#! /bin/bash -e
#
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This script goes through all 'tpm2-import' tokens and converts them
# to 'systemd-tpm2' ones.
#
getval () {
grep ^\"$2\" $1 | cut -f 2 -d ':' | sed 's/\"//g'
}
if [[ ! -b "$1" ]]; then
echo "Device $1 does not exist!" 1>&2
exit 1
fi
/usr/sbin/cryptsetup luksDump "$1" | sed -n '/^Tokens:/,/^Digests:/p' | grep ' tpm2-import' | cut -d ':' -f 1 | while read tokenid; do
echo "Importing token $tokenid from $1"
token=`mktemp`
/usr/sbin/cryptsetup token export --token-id "$tokenid" "$1" | sed -e 's/[{}]/''/g' -e 's/\[//g' -e 's/\]//g' -e 's/,\"/\n"/g' > "$token"
tempdir=`mktemp -d`
pushd "$tempdir" > /dev/null
# Save token data to inidividual files to process them with tpm2-tools
getval "$token" "parent_pub" | base64 -d > parent.pub
getval "$token" "parent_prv" | base64 -d > parent.prv
getval "$token" "parent_seed" | base64 -d > parent.seed
getval "$token" "seal_pub" | base64 -d > seal.pub
getval "$token" "seal_prv" | base64 -d > seal.prv
getval "$token" "pcrpolicy_dat" | base64 -d > pcrpolicy.dat
if [ ! -z `getval "$token" "unique_dat"` ]; then
getval "$token" "unique_dat" | base64 -d > unique.dat
fi
echo "Unsealing volume key"
# Import sealed object
tpm2_flushcontext -t
if [ ! -f "unique.dat" ]; then
tpm2_createprimary -Q -C o -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -g sha256 -G rsa -c primary.ctx
else
tpm2_createprimary -Q -C o -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -g sha256 -G rsa -u unique.dat -c primary.ctx
fi
tpm2_flushcontext -t
tpm2_import -Q -C primary.ctx -u parent.pub -i parent.prv -r parent_imported.prv -s parent.seed
tpm2_flushcontext -t
tpm2_load -Q -C primary.ctx -u parent.pub -r parent_imported.prv -c parent.ctx
tpm2_flushcontext -t
tpm2_load -Q -C parent.ctx -u seal.pub -r seal.prv -c seal.ctx
tpm2_flushcontext -t
tpm2_unseal -Q -c seal.ctx -p pcr:`getval "$token" tpm2-pcr-bank`:`getval "$token" tpm2-pcrs` > volume_key
tpm2_flushcontext -t
echo "Sealing new volume key"
# Create a new sealed object under primary ECC key
tpm2_createprimary -Q -C o -g sha256 -G ecc:null:aes128cfb -c primary_ecc.ctx
tpm2_flushcontext -t
tpm2_create -Q -u seal_local.pub -r seal_local.prv -C primary_ecc.ctx -L pcrpolicy.dat -i volume_key
# Create a new systemd-tpm2 compatible token
echo "Adding new LUKS token to $1"
echo '{"type":"systemd-tpm2","keyslots":["'`getval "$token" keyslots`'"],
"tpm2-blob":"'`cat seal_local.prv seal_local.pub | base64 -w0`'",
"tpm2-pcrs":['`getval "$token" tpm2-pcrs`'],
"tpm2-pcr-bank":"'`getval "$token" tpm2-pcr-bank`'",
"tpm2-primary-alg":"ecc",
"tpm2-policy-hash":"'`hexdump -ve '1/1 "%.2x"' pcrpolicy.dat`'",
"tpm2-pin": false,
"kversion": "'`uname -r`'"}' | /usr/sbin/cryptsetup token import "$1"
# Remove tpm2-import token now
echo "Removing now-unneeded token $tokenid from $1"
/usr/sbin/cryptsetup token remove --token-id "$tokenid" "$1"
echo "Importing token $tokenid from $1 finished successfully"
popd > /dev/null
# Cleanup
rm -rf "$tempdir"
rm -f "$token"
done