Blame SOURCES/tpm2-luks-import.sh

75c452
#! /bin/bash -e
75c452
#
75c452
# SPDX-License-Identifier: LGPL-2.1-or-later
75c452
#
75c452
# This script goes through all 'tpm2-import' tokens and converts them
75c452
# to 'systemd-tpm2' ones.
75c452
#
75c452
75c452
getval () {
75c452
    grep ^\"$2\" $1 | cut -f 2 -d ':' | sed 's/\"//g'
75c452
}
75c452
75c452
if [[ ! -b "$1" ]]; then
75c452
    echo "Device $1 does not exist!" 1>&2
75c452
    exit 1
75c452
fi
75c452
75c452
/usr/sbin/cryptsetup luksDump "$1" | sed -n '/^Tokens:/,/^Digests:/p' | grep ' tpm2-import' | cut -d ':' -f 1 | while read tokenid; do
75c452
    echo "Importing token $tokenid from $1"
75c452
    token=`mktemp`
75c452
    /usr/sbin/cryptsetup token export --token-id "$tokenid" "$1" | sed -e 's/[{}]/''/g' -e 's/\[//g' -e 's/\]//g' -e 's/,\"/\n"/g' > "$token"
75c452
    tempdir=`mktemp -d`
75c452
    pushd "$tempdir" > /dev/null
75c452
    # Save token data to inidividual files to process them with tpm2-tools
75c452
    getval "$token" "parent_pub" | base64 -d > parent.pub
75c452
    getval "$token" "parent_prv" | base64 -d > parent.prv
75c452
    getval "$token" "parent_seed" | base64 -d > parent.seed
75c452
    getval "$token" "seal_pub" | base64 -d > seal.pub
75c452
    getval "$token" "seal_prv" | base64 -d > seal.prv
75c452
    getval "$token" "pcrpolicy_dat" | base64 -d > pcrpolicy.dat
75c452
    if [ ! -z `getval "$token" "unique_dat"` ]; then
75c452
        getval "$token" "unique_dat" | base64 -d > unique.dat
75c452
    fi
75c452
    echo "Unsealing volume key"
75c452
    # Import sealed object
75c452
    tpm2_flushcontext -t
75c452
    if [ ! -f "unique.dat" ]; then
75c452
        tpm2_createprimary -Q -C o -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -g sha256 -G rsa -c primary.ctx
75c452
    else
75c452
        tpm2_createprimary -Q -C o -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -g sha256 -G rsa -u unique.dat -c primary.ctx
75c452
    fi
75c452
    tpm2_flushcontext -t
75c452
    tpm2_import -Q -C primary.ctx -u parent.pub -i parent.prv -r parent_imported.prv -s parent.seed
75c452
    tpm2_flushcontext -t
75c452
    tpm2_load -Q -C primary.ctx -u parent.pub -r parent_imported.prv -c parent.ctx
75c452
    tpm2_flushcontext -t
75c452
    tpm2_load -Q -C parent.ctx -u seal.pub -r seal.prv -c seal.ctx
75c452
    tpm2_flushcontext -t
75c452
    tpm2_unseal -Q -c seal.ctx -p pcr:`getval "$token" tpm2-pcr-bank`:`getval "$token" tpm2-pcrs` > volume_key
75c452
    tpm2_flushcontext -t
75c452
    echo "Sealing new volume key"
75c452
    # Create a new sealed object under primary ECC key
75c452
    tpm2_createprimary -Q -C o -g sha256 -G ecc:null:aes128cfb -c primary_ecc.ctx
75c452
    tpm2_flushcontext -t
75c452
    tpm2_create -Q -u seal_local.pub -r seal_local.prv -C primary_ecc.ctx -L pcrpolicy.dat -i volume_key
75c452
    # Create a new systemd-tpm2 compatible token
75c452
    echo "Adding new LUKS token to $1"
75c452
    echo '{"type":"systemd-tpm2","keyslots":["'`getval "$token" keyslots`'"],
75c452
           "tpm2-blob":"'`cat seal_local.prv seal_local.pub | base64 -w0`'",
75c452
	   "tpm2-pcrs":['`getval "$token" tpm2-pcrs`'],
75c452
           "tpm2-pcr-bank":"'`getval "$token" tpm2-pcr-bank`'",
75c452
	   "tpm2-primary-alg":"ecc",
75c452
	   "tpm2-policy-hash":"'`hexdump -ve '1/1 "%.2x"' pcrpolicy.dat`'",
75c452
	   "tpm2-pin": false,
75c452
	   "kversion": "'`uname -r`'"}' | /usr/sbin/cryptsetup token import "$1"
75c452
    # Remove tpm2-import token now
75c452
    echo "Removing now-unneeded token $tokenid from $1"
75c452
    /usr/sbin/cryptsetup token remove --token-id "$tokenid" "$1"
75c452
    echo "Importing token $tokenid from $1 finished successfully"
75c452
    popd > /dev/null
75c452
    # Cleanup
75c452
    rm -rf "$tempdir"
75c452
    rm -f "$token"
75c452
done