scottk/secureblue
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/secureblue.git synced 2025-10-31 18:37:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
261936654fd8266ea813674b37d6bfb6bb96b9c8
secureblue/files/system/usr/libexec/luks-enable-tpm2-autounlock
RoyalOughtness 261936654f chore: copy config from upstream and remove dep (#593)
2024-11-21 17:23:06 -08:00

123 lines
4.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright 2024 Universal Blue
#
# This file includes code that is licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.
## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
set -eou pipefail
[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
echo "If you have an AMD CPU, you likely shouldn't use this!"
echo "----------------------------------------------------------------------------"
echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
echo "You can review systemd-cryptenroll's manpage for more information."
echo "This script will modify your system."
echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
fi
## Inspect Kernel Cmdline for rd.luks.uuid
RD_LUKS_UUID="$(xargs -n1 -a /proc/cmdline | grep rd.luks.uuid | cut -d = -f 2)"
# Check to make sure cmdline rd.luks.uuid exists
if [[ -z ${RD_LUKS_UUID:-} ]]; then
printf "LUKS device not defined on Kernel Commandline.\n"
printf "This is not supported by this script.\n"
printf "Exiting...\n"
exit 1
fi
# Check to make sure that the specified cmdline uuid exists.
if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
# Cut off the luks-
LUKS_PREFIX="luks-"
if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
else
echo "LUKS UUID format mismatch."
echo "Exiting..."
exit 1
fi
SET_PIN_ARG=""
read -p "Would you like to set a PIN? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
SET_PIN_ARG=" --tpm2-with-pin=yes "
fi
# Specify Crypt Disk by-uuid
CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
# Check to make sure crypt disk exists
if [[ ! -L "$CRYPT_DISK" ]]; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
KEYSLOT=$(cryptsetup luksDump "$CRYPT_DISK"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
echo "TPM2 already present in LUKS keyslot $KEYSLOT of $CRYPT_DISK."
read -p "Wipe it and re-enroll? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
else
echo
echo "Either clear the existing TPM2 keyslot before retrying, else choose 'y' next time."
echo "Exiting..."
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
fi
fi
## Run crypt enroll
echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 $SET_PIN_ARG "$CRYPT_DISK"
if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
## add tpm2-tss to initramfs
if rpm-ostree initramfs | grep tpm2 > /dev/null; then
echo "TPM2 already present in rpm-ostree initramfs config."
rpm-ostree initramfs
echo "Re-running initramfs to pickup changes above."
fi
rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss
else
## initramfs already containts tpm2-tss
echo "TPM2 already present in initramfs."
fi
## Now reboot
echo
echo "TPM2 LUKS auto-unlock configured. Reboot now."
# References:
# https://www.reddit.com/r/Fedora/comments/uo4ufq/any_way_to_get_systemdcryptenroll_working_on/
# https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
Reference in New Issue View Git Blame Copy Permalink