#! /bin/bash -e
#
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This script goes through all 'tpm2-import' tokens and converts them
# to 'systemd-tpm2' ones.
#
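#######################################
# Extract one field from a flattened token file (one "key":value line per
# field, as produced by the main loop's 'cryptsetup token export | sed').
# Arguments: $1 - path of the flattened token file
#            $2 - field name; used as the start of a grep basic regex, so it
#                 should be a plain identifier such as parent_pub or tpm2-pcrs
# Outputs:   the field's value on stdout with all double quotes stripped;
#            text after the value's first ':' is dropped (cut -f 2), and the
#            output is empty when the field is absent
# Returns:   the status of the final sed (0) unless 'pipefail' is in effect,
#            in which case an absent field makes grep's 1 the status
#######################################
getval() {
  local file=$1 key=$2
  # Quote both expansions: a token path containing spaces or glob characters
  # must not be word-split, and the key must reach grep as one pattern.
  grep -e "^\"${key}\"" -- "$file" | cut -f 2 -d ':' | sed 's/"//g'
}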
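# Re-assert -e here because a shebang flag is lost when the script is run as
# 'bash script.sh'; pipefail additionally makes a getval lookup that finds no
# such field (grep exits 1) abort the run instead of feeding an empty value
# into the tpm2 steps below.
set -e
set -o pipefail

if [[ $# -ne 1 ]]; then
  printf 'Usage: %s <luks-device>\n' "${0##*/}" >&2
  exit 1
fi
if [[ ! -b "$1" ]]; then
  printf 'Device %s does not exist!\n' "$1" >&2
  exit 1
fi
readonly device=$1

# Per-token scratch state.  Both are removed by cleanup() on every exit path,
# so that the files holding unsealed key material (volume_key, *.prv) do not
# outlive the script when a tpm2_* or cryptsetup command fails half way.
token=
tempdir=

cleanup() {
  if [[ -n "$tempdir" ]]; then
    rm -rf -- "$tempdir"
  fi
  if [[ -n "$token" ]]; then
    rm -f -- "$token"
  fi
}
trap cleanup EXIT

# luksDump lists tokens as "<id>: <type>" lines between the "Tokens:" and
# "Digests:" headings.  The dump is taken once, before the header is touched,
# so the list of ids to convert is fixed up front; the loop itself runs in the
# main shell (process substitution, not a pipe) so set -e and the EXIT trap
# apply to its body.  'read' with the default IFS strips the leading blanks
# that cut leaves in front of the id.
while read -r tokenid; do
  echo "Importing token $tokenid from $device"

  token=$(mktemp)
  # Flatten the token JSON into one "key":value line per field so that
  # getval can pick fields out with grep/cut: drop braces and brackets, then
  # break the line at every ',"' separator.
  /usr/sbin/cryptsetup token export --token-id "$tokenid" "$device" \
    | sed -e 's/[{}]//g' -e 's/\[//g' -e 's/\]//g' -e 's/,"/\n"/g' > "$token"

  tempdir=$(mktemp -d)
  pushd "$tempdir" > /dev/null

  # Save token data to individual files to process them with tpm2-tools
  getval "$token" parent_pub | base64 -d > parent.pub
  getval "$token" parent_prv | base64 -d > parent.prv
  getval "$token" parent_seed | base64 -d > parent.seed
  getval "$token" seal_pub | base64 -d > seal.pub
  getval "$token" seal_prv | base64 -d > seal.prv
  getval "$token" pcrpolicy_dat | base64 -d > pcrpolicy.dat

  # unique_dat is optional.  When the old token carries it, it is handed to
  # tpm2_createprimary as the unique data (-u), presumably to recreate the
  # same primary the object was sealed under.
  primary_args=()
  if [[ -n "$(getval "$token" unique_dat)" ]]; then
    getval "$token" unique_dat | base64 -d > unique.dat
    primary_args+=(-u unique.dat)
  fi

  echo "Unsealing volume key"
  # Import sealed object
  tpm2_flushcontext -t
  tpm2_createprimary -Q -C o \
    -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' \
    -g sha256 -G rsa "${primary_args[@]}" -c primary.ctx
  tpm2_flushcontext -t
  tpm2_import -Q -C primary.ctx -u parent.pub -i parent.prv -r parent_imported.prv -s parent.seed
  tpm2_flushcontext -t
  tpm2_load -Q -C primary.ctx -u parent.pub -r parent_imported.prv -c parent.ctx
  tpm2_flushcontext -t
  tpm2_load -Q -C parent.ctx -u seal.pub -r seal.prv -c seal.ctx
  tpm2_flushcontext -t

  pcr_bank=$(getval "$token" tpm2-pcr-bank)
  pcrs=$(getval "$token" tpm2-pcrs)
  # The unsealed key lands in plain text inside the private mktemp directory;
  # it is removed at the end of the iteration, or by cleanup() on abort.
  tpm2_unseal -Q -c seal.ctx -p "pcr:${pcr_bank}:${pcrs}" > volume_key
  tpm2_flushcontext -t

  echo "Sealing new volume key"
  # Create a new sealed object under primary ECC key
  tpm2_createprimary -Q -C o -g sha256 -G ecc:null:aes128cfb -c primary_ecc.ctx
  tpm2_flushcontext -t
  tpm2_create -Q -u seal_local.pub -r seal_local.prv -C primary_ecc.ctx -L pcrpolicy.dat -i volume_key

  # Create a new systemd-tpm2 compatible token
  echo "Adding new LUKS token to $device"
  keyslots=$(getval "$token" keyslots)
  blob=$(cat seal_local.prv seal_local.pub | base64 -w0)
  policy_hash=$(hexdump -ve '1/1 "%.2x"' pcrpolicy.dat)
  kversion=$(uname -r)
  # keyslots, pcrs and pcr_bank are copied verbatim from the old token (no
  # escaping), exactly as the previous version did; a malformed source token
  # therefore yields malformed JSON, which cryptsetup is expected to reject
  # rather than import.  The old token is only removed after this import
  # has succeeded (set -e).
  /usr/sbin/cryptsetup token import "$device" <<EOF
{"type":"systemd-tpm2","keyslots":["${keyslots}"],
"tpm2-blob":"${blob}",
"tpm2-pcrs":[${pcrs}],
"tpm2-pcr-bank":"${pcr_bank}",
"tpm2-primary-alg":"ecc",
"tpm2-policy-hash":"${policy_hash}",
"tpm2-pin": false,
"kversion": "${kversion}"}
EOF

  # Remove tpm2-import token now
  echo "Removing now-unneeded token $tokenid from $device"
  /usr/sbin/cryptsetup token remove --token-id "$tokenid" "$device"
  echo "Importing token $tokenid from $device finished successfully"

  popd > /dev/null

  # Cleanup; clear the variables so cleanup() does not try again on exit.
  rm -rf -- "$tempdir"
  rm -f -- "$token"
  tempdir=
  token=
done < <(/usr/sbin/cryptsetup luksDump "$device" \
  | sed -n '/^Tokens:/,/^Digests:/p' \
  | grep ' tpm2-import' \
  | cut -d ':' -f 1)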