$1 9 | luks=$2 10 | 11 | crypttab_contains "$luks" && exit 0 12 | 13 | allowdiscards="-" 14 | 15 | # parse for allow-discards 16 | if strstr "$(cryptsetup --help)" "allow-discards"; then 17 | if discarduuids=$(getargs "rd.luks.allow-discards"); then 18 | discarduuids=$(str_replace "$discarduuids" 'luks-' '') 19 | if strstr " $discarduuids " " ${luks##luks-}"; then 20 | allowdiscards="allow-discards" 21 | fi 22 | elif getargbool 0 rd.luks.allow-discards; then 23 | allowdiscards="allow-discards" 24 | fi 25 | fi 26 | 27 | echo "$luks $dev - timeout=0,$allowdiscards" >> /etc/crypttab 28 | 29 | if command -v systemctl >/dev/null; then 30 | systemctl daemon-reload 31 | systemctl start cryptsetup.target 32 | fi 33 | exit 0 34 | -------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/cryptroot-ask-tpm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # package reqs: od, getcapability, nv_readvalue, dd 4 | # 5 | # Author: Kent Yoder 6 | # 7 | PATH=/usr/sbin:/usr/bin:/sbin:/bin 8 | . 
/lib/dracut-crypt-lib.sh 9 | 10 | TPM_LUKS_CONF=/etc/tpm-luks.conf 11 | TPM_NV_PER_AUTHREAD=0x00040000 12 | TPM_NV_PER_OWNERREAD=0x00020000 13 | TMPFS_MNT=/tmp/cryptroot-mnt 14 | KEYFILE=$TMPFS_MNT/key 15 | 16 | DEVICE=$1 17 | NAME=$2 18 | PASS=$3 19 | 20 | if [ "$PASS" == "" -o "$PASS" == "read" ]; then 21 | 22 | # Find the device index based on the device name 23 | NVINDEX=$(cat $TPM_LUKS_CONF | grep -v "^\s*#" | grep $DEVICE | cut -d: -f2) 24 | 25 | if [ -z "$NVINDEX" ]; then 26 | cryptroot-ask-tpm $DEVICE $NAME input 27 | exit 0 28 | fi 29 | 30 | NVINDEX=$(printf "0x%x" $NVINDEX) 31 | 32 | NVMATCH=$(getcapability -cap 0x11 -scap $NVINDEX | awk -F ": " '$1 ~ /Matches/ { print $2 }') 33 | NVSIZE=$(getcapability -cap 0x11 -scap $NVINDEX | awk -F= '$1 ~ /dataSize/ { print $2 }') 34 | NVRESULT=$(getcapability -cap 0x11 -scap $NVINDEX | awk '$1 ~ /Result/ { print $11 }') 35 | 36 | # An index is viable if its composite hash matches current PCR state, or if 37 | # it doesn't require PCR state at all 38 | if [ -z "$NVSIZE" ]; then 39 | cryptroot-ask-tpm $DEVICE $NAME input 40 | exit 0 41 | fi 42 | 43 | if [ -n "$MATCH1" -a "$MATCH1" != "Yes" ]; then 44 | warn "TPM NV index does not match PCR state." 
45 | cryptroot-ask-tpm $DEVICE $NAME input 46 | exit 0 47 | fi 48 | 49 | # An index needs a password if authentication bits matches AUTHREAD or OWNERREAD 50 | if [ -n "$NVRESULT" -a -z "$PASS" ]; then 51 | AUTHREAD=$(( 0x$NVRESULT & $TPM_NV_PER_AUTHREAD )) 52 | OWNERREAD=$(( 0x$NVRESULT & $TPM_NV_PER_OWNERREAD )) 53 | 54 | if [ $AUTHREAD -ne 0 -o $OWNERREAD -ne 0 ]; then 55 | ask_for_password --tries 3 --tty-echo-off \ 56 | --cmd "cryptroot-ask-tpm $DEVICE $NAME read" \ 57 | --prompt "Enter TPM NVRAM password for device: $DEVICE\nESC to show, '' to skip\n" 58 | exit 0 59 | fi 60 | fi 61 | 62 | # Plymouth feeds in this password for us, if we need a password 63 | NVPASS_OPTIONS= 64 | if [ -n "$PASS" ]; then 65 | readpass NVPASS 66 | if [ -z "$NVPASS" ]; then 67 | warn "TPM NVRAM password is empty, fall back to regular password." 68 | cryptroot-ask-tpm $DEVICE $NAME input 69 | exit 0 70 | fi 71 | NVPASS_OPTIONS="-pwdd $NVPASS" 72 | fi 73 | 74 | # Mount tmpfs to store luks keys 75 | if [ ! -d $TMPFS_MNT ]; then 76 | mkdir $TMPFS_MNT 77 | if [ $? -ne 0 ]; then 78 | warn "Unable to create $TMPFS_MNT folder to securely store TPM NVRAM data." 79 | exit 255 80 | fi 81 | fi 82 | 83 | mount -t tmpfs -o size=16K tmpfs $TMPFS_MNT 84 | if [ $? -ne 0 ]; then 85 | warn "Unable to mount tmpfs area to securely store TPM NVRAM data." 86 | exit 255 87 | fi 88 | 89 | # Read key from TPM NVRAM into keyfile 90 | info "Reading from NV index $NVINDEX." 91 | nv_readvalue -ix $NVINDEX $NVPASS_OPTIONS -sz $NVSIZE -of $KEYFILE >/dev/null 2>&1 92 | RC=$? 93 | if [ $RC -eq 1 ]; then 94 | warn "TPM NV index $NVINDEX: Bad password." 95 | elif [ $RC -eq 24 ]; then 96 | warn "TPM NV index $NVINDEX: PCR mismatch." 97 | elif [ $RC -eq 2 ]; then 98 | warn "TPM NV index $NVINDEX: Invalid NVRAM Index." 
99 | elif [ $RC -ne 0 ]; then 100 | warn "TPM NV index $NVINDEX: Unknown error ($RC)" 101 | fi 102 | 103 | if [ $RC -ne 0 ]; then 104 | umount $TMPFS_MNT 105 | [ "$PASS" == "read" ] && exit 255 106 | cryptroot-ask-tpm $DEVICE $NAME input 107 | exit 0 108 | fi 109 | 110 | # Open the luks partition using the key 111 | info "Opening LUKS partition $DEVICE using TPM key." 112 | cryptsetup luksOpen $DEVICE $NAME --key-file $KEYFILE --keyfile-size $NVSIZE 113 | RC=$? 114 | # Zeroize keyfile regardless of success/fail and unmount 115 | dd if=/dev/zero of=$KEYFILE bs=1c count=$NVSIZE >/dev/null 2>&1 116 | umount $TMPFS_MNT 117 | # if error 118 | if [ $RC -ne 0 ]; then 119 | warn "cryptsetup failed." 120 | [ "$PASS" == "read" ] && exit 255 121 | cryptroot-ask-tpm $DEVICE $NAME input 122 | exit 0 123 | fi 124 | 125 | #success 126 | exit 0 127 | 128 | fi 129 | 130 | if [ "$PASS" == "input" ]; then 131 | 132 | ask_for_password --tries 3 --tty-echo-off \ 133 | --cmd "cryptroot-ask-tpm $DEVICE $NAME pass" \ 134 | --prompt "Enter LUKS password for device $DEVICE\nESC to show, '' to skip, start with '=' for base64, '==' to escape\n" 135 | exit 0 136 | 137 | fi 138 | 139 | if [ "$PASS" == "pass" ]; then 140 | 141 | # Mount tmpfs to store luks keys 142 | if [ ! -d $TMPFS_MNT ]; then 143 | mkdir $TMPFS_MNT 144 | if [ $? -ne 0 ]; then 145 | warn "Unable to create $TMPFS_MNT folder to securely store TPM NVRAM data." 146 | exit 0 147 | fi 148 | fi 149 | 150 | mount -t tmpfs -o size=16K tmpfs $TMPFS_MNT 151 | if [ $? -ne 0 ]; then 152 | warn "Unable to mount tmpfs area to securely store TPM NVRAM data." 153 | exit 0 154 | fi 155 | 156 | # Save input key into key file 157 | readpass NVPASS 158 | if [ -z "$NVPASS" ]; then 159 | warn "Regular password is empty, abort." 
160 | exit 0 161 | elif [[ "$NVPASS" == ==* ]]; then 162 | NVPASS=${NVPASS:1} 163 | echo -n "$NVPASS" > $KEYFILE 164 | elif [[ "$NVPASS" == =* ]]; then 165 | NVPASS=${NVPASS:1} 166 | echo -n "$NVPASS" | base64 -d > $KEYFILE 167 | if [ $? -ne 0 ]; then 168 | warn "Invalid base64 password." 169 | exit 255 170 | fi 171 | else 172 | echo -n "$NVPASS" > $KEYFILE 173 | fi 174 | 175 | NVSIZE=$(stat -c%s $KEYFILE) 176 | 177 | # Open the luks partition using the key 178 | info "Opening LUKS partition $DEVICE using input password." 179 | cryptsetup luksOpen $DEVICE $NAME --key-file $KEYFILE --keyfile-size $NVSIZE 180 | RC=$? 181 | # Zeroize keyfile regardless of success/fail and unmount 182 | dd if=/dev/zero of=$KEYFILE bs=1c count=$NVSIZE >/dev/null 2>&1 183 | umount $TMPFS_MNT 184 | # if error 185 | if [ $RC -ne 0 ]; then 186 | warn "cryptsetup failed." 187 | exit 255 188 | fi 189 | 190 | #success 191 | exit 0 192 | 193 | fi 194 | -------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/cryptroot-ask.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | PATH=/usr/sbin:/usr/bin:/sbin:/bin 6 | NEWROOT=${NEWROOT:-"/sysroot"} 7 | 8 | # do not ask, if we already have root 9 | [ -f $NEWROOT/proc ] && exit 0 10 | 11 | # check if destination already exists 12 | [ -b /dev/mapper/$2 ] && exit 0 13 | 14 | # we already asked for this device 15 | [ -f /tmp/cryptroot-asked-$2 ] && exit 0 16 | 17 | # load dm_crypt if it is not already loaded 18 | [ -d /sys/module/dm_crypt ] || modprobe dm_crypt 19 | 20 | . 
/lib/dracut-crypt-lib.sh 21 | 22 | # default luksname - luks-UUID 23 | luksname=$2 24 | 25 | # fallback to passphrase 26 | ask_passphrase=1 27 | 28 | # if device name is /dev/dm-X, convert to /dev/mapper/name 29 | if [ "${1##/dev/dm-}" != "$1" ]; then 30 | device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")" 31 | else 32 | device="$1" 33 | fi 34 | 35 | # number of tries 36 | numtries=${3:-10} 37 | 38 | # TODO: improve to support what cmdline does 39 | if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then 40 | while read name dev luksfile luksoptions; do 41 | # ignore blank lines and comments 42 | if [ -z "$name" -o "${name#\#}" != "$name" ]; then 43 | continue 44 | fi 45 | 46 | # UUID used in crypttab 47 | if [ "${dev%%=*}" = "UUID" ]; then 48 | if [ "luks-${dev##UUID=}" = "$2" ]; then 49 | luksname="$name" 50 | break 51 | fi 52 | 53 | # path used in crypttab 54 | else 55 | cdev=$(readlink -f $dev) 56 | mdev=$(readlink -f $device) 57 | if [ "$cdev" = "$mdev" ]; then 58 | luksname="$name" 59 | break 60 | fi 61 | fi 62 | done < /etc/crypttab 63 | unset name dev 64 | fi 65 | 66 | # 67 | # Open LUKS device 68 | # 69 | 70 | info "luksOpen $device $luksname $luksfile $luksoptions" 71 | 72 | OLD_IFS="$IFS" 73 | IFS=, 74 | set -- $luksoptions 75 | IFS="$OLD_IFS" 76 | 77 | while [ $# -gt 0 ]; do 78 | case $1 in 79 | noauto) 80 | # skip this 81 | exit 0 82 | ;; 83 | swap) 84 | # skip this 85 | exit 0 86 | ;; 87 | tmp) 88 | # skip this 89 | exit 0 90 | ;; 91 | allow-discards) 92 | allowdiscards="--allow-discards" 93 | esac 94 | shift 95 | done 96 | 97 | # parse for allow-discards 98 | if strstr "$(cryptsetup --help)" "allow-discards"; then 99 | if discarduuids=$(getargs "rd.luks.allow-discards"); then 100 | discarduuids=$(str_replace "$discarduuids" 'luks-' '') 101 | if strstr " $discarduuids " " ${luksdev##luks-}"; then 102 | allowdiscards="--allow-discards" 103 | fi 104 | elif getargbool 0 rd.luks.allow-discards; then 105 | 
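# (end of the cryptroot-ask script: the rd.luks.allow-discards handling
#  started above closes here)
        allowdiscards="--allow-discards"
    fi
fi

# Only pass --allow-discards when this cryptsetup build understands it.
if strstr "$(cryptsetup --help)" "allow-discards"; then
    cryptsetupopts="$cryptsetupopts $allowdiscards"
fi

unset allowdiscards

if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
    # crypttab named a key file that exists inside the initramfs: try it first.
    if cryptsetup --key-file "$luksfile" $cryptsetupopts luksOpen "$device" "$luksname"; then
        ask_passphrase=0
    fi
else
    # rd.luks.key=<keypath>:<keydev>:<luksdev> on the kernel command line:
    # probe-keydev records matching devices in /tmp/luks.keys, which
    # getkey consults here.
    while [ -n "$(getarg rd.luks.key)" ]; do
        if tmp=$(getkey /tmp/luks.keys $device); then
            keydev="${tmp%%:*}"
            keypath="${tmp#*:}"
        else
            if [ $numtries -eq 0 ]; then
                warn "No key found for $device. Fallback to passphrase mode."
                break
            fi
            sleep 1
            info "No key found for $device. Will try $numtries time(s) more later."
            # Re-queue ourselves with one try fewer; the key device may simply
            # not have shown up yet.
            initqueue --unique --onetime --settled \
                --name cryptroot-ask-$luksname \
                $(command -v cryptroot-ask) "$device" "$luksname" "$(($numtries-1))"
            exit 0
        fi
        unset tmp

        info "Using '$keypath' on '$keydev'"
        # The key is streamed over a pipe (-d -) rather than written to a
        # temporary file in the initramfs.
        readkey "$keypath" "$keydev" "$device" \
            | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"
        unset keypath keydev
        ask_passphrase=0
        break
    done
fi

# No key file and no rd.luks.key match: hand over to the TPM helper
# (/sbin/cryptroot-ask-tpm, installed by module-setup.sh below).
# NOTE(review): $device and $luksname are passed unquoted; quote them if
# mapper names containing whitespace are ever possible.
if [ $ask_passphrase -ne 0 ]; then
    cryptroot-ask-tpm $device $luksname
fi

unset device luksname luksfile

# mark device as asked
>> /tmp/cryptroot-asked-$2

need_shutdown
udevsettle

exit 0
-------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/module-setup.sh: --------------------------------------------------------------------------------
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# dracut module setup for the crypt-tpm module (RHEL7 layout).  The hook
# names, inst_* helpers and the variables used here ($hostonly,
# $host_fs_types, $initdir, $moddir, $hostonly_cmdline, ...) are dracut's
# module API.

# Decide whether the module is included.  cryptsetup must be present; in
# hostonly mode (or when mount_needs is set) at least one host filesystem
# must be crypto_LUKS, otherwise 255 tells dracut to include the module only
# when explicitly requested.
check() {
    # if cryptsetup is not installed, then we cannot support encrypted devices.
    type -P cryptsetup >/dev/null || return 1

    [[ $hostonly ]] || [[ $mount_needs ]] && {
        for fs in "${host_fs_types[@]}"; do
            [[ $fs = "crypto_LUKS" ]] && return 0
        done
        return 255
    }

    return 0
}

# Modules this one needs: device-mapper and the block root-fs handling.
depends() {
    echo dm rootfs-block
    return 0
}

# Kernel modules to ship: dm-crypt plus everything under crypto/.
installkernel() {
    instmods dm_crypt =crypto
}

# Emit an " rd.luks.uuid=luks-<UUID>" argument for every crypto_LUKS device
# in host_fs_types.  Used by install() when hostonly_cmdline is enabled.
cmdline() {
    local dev UUID
    for dev in "${!host_fs_types[@]}"; do
        [[ "${host_fs_types[$dev]}" != "crypto_LUKS" ]] && continue

        # Pick the UUID= line out of blkid's export-format output.
        UUID=$(
            blkid -u crypto -o export "$dev" \
                | while read -r line; do
                    [[ ${line#UUID} = "$line" ]] && continue
                    printf "%s" "${line#UUID=}"
                    break
                done
        )
        [[ ${UUID} ]] || continue
        printf "%s" " rd.luks.uuid=luks-${UUID}"
    done
}

# Populate the initramfs with the scripts, tools, hooks and config files the
# module needs.  Hook order: parse-keydev (cmdline 10) runs before
# parse-crypt (cmdline 30).
install() {

    if [[ $hostonly_cmdline == "yes" ]]; then
        cmdline >> "${initdir}/etc/cmdline.d/90crypt.conf"
        echo >> "${initdir}/etc/cmdline.d/90crypt.conf"
    fi

    # The TPM helper and the tools it runs.  getcapability and nv_readvalue
    # come from swtpm-utils, which installs them into /usr/bin so that
    # dracut's inst helpers can find them (see swtpm-utils/Makefile.am).
    inst_multiple getcapability nv_readvalue awk od dd cut cat grep stat mkdir read base64
    inst_script "$moddir"/cryptroot-ask-tpm.sh /sbin/cryptroot-ask-tpm

    inst_multiple cryptsetup rmdir readlink umount
    inst_script "$moddir"/cryptroot-ask.sh /sbin/cryptroot-ask
    inst_script "$moddir"/probe-keydev.sh /sbin/probe-keydev
    inst_hook cmdline 10 "$moddir/parse-keydev.sh"
    inst_hook cmdline 30 "$moddir/parse-crypt.sh"
    # The systemd guard is commented out on purpose: tpm-luks.conf.in omits
    # the systemd module, so the cleanup hook is always installed.
    # if ! dracut_module_included "systemd"; then
    inst_hook cleanup 30 "$moddir/crypt-cleanup.sh"
    # fi

    if [[ $hostonly ]] && [[ -f /etc/crypttab ]]; then
        cp -f /etc/crypttab "$initdir/etc/crypttab"
    fi

    # The initramfs sits unencrypted in /boot and tpm-luks.conf is copied
    # verbatim, so nothing secret may live in that file.
    if [[ $hostonly ]] && [[ -f /etc/tpm-luks.conf ]]; then
        # copy file as-is
        cp /etc/tpm-luks.conf "$initdir/etc/tpm-luks.conf"
    fi

    inst_simple "$moddir/crypt-lib.sh" "/lib/dracut-crypt-lib.sh"

    # -o: optional, silently skipped when the systemd bits are absent.
    inst_multiple -o \
        $systemdutildir/system-generators/systemd-cryptsetup-generator \
        $systemdutildir/systemd-cryptsetup \
        $systemdsystemunitdir/systemd-ask-password-console.path \
        $systemdsystemunitdir/systemd-ask-password-console.service \
        $systemdsystemunitdir/cryptsetup.target \
        $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
        systemd-ask-password systemd-tty-ask-password-agent
    # inst_script "$moddir"/crypt-run-generator.sh /sbin/crypt-run-generator
    dracut_need_initqueue
}
-------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/parse-crypt.sh: --------------------------------------------------------------------------------
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

type crypttab_contains >/dev/null 2>&1 || . /lib/dracut-crypt-lib.sh

if !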
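getargbool 1 rd.luks -d -n rd_NO_LUKS; then
    info "rd.luks=0: removing cryptoluks activation"
    rm -f -- /etc/udev/rules.d/70-luks.rules
else
    # Build the rule file under a .new name and mv it into place at the end,
    # so udev never sees a half-written file.
    {
        echo 'SUBSYSTEM!="block", GOTO="luks_end"'
        echo 'ACTION!="add|change", GOTO="luks_end"'
    } > /etc/udev/rules.d/70-luks.rules.new

    LUKS=$(getargs rd.luks.uuid -d rd_LUKS_UUID)
    tout=$(getarg rd.luks.key.tout)

    if [ -n "$LUKS" ]; then
        for luksid in $LUKS; do

            luksid=${luksid##luks-}

            # One rule per requested UUID: when a crypto_LUKS device whose
            # UUID contains luksid appears, queue cryptroot-ask for it.
            # luksid comes straight from the kernel command line and is
            # written into the rule without escaping.
            # if [ -z "$DRACUT_SYSTEMD" ]; then
            {
                printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", '
                printf -- 'ENV{ID_FS_UUID}=="*%s*", ' $luksid
                printf -- 'RUN+="%s --settled --unique --onetime ' $(command -v initqueue)
                printf -- '--name cryptroot-ask-%%k %s ' $(command -v cryptroot-ask)
                printf -- '$env{DEVNAME} luks-$env{ID_FS_UUID} %s"\n' $tout
            } >> /etc/udev/rules.d/70-luks.rules.new
            # else
            #     if ! crypttab_contains "$luksid"; then
            #         {
            #             printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", '
            #             printf -- 'ENV{ID_FS_UUID}=="*%s*", ' $luksid
            #             printf -- 'RUN+="%s --settled --unique --onetime ' $(command -v initqueue)
            #             printf -- '--name systemd-cryptsetup-%%k %s start ' $(command -v systemctl)
            #             printf -- 'systemd-cryptsetup@luks$$(dev_unit_name -$env{ID_FS_UUID}).service"\n'
            #         } >> /etc/udev/rules.d/70-luks.rules.new
            #     fi
            # fi

            # Strip the dashes: the dm-uuid symlink uses the undashed form.
            uuid=$luksid
            while [ "$uuid" != "${uuid#*-}" ]; do uuid=${uuid%%-*}${uuid#*-}; done
            printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' $uuid \
                >> "$hookdir/initqueue/finished/90-crypt.sh"

            {
                printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' $luksid
                printf -- 'warn "crypto LUKS UUID "%s" not found"\n' $luksid
            } >> "$hookdir/emergency/90-crypt.sh"
        done
    elif getargbool 0 rd.auto; then
        # rd.auto without explicit UUIDs: ask for every crypto_LUKS device.
        # if [ -z "$DRACUT_SYSTEMD" ]; then
        {
            printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' $(command -v initqueue)
            printf -- '--unique --settled --onetime --name cryptroot-ask-%%k '
            printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID} %s"\n' $(command -v cryptroot-ask) $tout
        } >> /etc/udev/rules.d/70-luks.rules.new
        # else
        #     {
        #         printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' $(command -v initqueue)
        #         printf -- '--unique --settled --onetime --name crypt-run-generator-%%k '
        #         printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID}"\n' $(command -v crypt-run-generator)
        #     } >> /etc/udev/rules.d/70-luks.rules.new
        # fi
    fi

    echo 'LABEL="luks_end"' >> /etc/udev/rules.d/70-luks.rules.new
    mv /etc/udev/rules.d/70-luks.rules.new /etc/udev/rules.d/70-luks.rules
fi
-------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/parse-keydev.sh: --------------------------------------------------------------------------------
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# cmdline hook: for every rd.luks.key=<keypath>:<keydev>:<luksdev> argument,
# write a udev rule that runs probe-keydev on each matching block device.

if getargbool 1 rd.luks -n rd_NO_LUKS && \
    [ -n "$(getarg rd.luks.key)" ]; then
    # fd 7 is the rules file for the rest of this block.
    exec 7>/etc/udev/rules.d/65-luks-keydev.rules
    echo 'SUBSYSTEM!="block", GOTO="luks_keydev_end"' >&7
    echo 'ACTION!="add|change", GOTO="luks_keydev_end"' >&7

    for arg in $(getargs rd.luks.key); do
        unset keypath keydev luksdev
        splitsep : "$arg" keypath keydev luksdev

        info "rd.luks.key: keypath='$keypath' keydev='$keydev' luksdev='$luksdev'"

        if [ -z "$keypath" ]; then
            warn 'keypath required!'
            continue
        fi

        # With a keydev, udevmatch turns it into a udev match expression;
        # without one the rule fires for every block device.
        if [ -n "$keydev" ]; then
            udevmatch "$keydev" >&7 || {
                warn 'keydev incorrect!'
                continue
            }
            printf ', ' >&7
        fi

        {
            printf -- 'RUN+="%s --unique --onetime ' $(command -v initqueue)
            printf -- '--name probe-keydev-%%k '
            printf -- '%s /dev/%%k %s %s"\n' \
                $(command -v probe-keydev) "${keypath}" "${luksdev}"
        } >&7
    done
    unset arg keypath keydev luksdev

    echo 'LABEL="luks_keydev_end"' >&7
    exec 7>&-
fi
-------------------------------------------------------------------------------- /dracut/RHEL7/crypt-tpm/probe-keydev.sh: --------------------------------------------------------------------------------
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# Queued by the 65-luks-keydev udev rule: check whether the block device
# $1 carries the key file $2 and, if so, record it for cryptroot-ask.
#   $1  real key device (/dev/<kernel name>)
#   $2  path of the key file on that device
#   $3  LUKS device the key is for ('*' = any)

. /lib/dracut-crypt-lib.sh


real_keydev="$1"; keypath="$2"; luksdev="$3"

[ -z "$real_keydev" -o -z "$keypath" ] && die 'probe-keydev: wrong usage!'
[ -z "$luksdev" ] && luksdev='*'

info "Probing $real_keydev for $keypath..."
test_dev -f "$real_keydev" "$keypath" || exit 1

# /tmp/luks.keys is the lookup table getkey reads in cryptroot-ask.
info "Found $keypath on $real_keydev"
echo "$luksdev:$real_keydev:$keypath" >> /tmp/luks.keys
-------------------------------------------------------------------------------- /dracut/dracut-key: --------------------------------------------------------------------------------
#!/bin/bash
# Build an initramfs with the plymouth-tpm module instead of plymouth;
# remaining arguments go to dracut unchanged (quoted, so arguments with
# spaces survive).
dracut -o plymouth -a plymouth-tpm "$@"
-------------------------------------------------------------------------------- /dracut/expand-initrd-key: --------------------------------------------------------------------------------
#!/bin/bash
# Unpack the gzip-compressed initramfs $1 into the current directory.
# --no-absolute-filenames keeps a crafted archive from writing outside it.
gunzip -c "${1:??}" | cpio -i -d --no-absolute-filenames
-------------------------------------------------------------------------------- /dracut/tpm-luks.conf.in: --------------------------------------------------------------------------------
# tpm-luks dracut config file
# (@...@ placeholders are filled in by configure)

# Specific list of dracut modules to use
#dracutmodules+=""

# Dracut modules to omit
omit_dracutmodules+="@DRACUT_MODULE_NAME@ systemd plymouth"

# Dracut modules to add to the default
add_dracutmodules+="@DRACUT_MODULE_NAME@-tpm"

# additional kernel modules to the default
add_drivers+="@DRACUT_KERNEL_MODULES@"

# list of kernel filesystem modules to be included in the generic initramfs
#filesystems+=""

# build initrd only to boot current hardware
#hostonly="yes"
#

# install local /etc/mdadm.conf
mdadmconf="yes"

# install local /etc/lvm/lvm.conf
lvmconf="yes"
-------------------------------------------------------------------------------- /swtpm-utils/Makefile.am: --------------------------------------------------------------------------------
#################################################################################
# #
# Makefile for libtpm/utils #
# #
# $Id: Makefile.am 4073 2010-04-30 14:44:14Z kgoldman $ #
# #
# (c)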
Copyright IBM Corporation 2006, 2010. # 8 | # # 9 | # All rights reserved. # 10 | # # 11 | # Redistribution and use in source and binary forms, with or without # 12 | # modification, are permitted provided that the following conditions are # 13 | # met: # 14 | # # 15 | # Redistributions of source code must retain the above copyright notice, # 16 | # this list of conditions and the following disclaimer. # 17 | # # 18 | # Redistributions in binary form must reproduce the above copyright # 19 | # notice, this list of conditions and the following disclaimer in the # 20 | # documentation and/or other materials provided with the distribution. # 21 | # # 22 | # Neither the names of the IBM Corporation nor the names of its # 23 | # contributors may be used to endorse or promote products derived from # 24 | # this software without specific prior written permission. # 25 | # # 26 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # 27 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # 28 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR # 29 | # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT # 30 | # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # 31 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT # 32 | # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # 33 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # 34 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # 35 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # 36 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # 37 | # # 38 | ################################################################################# 39 | SUBDIRS = lib . 
# (swtpm-utils/Makefile.am, continued: build rules for the two TPM tools
#  that the dracut module installs into the initramfs)

# -DTPM_V12 selects the TPM 1.2 command set; -DTPM_USE_CHARDEV talks to
# /dev/tpm* directly.  -static is a link flag; it takes effect because
# automake passes AM_CFLAGS to the link command as well.
AM_CFLAGS = -I/usr/linux/include -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -static -W -Wuninitialized -DTPM_POSIX -DTPM_V12 -DTPM_NV_DISK -DTPM_AES -DTPM_USE_TAG_IN_STRUCTURE=1 -DTPM_USE_CHARDEV

# NOTE(review): INCLUDES is the obsolete spelling of AM_CPPFLAGS; newer
# automake warns about it.
INCLUDES = -Ilib
#LDADD = lib/.libs/libtpm.a /usr/local/ssl/lib/libcrypto.a
LDADD = lib/.libs/libtpm.a

# NOTE(review): AM_CONDITIONAL is a configure.ac macro; as a plain Makefile.am
# variable this assignment has no effect.
AM_CONDITIONAL = TPM_VTPM
#AM_LDFLAGS = -all-static
# NOTE(review): libraries are conventionally listed in LDADD rather than
# AM_LDFLAGS so they come after the objects on the link line; this works
# with the static link used here -- confirm before reordering.
AM_LDFLAGS = -lc -ldl -lcrypto
# These must go into /usr/bin because they'll be gathered up by dracut's
# scripts as part of building the initramfs.  The 'inst_binary' script
# only looks in a few places, and /usr/local/bin isn't one of them
bindir=/usr/bin
bin_PROGRAMS = getcapability nv_readvalue

getcapability_SOURCES = getcapability.c
nv_readvalue_SOURCES = nv_readvalue.c

noinst_HEADERS = \
	include/hmac.h \
	include/newserialize.h \
	include/oiaposap.h \
	include/pcrs.h \
	include/tpm.h \
	include/tpm_constants.h \
	include/tpm_error.h \
	include/tpm_lowlevel.h \
	include/tpm_structures.h \
	include/tpm_types.h \
	include/tpmfunc.h \
	include/tpmkeys.h \
	include/tpmutil.h

-------------------------------------------------------------------------------- /swtpm-utils/include/hmac.h: --------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM HMAC */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: hmac.h 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved.
*/ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
/********************************************************************************/

#ifndef HMAC_H
#define HMAC_H

/* NOTE(review): the header name on the next line was lost in extraction
 * (the page shows a bare "#include"); restore it from the repository. */
#include

/* Prototypes for the TPM 1.2 authorization HMAC helpers implemented in
 * lib/hmac.c.  All of them take trailing varargs whose convention is
 * defined by that implementation, not by this header.
 *
 * TSS_authhmac:   produce an authorization HMAC into digest, keyed with
 *                 key/keylen (h1, h2: digests/nonces; h3: a one-byte flag).
 * TSS_checkhmac1, TSS_checkhmac1New, TSS_checkhmac2:
 *                 verify the HMAC(s) carried in the TPM response tb for
 *                 command, using the caller's nonce(s) and key(s); the
 *                 "New" form takes the session explicitly, the "2" form
 *                 checks two authorization sessions.
 * TSS_rawhmac:    plain HMAC over the varargs with no TPM framing.
 *
 * NOTE(review): the return values are presumably 0 on success and an
 * ERR_* / TPM code otherwise (ERR_HMAC_FAIL exists in tpm.h) -- confirm in
 * lib/hmac.c.  Also confirm there that the response HMAC is compared with
 * a constant-time routine rather than memcmp(). */
uint32_t TSS_authhmac(unsigned char *digest, unsigned char *key, unsigned int keylen,
                      unsigned char *h1, unsigned char *h2, unsigned char h3,...);
uint32_t TSS_checkhmac1(const struct tpm_buffer *tb, uint32_t command, unsigned char *ononce,
                        unsigned char *key, unsigned int keylen, ...);
uint32_t TSS_checkhmac1New(const struct tpm_buffer *tb, uint32_t command, session *sess, unsigned char *ononce,
                           unsigned char *key, unsigned int keylen, ...);
uint32_t TSS_checkhmac2(const struct tpm_buffer *tb, uint32_t command,
                        unsigned char *ononce1,
                        unsigned char *key1, unsigned int keylen1,
                        unsigned char *ononce2,
                        unsigned char *key2, unsigned int keylen2, ...);
uint32_t TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned int keylen, ...);

#endif
-------------------------------------------------------------------------------- /swtpm-utils/include/oiaposap.h: --------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM Session Routines */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: oiaposap.h 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer.
*/ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
/********************************************************************************/

#ifndef OIAPOSAP_H
#define OIAPOSAP_H
/* NOTE(review): the two header names below were lost in extraction (the
 * page shows bare "#include" lines); restore them from the repository.
 * TPM_NONCE_SIZE / TPM_HASH_SIZE are the 20-byte constants from tpm.h;
 * TPM_AUTHDATA_SIZE and TPM_RESOURCE_TYPE come from a header not shown. */
#include
#include

/* Per-session state for the four TPM 1.2 authorization session kinds.
 * "enonce" is the even (TPM-side) nonce, "ononce" the odd (caller-side)
 * nonce of the rolling nonce exchange; "handle" is the TPM session handle. */

/* OSAP: object-specific session.  ssecret is the shared secret the session
 * HMACs are keyed with.
 * NOTE(review): ssecret is key material held in plain memory; confirm
 * TSS_OSAPclose() clears it before the struct is reused or freed. */
typedef struct osapsess
{
    uint32_t handle;
    unsigned char enonce[TPM_NONCE_SIZE];
    unsigned char enonceOSAP[TPM_NONCE_SIZE];
    unsigned char ononceOSAP[TPM_NONCE_SIZE];
    unsigned char ssecret[TPM_HASH_SIZE];
    unsigned char ononce[TPM_NONCE_SIZE];
    uint16_t etype;
} osapsess;

/* DSAP: delegation-specific session; same layout as osapsess. */
typedef struct dsapsess
{
    uint32_t handle;
    unsigned char enonce[TPM_NONCE_SIZE];
    unsigned char enonceDSAP[TPM_NONCE_SIZE];
    unsigned char ononceDSAP[TPM_NONCE_SIZE];
    unsigned char ssecret[TPM_HASH_SIZE];
    unsigned char ononce[TPM_NONCE_SIZE];
    uint16_t etype;
} dsapsess;

/* OIAP: object-independent session; only a handle and the TPM nonce. */
typedef struct oiapsess
{
    uint32_t handle;
    unsigned char enonce[TPM_NONCE_SIZE];
} oiapsess;

/* Transport session (see TSS_Session_CreateTransport below). */
typedef struct transess
{
    uint32_t handle;
    unsigned char enonce[TPM_NONCE_SIZE];
} transess;

/* Tagged union over the session kinds.  sess_type is one of the SESSION_*
 * values below and selects the active member of "type".  authdata is the
 * authorization secret the session was opened with.
 * NOTE(review): same clearing concern as ssecret -- confirm
 * TSS_SessionClose() wipes authdata. */
typedef struct session
{
    uint32_t sess_type; // see below
    union {
        oiapsess oiap;
        osapsess osap;
        dsapsess dsap;
        transess tran;
    } type;
    unsigned char authdata[TPM_AUTHDATA_SIZE];
} session;


/* Session kinds.  Powers of two, so TSS_SessionOpen()'s allowed_type is
 * presumably a bitmask of acceptable kinds -- confirm in lib/oiaposap.c. */
#define SESSION_OIAP 1
#define SESSION_OSAP 2
#define SESSION_DSAP 4
#define SESSION_TRAN 8

/* Low-level open/close per session kind.  Return values follow the rest of
 * the library (uint32_t result code; see ERR_* in tpm.h). */
uint32_t TSS_HANDclose(uint32_t handle, TPM_RESOURCE_TYPE);
uint32_t TSS_OIAPopen(uint32_t *handle, unsigned char *enonce);
uint32_t TSS_OIAPclose(uint32_t handle);
uint32_t TSS_OSAPopen(osapsess *sess,const unsigned char *key, uint16_t etype, uint32_t evalue);
uint32_t TSS_OSAPclose(osapsess *sess);
uint32_t TSS_DSAPopen(dsapsess *sess,
                      unsigned char *key,
                      uint16_t etype,
                      uint32_t keyhandle,
                      unsigned char * evalue, uint32_t evalueSize);
uint32_t TSS_DSAPclose(dsapsess *sess);

/* Generic front end: open a session of one of the allowed_type kinds for
 * the entity (etype/evalue) using passHash as the authorization secret,
 * and the accessors the command wrappers use on the resulting session. */
uint32_t TSS_SessionOpen(uint32_t allowed_type,
                         session * sess,
                         unsigned char *passHash, uint16_t etype, uint32_t evalue);
uint32_t TSS_SessionClose(session * sess);
uint32_t TSS_Session_CreateTransport(session *sess,
                                     unsigned char *transAuth,
                                     uint32_t transHandle,
                                     unsigned char *transNonce);
unsigned char * TSS_Session_GetAuth(session * sess);
unsigned char * TSS_Session_GetENonce(session * sess);
void TSS_Session_SetENonce(session * sess, const unsigned char *enonce);
uint32_t TSS_Session_GetHandle(session * sess);

#endif
-------------------------------------------------------------------------------- /swtpm-utils/include/pcrs.h: --------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM PCR Routines */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: pcrs.h 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer. */
/* */
/* Redistributions in binary form must reproduce the above copyright */
/* notice, this list of conditions and the following disclaimer in the */
/* documentation and/or other materials provided with the distribution. */
/* */
/* Neither the names of the IBM Corporation nor the names of its */
/* contributors may be used to endorse or promote products derived from */
/* this software without specific prior written permission.
*/
/* */
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
/********************************************************************************/

#ifndef PCRS_H
#define PCRS_H

/* NOTE(review): this tree is built with -DTPM_V12 (swtpm-utils/Makefile.am)
 * and TPM 1.2 parts expose 24 PCRs with a 3-byte selection mask, whereas
 * the two values below describe a 16-PCR layout.  Confirm against
 * lib/pcrs.c before relying on PCRs 16-23, e.g. in a sealing policy. */
#define TPM_PCR_NUM 16 /* number of PCR registers supported */
#define TPM_PCR_MASK_SIZE 2 /* size in bytes of PCR bit mask */

/* Read PCR pcrindex into pcrvalue.  Returns a library/TPM result code
 * (presumably 0 on success; see ERR_* in tpm.h).
 * NOTE(review): pcrvalue is presumably a TPM_HASH_SIZE (20-byte) buffer --
 * confirm in lib/pcrs.c. */
uint32_t TPM_PcrRead(uint32_t pcrindex, unsigned char *pcrvalue);
//uint32_t TSS_GenPCRInfo(uint32_t pcrmap, unsigned char *pcrinfo, unsigned int *len);

#endif
-------------------------------------------------------------------------------- /swtpm-utils/include/tpm.h: --------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM Utilities */
/* Written by J. Kravitz */
/* IBM Thomas J. Watson Research Center */
/* $Id: tpm.h 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved.
*/ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
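*/
/********************************************************************************/

#ifndef TPM_H
#define TPM_H

/* NOTE(review): the four header names below were lost in extraction (the
 * page shows bare "#include" lines); restore them from the repository. */
#include
#include
#ifdef TPM_POSIX
#include
#endif
#ifdef TPM_WINDOWS
#include
#endif

/* Library-side error codes.  Every one of them has ERR_MASK set, presumably
 * to keep them apart from the TPM's own return codes. */
#define ERR_MASK 0x80000000 /* mask to define error state */
/* 0x80001000 is deliberately unassigned: a shell only sees the low byte of
 * an exit status, and a low byte of 0x00 would read as success. */
#define ERR_DUMMY 0x80001000
#define ERR_HMAC_FAIL 0x80001001 /* HMAC authorization verification failed */
#define ERR_NULL_ARG 0x80001002 /* An argument was NULL that shouldn't be */
#define ERR_BAD_ARG 0x80001003 /* An argument had an invalid value */
#define ERR_CRYPT_ERR 0x80001004 /* An error occurred in an OpenSSL library call */
#define ERR_IO 0x80001005 /* An I/O Error occurred */
#define ERR_MEM_ERR 0x80001006 /* A memory allocation error occurred */
#define ERR_BAD_FILE 0x80001007 /* File error occurred */
#define ERR_BAD_DATA 0x80001008 /* data read from a stream were bad */
#define ERR_BAD_SIZE 0x80001009 /* the size of the data to send to the TPM is too large */
#define ERR_BUFFER 0x8000100a /* the size of the buffer is too small */
#define ERR_STRUCTURE 0x8000100b /* this is not the stream for the structure to be parsed */
#define ERR_NOT_FOUND 0x8000100c /* searched item could not be found */
#define ERR_ENV_VARIABLE 0x8000100d /* environment variable is not set */
#define ERR_NO_TRANSPORT 0x8000100e /* no transport allowed for this ordinal */
#define ERR_BADRESPONSETAG 0x8000100f /* bad response tag in message */
#define ERR_SIGNATURE 0x80001010 /* bad signature */
#define ERR_PCR_LIST_NOT_IMA 0x80001011 /* PCR values do not correspond to that in IMA */
#define ERR_CHECKSUM 0x80001012 /* Checksum not correct */
#define ERR_BAD_RESP 0x80001013 /* response from TPM not formatted correctly */
#define ERR_BAD_SESSION_TYPE 0x80001014 /* session type choice is not good */

#define ERR_LAST 0x80001015 /* keep this as the last error code !!!! */

/* Fixed sizes of the TPM 1.2 wire format (SHA-1 digests and nonces). */
#define TPM_MAX_BUFF_SIZE 4096
#define TPM_HASH_SIZE 20
#define TPM_NONCE_SIZE 20

#define TPM_U16_SIZE 2
#define TPM_U32_SIZE 4

/* Byte offsets of the header fields in a TPM command/response:
 * tag (u16), paramSize (u32), returnCode (u32), then the payload. */
#define TPM_PARAMSIZE_OFFSET TPM_U16_SIZE
#define TPM_RETURN_OFFSET ( TPM_U16_SIZE + TPM_U32_SIZE )
#define TPM_DATA_OFFSET ( TPM_RETURN_OFFSET + TPM_U32_SIZE )

/* Big-endian (network order, as the TPM expects) 32/16-bit stores and loads
 * at a byte offset into buffer; the N variants do no byte swapping.  All
 * arguments are parenthesized so expressions can be passed.
 * NOTE(review): these go through a cast pointer, i.e. an unaligned,
 * type-punned access; it works on the x86 targets this builds for, but a
 * memcpy-based form would be portable and strict-aliasing clean. */
#define STORE32(buffer,offset,value) { *(uint32_t *)&(buffer)[(offset)] = htonl(value); }
#define STORE16(buffer,offset,value) { *(uint16_t *)&(buffer)[(offset)] = htons(value); }
#define STORE32N(buffer,offset,value) { *(uint32_t *)&(buffer)[(offset)] = (value); }
#define STORE16N(buffer,offset,value) { *(uint16_t *)&(buffer)[(offset)] = (value); }
#define LOAD32(buffer,offset) ( ntohl(*(uint32_t *)&(buffer)[(offset)]) )
#define LOAD16(buffer,offset) ( ntohs(*(uint16_t *)&(buffer)[(offset)]) )
#define LOAD32N(buffer,offset) ( *(uint32_t *)&(buffer)[(offset)] )
#define LOAD16N(buffer,offset) ( *(uint16_t *)&(buffer)[(offset)] )

/* Serialized size of a TPM_CURRENT_TICKS structure.  TPM_STRUCTURE_TAG is
 * defined in a header not shown here (tpm_types.h or tpm_structures.h,
 * presumably). */
#define TPM_CURRENT_TICKS_SIZE (sizeof(TPM_STRUCTURE_TAG)+2*TPM_U32_SIZE+TPM_U16_SIZE+TPM_NONCE_SIZE)

/* Command/response buffer: size is the capacity of buffer[], used the number
 * of valid bytes, flags a BUFFER_FLAG_* bitmask. */
struct tpm_buffer
{
    uint32_t size;
    uint32_t used;
    uint32_t flags;
    unsigned char buffer[TPM_MAX_BUFF_SIZE];
};

enum {
    BUFFER_FLAG_ON_STACK = 1,   /* not heap-allocated; must not be freed */
};

/* Declare a zero-length stack buffer X.  Supplies its own ';' (callers use
 * it as a bare declaration). */
#define STACK_TPM_BUFFER(X) \
    struct tpm_buffer X = { \
        .size = sizeof( X.buffer ), \
        .used = 0, \
        .flags = BUFFER_FLAG_ON_STACK, \
        .buffer = ""};
#define RESET_TPM_BUFFER(X) \
    (X)->used = 0
/* Declare X as a heap buffer of S bytes; also supplies its own ';'. */
#define ALLOC_TPM_BUFFER(X,S) \
    struct tpm_buffer *X = TSS_AllocTPMBuffer(S);
#define FREE_TPM_BUFFER(X) \
    TSS_FreeTPMBuffer(X)
/* Replace X's contents with len bytes from src.  The copy is silently
 * truncated to X's capacity.
 * NOTE(review): the trailing ';' after while (0) is kept for compatibility
 * with existing callers, but it means this macro cannot be the body of an
 * if/else without braces. */
#define SET_TPM_BUFFER(X, src, len) \
    do { \
        uint32_t to_copy = (X)->size > (len) ? (len) : (X)->size; \
        memcpy((X)->buffer, (src), to_copy); \
        (X)->used = to_copy; \
    } while (0);
#define IS_TPM_BUFFER_EMPTY(X) \
    ((X)->used == 0)

/* Heap-allocate a buffer able to hold len bytes (implemented in lib/).
 * NOTE(review): len is int while sizes elsewhere are uint32_t; values
 * stay far below INT_MAX given TPM_MAX_BUFF_SIZE, but the mismatch is
 * worth knowing about. */
struct tpm_buffer *TSS_AllocTPMBuffer(int len);

/* Allocate a new heap buffer and copy orig's used bytes into it.
 * Returns NULL when orig is NULL or the allocation fails.
 * NOTE(review): the 20 bytes of headroom match TPM_HASH_SIZE/TPM_NONCE_SIZE,
 * presumably room for an appended digest or nonce -- confirm with callers. */
static inline struct tpm_buffer *clone_tpm_buffer(struct tpm_buffer *orig) {
    struct tpm_buffer * buf;

    if (orig == NULL) {
        return NULL;
    }
    buf = TSS_AllocTPMBuffer(orig->used + 20);
    if (buf) {
        SET_TPM_BUFFER(buf, orig->buffer, orig->used);
    }
    return buf;
}

/* Pick b on x86-64 and a elsewhere; presumably two spellings of a printf
 * format that differ in integer width -- confirm at the use sites. */
#if defined (__x86_64__)
#define OUT_FORMAT(a,b) b
#else
#define OUT_FORMAT(a,b) a
#endif

#endif
-------------------------------------------------------------------------------- /swtpm-utils/include/tpm_constants.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/momiji/tpm-luks/1ea9ad32ca938fcc04f753f8970558a9906fe22b/swtpm-utils/include/tpm_constants.h -------------------------------------------------------------------------------- /swtpm-utils/include/tpm_lowlevel.h: --------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM Low Level Transport */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: tpm_lowlevel.h 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer.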
*/ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#ifndef TPM_LOWLEVEL_H
#define TPM_LOWLEVEL_H

#include "tpm.h"

/*
 * Low-level transport table: how a command buffer reaches the (real or
 * emulated) TPM and how the reply comes back.  Each entry returns 0 on
 * success, non-zero otherwise.
 *
 *   open   opens the transport and stores its descriptor in *fd
 *   close  closes a descriptor returned by open
 *   send   transmits tb; `msg` is presumably a label for logging -- confirm
 *          in the implementations
 *   recv   fills tb with the reply
 *
 * NOTE(review): with the TCP socket transport the peer is whatever listens
 * on that port, not necessarily a TPM chip.  Callers that parse what recv()
 * puts into tb should therefore treat it as untrusted input and bound every
 * length field by tb->used.
 */
struct tpm_transport
{
	uint32_t (*open)(int *fd);
	uint32_t (*close)(int fd);
	uint32_t (*send)(int fd, struct tpm_buffer *tb, const char *msg);
	uint32_t (*recv)(int fd, struct tpm_buffer *tb);
};

/* Selector values for TPM_LowLevel_Transport_Init(). */
enum {
	TPM_LOWLEVEL_TRANSPORT_CHARDEV = 1,  /* character device */
	TPM_LOWLEVEL_TRANSPORT_TCP_SOCKET,   /* TCP socket */
	TPM_LOWLEVEL_TRANSPORT_UNIXIO,       /* UNIX-domain I/O */
	TPM_LOWLEVEL_TRANSPORT_CCA           /* no *_Set() function is declared for this one below */
};

/* Install one of the built-in transports as the active one. */
void TPM_LowLevel_TransportSocket_Set(void);
void TPM_LowLevel_TransportUnixIO_Set(void);
void TPM_LowLevel_TransportCharDev_Set(void);
/* Select the active transport by TPM_LOWLEVEL_TRANSPORT_* value. */
void TPM_LowLevel_Transport_Init(int choice);
/* Query / set whether a virtual TPM is in use; the meaning of `state` and
 * of the return values is defined by the implementation, not visible here. */
int TPM_LowLevel_Use_VTPM(void);
int TPM_LowLevel_VTPM_Set(int state);

#endif
*/ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#ifndef TPMKEYS_H
#define TPMKEYS_H
#include "tpm.h"
#include "tpm_structures.h"
/* NOTE(review): the target of the next include was lost in extraction;
 * restore it from the upstream file. */
#include

/* Upper bound on the RSA modulus size in bits; sizes the embedded modulus array. */
#ifndef TPM_MAXIMUM_KEY_SIZE
#define TPM_MAXIMUM_KEY_SIZE 4096
#endif


/*
 * "_EMB" (embedded) variants of the TPM key structures: every variable
 * length field lives inline in a fixed-capacity array with an explicit
 * `size`, so a whole key is one flat C object with no pointers to manage.
 *
 * NOTE(review): `size` is a count a parser fills in; whatever deserialises
 * these from TPM output must reject sizes above the array capacity before
 * copying -- nothing in this header enforces that bound.
 */
#define TPM_SIZED_BUFFER_EMB(SIZE_OF_BUFFER,uniq,name) \
	struct uniq { \
		uint32_t size; \
		BYTE buffer[SIZE_OF_BUFFER]; \
	} name


/* RSA key parameters with the public exponent embedded (up to 3 bytes). */
typedef struct tdTPM_RSA_KEY_PARMS_EMB {
	uint32_t keyLength;
	uint32_t numPrimes;
	uint32_t exponentSize;  /* bytes of exponent[] in use; must be <= 3 */
	BYTE exponent[3];
} TPM_RSA_KEY_PARMS_EMB;


/* Symmetric key parameters; IV capacity is fixed at 256 bytes. */
typedef struct tdTPM_SYMMETRIC_KEY_PARMS_EMB {
	uint32_t keyLength;
	uint32_t blockSize;
	uint32_t ivSize;        /* bytes of IV[] in use; must be <= sizeof IV */
	BYTE IV[256];
} TPM_SYMMETRIC_KEY_PARMS_EMB;

/* Algorithm selector plus the matching parameter block (which union member
 * is valid follows from algorithmID). */
typedef struct tdTPM_KEY_PARMS_EMB {
	TPM_ALGORITHM_ID algorithmID; /* This SHALL be the key algorithm in use */
	TPM_ENC_SCHEME encScheme;     /* This SHALL be the encryption scheme that the key uses to encrypt
	                                 information */
	TPM_SIG_SCHEME sigScheme;     /* This SHALL be the signature scheme that the key uses to perform
	                                 digital signatures */
	union {
		TPM_RSA_KEY_PARMS_EMB rsaKeyParms;
		TPM_SYMMETRIC_KEY_PARMS_EMB symKeyParms;
	} u;
} TPM_KEY_PARMS_EMB;


/* Public key with the modulus held inline (TPM_MAXIMUM_KEY_SIZE/8 bytes capacity). */
typedef struct tdTPM_STORE_PUBKEY_EMB {
	uint32_t keyLength;     /* bytes of modulus[] in use */
	BYTE modulus[TPM_MAXIMUM_KEY_SIZE/8];
} TPM_STORE_PUBKEY_EMB;


/* Key blob in the TPM_STRUCT_VER-versioned (1.1-style) layout. */
typedef struct tdTPM_KEY_EMB {
	TPM_STRUCT_VER ver;
	TPM_KEY_USAGE keyUsage;
	TPM_KEY_FLAGS keyFlags;
	TPM_AUTH_DATA_USAGE authDataUsage;
	TPM_KEY_PARMS_EMB algorithmParms;
	TPM_SIZED_BUFFER_EMB(256,
	                     pcrInfo_TPM_KEY_EMB, pcrInfo);   /* PCR binding info, up to 256 bytes */
	TPM_STORE_PUBKEY_EMB pubKey;
	TPM_SIZED_BUFFER_EMB(1024, encData_TPM_KEY_EMB, encData); /* opaque encrypted blob, up to 1024 bytes */
} TPM_KEY_EMB;


/* Key blob in the TPM_STRUCTURE_TAG-tagged (1.2-style) layout; same
 * payload as TPM_KEY_EMB, only the header word differs. */
typedef struct tdTPM_KEY12_EMB {
	TPM_STRUCTURE_TAG tag;
	uint16_t fill;
	TPM_KEY_USAGE keyUsage;
	TPM_KEY_FLAGS keyFlags;
	TPM_AUTH_DATA_USAGE authDataUsage;
	TPM_KEY_PARMS_EMB algorithmParms;
	TPM_SIZED_BUFFER_EMB(256,
	                     pcrInfo_TPM_KEY12_EMB, pcrInfo);
	TPM_STORE_PUBKEY_EMB pubKey;
	TPM_SIZED_BUFFER_EMB(1024, encData_TPM_KEY12_EMB, encData);
} TPM_KEY12_EMB;

/* Public half of a key as the library passes it around. */
typedef struct pubkeydata
{
	TPM_KEY_PARMS_EMB algorithmParms;
	TPM_STORE_PUBKEY_EMB pubKey;
	TPM_SIZED_BUFFER_EMB(256,
	                     pcrInfo_pubkeydata, pcrInfo);
} pubkeydata;

/* Library-side key record: the header word of either layout (only one
 * union member is meaningful, depending on which format was parsed), the
 * common header fields, the public half and the encrypted blob. */
typedef struct keydata
{
	union {
		TPM_STRUCT_VER ver;    /* TPM_KEY layout */
		TPM_STRUCTURE_TAG tag; /* TPM_KEY12 layout */ // 1
	} v;
	TPM_KEY_USAGE keyUsage;                // 2
	TPM_KEY_FLAGS keyFlags;                // 3
	TPM_AUTH_DATA_USAGE authDataUsage;     // 4
	pubkeydata pub;
	TPM_SIZED_BUFFER_EMB(1024, encData_keydata, encData);
} keydata;


#endif
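#ifndef TPMUTIL_H
#define TPMUTIL_H

/* NOTE(review): the four include targets were lost in extraction; the ones
 * below are reconstructed from the types this header needs (uint32_t;
 * AES_KEY; TPM_COUNTER_VALUE/TPM_RESULT/TPM_DIGEST/TPM_ALGORITHM_ID;
 * session) -- confirm against the upstream file. */
#include <stdint.h>

#include <openssl/aes.h>

#include "tpm_structures.h"

#include "oiaposap.h"

#ifdef MIN
#undef MIN
#endif

/* Fully parenthesised so the macro is safe inside a larger expression:
 * without the outer pair `MIN(a,b) + 1` parses as `a < b ? a : (b + 1)`.
 * Arguments are still evaluated twice -- do not pass expressions with
 * side effects. */
#define MIN(x,y) ((x) < (y) ? (x) : (y))

#define TPM_COUNTER_VALUE_SIZE 10

#define TPM_MAX_TRANSPORTS 10

/* AES requires data lengths that are a multiple of the block size */
#define TPM_AES_BITS 128
/* The AES block size is always 16 bytes */
#define TPM_AES_BLOCK_SIZE 16


struct tpm_buffer;
/* Declared here so the TPM_LowLevel_Transport_Set() prototype below refers
 * to the type from tpm_lowlevel.h rather than a prototype-scoped one. */
struct tpm_transport;

/* Buffer / message helpers (tpmutil.c). */
uint32_t TSS_getsize(unsigned char *rsp);
int TSS_gennonce(unsigned char *nonce);
int TSS_buildbuff(char *format,struct tpm_buffer *, ...);
int TSS_parsebuff(char *format,const struct tpm_buffer *, uint32_t offset, ...);
uint32_t TPM_Transmit(struct tpm_buffer *,const char *msg);
uint32_t TPM_Send(struct tpm_buffer *,const char *);
int TPM_setlog(int flag);
void TSS_sha1(void *input, unsigned int len, unsigned char *output);
uint32_t TSS_SHAFile(const char *filename, unsigned char *hash);
void showBuff(unsigned char* buff, char* string);

/* Delegation blob cache (delegation.c). */
uint32_t TPM_GetDelegationBlob(uint32_t etype,
                               uint32_t keyhandle,
                               unsigned char *passHash,
                               unsigned char *buffer, uint32_t *bufferSize);
uint32_t TPM_AddDelegationBlob(uint32_t etype,
                               uint32_t keyhandle,
                               unsigned char *oldPassHash,
                               unsigned char *newPassHash,
                               unsigned char *buffer, uint32_t bufferSize);
uint32_t TPM_ResetDelegation(void);


/* Ordinal auditing (auditing.c). */
uint32_t _TPM_AuditInputstream(const struct tpm_buffer *req, int is_encrypted);
uint32_t _TPM_AuditOutputstream(const struct tpm_buffer *res, uint32_t ord,
                                int is_encrypted);
uint32_t _TPM_IsAuditedOrdinal(uint32_t ord, uint32_t *rc);
uint32_t TPM_SetAuditedOrdinal(uint32_t ord);
uint32_t TPM_ClearAuditedOrdinal(uint32_t ord);
uint32_t TPM_SetAuditingCounterValue(TPM_COUNTER_VALUE *cv);
uint32_t TPM_ResetAuditing(void);

uint32_t getNumHandles(uint32_t ord);
uint32_t getNumRespHandles(uint32_t ord);
#if 0
uint32_t TPM_OpenClientSocket(int *sock_fd);
uint32_t TPM_CloseClientSocket(int sock_fd);
uint32_t TPM_TransmitSocket(int sock_fd, struct tpm_buffer *tb);
uint32_t TPM_ReceiveSocket(int sock_fd, struct tpm_buffer *tb);
uint32_t TPM_ReceiveBytes(int sock_fd,
                          unsigned char *buffer,
                          size_t nbytes);
#endif

/* Bounds-checked accessors on a tpm_buffer; prefer these over the raw
 * LOAD*/STORE* macros when the offset comes from message content. */
uint32_t tpm_buffer_load32 (const struct tpm_buffer *tb, uint32_t offset, uint32_t *val);
uint32_t tpm_buffer_load32N(const struct tpm_buffer *tb, uint32_t offset, uint32_t *val);
uint32_t tpm_buffer_load16 (const struct tpm_buffer *tb, uint32_t offset, uint16_t *val);
uint32_t tpm_buffer_load16N(const struct tpm_buffer *tb, uint32_t offset, uint16_t *val);
uint32_t tpm_buffer_store32(struct tpm_buffer *tb, uint32_t val);
uint32_t tpm_buffer_store(struct tpm_buffer *dest, struct tpm_buffer *src, uint32_t soff, uint32_t slen);

uint32_t parseHash(char *string, unsigned char *hash);
TPM_RESULT TPM_AES_ctr128_Encrypt(unsigned char *data_out,
                                  const unsigned char *data_in,
                                  unsigned long data_size,
                                  const AES_KEY *aes_enc_key,
                                  unsigned char ctr[TPM_AES_BLOCK_SIZE]);
TPM_RESULT TPM_MGF1(unsigned char *mask,
                    uint32_t maskLen,
                    const unsigned char *mgfSeed,
                    uint32_t mgfSeedlen);
TPM_RESULT TPM_SHA1(TPM_DIGEST md, ...);
TPM_RESULT TPM_SHA1Init(void **context);
TPM_RESULT TPM_SHA1_Update(void *context, const unsigned char *data, uint32_t length);
TPM_RESULT TPM_SHA1Final(unsigned char *md, void *context);
TPM_RESULT TPM_SHA1Delete(void **context);


#if 0
void TPM_XOR(unsigned char *out,
             const unsigned char *in1,
             const unsigned char *in2,
             size_t length);
#endif

int allowsTransport(uint32_t ord);

void _TPM_getTransportAlgIdEncScheme(TPM_ALGORITHM_ID *algId,
                                     TPM_ENC_SCHEME *encScheme);
void TPM_DetermineSessionEncryption(const session *, int *);

struct tpm_transport *TPM_LowLevel_Transport_Set(struct tpm_transport *new_tp);
void TPM_LowLevel_Transport_Init(int choice);

uint32_t needKeysRoom(uint32_t key1, uint32_t key2, uint32_t key3,
                      uint32_t room);
uint32_t needKeysRoom_Stacked(uint32_t key1);


#endif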
IN NO EVENT SHALL THE COPYRIGHT # 30 | # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # 31 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT # 32 | # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # 33 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # 34 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # 35 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # 36 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # 37 | # # 38 | ################################################################################# 39 | 40 | AM_CFLAGS = -I/usr/linux/include -I../include -Wall -ggdb -Wuninitialized -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -W -DTPM_POSIX -DTPM_V12 -DTPM_NV_DISK -DTPM_AES -DTPM_USE_TAG_IN_STRUCTURE=1 -DTPM_USE_CHARDEV 41 | noinst_LTLIBRARIES = libtpm.la 42 | 43 | 44 | noinst_HEADERS = tpmfunc.h \ 45 | tpm.h \ 46 | tpmkeys.h \ 47 | tpm_constants.h \ 48 | tpm_error.h \ 49 | tpm_structures.h \ 50 | tpmutil.h \ 51 | tpm_types.h \ 52 | tpm_lowlevel.h \ 53 | oiaposap.h 54 | 55 | libtpm_la_SOURCES = auditing.c bind.c chgauth.c context.c \ 56 | counter.c daa.c debug.c delegation.c dir.c \ 57 | eviction.c hmac.c identity.c keys.c keyswap.c \ 58 | maintenance.c management.c migrate.c miscfunc.c nv.c \ 59 | oiaposap.c optin.c owner.c ownertpmdiag.c \ 60 | pcrs.c raw.c rng.c seal.c serialize.c session.c \ 61 | sha.c signature.c startup.c testing.c \ 62 | ticks.c tpmutil.c tpmutil_sock.c tpmutil_tty.c tpmutil_unixio.c \ 63 | transport.c 64 | 65 | -------------------------------------------------------------------------------- /swtpm-utils/lib/context.c: -------------------------------------------------------------------------------- 1 | /********************************************************************************/ 2 | /* */ 3 | /* TPM Context Management Routines */ 4 | /* Written by S. 
Berger */ 5 | /* IBM Thomas J. Watson Research Center */ 6 | /* $Id: context.c 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
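/*
 * TPM_SaveKeyContext: ask the TPM for an opaque context blob describing the
 * loaded key `keyhandle` (ordinal TPM_ORD_SaveKeyContext).
 *
 * keyhandle  handle of the loaded key
 * context    receives the blob (truncated to the buffer's capacity by
 *            SET_TPM_BUFFER); NULL runs the command and discards the blob
 *
 * Returns 0 on success, otherwise a TPM return code or an ERR_* value;
 * ERR_BAD_RESP when the length the TPM reports exceeds the bytes received.
 */
uint32_t TPM_SaveKeyContext(uint32_t keyhandle,
                            struct tpm_buffer *context)
{
	uint32_t ret;
	uint32_t ordinal_no = htonl(TPM_ORD_SaveKeyContext);
	STACK_TPM_BUFFER(tpmdata)
	uint32_t keyhandle_no = htonl(keyhandle);
	uint32_t len;
	const uint32_t blob_off = TPM_DATA_OFFSET + TPM_U32_SIZE;

	/* key-cache housekeeping for keyhandle (implemented in keyswap.c;
	 * presumably makes sure the key is resident before it is used) */
	ret = needKeysRoom(keyhandle, 0, 0, 0);
	if (ret != 0) {
		return ret;
	}

	ret = TSS_buildbuff("00 c1 T l l", &tpmdata,
	                    ordinal_no,
	                    keyhandle_no);
	if ((ret & ERR_MASK) != 0) {
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "SaveKeyContext");
	if (ret != 0) {
		return ret;
	}

	/* response body: uint32 length, followed by `length` bytes of blob */
	ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, &len);
	if ((ret & ERR_MASK)) {
		return ret;
	}

	/* `len` comes from the far end of the transport (which may be a socket
	 * rather than a TPM chip).  Bound it by what was actually received so a
	 * short or malformed reply cannot copy stale stack bytes into `context`. */
	if (tpmdata.used < blob_off || len > tpmdata.used - blob_off) {
		return ERR_BAD_RESP;
	}

	if (NULL != context) {
		SET_TPM_BUFFER(context, &tpmdata.buffer[blob_off], len);
	}

	return ret;
}


/*
 * TPM_LoadKeyContext: hand a blob produced by TPM_SaveKeyContext back to the
 * TPM and obtain a fresh handle for the key (ordinal TPM_ORD_LoadKeyContext).
 *
 * context    the saved blob; context->used bytes are sent
 * keyhandle  receives the new key handle
 *
 * Returns 0 on success, ERR_NULL_ARG for a NULL argument, otherwise a TPM
 * return code or an ERR_* value.
 */
uint32_t TPM_LoadKeyContext(struct tpm_buffer *context,
                            uint32_t *keyhandle)
{
	uint32_t ret;
	uint32_t ordinal_no = htonl(TPM_ORD_LoadKeyContext);
	STACK_TPM_BUFFER(tpmdata)

	/* both pointers are dereferenced unconditionally below; fail cleanly */
	if (NULL == context || NULL == keyhandle) {
		return ERR_NULL_ARG;
	}

	ret = TSS_buildbuff("00 c1 T l @", &tpmdata,
	                    ordinal_no,
	                    context->used, context->buffer);
	if ((ret & ERR_MASK) != 0) {
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "LoadKeyContext");
	if (ret != 0) {
		return ret;
	}

	ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, keyhandle);
	if ((ret & ERR_MASK)) {
		return ret;
	}

	return ret;
}




/*
 * TPM_SaveAuthContext: save authorization session `authhandle` into an
 * opaque blob (ordinal TPM_ORD_SaveAuthContext).
 *
 * authContextBlob  destination, or NULL to run the command without copying
 * authContextSize  in: capacity of authContextBlob; out: bytes written (the
 *                  TPM's length, capped at the capacity).  Must be non-NULL
 *                  whenever authContextBlob is.
 *
 * Returns 0 on success, ERR_NULL_ARG / ERR_BAD_RESP for argument and reply
 * problems, otherwise a TPM return code or an ERR_* value.
 */
uint32_t TPM_SaveAuthContext(uint32_t authhandle,
                             unsigned char * authContextBlob, uint32_t * authContextSize)
{
	uint32_t ret;
	uint32_t ordinal_no = htonl(TPM_ORD_SaveAuthContext);
	STACK_TPM_BUFFER(tpmdata)
	uint32_t authhandle_no = htonl(authhandle);
	uint32_t len;
	const uint32_t blob_off = TPM_DATA_OFFSET + TPM_U32_SIZE;

	if (NULL != authContextBlob && NULL == authContextSize) {
		return ERR_NULL_ARG;
	}

	ret = TSS_buildbuff("00 c1 T l l", &tpmdata,
	                    ordinal_no,
	                    authhandle_no);
	if ((ret & ERR_MASK) != 0) {
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "SaveAuthContext");
	if (ret != 0) {
		return ret;
	}

	ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, &len);
	if ((ret & ERR_MASK)) {
		return ret;
	}

	/* The copy below is limited only by the caller's capacity, so an
	 * oversized `len` from a misbehaving transport could read stale or
	 * out-of-bounds stack bytes.  Bound it by the bytes received first. */
	if (tpmdata.used < blob_off || len > tpmdata.used - blob_off) {
		return ERR_BAD_RESP;
	}

	if (NULL != authContextBlob) {
		/* write the smaller of the TPM's length and the caller's capacity */
		if (len < *authContextSize) {
			*authContextSize = len;
		}
		memcpy(authContextBlob,
		       &tpmdata.buffer[blob_off],
		       *authContextSize);
	}

	return ret;
}


/*
 * TPM_LoadAuthContext: restore an authorization session from a blob made by
 * TPM_SaveAuthContext and return its new handle (ordinal TPM_ORD_LoadAuthContext).
 *
 * authContextBlob  the saved blob (authContextSize bytes)
 * authContextSize  its length
 * authhandle       receives the new session handle
 *
 * Returns 0 on success, ERR_NULL_ARG for a NULL authhandle or a NULL blob
 * with a non-zero size, otherwise a TPM return code or an ERR_* value.
 */
uint32_t TPM_LoadAuthContext(unsigned char *authContextBlob, uint32_t authContextSize,
                             uint32_t *authhandle)
{
	uint32_t ret;
	uint32_t ordinal_no = htonl(TPM_ORD_LoadAuthContext);
	STACK_TPM_BUFFER(tpmdata)

	if (NULL == authhandle ||
	    (NULL == authContextBlob && authContextSize != 0)) {
		return ERR_NULL_ARG;
	}

	ret = TSS_buildbuff("00 c1 T l @", &tpmdata,
	                    ordinal_no,
	                    authContextSize, authContextBlob);
	if ((ret & ERR_MASK) != 0) {
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "LoadAuthContext");
	if (ret != 0) {
		return ret;
	}

	ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, authhandle);
	if ((ret & ERR_MASK)) {
		return ret;
	}

	return ret;
}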
Watson Research Center */ 6 | /* $Id: debug.c 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
/*
 * Hex-dump `len` bytes of `data` to stdout under the heading `name`: the
 * heading on its own line, then "0x%02X " per byte with a line break after
 * every 16th byte, and a final newline.  Debug aid only.
 */
void print_array(const char *name, const unsigned char *data, unsigned int len)
{
	unsigned int idx;

	printf("%s \n", name);
	for (idx = 0; idx < len; idx++) {
		printf("0x%02X ", data[idx]);
		/* wrap after every 16th byte */
		if ((idx + 1) % 16 == 0) {
			printf("\n");
		}
	}
	printf("\n");
}
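/*
 * TPM_DirWriteAuth: write a TPM_HASH_SIZE-byte value into DIR register
 * `dirIndex` under an owner-authorized session (ordinal TPM_ORD_DirWriteAuth).
 *
 * dirIndex   DIR register number
 * newValue   TPM_HASH_SIZE bytes to store
 * ownerAuth  owner authorization secret, passed to TSS_SessionOpen (the
 *            HMAC call below treats the session auth as TPM_HASH_SIZE bytes)
 *
 * Returns 0 on success, ERR_NULL_ARG for NULL pointers, ERR_CRYPT_ERR if no
 * nonce could be generated, otherwise a TPM return code or an ERR_* value.
 * Once opened, the session is closed on every return path.
 */
uint32_t TPM_DirWriteAuth(uint32_t dirIndex,
                          unsigned char * newValue,
                          unsigned char * ownerAuth)
{
	STACK_TPM_BUFFER(tpmdata)
	uint32_t ordinal_no = htonl(TPM_ORD_DirWriteAuth);
	uint32_t ret;
	uint32_t dirIndex_no = htonl(dirIndex);

	unsigned char nonceodd[TPM_NONCE_SIZE];
	unsigned char authdata[TPM_NONCE_SIZE];
	session sess;
	int c = 0;  /* sent as the trailing 'o' byte, presumably continueAuthSession = no */

	/* check input arguments */
	if (NULL == ownerAuth ||
	    NULL == newValue) {
		return ERR_NULL_ARG;
	}


	/* Open an owner-entity session; any of DSAP/OSAP/OIAP is acceptable */
	ret = TSS_SessionOpen(SESSION_DSAP | SESSION_OSAP | SESSION_OIAP,
	                      &sess,
	                      ownerAuth, TPM_ET_OWNER, 0);
	if (ret != 0)
		return ret;

	/* generate odd nonce; TSS_gennonce() reports failure as 0.  The session
	 * is already open at this point, so release it on this error path too
	 * (it used to leak here). */
	ret = TSS_gennonce(nonceodd);
	if (0 == ret) {
		TSS_SessionClose(&sess);
		return ERR_CRYPT_ERR;
	}

	/* move network byte order data to variables for the HMAC calculation */
	ret = TSS_authhmac(authdata, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
	                   TSS_Session_GetENonce(&sess), nonceodd, c,
	                   TPM_U32_SIZE, &ordinal_no,
	                   TPM_U32_SIZE, &dirIndex_no,
	                   TPM_HASH_SIZE, newValue,
	                   0, 0);
	if (0 != ret) {
		TSS_SessionClose(&sess);
		return ret;
	}

	/* build the request buffer */
	ret = TSS_buildbuff("00 c2 T l l % L % o %", &tpmdata,
	                    ordinal_no,
	                    dirIndex_no,
	                    TPM_HASH_SIZE, newValue,
	                    TSS_Session_GetHandle(&sess),
	                    TPM_HASH_SIZE, nonceodd,
	                    c,
	                    TPM_HASH_SIZE, authdata);
	if ((ret & ERR_MASK)) {
		TSS_SessionClose(&sess);
		return ret;
	}

	/* transmit the request buffer to the TPM device and read the reply */
	ret = TPM_Transmit(&tpmdata, "DirWriteAuth");
	TSS_SessionClose(&sess);

	if (ret != 0) {
		return ret;
	}

	/* check the HMAC in the response.  As upstream does, this reads the
	 * session's auth after TSS_SessionClose(); that relies on the close
	 * leaving the struct intact -- verify in oiaposap.c if this is touched. */
	ret = TSS_checkhmac1(&tpmdata, ordinal_no, nonceodd,
	                     TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
	                     0, 0);

	return ret;
}


/*
 * TPM_DirRead: read the TPM_HASH_SIZE-byte value of DIR register `dirIndex`
 * (ordinal TPM_ORD_DirRead); no authorization is involved.
 *
 * dirIndex        DIR register number
 * dirValueBuffer  receives TPM_HASH_SIZE bytes; NULL just runs the command
 *
 * Returns 0 on success, ERR_BAD_RESP if the reply is not exactly
 * TPM_DATA_OFFSET + TPM_HASH_SIZE bytes (nothing is copied in that case),
 * otherwise a TPM return code or an ERR_* value.
 */
uint32_t TPM_DirRead(uint32_t dirIndex,
                     unsigned char * dirValueBuffer)
{
	uint32_t ret;
	uint32_t ordinal_no = htonl(TPM_ORD_DirRead);
	STACK_TPM_BUFFER(tpmdata)
	uint32_t dirIndex_no = htonl(dirIndex);

	ret = TSS_buildbuff("00 c1 T l l", &tpmdata,
	                    ordinal_no,
	                    dirIndex_no);
	if ((ret & ERR_MASK)) {
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "DirRead");
	if (ret != 0) {
		return ret;
	}

	/* Reject a malformed reply before copying: previously a bad-length
	 * response still had 20 bytes copied into the caller's buffer. */
	if (tpmdata.used != TPM_DATA_OFFSET + TPM_HASH_SIZE) {
		return ERR_BAD_RESP;
	}

	if (NULL != dirValueBuffer) {
		memcpy(dirValueBuffer,
		       &tpmdata.buffer[TPM_DATA_OFFSET],
		       TPM_HASH_SIZE);
	}

	return ret;
}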
-------------------------------------------------------------------------------- /swtpm-utils/lib/eviction.c: -------------------------------------------------------------------------------- 1 | /********************************************************************************/ 2 | /* */ 3 | /* TPM Eviction Routines */ 4 | /* Written by S. Berger */ 5 | /* IBM Thomas J. Watson Research Center */ 6 | /* $Id: eviction.c 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT */
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
/********************************************************************************/

/* NOTE(review): the header names on the #include lines below were lost when
 * this listing was rendered (angle-bracketed text stripped); restore them
 * from the original file before building. */
#include
#include
#include
#ifdef TPM_POSIX
#include
#endif
#ifdef TPM_WINDOWS
#include
#endif
#include
#include
#include
#include
#include
#include
#include

/*
 * TPM_FlushSpecific - ask the TPM to evict the resource `handle` of type
 * `resourceType` (TPM_ORD_FlushSpecific, unauthorized command).
 *
 * handle       : handle of the loaded resource to flush
 * resourceType : its resource type (TPM_RT_* value)
 *
 * Returns 0 on success, the TSS_buildbuff() error, or the transport/TPM
 * error.  (The original carried a disabled needKeysRoom() call for key
 * handles under #if 0; it was dead code and is not reproduced.)
 */
uint32_t TPM_FlushSpecific(uint32_t handle,
                           uint32_t resourceType)
{
	STACK_TPM_BUFFER(tpmdata)
	const uint32_t ord_no  = htonl(TPM_ORD_FlushSpecific);
	const uint32_t hdl_no  = htonl(handle);
	const uint32_t type_no = htonl(resourceType);
	uint32_t rc;

	/* request body: ordinal, handle, resource type, all big-endian */
	rc = TSS_buildbuff("00 c1 T l l l", &tpmdata, ord_no, hdl_no, type_no);
	if (rc & ERR_MASK) {
		return rc;
	}

	return TPM_Transmit(&tpmdata, "FlushSpecific");
}
--------------------------------------------------------------------------------
/swtpm-utils/lib/hmac.h:
--------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM HMAC */
/* Written by S. Berger */
/* IBM Thomas J.
Watson Research Center */ 6 | /* $Id: hmac.h 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
/********************************************************************************/

#ifndef HMAC_H
#define HMAC_H

/* NOTE(review): the header name on the #include line below was lost when
 * this listing was rendered (angle-bracketed text stripped). */
#include

/*
 * Authorization-HMAC helpers used by the TPM command wrappers in this
 * library.  All return 0 on success and a non-zero error code otherwise;
 * every caller in this listing treats any non-zero result as failure.
 *
 * TSS_authhmac: compute the command authorization digest into `digest`
 *   (callers pass a TPM_HASH_SIZE buffer) keyed with `key`/`keylen` (the
 *   session secret), over `h1` (the even nonce from the TPM, as the callers
 *   pass TSS_Session_GetENonce()), `h2` (the odd nonce) and `h3` (the
 *   continueAuthSession flag), followed by (length, pointer) pairs of
 *   parameter data terminated by a 0,0 pair.
 */
uint32_t TSS_authhmac(unsigned char *digest, unsigned char *key, unsigned int keylen,
                      unsigned char *h1, unsigned char *h2, unsigned char h3,...);
/*
 * TSS_checkhmac1 / TSS_checkhmac1New: verify the single-session response
 *   HMAC in `tb` for `command` (ordinal, network byte order) against the
 *   odd nonce `ononce` and the secret `key`/`keylen`; the New variant also
 *   takes the session object.  The trailing variadic pairs are terminated
 *   by 0,0 (only the terminator is used by the callers in this listing;
 *   presumably they select response data to cover - confirm in hmac.c).
 */
uint32_t TSS_checkhmac1(const struct tpm_buffer *tb, uint32_t command, unsigned char *ononce,
                        unsigned char *key, unsigned int keylen, ...);
uint32_t TSS_checkhmac1New(const struct tpm_buffer *tb, uint32_t command, session *sess, unsigned char *ononce,
                           unsigned char *key, unsigned int keylen, ...);
/* TSS_checkhmac2: the two-authorization-session variant of TSS_checkhmac1. */
uint32_t TSS_checkhmac2(const struct tpm_buffer *tb, uint32_t command,
                        unsigned char *ononce1,
                        unsigned char *key1, unsigned int keylen1,
                        unsigned char *ononce2,
                        unsigned char *key2, unsigned int keylen2, ...);
/* TSS_rawhmac: plain HMAC of the (length, pointer) pairs under `key`,
 *   without the nonce/flag framing of TSS_authhmac. */
uint32_t TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned int keylen, ...);

#endif
--------------------------------------------------------------------------------
/swtpm-utils/lib/management.c:
--------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM Administrative Routines */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: management.c 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer.
*/ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
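*/
/********************************************************************************/

/* NOTE(review): the header names on the #include lines below were lost when
 * this listing was rendered (angle-bracketed text stripped); restore them
 * from the original file before building. */
#include
#include
#include
#ifdef TPM_POSIX
#include
#endif
#ifdef TPM_WINDOWS
#include
#endif
#include
#include
#include
#include
#include
#include
#include


/*
 * TPM_SetRedirection - issue TPM_ORD_SetRedirection for key `keyhandle`
 * with selector `redirCmd` and parameters `inputData`, under owner
 * authorization (single auth block, OSAP/DSAP session bound to the key).
 *
 * keyhandle     : handle of the key being redirected (not covered by the
 *                 authorization HMAC, only sent in the request)
 * redirCmd      : redirection command selector
 * inputData     : inputDataSize bytes of redirection parameters
 * inputDataSize : length of inputData
 * ownerAuth     : owner authorization secret (TPM_HASH_SIZE bytes)
 * usageAuth     : accepted for interface compatibility but unused
 *
 * Returns 0 on success, ERR_NULL_ARG for a NULL ownerAuth (or NULL
 * inputData with a non-zero size), ERR_CRYPT_ERR if no nonce could be
 * generated, or the error from needKeysRoom()/session/transport/HMAC.
 *
 * Fixes vs. the original:
 *  - a TSS_gennonce() failure returned 0, i.e. reported success without
 *    ever talking to the TPM; it now returns ERR_CRYPT_ERR;
 *  - the response HMAC is verified before the session is closed.
 */
uint32_t TPM_SetRedirection(uint32_t keyhandle,
                            uint32_t redirCmd,
                            unsigned char * inputData, uint32_t inputDataSize,
                            unsigned char * ownerAuth,
                            unsigned char * usageAuth)
{
	STACK_TPM_BUFFER(tpmdata)
	unsigned char nonceodd[TPM_HASH_SIZE];	/* odd nonce */
	unsigned char authdata[TPM_HASH_SIZE];	/* auth data */
	session sess;
	uint32_t ordinal_no = htonl(TPM_ORD_SetRedirection);
	uint32_t redirCmd_no = htonl(redirCmd);
	uint32_t inputDataSize_no = htonl(inputDataSize);
	uint32_t keyHandle_no = htonl(keyhandle);
	TPM_BOOL c = FALSE;	/* continueAuthSession */
	uint32_t ret;
	(void)usageAuth;

	if (NULL == ownerAuth || (NULL == inputData && inputDataSize != 0)) {
		return ERR_NULL_ARG;
	}

	ret = needKeysRoom(keyhandle, 0, 0, 0);
	if (ret != 0) {
		return ret;
	}

	/* odd nonce; TSS_gennonce() returns 0 on failure */
	if (0 == TSS_gennonce(nonceodd)) {
		return ERR_CRYPT_ERR;
	}

	/* owner-authorized session bound to the key handle */
	ret = TSS_SessionOpen(SESSION_DSAP | SESSION_OSAP, &sess, ownerAuth,
	                      TPM_ET_OWNER, keyhandle);
	if (ret != 0) {
		return ret;
	}

	/* authorization HMAC: ordinal, redirCmd, size and data (the key handle
	 * is deliberately not part of it) */
	ret = TSS_authhmac(authdata, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
	                   TSS_Session_GetENonce(&sess), nonceodd, c,
	                   TPM_U32_SIZE, &ordinal_no,
	                   TPM_U32_SIZE, &redirCmd_no,
	                   TPM_U32_SIZE, &inputDataSize_no,
	                   inputDataSize, inputData,
	                   0, 0);
	if (ret != 0) {
		TSS_SessionClose(&sess);
		return ret;
	}

	/* tag 00c2 (auth1 command) followed by the authorization block */
	ret = TSS_buildbuff("00 c2 T l l l @ L % o %", &tpmdata,
	                    ordinal_no,
	                    keyHandle_no,
	                    redirCmd_no,
	                    inputDataSize, inputData,
	                    TSS_Session_GetHandle(&sess),
	                    TPM_HASH_SIZE, nonceodd,
	                    c,
	                    TPM_HASH_SIZE, authdata);
	if ((ret & ERR_MASK)) {
		TSS_SessionClose(&sess);
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "SetRedirection");
	if (ret == 0) {
		/* verify the reply's HMAC while the session state is intact */
		ret = TSS_checkhmac1(&tpmdata, ordinal_no, nonceodd,
		                     TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
		                     0, 0);
	}
	TSS_SessionClose(&sess);

	return ret;
}

/*
 * TPM_ResetLockValue - issue TPM_ORD_ResetLockValue under owner
 * authorization.  The command carries no parameters beyond the auth block;
 * per the TPM 1.2 command of that name it clears the authorization-failure
 * lockout, so it is owner-only for a reason.
 *
 * ownerAuth : owner authorization secret (TPM_HASH_SIZE bytes)
 *
 * Returns 0 on success, ERR_NULL_ARG for a NULL ownerAuth, ERR_CRYPT_ERR if
 * no nonce could be generated, or the session/transport/HMAC error.
 *
 * Fixes vs. the original: a NULL ownerAuth is rejected up front instead of
 * being handed to the session layer, and the response HMAC is verified
 * before the session is torn down.
 */
uint32_t TPM_ResetLockValue(unsigned char * ownerAuth)
{
	STACK_TPM_BUFFER(tpmdata)
	uint32_t ordinal_no = htonl(TPM_ORD_ResetLockValue);
	unsigned char nonceodd[TPM_NONCE_SIZE];
	unsigned char authdata[TPM_HASH_SIZE];
	TPM_BOOL c = FALSE;	/* continueAuthSession */
	session sess;
	uint32_t ret;

	if (NULL == ownerAuth) {
		return ERR_NULL_ARG;
	}

	/* odd nonce; TSS_gennonce() returns 0 on failure */
	if (0 == TSS_gennonce(nonceodd)) {
		return ERR_CRYPT_ERR;
	}

	ret = TSS_SessionOpen(SESSION_DSAP | SESSION_OSAP | SESSION_OIAP,
	                      &sess, ownerAuth, TPM_ET_OWNER, 0);
	if (ret != 0) {
		return ret;
	}

	/* only the ordinal is covered by the authorization HMAC */
	ret = TSS_authhmac(authdata, TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
	                   TSS_Session_GetENonce(&sess), nonceodd, c,
	                   TPM_U32_SIZE, &ordinal_no,
	                   0, 0);
	if (0 != ret) {
		TSS_SessionClose(&sess);
		return ret;
	}

	ret = TSS_buildbuff("00 c2 T l L % o %", &tpmdata,
	                    ordinal_no,
	                    TSS_Session_GetHandle(&sess),
	                    TPM_HASH_SIZE, nonceodd,
	                    c,
	                    TPM_HASH_SIZE, authdata);
	if ((ret & ERR_MASK) != 0) {
		TSS_SessionClose(&sess);
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "ResetLockValue");
	if (ret == 0) {
		/* verify the reply's HMAC while the session state is intact */
		ret = TSS_checkhmac1(&tpmdata, ordinal_no, nonceodd,
		                     TSS_Session_GetAuth(&sess), TPM_HASH_SIZE,
		                     0, 0);
	}
	TSS_SessionClose(&sess);

	return ret;
}
--------------------------------------------------------------------------------
/swtpm-utils/lib/oiaposap.h:
--------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM Session Routines */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: oiaposap.h 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer. */
/* */
/* Redistributions in binary form must reproduce the above copyright */
/* notice, this list of conditions and the following disclaimer in the */
/* documentation and/or other materials provided with the distribution. */
/* */
/* Neither the names of the IBM Corporation nor the names of its */
/* contributors may be used to endorse or promote products derived from */
/* this software without specific prior written permission. */
/* */
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
/* A PARTICULAR PURPOSE ARE DISCLAIMED.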
IN NO EVENT SHALL THE COPYRIGHT */
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
/********************************************************************************/

#ifndef OIAPOSAP_H
#define OIAPOSAP_H
/* NOTE(review): the header names on the two #include lines below were lost
 * when this listing was rendered (angle-bracketed text stripped). */
#include
#include

/*
 * Client-side state for the TPM 1.2 authorization protocols (OIAP, OSAP,
 * DSAP and transport sessions).
 *
 * Every variant carries the TPM-assigned session handle and the most recent
 * even nonce (`enonce`) received from the TPM; the OSAP and DSAP variants
 * also keep the nonces exchanged while the session was set up and the
 * derived shared secret `ssecret`, which the command wrappers use as the
 * HMAC key (see TPM_RawDataOSAP in raw.c, which passes osap->ssecret and
 * osap->enonce to TSS_authhmac).
 *
 * These structures hold authorization secrets in plain memory.  Treat a
 * live `session` as sensitive: do not copy it around needlessly, and do
 * not log it.
 */
typedef struct osapsess
{
uint32_t handle;	/* TPM session handle */
unsigned char enonce[TPM_NONCE_SIZE];	/* latest even nonce from the TPM */
unsigned char enonceOSAP[TPM_NONCE_SIZE];	/* even nonce of the OSAP setup exchange (by name) */
unsigned char ononceOSAP[TPM_NONCE_SIZE];	/* odd nonce of the OSAP setup exchange (by name) */
unsigned char ssecret[TPM_HASH_SIZE];	/* shared secret; HMAC key for commands */
unsigned char ononce[TPM_NONCE_SIZE];	/* odd nonce (presumably the last one sent) */
uint16_t etype;	/* entity type the session was opened for (TPM_ET_*) */
} osapsess;

/* Same layout as osapsess, for a delegation (DSAP) session. */
typedef struct dsapsess
{
uint32_t handle;	/* TPM session handle */
unsigned char enonce[TPM_NONCE_SIZE];	/* latest even nonce from the TPM */
unsigned char enonceDSAP[TPM_NONCE_SIZE];	/* even nonce of the DSAP setup exchange (by name) */
unsigned char ononceDSAP[TPM_NONCE_SIZE];	/* odd nonce of the DSAP setup exchange (by name) */
unsigned char ssecret[TPM_HASH_SIZE];	/* shared secret; HMAC key for commands */
unsigned char ononce[TPM_NONCE_SIZE];	/* odd nonce (presumably the last one sent) */
uint16_t etype;	/* entity type the session was opened for (TPM_ET_*) */
} dsapsess;

/* OIAP session: no shared secret, the caller's own secret keys the HMAC
 * (see TPM_RawDataOIAP in raw.c). */
typedef struct oiapsess
{
uint32_t handle;	/* TPM session handle */
unsigned char enonce[TPM_NONCE_SIZE];	/* latest even nonce from the TPM */
} oiapsess;

/* Transport session handle and nonce. */
typedef struct transess
{
uint32_t handle;	/* TPM session handle */
unsigned char enonce[TPM_NONCE_SIZE];	/* latest even nonce from the TPM */
} transess;

/*
 * Tagged union over the four session kinds.  `sess_type` is one of the
 * SESSION_* values below and selects the live member of `type`; the
 * accessors TSS_Session_Get*() dispatch on it.
 */
typedef struct session
{
uint32_t sess_type; // see below
union {
oiapsess oiap;
osapsess osap;
dsapsess dsap;
transess tran;
} type;
unsigned char authdata[TPM_AUTHDATA_SIZE];	/* authorization secret (TPM_AUTHDATA_SIZE bytes) */
} session;


/* Session kinds.  They are bit flags: TSS_SessionOpen()'s `allowed_type`
 * is an OR of these (callers pass e.g. SESSION_DSAP|SESSION_OSAP|SESSION_OIAP). */
#define SESSION_OIAP 1
#define SESSION_OSAP 2
#define SESSION_DSAP 4
#define SESSION_TRAN 8

/* Low-level open/close of each session kind.  All return 0 on success. */
uint32_t TSS_HANDclose(uint32_t handle, TPM_RESOURCE_TYPE);
uint32_t TSS_OIAPopen(uint32_t *handle, unsigned char *enonce);
uint32_t TSS_OIAPclose(uint32_t handle);
/* `key` is the authorization secret the shared secret is derived from;
 * `etype`/`evalue` name the entity (e.g. TPM_ET_OWNER / TPM_ET_SRK and
 * a key handle). */
uint32_t TSS_OSAPopen(osapsess *sess,const unsigned char *key, uint16_t etype, uint32_t evalue);
uint32_t TSS_OSAPclose(osapsess *sess);
uint32_t TSS_DSAPopen(dsapsess *sess,
                      unsigned char *key,
                      uint16_t etype,
                      uint32_t keyhandle,
                      unsigned char * evalue, uint32_t evalueSize);
uint32_t TSS_DSAPclose(dsapsess *sess);

/*
 * Generic session API used by the command wrappers.  TSS_SessionOpen()
 * picks one of the kinds allowed by `allowed_type` (bit mask of SESSION_*),
 * fills in `sess` and derives the secret from `passHash` for entity
 * `etype`/`evalue`.  TSS_SessionClose() releases the session with the TPM;
 * whether it also scrubs `sess` is not visible here, so verify the reply
 * HMAC before closing rather than after.
 */
uint32_t TSS_SessionOpen(uint32_t allowed_type,
                         session * sess,
                         unsigned char *passHash, uint16_t etype, uint32_t evalue);
uint32_t TSS_SessionClose(session * sess);
uint32_t TSS_Session_CreateTransport(session *sess,
                                     unsigned char *transAuth,
                                     uint32_t transHandle,
                                     unsigned char *transNonce);
/* Accessors dispatching on sess->sess_type: the HMAC key, the current even
 * nonce (get/set) and the TPM handle of the live session variant. */
unsigned char * TSS_Session_GetAuth(session * sess);
unsigned char * TSS_Session_GetENonce(session * sess);
void TSS_Session_SetENonce(session * sess, const unsigned char *enonce);
uint32_t TSS_Session_GetHandle(session * sess);

#endif
--------------------------------------------------------------------------------
/swtpm-utils/lib/pcrs.h:
--------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM PCR Routines */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: pcrs.h 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved.
*/ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
/********************************************************************************/

#ifndef PCRS_H
#define PCRS_H

/* NOTE(review): TPM 1.2 parts commonly expose 24 PCRs, and the higher
 * indices are the ones boot loaders extend.  If anything sizes an array or
 * bounds an index by this constant, confirm it covers every PCR tpm-luks
 * seals against (see tpm-luks-gen-tgrub2-pcr-values). */
#define TPM_PCR_NUM 16 /* number of PCR registers supported */
#define TPM_PCR_MASK_SIZE 2 /* size in bytes of PCR bit mask */

/* Read PCR `pcrindex` into `pcrvalue` (caller supplies room for one
 * digest).  Returns 0 on success, non-zero otherwise; behaviour for an
 * out-of-range index is defined in pcrs.c, not here. */
uint32_t TPM_PcrRead(uint32_t pcrindex, unsigned char *pcrvalue);
/* Commented-out declaration kept as in the original. */
//uint32_t TSS_GenPCRInfo(uint32_t pcrmap, unsigned char *pcrinfo, unsigned int *len);

#endif
--------------------------------------------------------------------------------
/swtpm-utils/lib/raw.c:
--------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM Test Routines to detect bugs */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: raw.c 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved. */
/* */
/* Redistribution and use in source and binary forms, with or without */
/* modification, are permitted provided that the following conditions are */
/* met: */
/* */
/* Redistributions of source code must retain the above copyright notice, */
/* this list of conditions and the following disclaimer. */
/* */
/* Redistributions in binary form must reproduce the above copyright */
/* notice, this list of conditions and the following disclaimer in the */
/* documentation and/or other materials provided with the distribution. */
/* */
/* Neither the names of the IBM Corporation nor the names of its */
/* contributors may be used to endorse or promote products derived from */
/* this software without specific prior written permission.
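*/
/* */
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
/********************************************************************************/

/* NOTE(review): the header names on the #include lines below were lost when
 * this listing was rendered (angle-bracketed text stripped); restore them
 * from the original file before building. */
#include
#include
#include
#ifdef TPM_POSIX
#include
#endif
#ifdef TPM_WINDOWS
#include
#endif
#include
#include
#include
#include
#include
#include
#include


/*
 * TPM_RawDataRaw - send an unauthorized command consisting of `ordinal`
 * followed by `datalen` raw bytes of `data`, with no further framing.
 * This file is a bug-detection harness ("TPM Test Routines to detect
 * bugs"): the caller chooses the payload, nothing is validated.
 *
 * ordinal : command ordinal in host order (converted to big-endian here)
 * data    : raw parameter bytes, datalen of them
 * datalen : byte count
 *
 * Returns 0 on success, ERR_NULL_ARG for NULL data with a non-zero length,
 * the TSS_buildbuff() error, or the transport/TPM error.
 */
uint32_t TPM_RawDataRaw(uint32_t ordinal,
                        unsigned char * data,
                        uint32_t datalen)
{
	STACK_TPM_BUFFER(tpmdata)
	uint32_t ordinal_no = htonl(ordinal);
	uint32_t ret;

	if (NULL == data && datalen != 0) {
		return ERR_NULL_ARG;
	}

	ret = TSS_buildbuff("00 c1 T l %", &tpmdata,
	                    ordinal_no,
	                    datalen, data);
	if ((ret & ERR_MASK)) {
		return ret;
	}

	return TPM_Transmit(&tpmdata, "* RawData - Raw *");
}


/*
 * TPM_RawDataOIAP - send `ordinal` + `data` under a fresh OIAP session,
 * with the authorization HMAC keyed directly by `ownerauth`.  Test helper:
 * the request is built by hand.
 *
 * NOTE(review): the request tag is "00 c1" even though an authorization
 * block is appended (the regular wrappers in this library use "00 c2" for
 * that), and the session handle is emitted with the "l" conversion whereas
 * the regular wrappers pass TSS_Session_GetHandle() with "L".  Given this
 * file's stated purpose neither is changed here; do not use this routine
 * as a reference for building real commands without confirming both.
 *
 * ordinal   : command ordinal in host order
 * ownerauth : authorization secret (TPM_HASH_SIZE bytes) keying the HMAC
 * data      : parameter bytes, datalen of them
 * datalen   : byte count
 *
 * Returns 0 on success, ERR_NULL_ARG for a NULL ownerauth (or NULL data
 * with a non-zero length), ERR_CRYPT_ERR if no nonce could be generated,
 * or the session/HMAC/transport error.  The OIAP session is closed on every
 * path once it has been opened.
 */
uint32_t TPM_RawDataOIAP(uint32_t ordinal,
                         unsigned char * ownerauth,
                         unsigned char * data,
                         uint32_t datalen)
{
	STACK_TPM_BUFFER(tpmdata)
	unsigned char enonce[TPM_HASH_SIZE];
	unsigned char nonceodd[TPM_HASH_SIZE];
	unsigned char authdata[TPM_HASH_SIZE];
	unsigned char c = 0;	/* continueAuthSession */
	uint32_t ordinal_no = htonl(ordinal);
	uint32_t authhandle;
	uint32_t ret;

	if (NULL == ownerauth || (NULL == data && datalen != 0)) {
		return ERR_NULL_ARG;
	}

	ret = TSS_OIAPopen(&authhandle, enonce);
	if (ret != 0) {
		printf("Could not open OIAP session!\n");
		return ret;
	}

	/* odd nonce; TSS_gennonce() returns 0 on failure */
	if (0 == TSS_gennonce(nonceodd)) {
		TSS_OIAPclose(authhandle);
		return ERR_CRYPT_ERR;
	}

	ret = TSS_authhmac(authdata, ownerauth, TPM_HASH_SIZE, enonce, nonceodd, c,
	                   TPM_U32_SIZE, &ordinal_no,
	                   datalen, data,
	                   0, 0);
	if (0 != ret) {
		printf("Error calculating MAC.\n");
		TSS_OIAPclose(authhandle);
		return ret;
	}

	ret = TSS_buildbuff("00 c1 T l % l % o %", &tpmdata,
	                    ordinal_no,
	                    datalen, data,
	                    authhandle,
	                    TPM_NONCE_SIZE, nonceodd,
	                    c,
	                    TPM_HASH_SIZE, authdata);
	if ((ret & ERR_MASK)) {
		TSS_OIAPclose(authhandle);
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "* RawData - OIAP*");
	TSS_OIAPclose(authhandle);

	return ret;
}

/*
 * TPM_RawDataOSAP - send `ordinal` + `data` under a fresh OSAP session on
 * `keyhandle` (entity type TPM_ET_SRK for the SRK handle 0x40000000,
 * TPM_ET_OWNER otherwise), HMAC'd with the session's shared secret.  Test
 * helper with the same hand-built request caveats as TPM_RawDataOIAP.
 *
 * keyhandle : handle the OSAP session is bound to
 * ordinal   : command ordinal in host order
 * ownerauth : authorization secret; NULL means an all-zero secret
 * data      : parameter bytes, datalen of them
 * datalen   : byte count
 *
 * Returns 0 on success, ERR_NULL_ARG for NULL data with a non-zero length,
 * ERR_CRYPT_ERR if no nonce could be generated, or the
 * needKeysRoom()/session/HMAC/transport error.  The OSAP session is closed
 * on every path once it has been opened.
 *
 * Fixes vs. the original:
 *  - the all-zero fallback secret was prepared for a NULL ownerauth but the
 *    NULL pointer itself was still handed to TSS_OSAPopen(); the fallback
 *    is now used consistently;
 *  - `sess` is zeroed before use (only sess_type was initialised);
 *  - the diagnostics said "OIAP" for what is an OSAP session.
 *
 * NOTE(review): TPM_CreateEncAuth() is still called as in the original, but
 * its output `encauth` is never sent and its return value is not checked;
 * it looks like leftover scaffolding.
 */
uint32_t TPM_RawDataOSAP(uint32_t keyhandle,
                         uint32_t ordinal,
                         unsigned char * ownerauth,
                         unsigned char * data,
                         uint32_t datalen)
{
	STACK_TPM_BUFFER(tpmdata)
	unsigned char nonceodd[TPM_HASH_SIZE];
	unsigned char authdata[TPM_HASH_SIZE];
	unsigned char encauth[TPM_HASH_SIZE];
	unsigned char dummy[TPM_HASH_SIZE];
	unsigned char c = 0;	/* continueAuthSession */
	uint32_t ordinal_no = htonl(ordinal);
	session sess;
	osapsess *osap = &sess.type.osap;
	unsigned char *passptr1;
	uint16_t keytype;
	uint32_t ret;

	if (NULL == data && datalen != 0) {
		return ERR_NULL_ARG;
	}

	/* the SRK is addressed by its own entity type, anything else as owner */
	keytype = (keyhandle == 0x40000000) ? TPM_ET_SRK : TPM_ET_OWNER;

	ret = needKeysRoom(keyhandle, 0, 0, 0);
	if (ret != 0) {
		return ret;
	}

	/* a NULL secret means "all zeros" */
	memset(dummy, 0x0, sizeof(dummy));
	passptr1 = (NULL != ownerauth) ? ownerauth : dummy;

	memset(&sess, 0, sizeof(sess));
	sess.sess_type = SESSION_OSAP;
	ret = TSS_OSAPopen(osap, passptr1, keytype, keyhandle);
	if (ret != 0) {
		printf("Could not open OSAP session!\n");
		return ret;
	}

	/* encrypted authorization value; unused, see the note above */
	TPM_CreateEncAuth(&sess, passptr1, encauth, 0);

	/* odd nonce; TSS_gennonce() returns 0 on failure */
	if (0 == TSS_gennonce(nonceodd)) {
		TSS_OSAPclose(osap);
		return ERR_CRYPT_ERR;
	}

	ret = TSS_authhmac(authdata, osap->ssecret, TPM_HASH_SIZE, osap->enonce, nonceodd, c,
	                   TPM_U32_SIZE, &ordinal_no,
	                   datalen, data,
	                   0, 0);
	if (0 != ret) {
		printf("Error calculating MAC.\n");
		TSS_OSAPclose(osap);
		return ret;
	}

	ret = TSS_buildbuff("00 c1 T l % l % o %", &tpmdata,
	                    ordinal_no,
	                    datalen, data,
	                    osap->handle,
	                    TPM_NONCE_SIZE, nonceodd,
	                    c,
	                    TPM_HASH_SIZE, authdata);
	if ((ret & ERR_MASK)) {
		TSS_OSAPclose(osap);
		return ret;
	}

	ret = TPM_Transmit(&tpmdata, "* RawData - OSAP*");
	TSS_OSAPclose(osap);

	return ret;
}
--------------------------------------------------------------------------------
/swtpm-utils/lib/rng.c:
--------------------------------------------------------------------------------
/********************************************************************************/
/* */
/* TPM Random Number Generator Routines */
/* Written by S. Berger */
/* IBM Thomas J. Watson Research Center */
/* $Id: rng.c 4073 2010-04-30 14:44:14Z kgoldman $ */
/* */
/* (c) Copyright IBM Corporation 2006, 2010. */
/* */
/* All rights reserved.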
*/ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ 38 | /********************************************************************************/ 39 | 40 | #include 41 | #include 42 | #include 43 | #ifdef TPM_POSIX 44 | #include 45 | #endif 46 | #ifdef TPM_WINDOWS 47 | #include 48 | #endif 49 | #include 50 | #include 51 | #include 52 | #include 53 | #include 54 | #include 55 | #include 56 | 57 | 58 | /****************************************************************************/ 59 | /* */ 60 | /* Get Random Number */ 61 | /* */ 62 | /* The parameters are... */ 63 | /* */ 64 | /* numbytes : The number of bytes requested */ 65 | /* buffer : a buffer to hold the amount of requested bytes */ 66 | /* bytesret : The actual number of bytes that were returned */ 67 | /****************************************************************************/ 68 | uint32_t TPM_GetRandom(uint32_t bytesreq, 69 | unsigned char * buffer, uint32_t * bytesret) 70 | { 71 | uint32_t ret; 72 | STACK_TPM_BUFFER( tpmdata ) 73 | 74 | uint32_t ordinal_no = htonl(TPM_ORD_GetRandom); 75 | uint32_t numbytes_no = htonl(bytesreq); 76 | 77 | TSS_buildbuff("00 c1 T l l",&tpmdata, 78 | ordinal_no, 79 | numbytes_no); 80 | 81 | ret = TPM_Transmit(&tpmdata,"GetRandom"); 82 | 83 | if (0 != ret) { 84 | return ret; 85 | } 86 | 87 | ret = tpm_buffer_load32(&tpmdata, TPM_DATA_OFFSET, bytesret); 88 | if ((ret & ERR_MASK)) { 89 | return ret; 90 | } 91 | memcpy(buffer, 92 | &tpmdata.buffer[TPM_DATA_OFFSET + TPM_U32_SIZE], 93 | *bytesret); 94 | 95 | return ret; 96 | } 97 | 98 | 99 | 100 | /****************************************************************************/ 101 | /* */ 102 | /* Stir Random Number Generator */ 103 | /* */ 104 | /* The parameters are... 
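*/
/*                                                                          */
/* Sends TPM_ORD_StirRandom so the TPM mixes caller-supplied entropy into   */
/* its random number generator state.                                       */
/*                                                                          */
/* data    : Data to add entropy to the random number generator's state     */
/* datalen : The number of bytes; must be < 256.  Larger values are         */
/*           rejected with ERR_BAD_SIZE rather than silently masked to      */
/*           their low byte as before.                                      */
/*                                                                          */
/* Returns 0 on success, the TPM return code on TPM failure, ERR_NULL_ARG   */
/* when data is NULL but datalen is non-zero, ERR_BAD_SIZE when datalen is  */
/* too large, or the TSS_buildbuff error if the command could not be        */
/* marshalled.                                                              */
/****************************************************************************/
uint32_t TPM_StirRandom(unsigned char * data, uint32_t datalen)
{
    uint32_t ret;
    STACK_TPM_BUFFER(tpmdata)
    uint32_t ordinal_no = htonl(TPM_ORD_StirRandom);

    if (data == NULL && datalen != 0) {
        return ERR_NULL_ARG;
    }
    /* The documented limit is 255 bytes.  The original code applied
     * (datalen & 0xff), which for datalen >= 256 sent a different length
     * than the caller intended; reject such input explicitly instead. */
    if (datalen > 0xff) {
        return ERR_BAD_SIZE;
    }

    /* Check the marshalling result, as startup.c does for its commands. */
    ret = TSS_buildbuff("00 c1 T l @",&tpmdata,
                        ordinal_no,
                        datalen, data);
    if ((ret & ERR_MASK)) {
        return ret;
    }

    ret = TPM_Transmit(&tpmdata,"StirRandom");
    return ret;
}

--------------------------------------------------------------------------------
/swtpm-utils/lib/startup.c:
--------------------------------------------------------------------------------
/********************************************************************************/
/*                                                                              */
/*                          TPM Startup Routines                                */
/*                          Written by S. Berger                                */
/*                  IBM Thomas J. Watson Research Center                        */
/*             $Id: startup.c 4073 2010-04-30 14:44:14Z kgoldman $              */
/*                                                                              */
/* (c) Copyright IBM Corporation 2006, 2010.                                    */
/*                                                                              */
/* All rights reserved.                                                         */
/*                                                                              */
/* Redistribution and use in source and binary forms, with or without           */
/* modification, are permitted provided that the following conditions are       */
/* met:                                                                         */
/*                                                                              */
/* Redistributions of source code must retain the above copyright notice,       */
/* this list of conditions and the following disclaimer.                        */
/*                                                                              */
/* Redistributions in binary form must reproduce the above copyright            */
/* notice, this list of conditions and the following disclaimer in the          */
/* documentation and/or other materials provided with the distribution.         */
/*                                                                              */
/* Neither the names of the IBM Corporation nor the names of its                */
/* contributors may be used to endorse or promote products derived from         */
/* this software without specific prior written permission.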
*/ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ 38 | /********************************************************************************/ 39 | 40 | #include 41 | #include 42 | #include 43 | #ifdef TPM_POSIX 44 | #include 45 | #endif 46 | #ifdef TPM_WINDOWS 47 | #include 48 | #endif 49 | #include 50 | #include 51 | #include 52 | #include 53 | #include 54 | #include 55 | #include 56 | 57 | uint32_t TPM_Startup(uint16_t type) 58 | { 59 | uint32_t ret; 60 | uint32_t ordinal_no = htonl(TPM_ORD_Startup); 61 | STACK_TPM_BUFFER(tpmdata) 62 | uint16_t type_no = htons(type); 63 | 64 | ret = TSS_buildbuff("00 c1 T l s",&tpmdata, 65 | ordinal_no, 66 | type_no); 67 | if ((ret & ERR_MASK)) { 68 | return ret; 69 | } 70 | 71 | ret = TPM_Transmit(&tpmdata,"Startup"); 72 | 73 | if (ret == 0 && tpmdata.used != 10) { 74 | ret = ERR_BAD_RESP; 75 | } 76 | 77 | return ret; 78 | } 79 | 80 | uint32_t TPM_SaveState() 81 | { 82 | uint32_t ret; 83 | uint32_t ordinal_no = htonl(TPM_ORD_SaveState); 84 | STACK_TPM_BUFFER(tpmdata) 85 | 86 | ret = TSS_buildbuff("00 c1 T l",&tpmdata, 87 | ordinal_no); 88 | if ((ret & ERR_MASK)) { 89 | return ret; 90 | } 91 | 92 | ret = 
TPM_Transmit(&tpmdata,"SaveState"); 93 | 94 | if (ret == 0 && tpmdata.used != 10) { 95 | ret = ERR_BAD_RESP; 96 | } 97 | 98 | return ret; 99 | } 100 | 101 | uint32_t TPM_Init() 102 | { 103 | uint32_t ret; 104 | uint32_t ordinal_no = htonl(TPM_ORD_Init); 105 | STACK_TPM_BUFFER(tpmdata); 106 | 107 | ret = TSS_buildbuff("00 c1 T l",&tpmdata, 108 | ordinal_no); 109 | if ((ret & ERR_MASK)) { 110 | return ret; 111 | } 112 | 113 | ret = TPM_Transmit(&tpmdata,"Init"); 114 | 115 | return ret; 116 | } 117 | -------------------------------------------------------------------------------- /swtpm-utils/lib/tpm.h: -------------------------------------------------------------------------------- 1 | /********************************************************************************/ 2 | /* */ 3 | /* TPM Utilities */ 4 | /* Written by J. Kravitz */ 5 | /* IBM Thomas J. Watson Research Center */ 6 | /* $Id: tpm.h 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. */ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. 
*/ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ 38 | /********************************************************************************/ 39 | 40 | #ifndef TPM_H 41 | #define TPM_H 42 | 43 | #include 44 | #include 45 | #ifdef TPM_POSIX 46 | #include 47 | #endif 48 | #ifdef TPM_WINDOWS 49 | #include 50 | #endif 51 | 52 | #define ERR_MASK 0x80000000 /* mask to define error state */ 53 | /* keep 0x8001000 unassigned since the bash only sees the lowest byte! 
*/ 54 | #define ERR_DUMMY 0x80001000 55 | #define ERR_HMAC_FAIL 0x80001001 /* HMAC authorization verification failed */ 56 | #define ERR_NULL_ARG 0x80001002 /* An argument was NULL that shouldn't be */ 57 | #define ERR_BAD_ARG 0x80001003 /* An argument had an invalid value */ 58 | #define ERR_CRYPT_ERR 0x80001004 /* An error occurred in an OpenSSL library call */ 59 | #define ERR_IO 0x80001005 /* An I/O Error occured */ 60 | #define ERR_MEM_ERR 0x80001006 /* A memory allocation error occurred */ 61 | #define ERR_BAD_FILE 0x80001007 /* File error occurred */ 62 | #define ERR_BAD_DATA 0x80001008 /* data read from a stream were bad */ 63 | #define ERR_BAD_SIZE 0x80001009 /* the size of the data to send to the TPM is too large */ 64 | #define ERR_BUFFER 0x8000100a /* the size of the buffer is too small */ 65 | #define ERR_STRUCTURE 0x8000100b /* this is not the stream for the structure to be parsed */ 66 | #define ERR_NOT_FOUND 0x8000100c /* searched item could not be found */ 67 | #define ERR_ENV_VARIABLE 0x8000100d /* environment varaible is not set */ 68 | #define ERR_NO_TRANSPORT 0x8000100e /* no transport allowed for this ordinal */ 69 | #define ERR_BADRESPONSETAG 0x8000100f /* bad response tag in message */ 70 | #define ERR_SIGNATURE 0x80001010 /* bad signature */ 71 | #define ERR_PCR_LIST_NOT_IMA 0x80001011 /* PCR values do not correspond to that in IMA */ 72 | #define ERR_CHECKSUM 0x80001012 /* Checksum not correct */ 73 | #define ERR_BAD_RESP 0x80001013 /* response from TPM not formatted correctly */ 74 | #define ERR_BAD_SESSION_TYPE 0x80001014 /* session type choice is not good */ 75 | 76 | #define ERR_LAST 0x80001015 /* keep this as the last error code !!!! 
*/ 77 | 78 | #define TPM_MAX_BUFF_SIZE 4096 79 | #define TPM_HASH_SIZE 20 80 | #define TPM_NONCE_SIZE 20 81 | 82 | #define TPM_U16_SIZE 2 83 | #define TPM_U32_SIZE 4 84 | 85 | #define TPM_PARAMSIZE_OFFSET TPM_U16_SIZE 86 | #define TPM_RETURN_OFFSET ( TPM_U16_SIZE + TPM_U32_SIZE ) 87 | #define TPM_DATA_OFFSET ( TPM_RETURN_OFFSET + TPM_U32_SIZE ) 88 | 89 | #define STORE32(buffer,offset,value) { *(uint32_t *)&buffer[offset] = htonl(value); } 90 | #define STORE16(buffer,offset,value) { *(uint16_t *)&buffer[offset] = htons(value); } 91 | #define STORE32N(buffer,offset,value) { *(uint32_t *)&buffer[offset] = value; } 92 | #define STORE16N(buffer,offset,value) { *(uint16_t *)&buffer[offset] = value; } 93 | #define LOAD32(buffer,offset) ( ntohl(*(uint32_t *)&buffer[offset]) ) 94 | #define LOAD16(buffer,offset) ( ntohs(*(uint16_t *)&buffer[offset]) ) 95 | #define LOAD32N(buffer,offset) ( *(uint32_t *)&buffer[offset] ) 96 | #define LOAD16N(buffer,offset) ( *(uint16_t *)&buffer[offset] ) 97 | 98 | #define TPM_CURRENT_TICKS_SIZE (sizeof(TPM_STRUCTURE_TAG)+2*TPM_U32_SIZE+TPM_U16_SIZE+TPM_NONCE_SIZE) 99 | 100 | struct tpm_buffer 101 | { 102 | uint32_t size; 103 | uint32_t used; 104 | uint32_t flags; 105 | unsigned char buffer[TPM_MAX_BUFF_SIZE]; 106 | }; 107 | 108 | enum { 109 | BUFFER_FLAG_ON_STACK = 1, 110 | }; 111 | 112 | #define STACK_TPM_BUFFER(X) \ 113 | struct tpm_buffer X = { \ 114 | .size = sizeof( X.buffer ), \ 115 | .used = 0, \ 116 | .flags = BUFFER_FLAG_ON_STACK, \ 117 | .buffer = ""}; 118 | #define RESET_TPM_BUFFER(X) \ 119 | (X)->used = 0 120 | #define ALLOC_TPM_BUFFER(X,S) \ 121 | struct tpm_buffer *X = TSS_AllocTPMBuffer(S); 122 | #define FREE_TPM_BUFFER(X) \ 123 | TSS_FreeTPMBuffer(X) 124 | #define SET_TPM_BUFFER(X, src, len) \ 125 | do { \ 126 | uint32_t to_copy = (X)->size > len ? 
len : (X)->size; \ 127 | memcpy((X)->buffer, src, to_copy); \ 128 | (X)->used = to_copy; \ 129 | } while (0); 130 | #define IS_TPM_BUFFER_EMPTY(X) \ 131 | ((X)->used == 0) 132 | 133 | struct tpm_buffer *TSS_AllocTPMBuffer(int len); 134 | 135 | static inline struct tpm_buffer *clone_tpm_buffer(struct tpm_buffer *orig) { 136 | struct tpm_buffer * buf = TSS_AllocTPMBuffer(orig->used + 20); 137 | if (buf) { 138 | SET_TPM_BUFFER(buf, orig->buffer, orig->used); 139 | } 140 | return buf; 141 | } 142 | 143 | #if defined (__x86_64__) 144 | #define OUT_FORMAT(a,b) b 145 | #else 146 | #define OUT_FORMAT(a,b) a 147 | #endif 148 | 149 | #endif 150 | -------------------------------------------------------------------------------- /swtpm-utils/lib/tpm_constants.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/momiji/tpm-luks/1ea9ad32ca938fcc04f753f8970558a9906fe22b/swtpm-utils/lib/tpm_constants.h -------------------------------------------------------------------------------- /swtpm-utils/lib/tpm_lowlevel.h: -------------------------------------------------------------------------------- 1 | /********************************************************************************/ 2 | /* */ 3 | /* TPM Low Level Transport */ 4 | /* Written by S. Berger */ 5 | /* IBM Thomas J. Watson Research Center */ 6 | /* $Id: tpm_lowlevel.h 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. 
*/ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ 38 | /********************************************************************************/ 39 | 40 | #ifndef TPM_LOWLEVEL_H 41 | #define TPM_LOWLEVEL_H 42 | 43 | #include "tpm.h" 44 | 45 | struct tpm_transport 46 | { 47 | uint32_t (*open)(int *fd); 48 | uint32_t (*close)(int fd); 49 | uint32_t (*send)(int fd, struct tpm_buffer *tb, const char *msg); 50 | uint32_t (*recv)(int fd, struct tpm_buffer *tb); 51 | }; 52 | 53 | enum { 54 | TPM_LOWLEVEL_TRANSPORT_CHARDEV = 1, 55 | TPM_LOWLEVEL_TRANSPORT_TCP_SOCKET, 56 | TPM_LOWLEVEL_TRANSPORT_UNIXIO, 57 | TPM_LOWLEVEL_TRANSPORT_CCA 58 | }; 59 | 60 | void TPM_LowLevel_TransportSocket_Set(void); 61 | void TPM_LowLevel_TransportUnixIO_Set(void); 62 | void TPM_LowLevel_TransportCharDev_Set(void); 63 | void TPM_LowLevel_Transport_Init(int choice); 64 | int TPM_LowLevel_Use_VTPM(void); 65 | int TPM_LowLevel_VTPM_Set(int state); 66 | 67 | #endif 68 | -------------------------------------------------------------------------------- /swtpm-utils/lib/tpmkeys.h: -------------------------------------------------------------------------------- 1 | /********************************************************************************/ 2 | /* */ 3 | /* TPM Key Structures */ 4 | /* Written by S. Berger */ 5 | /* IBM Thomas J. Watson Research Center */ 6 | /* $Id: tpmkeys.h 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. 
*/ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ 38 | /********************************************************************************/ 39 | 40 | #ifndef TPMKEYS_H 41 | #define TPMKEYS_H 42 | #include "tpm.h" 43 | #include "tpm_structures.h" 44 | #include 45 | 46 | #ifndef TPM_MAXIMUM_KEY_SIZE 47 | #define TPM_MAXIMUM_KEY_SIZE 4096 48 | #endif 49 | 50 | 51 | #define TPM_SIZED_BUFFER_EMB(SIZE_OF_BUFFER,uniq,name) \ 52 | struct uniq { \ 53 | uint32_t size; \ 54 | BYTE buffer[SIZE_OF_BUFFER]; \ 55 | } name 56 | 57 | 58 | typedef struct tdTPM_RSA_KEY_PARMS_EMB { 59 | uint32_t keyLength; 60 | uint32_t numPrimes; 61 | uint32_t exponentSize; 62 | BYTE exponent[3]; 63 | } TPM_RSA_KEY_PARMS_EMB; 64 | 65 | 66 | typedef struct tdTPM_SYMMETRIC_KEY_PARMS_EMB { 67 | uint32_t keyLength; 68 | uint32_t blockSize; 69 | uint32_t ivSize; 70 | BYTE IV[256]; 71 | } TPM_SYMMETRIC_KEY_PARMS_EMB; 72 | 73 | typedef struct tdTPM_KEY_PARMS_EMB { 74 | TPM_ALGORITHM_ID algorithmID; /* This SHALL be the key algorithm in use */ 75 | TPM_ENC_SCHEME encScheme; /* This SHALL be the encryption scheme that the key uses to encrypt 76 | information */ 77 | TPM_SIG_SCHEME sigScheme; /* This SHALL be the signature scheme that the key uses to perform 78 | digital signatures */ 79 | union { 80 | TPM_RSA_KEY_PARMS_EMB rsaKeyParms; 81 | TPM_SYMMETRIC_KEY_PARMS_EMB symKeyParms; 82 | } u; 83 | } TPM_KEY_PARMS_EMB; 84 | 85 | 86 | typedef struct tdTPM_STORE_PUBKEY_EMB { 87 | uint32_t keyLength; 88 | BYTE modulus[TPM_MAXIMUM_KEY_SIZE/8]; 89 | } TPM_STORE_PUBKEY_EMB; 90 | 91 | 92 | typedef struct tdTPM_KEY_EMB { 93 | TPM_STRUCT_VER ver; 94 | TPM_KEY_USAGE keyUsage; 95 | TPM_KEY_FLAGS keyFlags; 96 | TPM_AUTH_DATA_USAGE authDataUsage; 97 | TPM_KEY_PARMS_EMB algorithmParms; 98 | TPM_SIZED_BUFFER_EMB(256, 99 | pcrInfo_TPM_KEY_EMB, pcrInfo); 100 | TPM_STORE_PUBKEY_EMB pubKey; 101 | TPM_SIZED_BUFFER_EMB(1024, encData_TPM_KEY_EMB, encData); 102 | } TPM_KEY_EMB; 103 | 104 | 105 | typedef struct tdTPM_KEY12_EMB { 106 | TPM_STRUCTURE_TAG tag; 107 | uint16_t fill; 108 | 
TPM_KEY_USAGE keyUsage; 109 | TPM_KEY_FLAGS keyFlags; 110 | TPM_AUTH_DATA_USAGE authDataUsage; 111 | TPM_KEY_PARMS_EMB algorithmParms; 112 | TPM_SIZED_BUFFER_EMB(256, 113 | pcrInfo_TPM_KEY12_EMB, pcrInfo); 114 | TPM_STORE_PUBKEY_EMB pubKey; 115 | TPM_SIZED_BUFFER_EMB(1024, encData_TPM_KEY12_EMB, encData); 116 | } TPM_KEY12_EMB; 117 | 118 | typedef struct pubkeydata 119 | { 120 | TPM_KEY_PARMS_EMB algorithmParms; 121 | TPM_STORE_PUBKEY_EMB pubKey; 122 | TPM_SIZED_BUFFER_EMB(256, 123 | pcrInfo_pubkeydata, pcrInfo); 124 | } pubkeydata; 125 | 126 | typedef struct keydata 127 | { 128 | union { 129 | TPM_STRUCT_VER ver; 130 | TPM_STRUCTURE_TAG tag; // 1 131 | } v; 132 | TPM_KEY_USAGE keyUsage; // 2 133 | TPM_KEY_FLAGS keyFlags; // 3 134 | TPM_AUTH_DATA_USAGE authDataUsage; // 4 135 | pubkeydata pub; 136 | TPM_SIZED_BUFFER_EMB(1024, encData_keydata, encData); 137 | } keydata; 138 | 139 | 140 | #endif 141 | -------------------------------------------------------------------------------- /swtpm-utils/lib/tpmutil.h: -------------------------------------------------------------------------------- 1 | /********************************************************************************/ 2 | /* */ 3 | /* TPM Utilities */ 4 | /* Written by S. Berger */ 5 | /* IBM Thomas J. Watson Research Center */ 6 | /* $Id: tpmutil.h 4073 2010-04-30 14:44:14Z kgoldman $ */ 7 | /* */ 8 | /* (c) Copyright IBM Corporation 2006, 2010. */ 9 | /* */ 10 | /* All rights reserved. */ 11 | /* */ 12 | /* Redistribution and use in source and binary forms, with or without */ 13 | /* modification, are permitted provided that the following conditions are */ 14 | /* met: */ 15 | /* */ 16 | /* Redistributions of source code must retain the above copyright notice, */ 17 | /* this list of conditions and the following disclaimer. 
*/ 18 | /* */ 19 | /* Redistributions in binary form must reproduce the above copyright */ 20 | /* notice, this list of conditions and the following disclaimer in the */ 21 | /* documentation and/or other materials provided with the distribution. */ 22 | /* */ 23 | /* Neither the names of the IBM Corporation nor the names of its */ 24 | /* contributors may be used to endorse or promote products derived from */ 25 | /* this software without specific prior written permission. */ 26 | /* */ 27 | /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */ 28 | /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */ 29 | /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */ 30 | /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */ 31 | /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */ 32 | /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */ 33 | /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */ 34 | /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */ 35 | /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */ 36 | /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */ 37 | /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ 38 | /********************************************************************************/ 39 | 40 | #ifndef TPMUTIL_H 41 | #define TPMUTIL_H 42 | 43 | #include 44 | 45 | #include 46 | 47 | #include 48 | 49 | #include 50 | 51 | #ifdef MIN 52 | #undef MIN 53 | #endif 54 | 55 | #define MIN(x,y) (x) < (y) ? 
(x) : (y) 56 | 57 | #define TPM_COUNTER_VALUE_SIZE 10 58 | 59 | #define TPM_MAX_TRANSPORTS 10 60 | 61 | /* AES requires data lengths that are a multiple of the block size */ 62 | #define TPM_AES_BITS 128 63 | /* The AES block size is always 16 bytes */ 64 | #define TPM_AES_BLOCK_SIZE 16 65 | 66 | 67 | struct tpm_buffer; 68 | 69 | uint32_t TSS_getsize(unsigned char *rsp); 70 | int TSS_gennonce(unsigned char *nonce); 71 | int TSS_buildbuff(char *format,struct tpm_buffer *, ...); 72 | int TSS_parsebuff(char *format,const struct tpm_buffer *, uint32_t offset, ...); 73 | uint32_t TPM_Transmit(struct tpm_buffer *,const char *msg); 74 | uint32_t TPM_Send(struct tpm_buffer *,const char *); 75 | int TPM_setlog(int flag); 76 | void TSS_sha1(void *input, unsigned int len, unsigned char *output); 77 | uint32_t TSS_SHAFile(const char *filename, unsigned char *hash); 78 | void showBuff(unsigned char* buff, char* string); 79 | 80 | uint32_t TPM_GetDelegationBlob(uint32_t etype, 81 | uint32_t keyhandle, 82 | unsigned char *passHash, 83 | unsigned char *buffer, uint32_t *bufferSize); 84 | uint32_t TPM_AddDelegationBlob(uint32_t etype, 85 | uint32_t keyhandle, 86 | unsigned char *oldPassHash, 87 | unsigned char *newPassHash, 88 | unsigned char *buffer, uint32_t bufferSize); 89 | uint32_t TPM_ResetDelegation(void); 90 | 91 | 92 | uint32_t _TPM_AuditInputstream(const struct tpm_buffer *req, int is_encrypted); 93 | uint32_t _TPM_AuditOutputstream(const struct tpm_buffer *res, uint32_t ord, 94 | int is_encrypted); 95 | uint32_t _TPM_IsAuditedOrdinal(uint32_t ord, uint32_t *rc); 96 | uint32_t TPM_SetAuditedOrdinal(uint32_t ord); 97 | uint32_t TPM_ClearAuditedOrdinal(uint32_t ord); 98 | uint32_t TPM_SetAuditingCounterValue(TPM_COUNTER_VALUE *cv); 99 | uint32_t TPM_ResetAuditing(void); 100 | 101 | uint32_t getNumHandles(uint32_t ord); 102 | uint32_t getNumRespHandles(uint32_t ord); 103 | #if 0 104 | uint32_t TPM_OpenClientSocket(int *sock_fd); 105 | uint32_t TPM_CloseClientSocket(int 
sock_fd); 106 | uint32_t TPM_TransmitSocket(int sock_fd, struct tpm_buffer *tb); 107 | uint32_t TPM_ReceiveSocket(int sock_fd, struct tpm_buffer *tb); 108 | uint32_t TPM_ReceiveBytes(int sock_fd, 109 | unsigned char *buffer, 110 | size_t nbytes); 111 | #endif 112 | 113 | uint32_t tpm_buffer_load32 (const struct tpm_buffer *tb, uint32_t offset, uint32_t *val); 114 | uint32_t tpm_buffer_load32N(const struct tpm_buffer *tb, uint32_t offset, uint32_t *val); 115 | uint32_t tpm_buffer_load16 (const struct tpm_buffer *tb, uint32_t offset, uint16_t *val); 116 | uint32_t tpm_buffer_load16N(const struct tpm_buffer *tb, uint32_t offset, uint16_t *val); 117 | uint32_t tpm_buffer_store32(struct tpm_buffer *tb, uint32_t val); 118 | uint32_t tpm_buffer_store(struct tpm_buffer *dest, struct tpm_buffer *src, uint32_t soff, uint32_t slen); 119 | 120 | uint32_t parseHash(char *string, unsigned char *hash); 121 | TPM_RESULT TPM_AES_ctr128_Encrypt(unsigned char *data_out, 122 | const unsigned char *data_in, 123 | unsigned long data_size, 124 | const AES_KEY *aes_enc_key, 125 | unsigned char ctr[TPM_AES_BLOCK_SIZE]); 126 | TPM_RESULT TPM_MGF1(unsigned char *mask, 127 | uint32_t maskLen, 128 | const unsigned char *mgfSeed, 129 | uint32_t mgfSeedlen); 130 | TPM_RESULT TPM_SHA1(TPM_DIGEST md, ...); 131 | TPM_RESULT TPM_SHA1Init(void **context); 132 | TPM_RESULT TPM_SHA1_Update(void *context, const unsigned char *data, uint32_t length); 133 | TPM_RESULT TPM_SHA1Final(unsigned char *md, void *context); 134 | TPM_RESULT TPM_SHA1Delete(void **context); 135 | 136 | 137 | #if 0 138 | void TPM_XOR(unsigned char *out, 139 | const unsigned char *in1, 140 | const unsigned char *in2, 141 | size_t length); 142 | #endif 143 | 144 | int allowsTransport(uint32_t ord); 145 | 146 | void _TPM_getTransportAlgIdEncScheme(TPM_ALGORITHM_ID *algId, 147 | TPM_ENC_SCHEME *encScheme); 148 | void TPM_DetermineSessionEncryption(const session *, int *); 149 | 150 | struct tpm_transport 
*TPM_LowLevel_Transport_Set(struct tpm_transport *new_tp); 151 | void TPM_LowLevel_Transport_Init(int choice); 152 | 153 | uint32_t needKeysRoom(uint32_t key1, uint32_t key2, uint32_t key3, 154 | uint32_t room); 155 | uint32_t needKeysRoom_Stacked(uint32_t key1); 156 | 157 | 158 | #endif 159 | -------------------------------------------------------------------------------- /tpm-luks.conf.in: -------------------------------------------------------------------------------- 1 | # 2 | # tpm-luks.conf - configuration file for tpm-luks PCR use 3 | # 4 | # The format of the entries in this file is: 5 | # device:index:script 6 | # 7 | # device - a LUKS partition 8 | # 9 | # index - A TPM NVRAM index used to store the LUKS secret. You can list 10 | # NVRAM indexes with tpm_nvinfo. 11 | # 12 | # script - full path to a script that produces a TPM NVRAM permissions file, 13 | # as used by tpm_nvdefine -f. See tpm-luks-gen-tgrub2-pcr-values 14 | # for info on the format of the script file. 15 | # 16 | # Note: all TPM NVRAM indexes must be different at the moment, until init, 17 | # update and dracut crypt-tpm module is rewritten to allow the use of 18 | # the same index for severall LUKS devices 19 | # 20 | # to disable the use of TPM NVRAM PCR: 21 | # - use '' as script name (::) 22 | # 23 | # example: 24 | # 25 | #/dev/sda2:1:@sbindir@/tpm-luks-gen-tgrub2-pcr-values 26 | # 27 | -------------------------------------------------------------------------------- /tpm-luks.spec.in: -------------------------------------------------------------------------------- 1 | %define dracutlibdir %{_prefix}/lib/dracut 2 | 3 | %define dracut_mod_name 90crypt-tpm 4 | %if 0%{?rhel} == 6 5 | %define dracut_mod_name 50plymouth-tpm 6 | %endif 7 | 8 | Name: @PACKAGE@ 9 | Version: @VERSION@ 10 | Release: 9%{?dist} 11 | Summary: Utility for storing a LUKS key using a TPM 12 | 13 | Group: Security 14 | License: GPLv2 15 | #URL: 16 | Source0: tpm-luks-%{version}.tar.gz 17 | BuildRoot: %(mktemp -ud 
%{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) 18 | 19 | BuildRequires: automake autoconf libtool openssl-devel 20 | #Requires: cryptsetup dracut gawk coreutils grubby tpm-tools trousers 21 | # for now we require an upstream tpm-tools and trousers, so don't add them 22 | # here so we can avoid --nodeps 23 | Requires: cryptsetup dracut gawk coreutils grubby 24 | 25 | %description 26 | tpm-luks is a set of scripts to enable storage of a LUKS key in your TPM. 27 | 28 | %prep 29 | %setup -q 30 | 31 | %build 32 | autoreconf -ivf 33 | %configure --prefix=/usr --libdir=%{_libdir} 34 | make %{?_smp_mflags} 35 | 36 | %install 37 | [ "${RPM_BUILD_ROOT}" != "/" ] && [ -d ${RPM_BUILD_ROOT} ] && rm -rf ${RPM_BUILD_ROOT}; 38 | make install DESTDIR=$RPM_BUILD_ROOT 39 | mkdir -p $RPM_BUILD_ROOT/etc/init.d/ 40 | ln -s %{_sbindir}/tpm-luks-svc $RPM_BUILD_ROOT/etc/init.d/tpm-luks-svc 41 | 42 | %clean 43 | [ "${RPM_BUILD_ROOT}" != "/" ] && [ -d ${RPM_BUILD_ROOT} ] && rm -rf ${RPM_BUILD_ROOT}; 44 | 45 | %files 46 | %defattr(-,root,root,-) 47 | %doc README TODO 48 | %config /etc/dracut.conf.d/tpm-luks.conf 49 | %{_bindir}/* 50 | %{_sbindir}/* 51 | %dir %{dracutlibdir}/modules.d/%{dracut_mod_name} 52 | %{dracutlibdir}/modules.d/%{dracut_mod_name}/* 53 | %config(noreplace) /etc/tpm-luks.conf 54 | /etc/init.d/tpm-luks-svc 55 | 56 | %changelog 57 | * Tue Apr 09 2013 Ryan Harper 58 | - Updated to build on F18 59 | 60 | * Tue May 29 2012 Kent Yoder 61 | - Initial drop of version 0.6 62 | -------------------------------------------------------------------------------- /tpm-luks/tpm-luks-gen-tgrub2-pcr-values: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | # 3 | # tpm-luks-gen-tgrub2-pcr-values 4 | # 5 | # Parse a grub1 menu.lst file and generate the future TPM PCR values needed 6 | # to seal a system state to. Based on the implementation of the trustedgrub 7 | # package at http://trustedgrub.sf.net. 
8 | # 9 | # Author: Kent Yoder 10 | # 11 | #### 12 | # NVRAM permissions file format: 13 | # 14 | # [r/w] [PCR#] [40 byte ascii SHA-1 value] 15 | # 16 | # example: 17 | # 18 | # r 0 f952e49a7e90037fb6ee505d80a322798012db16 19 | # r 15 a0ea6036b734da48b57fdd0fd87218cbada887ef 20 | # w 12 3bd4ed7984d262f1d0d71e337ea4de290e17b4bd 21 | # 22 | # For this example, the TPM data written will only be readable when PCR 0's 23 | # value is f952e49a7e90037fb6ee505d80a322798012db16 and PCR 15's value is 24 | # a0ea6036b734da48b57fdd0fd87218cbada887ef and will only be writable when 25 | # PCR 12's value is 3bd4ed7984d262f1d0d71e337ea4de290e17b4bd. 26 | # 27 | #### 28 | # How do you know which PCRs to use? The canonical reference document that 29 | # describes which PCRs are used for which purposes for TPM 1.2 is here: 30 | # 31 | # http://www.trustedcomputinggroup.org/files/temp/64505409-1D09-3519-AD5C611FAD3F799B/PC%20Client%20Implementation%20for%20BIOS.pdf 32 | # 33 | # See section 3.2.3. A summary for convenience: 34 | # 35 | # PCR Index Use 36 | # 0 CRTM, BIOS, and Host Platform Extensions 37 | # 1 Host Platform Configuration 38 | # 2 Option ROM Code 39 | # 3 Option ROM Configuration and Data 40 | # 4 IPL Code (usually the MBR) 41 | # 5 IPL Code Configuration and Data 42 | # 6 State Transition and Wake Events 43 | # 7 Host Platform Manufacturer Control 44 | # 8-15 Used by the OS 45 | # 46 | # An explanation of the "srtm" profile (below): 47 | # 48 | # PCR 4 - record measurement of trusted grub in the MBR as measured by 49 | # the BIOS 50 | # PCR 5 - record the IPL config - this is a record of the boot device 51 | # chosen by the user 52 | # PCR 8 - The first 512 bytes of grub stage2 53 | # PCR 9 - The rest of stage2 54 | # PCR 10 - record the files that trusted grub launches - kernel and 55 | # initramfs 56 | # PCR 11 - record trusted grub's config file command lines - note that 57 | # this includes the kernel command line, so any change to the 58 | # kernel command line 
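will prevent releasing the NVRAM secret!
#
#
PCRS="4 5 8 9 10 11"
TPM_DEVICE=/sys/class/tpm/tpm0/device
[ -d "$TPM_DEVICE" ] || TPM_DEVICE=/sys/class/misc/tpm0/device
TMPFILE=
SOURCE=$TPM_DEVICE/pcrs
OUTFILE=/dev/stdout

if [ -z "${PCRS}" ]; then
	exit 0
elif [ ! -e "${SOURCE}" ]; then
	echo "PCR measurements file not found, is securityfs mounted?" 1>&2
	exit 255
fi

# Print the usage text.  ${0##*/} is the basename of the script (the
# previous ${0##/*} pattern did not strip the directory part of $0).
function usage
{
	echo "usage ${0##*/} [options]"
	echo "options:"
	echo
	echo "  -o	Optional file to write NVRAM permissions files to (default is stdout)"
}

# "m:" is accepted for command-line compatibility but has no handler, so it
# falls through to usage like any other unknown option.
while getopts "o:m:" opt; do
	case $opt in
	o)
		OUTFILE=$OPTARG
		;;
	*)
		usage
		exit 255
		;;
	esac
done

cleanup()
{
	rm -f "$TMPFILE"
}

TMPFILE=$(mktemp -q "/tmp/${0##*/}-XXXXXX")

if [ -z "$TMPFILE" ]; then
	echo "Temp file creation failed" 1>&2
	# "exit -1" wraps to 255 in bash; say so explicitly, matching the other
	# failure paths in this script.
	exit 255
fi

trap cleanup EXIT

# The sysfs file lists "PCR-NN: xx xx ... xx"; drop the spaces so each line
# becomes "PCR-NN:<40 hex digits>" and field 2 (awk -F:) is the whole digest.
sed "s/ //g" "$SOURCE" > "$TMPFILE"
for PCRNUM in $PCRS; do
	PCRNUM2=$(printf "%02d" "$PCRNUM")
	PCR=$( awk -F: "\$1 ~ /PCR-$PCRNUM2/ { print tolower(\$2) }" "$TMPFILE" )
	# Never emit a permissions line without a real digest: "r N " with an
	# empty or malformed value would describe a policy that does not bind
	# to the PCR state the operator believes it does.  (A multi-line match
	# fails the hex test as well, since the newline is not a hex digit.)
	case "$PCR" in
	""|*[!0-9a-f]*)
		echo "PCR $PCRNUM: no SHA-1 value found in $SOURCE" 1>&2
		exit 255
		;;
	esac
	if [ ${#PCR} -ne 40 ]; then
		echo "PCR $PCRNUM: expected 40 hex digits, got '$PCR'" 1>&2
		exit 255
	fi
	echo "r $PCRNUM $PCR" >> "${OUTFILE}"
done

exit 0
--------------------------------------------------------------------------------
/tpm-luks/tpm-luks-svc:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Service to automatically call cryptsetup open on devices not automatically opened by
# dracut during boot.
# This allows to specify additional devices without having to modify /etc/default/grub.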
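# Devices to open must have the following:
# - type must be of type crypto_LUKS, visible in `blkid -c /dev/null`
# - map name is luks-<UUID> unless an entry is present in /etc/crypttab
# - if device is present in /etc/crypttab, it must have the attribute `noauto` to prevent open at boot
# - if mount is needed at boot time, it must have nofail option in /etc/fstab
#
# This runs as root at boot and copies LUKS key material out of TPM NVRAM
# into a file under /dev/shm, so that file must never be readable by other
# users and must be wiped as soon as cryptsetup is done with it.
#
# chkconfig: 2345 00 00
# description: Mount additional LUKS partitions
#

LUKS_CONF=/etc/tpm-luks.conf
KEYFILE=/dev/shm/luks.key
NVSIZE=32
CRYPTTAB=/etc/crypttab
TPM_NV_PER_AUTHREAD=0x00040000
TPM_NV_PER_OWNERREAD=0x00020000

ERROR=0

case "$1" in
	start)
		;;
	*)
		exit 0
		;;
esac

# Overwrite the key bytes before unlinking the file.  /dev/shm is tmpfs, so
# this is best-effort, but it keeps the secret from lingering in the page
# cache any longer than necessary.  NVSIZE is the number of bytes
# nv_readvalue wrote (it is refreshed per index below).
function wipe_file
{
	dd if=/dev/zero of="$KEYFILE" bs=1c count="$NVSIZE" >/dev/null 2>&1
	rm -f "$KEYFILE"
}

trap wipe_file EXIT

# nv_readvalue creates $KEYFILE with the process umask; the usual 022 would
# leave the LUKS key world-readable for as long as the file exists.
umask 077

# Feed blkid's KEY=VALUE records through fd 3 instead of piping them into
# the loop: a piped `while` runs in a subshell, so every ERROR=1 below would
# be lost and the final `exit $ERROR` would always report success.
exec 3< <(blkid -c /dev/null -t TYPE=crypto_LUKS -o export ; echo)
DEVNAME=
UUID=
while read -r -u 3 _line ; do
	# Only DEVNAME and UUID are used; pick them out with pattern matching
	# rather than eval'ing the whole line.  The values originate from the
	# LUKS headers of whatever block device happens to be attached, and
	# eval would execute anything that survived blkid's escaping as root.
	case "$_line" in
		DEVNAME=*) DEVNAME=${_line#DEVNAME=} ;;
		UUID=*)    UUID=${_line#UUID=} ;;
	esac
	# A blank line terminates one device record.
	if [ -z "$_line" ]; then
		# The trailing `echo` above yields a blank line even when blkid
		# found nothing; there is no device to act on in that case.
		[ -n "$DEVNAME" ] || continue
		MAPNAME=$( grep -v "^\s*#" "$CRYPTTAB" 2>/dev/null | grep -F -- " UUID=$UUID " | cut -d' ' -f1 )
		[ -z "$MAPNAME" ] && MAPNAME=luks-$UUID
		# Already mapped (e.g. opened by dracut): nothing to do.
		_cipher=$( cryptsetup -v status "$MAPNAME" 2> /dev/null | grep cipher )
		if [ -z "$_cipher" ]; then
			NVINDEX=0
			_conf=$( grep -v "^\s*#" "$LUKS_CONF" 2>/dev/null | grep -- "^$DEVNAME:" )
			if [ -n "$_conf" ]; then
				NVINDEX=$( echo "$_conf" | cut -d: -f2 )
				if [ -n "$NVINDEX" ]; then
					echo "Opening $DEVNAME as /dev/mapper/$MAPNAME using TPM NVRAM at index $NVINDEX..."
					# Only a decimal or 0x-prefixed hex index can be passed on;
					# anything else would reach the TPM tools as garbage.
					case "$NVINDEX" in
						*[!0-9a-fA-FxX]*)
							echo "- Skipped: invalid TPM NVRAM index '$NVINDEX' in $LUKS_CONF"
							ERROR=1
							continue
							;;
					esac
					NVINDEX=$( printf "0x%x" "$NVINDEX" )
					# Query the index once and parse the three fields from the
					# same output instead of issuing three TPM commands.
					_cap=$( getcapability -cap 0x11 -scap "$NVINDEX" )
					NVMATCH=$( echo "$_cap" | awk -F ": " '$1 ~ /Matches/ { print $2 }' )
					NVSIZE=$( echo "$_cap" | awk -F= '$1 ~ /dataSize/ { print $2 }' )
					NVRESULT=$( echo "$_cap" | awk '$1 ~ /Result/ { print $11 }' )

					if [ -z "$NVSIZE" ]; then
						echo "- Skipped: no TPM NVRAM found"
						ERROR=1
						continue
					fi

					# Bug fix: this test used to look at $MATCH1, which is never
					# set, so an index whose PCR binding no longer matched was
					# still handed to nv_readvalue.  Test the value parsed above.
					if [ -n "$NVMATCH" -a "$NVMATCH" != "Yes" ]; then
						echo "- Skipped: TPM NVRAM does not match PCR state"
						ERROR=1
						continue
					fi

					# PASS is not set anywhere in this script; the check is kept
					# so an externally supplied PASS keeps its historical meaning
					# (bypass the "needs a password" refusal).
					if [ -n "$NVRESULT" -a -z "$PASS" ]; then
						AUTHREAD=$(( 0x$NVRESULT & $TPM_NV_PER_AUTHREAD ))
						OWNERREAD=$(( 0x$NVRESULT & $TPM_NV_PER_OWNERREAD ))
						if [ "$AUTHREAD" -ne 0 -o "$OWNERREAD" -ne 0 ]; then
							echo "- Skipped: TPM NVRAM needs a password"
							ERROR=1
							continue
						fi
					fi

					nv_readvalue -ix "$NVINDEX" -sz "$NVSIZE" -of "$KEYFILE" >/dev/null 2>&1
					RC=$?
					if [ $RC -ne 0 ]; then
						echo "- Error: reading TPM NVRAM returns error $RC"
						ERROR=1
						# Do not leave a partially written key file behind
						# while the remaining devices are processed.
						wipe_file
						continue
					fi

					cryptsetup luksOpen "$DEVNAME" "$MAPNAME" --key-file "$KEYFILE" --keyfile-size "$NVSIZE"
					RC=$?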
94 | wipe_file 95 | if [ $RC -ne 0 ]; then 96 | echo "- Error: cryptsetup returns error $RC" 97 | ERROR=1 98 | continue 99 | fi 100 | 101 | echo "- Success" 102 | fi 103 | fi 104 | fi 105 | fi 106 | done 107 | 108 | exit $ERROR 109 | 110 | #lsblk -p -r -o NAME,UUID,FSTYPE | grep crypto_LUKS | while read NAME UUID FSTYPE ; do 111 | # _cipher=$( cryptsetup -v status luks-$UUID 2> /dev/null | grep cipher ) 112 | # [ -z "$_cipher" ] && echo $NAME to open 113 | #done 114 | -------------------------------------------------------------------------------- /xtra/rhel7/TrustedGRUB2.spec: -------------------------------------------------------------------------------- 1 | Name: TrustedGRUB2 2 | Version: 1.2.1 3 | Release: 1%{?dist} 4 | Summary: Trusted boot loader based on grub2 5 | 6 | Group: System Environment/Base 7 | License: GPLv3+ 8 | #URL: 9 | Source0: TrustedGRUB2-%{version}.tar.gz 10 | BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) 11 | 12 | BuildRequires: gc gcc make bison gettext flex python autoconf automake autogen guile 13 | #Requires: cryptsetup dracut gawk coreutils grubby tpm-tools trousers 14 | # for now we require an upstream tpm-tools and trousers, so don't add them 15 | # here so we can avoid --nodeps 16 | Requires: dracut 17 | 18 | %description 19 | TrustedGRUB2 is a boot loader based on grub2 that offers TCG (TPM) support to guaranty 20 | the integrity of the boot process (trusted boot). All boot components are measured and 21 | written into PCR during the boot process. 
22 | 23 | %prep 24 | %setup -q 25 | 26 | %build 27 | ./autogen.sh 28 | %configure --prefix=/usr --libdir=%{_libdir} 29 | make %{?_smp_mflags} CFLAGS= CXXFLAGS= FFLAGS= FCFLAGS= LDFLAGS= CCASFLAGS= 30 | 31 | %install 32 | [ "${RPM_BUILD_ROOT}" != "/" ] && [ -d ${RPM_BUILD_ROOT} ] && rm -rf ${RPM_BUILD_ROOT}; 33 | make install DESTDIR=$RPM_BUILD_ROOT 34 | touch $RPM_BUILD_DIR/$RPM_PACKAGE_NAME-$RPM_PACKAGE_VERSION/debugfiles.list 35 | 36 | %clean 37 | [ "${RPM_BUILD_ROOT}" != "/" ] && [ -d ${RPM_BUILD_ROOT} ] && rm -rf ${RPM_BUILD_ROOT}; 38 | 39 | %files 40 | %defattr(-,root,root,-) 41 | %doc README TODO 42 | %{_bindir}/* 43 | %{_sbindir}/* 44 | %dir %{_datadir}/grub 45 | %{_datadir}/grub/* 46 | %dir %{_libdir}/grub 47 | %dir %{_libdir}/grub/i386-pc 48 | %{_libdir}/grub/i386-pc/* 49 | %dir /etc/grub.d 50 | %config /etc/grub.d/* 51 | %dir /etc/bash_completion.d 52 | /etc/bash_completion.d/grub 53 | 54 | %exclude /usr/lib/debug 55 | %exclude /usr/share/info/dir 56 | 57 | %changelog 58 | -------------------------------------------------------------------------------- /xtra/rhel7/build_tpm-luks.sh: -------------------------------------------------------------------------------- 1 | if [ "$1" == "-d" ]; then 2 | shift 3 | set -x 4 | trap read debug 5 | fi 6 | 7 | action=$1 8 | 9 | mkdir -p src work 10 | 11 | url=https://github.com/momiji/tpm-luks 12 | file=${url##*/}-0.8.tar.gz 13 | dir=${file%.tar.gz} 14 | pkg=$dir-9.el7 15 | spec=tpm-luks.spec 16 | specf=${spec##*/} 17 | 18 | if [ "$action" == "1" -o -z "$action" ]; then 19 | [ -f src/$file ] || ( 20 | [ -d src/$dir ] && rm -rf src/$dir 21 | git clone $url src/$dir 22 | ( 23 | cd src 24 | tar zcf $file --exclude .git* $dir 25 | ) 26 | ) 27 | [ -d work/$dir ] && rm -rf work/$dir/ 28 | ( 29 | cd work 30 | tar zxf ../src/$file 31 | cd $dir 32 | sudo yum install -y automake autoconf libtool openssl openssl-devel 33 | autoreconf -ivf 34 | autoreconf -ivf 35 | ./configure 36 | ) 37 | fi 38 | 39 | if [ "$action" == "2" -o 
"$action" == "3" -o -z "$action" ]; then 40 | cp src/$file ~/rpmbuild/SOURCES/ 41 | cp work/$dir/$spec ~/rpmbuild/SPECS/ 42 | rpmbuild -bs ~/rpmbuild/SPECS/$specf 43 | if [ "$action" == "2" -o -z "$action" ]; then 44 | mock -r rhel --clean 45 | fi 46 | home=$( echo ~makerpm ) 47 | mock -r rhel --resultdir=$home/rpmbuild/RPMS/ ~/rpmbuild/SRPMS/$pkg.src.rpm --no-clean --no-cleanup-after 48 | fi 49 | -------------------------------------------------------------------------------- /xtra/rhel7/build_tpm-tools.sh: -------------------------------------------------------------------------------- 1 | if [ "$1" == "-d" ]; then 2 | shift 3 | set -x 4 | trap read debug 5 | fi 6 | 7 | action=$1 8 | 9 | mkdir -p src work 10 | 11 | url=http://sourceforge.net/projects/trousers/files/tpm-tools/1.3.8/tpm-tools-1.3.8.tar.gz 12 | file=${url##*/} 13 | dir=${file%.tar.gz} 14 | pkg=$dir-7 15 | spec=dist/tpm-tools.spec 16 | specf=${spec##*/} 17 | 18 | ext1=ftp://rpmfind.net/linux/centos/7.1.1503/os/x86_64/Packages/opencryptoki-devel-3.2-4.1.el7.x86_64.rpm 19 | ext1f=${ext1##*/} 20 | dep1=trousers-0.3.13-1.x86_64.rpm 21 | dep2=trousers-devel-0.3.13-1.x86_64.rpm 22 | 23 | if [ "$action" == "1" -o -z "$action" ]; then 24 | [ -f src/$ext1f ] || wget $ext1 -P src 25 | [ -f src/$file ] || wget $url -P src 26 | [ -d work/$dir ] && rm -rf work/$dir/ 27 | ( 28 | cd work 29 | tar zxf ../src/$file 30 | cd $dir 31 | id tss &> /dev/null || sudo useradd -r tss 32 | sudo yum install -y automake autoconf libtool openssl openssl-devel ../../src/$ext1f gtk+ ~/rpmbuild/RPMS/$dep1 ~/rpmbuild/RPMS/$dep2 33 | sudo ln -s /usr/lib64/libtspi.so.1 /usr/lib64/libtspi.so 34 | ./configure 35 | ) 36 | fi 37 | 38 | if [ "$action" == "2" -o "$action" == "3" -o -z "$action" ]; then 39 | cp -f src/$file ~/rpmbuild/SOURCES/ 40 | cp -f work/$dir/$spec ~/rpmbuild/SPECS/ 41 | sed -i 's/libtpm_unseal.so.0/libtpm_unseal.so.?/' ~/rpmbuild/SPECS/$specf 42 | sed -i 's/opencryptoki-devel/opencryptoki/g' ~/rpmbuild/SPECS/$specf 43 | 
sed -ri 's/(define\s+release\s+)1/\17/g' ~/rpmbuild/SPECS/$specf 44 | rpmbuild -bs ~/rpmbuild/SPECS/$specf 45 | if [ "$action" == "2" -o -z "$action" ]; then 46 | mock -r rhel --clean 47 | fi 48 | home=$( echo ~makerpm ) 49 | mock -r rhel --yum-cmd localinstall ~/rpmbuild/RPMS/$dep1 50 | mock -r rhel --yum-cmd localinstall ~/rpmbuild/RPMS/$dep2 51 | mock -r rhel --yum-cmd localinstall src/${ext1##*/} 52 | mock -r rhel --resultdir=$home/rpmbuild/RPMS/ ~/rpmbuild/SRPMS/$pkg.src.rpm --no-clean --no-cleanup-after 53 | fi 54 | -------------------------------------------------------------------------------- /xtra/rhel7/build_trousers.sh: -------------------------------------------------------------------------------- 1 | if [ "$1" == "-d" ]; then 2 | shift 3 | set -x 4 | trap read debug 5 | fi 6 | 7 | action=$1 8 | 9 | mkdir -p src work 10 | 11 | url=http://sourceforge.net/projects/trousers/files/trousers/0.3.13/trousers-0.3.13.tar.gz 12 | file=${url##*/} 13 | dir=${file%.tar.gz} 14 | pkg=$dir-1 15 | spec=dist/fedora/trousers.spec 16 | specf=${spec##*/} 17 | 18 | if [ "$action" == "1" -o -z "$action" ]; then 19 | [ -f src/$file ] || wget $url -P src 20 | [ -d work/$dir ] && rm -rf work/$dir/ 21 | ( 22 | cd work 23 | tar zxf ../src/$file 24 | cd $dir 25 | sudo yum install automake autoconf pkgconfig libtool openssl-devel glibc-devel 26 | export PKG_CONFIG_PATH=/usr/lib64/pkgconfig 27 | sh ./bootstrap.sh 28 | CFLAGS="-L/usr/lib64 -L/opt/gnome/lib64" LDFLAGS="-L/usr/lib64 -L/opt/gnome/lib64" ./configure --libdir="/usr/local/lib64" 29 | ) 30 | fi 31 | 32 | if [ "$action" == "2" -o "$action" == "3" -o -z "$action" ]; then 33 | cp -f src/$file ~/rpmbuild/SOURCES/ 34 | cp -f work/$dir/$spec ~/rpmbuild/SPECS/ 35 | rpmbuild -bs ~/rpmbuild/SPECS/$specf 36 | if [ "$action" == "2" -o -z "$action" ]; then 37 | mock -r rhel --clean 38 | fi 39 | home=$( echo ~makerpm ) 40 | mock -r rhel --resultdir=$home/rpmbuild/RPMS/ ~/rpmbuild/SRPMS/$pkg.src.rpm --no-clean --no-cleanup-after 41 | fi 
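--------------------------------------------------------------------------------
/xtra/rhel7/build_trustedgrub2.sh:
--------------------------------------------------------------------------------
# Fetch, repackage and mock-build TrustedGRUB2 for RHEL 7.
#   (no arg) run every step; 1 = fetch sources; 2 = clean chroot and build;
#   3 = build without cleaning the chroot.  -d enables tracing.
if [ "$1" == "-d" ]; then
	shift
	set -x
	trap read debug
fi

action=$1

mkdir -p src work

url=https://github.com/Sirrix-AG/TrustedGRUB2/archive/1.2.1.tar.gz
file=TrustedGRUB2-1.2.1.tar.gz
dir=${file%.tar.gz}
pkg=$dir-1.el7
spec=dist/TrustedGRUB2.spec
specf=${spec##*/}

# Build-only dependencies that are localinstalled into the mock chroot.
# They are fetched over plain http and the chroot runs with gpgcheck=0, so
# nothing here verifies them; check them against the CentOS 7 signing key
# (rpm --import, then rpm -K) before trusting a build made from them.
ext1=http://mirror.centos.org/centos/7/os/x86_64/Packages/guile-2.0.9-5.el7.x86_64.rpm
ext2=http://mirror.centos.org/centos/7/os/x86_64/Packages/autogen-5.18-5.el7.x86_64.rpm
specu=TrustedGRUB2.spec

if [ "$action" == "1" -o -z "$action" ]; then
	[ -f "src/${ext1##*/}" ] || wget "$ext1" -P src
	[ -f "src/${ext2##*/}" ] || wget "$ext2" -P src
	[ -f "src/$specu" ] || cp "$specu" src
	# The boot loader source is the root of trust for everything tpm-luks
	# later seals to, so TLS certificate verification stays ON for this
	# download (never pass --no-check-certificate here: it lets anyone on the
	# path substitute the tarball).  A failed download must not leave a
	# partial file behind, or the -f test would skip the fetch next time.
	if [ ! -f "src/$file" ]; then
		if ! wget "$url" -O "src/$file"; then
			rm -f "src/$file"
			echo "ERROR: download of $url failed" 1>&2
			exit 1
		fi
	fi
fi

if [ "$action" == "2" -o "$action" == "3" -o -z "$action" ]; then
	[ -d "work/$dir" ] && rm -rf "work/$dir/"
	(
		cd work
		tar zxf "../src/$file"
		cp -f "../src/$specu" "$dir/"
		tar zcf "$file" "$dir/"
	)
	cp -f "work/$file" ~/rpmbuild/SOURCES/
	cp -f "work/$dir/$specf" ~/rpmbuild/SPECS/
	rpmbuild -bs ~/rpmbuild/SPECS/"$specf"
	if [ "$action" == "2" -o -z "$action" ]; then
		mock -r rhel --clean
	fi
	home=$( echo ~makerpm )
	mock -r rhel --yum-cmd localinstall "src/${ext1##*/}"
	mock -r rhel --yum-cmd localinstall "src/${ext2##*/}"
	# TrustedGRUB2's build does not cope with --strict-build-id; drop it from
	# the chroot's rpm macros.
	mock -r rhel --shell "sed -i 's/--strict-build-id//g' /usr/lib/rpm/macros"
	mock -r rhel --resultdir="$home/rpmbuild/RPMS/" ~/rpmbuild/SRPMS/"$pkg.src.rpm" --no-clean --no-cleanup-after
fi
--------------------------------------------------------------------------------
/xtra/rhel7/deploy.sh: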
-------------------------------------------------------------------------------- 1 | function cont { 2 | if [ $FORCE -eq 0 ]; then 3 | echo 4 | echo $1 5 | read -p "== press ENTER to continue or CTRL+C to stop ==" 6 | echo 7 | fi 8 | } 9 | 10 | FORCE=0 11 | [ "$1" == "-f" ] && FORCE=1 12 | 13 | #YUM exclusions 14 | 15 | cont "adding tpm-tools tpm-luks trustedGRUB2 to yum update exclusions" 16 | exclude=$( 17 | ( 18 | echo "tpm-tools tpm-luks TrustedGRUB2" | tr ' ' '\n' 19 | 20 | ) | sort -u | tr '\n' ' ' 21 | cat /etc/yum.conf | grep '^exclude=' | sed -r 's/^exclude=(.*)/\1/' | tr ' ' '\n' | grep -v '^\s*$' 22 | ) 23 | echo exclude=$exclude 24 | 25 | /usr/bin/cp -f /etc/yum.conf /etc/yum.conf.bak 26 | (cat /etc/yum.conf | grep -v '^exclude=' ; echo "exclude=$exclude") > /etc/yum.conf.new 27 | /usr/bin/cp -f /etc/yum.conf.new /etc/yum.conf 28 | /usr/bin/rm -f /etc/yum.conf.new 29 | 30 | #INSTALL AND CONFIGURE TrustedGRUB2 31 | 32 | cont "replacing grub2 with TrustedGRUB2 package..." 33 | yum remove -y grub2 grub2-tools 34 | [ -d /boot/grub2 ] && mv /boot/grub2 /boot/grub2.old 35 | rpm -ivh ./TrustedGRUB2-[0-9]*.x86_64.rpm 36 | 37 | cont "replacing boot loader..." 38 | lsblk 39 | read -a DEVICE -p "disk to install [/dev/sda]" 40 | [ -z "$DEVICE" ] && DEVICE=/dev/sda 41 | 42 | grub-install --no-rs-codes $DEVICE 43 | grub-mkconfig -o /boot/grub/grub.cfg 44 | 45 | cont "building new initramfs..." 46 | dracut --force 47 | 48 | #INSTALL TPM-TOOLS and TPM-LUKS 49 | 50 | cont "creating tss user..." 51 | id tss || useradd -r tss 52 | 53 | cont "installing tpm-tools and tpm-luks packages..." 54 | yum install -y trousers 55 | rpm -ivh ./tpm-tools-[0-9]*.x86_64.rpm 56 | rpm -ivh ./tpm-luks-[0-9]*.x86_64.rpm 57 | 58 | cont "testing tpm...." 59 | tcsd 60 | tpm_nvinfo 61 | tpm_version 62 | RC=$? 
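if [ $RC -ne 0 ]; then
	echo "ERROR: tpm error"
	exit 1
fi

echo
echo "You must now:"
echo "- tpm-luks-ctl init to generate new LUKS keys and save them in the TPM NVRAM"
echo "- tpm-luks-ctl backup to dump the LUKS keys and backup them in a safe place"
echo "- dracut --force to update initramfs"
echo "- reboot to verify it works and have all PCRs computed correctly"
echo "- tpm-luks-ctl seal to seal the TPM NVRAM"
echo "- reboot to verify it restarts automatically"
echo "- tpm-luks-ctl check to be sure"
echo
--------------------------------------------------------------------------------
/xtra/rhel7/install.sh:
--------------------------------------------------------------------------------
# Prepare a RHEL 7 box for building the tpm-luks packages with mock.
# Run once as root (installs EPEL, mock, and creates the makerpm user), then
# again as makerpm (creates the rpmbuild tree and initialises the chroot).
#debug
if [ "$1" == "-d" ]; then
	shift
	set -x
	trap read debug
fi

#################################################################
#root part
#################################################################

if [ $EUID -eq 0 ]; then

	#install epel repository
	yum install -y wget
	epel_rpm=epel-release-latest-7.noarch.rpm
	epel_key=https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
	if [ ! -f "$epel_rpm" ]; then
		wget "https://dl.fedoraproject.org/pub/epel/$epel_rpm"
		# Import the EPEL key and verify the package before installing it:
		# "rpm -U" alone does not reject a package whose signing key is
		# unknown.  NOTE: rpm -K still reports OK for a package that carries
		# no signature at all; it only catches bad or foreign signatures.
		rpm --import "$epel_key"
		if ! rpm -K "$epel_rpm"; then
			echo "ERROR: $epel_rpm failed signature verification" 1>&2
			rm -f "$epel_rpm"
			exit 1
		fi
		rpm -Uvh "$epel_rpm"
	fi

	#install packages
	yum install -y rpm-build mock

	#create rhel mock template
	cp rhel.cfg /etc/mock/

	#create user makerpm
	# The account is a member of wheel (sudo), so it must not get a fixed,
	# published password: generate one per install and print it exactly once.
	if id makerpm &> /dev/null; then
		echo "makerpm user already exists, password left unchanged"
	else
		useradd -G mock,wheel makerpm
		makerpm_pw=$( tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 )
		echo "$makerpm_pw" | passwd makerpm --stdin
		echo "password for makerpm user is: $makerpm_pw"
	fi

	exit

fi

#################################################################
#non-root part
#################################################################

#create folder
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

#init mock
mock -r rhel --init
mock -r rhel --shell "cat /etc/system-release" -q
--------------------------------------------------------------------------------
/xtra/rhel7/rhel.cfg:
--------------------------------------------------------------------------------
# mock chroot definition used by the build_*.sh scripts (mock -r rhel).
config_opts['root'] = 'rhel-7-x86_64'
config_opts['target_arch'] = 'x86_64'
config_opts['legal_host_arches'] = ('x86_64',)
config_opts['chroot_setup_cmd'] = 'install @core @development'
config_opts['dist'] = 'el7' # only useful for --resultdir variable subst
config_opts['releasever'] = '7'

config_opts['yum.conf'] = """
[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
reposdir=/dev/null
logfile=/var/log/yum.log
retries=20
obsoletes=1
gpgcheck=0
assumeyes=1
syslog_ident=mock
syslog_device=

# repos
# [rhel] is the mounted install media.  Signature checking is left off here;
# NOTE(review): if the media ships RPM-GPG-KEY-redhat-release at its root,
# add gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-redhat-release and set gpgcheck=1.
[rhel]
name=rhel
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=0

# EPEL comes from the network: use TLS to reach the mirror redirector and
# verify every package against the EPEL 7 key, so a compromised mirror or an
# on-path attacker cannot feed unsigned packages into the build chroot.
[epel]
name=epel
baseurl=https://download.fedoraproject.org/pub/epel/7/$basearch
enabled=1
gpgcheck=1
gpgkey=https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7

"""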
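/yum/post-transaction-actions.conf:
--------------------------------------------------------------------------------
[main]
enabled = 1
actiondir = /etc/yum/post-actions/
--------------------------------------------------------------------------------
/yum/post-transaction-actions.py:
--------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

# Copyright 2008 Red Hat, Inc
# written by Seth Vidal

"""
This plugin runs actions following the transaction based on the content of
the transaction.

Rules are read from ``*.action`` files in ``actiondir`` (default
/etc/yum/post-actions/), one ``key:state:command`` per line.  Every matched
command is handed to the shell as root, so the action directory must be
writable by root only, and the ``$name``/``$ver``/... substitutions are
shell-quoted before the command runs so that package metadata cannot inject
extra shell syntax into it.
"""

import fnmatch
import glob
import os
import re
import shlex

try:
    from shlex import quote as _shell_quote      # Python 3.3+
except ImportError:
    from pipes import quote as _shell_quote      # Python 2 (yum on RHEL 7)

try:
    _string_types = basestring                   # Python 2
except NameError:
    _string_types = str

from yum.plugins import TYPE_CORE
from yum.constants import *
import yum.misc
from yum.parser import varReplace
from yum.packages import parsePackages

requires_api_version = '2.4'
plugin_type = (TYPE_CORE,)

# pkgtup -> package object.  NOTE(review): nothing in this file populates it;
# it is consulted by _get_installed_po and kept for compatibility.
_just_installed = {}

# Transaction output state -> the $state text exposed to action commands.
_STATE_NAMES = {TS_INSTALL: 'install',
                TS_TRUEINSTALL: 'install',
                TS_OBSOLETING: 'obsoleting',
                TS_UPDATE: 'updating',
                TS_ERASE: 'remove',
                TS_OBSOLETED: 'obsoleted',
                TS_UPDATED: 'updated'}


def parse_actions(ddir, conduit):
    """Read every ``*.action`` file in *ddir* and return its rules.

    Returns a list of ``(action_key, action_state, shell_command)`` tuples.
    A line is ``key:state:command``; only the first two colons are treated
    as separators, so the command itself may contain colons (URLs, ``a:b``
    arguments).  Blank lines and ``#`` comments are skipped; a malformed
    line is reported through *conduit* and ignored.  An unreadable *ddir*
    yields an empty list.
    """
    action_tuples = []
    if not os.access(ddir, os.R_OK):
        return action_tuples

    # os.path.join tolerates an actiondir given without a trailing slash.
    for path in glob.glob(os.path.join(ddir, "*.action")):
        with open(path) as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                parts = line.split(':', 2)
                if len(parts) != 3:
                    conduit.error(2, 'Bad Action Line: %s' % line)
                    continue
                action_tuples.append(tuple(parts))

    return action_tuples


def _get_installed_po(rpmdb, pkgtup):
    """Return the package object for *pkgtup*.

    Prefers the entry cached in ``_just_installed``; otherwise returns the
    first rpmdb match.  Raises IndexError when the package is in neither.
    """
    (n, a, e, v, r) = pkgtup
    if pkgtup in _just_installed:
        return _just_installed[pkgtup]
    return rpmdb.searchNevra(name=n, arch=a, epoch=e, ver=v, rel=r)[0]


def _convert_vars(txmbr, command):
    """Substitute $name, $arch, $ver, $rel, $epoch, $state and $repoid in
    *command* with the values taken from *txmbr* and return the result.

    Each substituted value is shell-quoted first: the command is later run
    through the shell (``os.system``), and package metadata is not a trusted
    source of shell syntax.  ``quote`` leaves plain tokens such as
    ``kernel`` or ``3.10.0-1160.el7`` untouched, so ordinary rules produce
    exactly the same command as before; only values carrying whitespace or
    metacharacters gain quotes.
    """
    try:
        state = _STATE_NAMES[txmbr.output_state]
    except KeyError:
        state = 'unknown - %s' % txmbr.output_state

    vardict = {'name': txmbr.name,
               'arch': txmbr.arch,
               'ver': txmbr.version,
               'rel': txmbr.release,
               'epoch': txmbr.epoch,
               'repoid': txmbr.repoid,
               'state': state}

    safe = dict((k, _shell_quote(v) if isinstance(v, _string_types) else v)
                for k, v in vardict.items())
    return varReplace(command, safe)


def posttrans_hook(conduit):
    """Run every action whose key and state match a member of the finished
    transaction.

    A key starting with ``/`` is a file path (globs allowed) matched against
    the file lists of installed/updated members only -- erased packages
    carry no file lists.  A key without ``/`` is a package spec.  Any other
    key is silently ignored.  Matched commands are de-duplicated and run
    through the shell; a non-zero exit status is reported but does not stop
    the remaining commands.
    """
    # we have provides/requires for everything
    # we do not have filelists for erasures
    # we have to fetch filelists for the package object for installs/updates
    action_dir = conduit.confString('main', 'actiondir', '/etc/yum/post-actions/')
    action_tuples = parse_actions(action_dir, conduit)
    commands_to_run = {}
    ts = conduit.getTsInfo()
    rpmdb = conduit.getRpmDB()
    members = ts.getMembers()
    removes = ts.getMembersWithState(output_states=TS_REMOVE_STATES)
    installs = ts.getMembersWithState(output_states=TS_INSTALL_STATES)
    updates = ts.getMembersWithState(output_states=[TS_UPDATE, TS_OBSOLETING])
    pkgsets = {'update': updates,
               'install': installs,
               'remove': removes,
               'any': members}

    for (a_k, a_s, a_c) in action_tuples:
        if a_s not in pkgsets:
            # no idea what this is skip it
            conduit.error(2, 'whaa? %s' % a_s)
            continue
        pkgset = pkgsets[a_s]

        if a_k.startswith('/'):
            is_glob = yum.misc.re_glob(a_k)
            c_string = re.compile(fnmatch.translate(a_k)) if is_glob else None

            for txmbr in pkgset:
                if txmbr.po.state not in TS_INSTALL_STATES:
                    continue
                thispo = _get_installed_po(rpmdb, txmbr.pkgtup)
                names = thispo.filelist + thispo.dirlist + thispo.ghostlist
                if is_glob:
                    matched = any(c_string.match(name) for name in names)
                else:
                    matched = a_k in names
                if matched:
                    commands_to_run[_convert_vars(txmbr, a_c)] = 1
                    # one match is enough to schedule the command once
                    break
            continue

        if a_k.find('/') == -1:  # pkgspec
            pkgs = [txmbr.po for txmbr in pkgset]
            e, m, u = parsePackages(pkgs, [a_k])
            if not u:
                for pkg in e + m:
                    for txmbr in ts.getMembers(pkgtup=pkg.pkgtup):
                        commands_to_run[_convert_vars(txmbr, a_c)] = 1
            continue

    for comm in commands_to_run:
        # Parse check only: the command is still executed by the shell, as
        # the .action file format promises "any shell command".
        try:
            shlex.split(comm)
        except ValueError:
            conduit.error(2, "command was not parseable: %s" % comm)
            continue
        conduit.info(2, 'Running post transaction command: %s' % comm)
        rc = os.system(comm)
        if rc != 0:
            conduit.error(2, 'post transaction command failed (status %d): %s' % (rc, comm))
--------------------------------------------------------------------------------
/yum/tpm-luks.action.in:
--------------------------------------------------------------------------------
#action_key:transaction_state:command
# action_key can be: pkgglob, /path/to/file (wildcards allowed)
# transaction_state can be: install,update,remove,any
# command can be: any shell command
# the following variables are allowed to be passed to any command:
# $name - package name
# $arch - package arch
# $ver - package version
# $rel - package release
# $epoch - package epoch
# $repoid - package repository id
# $state - text string of state of the package in the transaction set
#
# file matches cannot be used with removes b/c we don't have the info available

kernel:any:@sbindir@/tpm-luks-update
#
# since we're not using the distro's grub package, this will never
# update, but it is part of the root of trust
#
#/boot/grub/stage2:any:@sbindir@/tpm-luks-update
--------------------------------------------------------------------------------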