initrd/bin/kexec-unseal-key: make TPM Disk Unlock Key actually retry (pipefail prevented retries) + cleanup.

tlaurion · tlaurion · commit df27306dcaa0 · 2024-01-18T14:32:45.000-05:00
Apply workaround stating that capslock might be on, TPM might be in locked state: poweroff/poweron to retry cleanly.
Output pcrs only in debug mode, otherwise disclosing unauthenticated final PCRs values to possible attacker. Should be available from authenticated Recovery console and from Debug only.
Unify LUKS/TPM Disk Unlock Key output to end user for clarity

Signed-off-by: Thierry Laurion &lt;insurgo@riseup.net&gt;
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
@@ -111,18 +111,18 @@ for dev in $(cat "$KEY_DEVICES" | cut -d\  -f1); do
 
 # Remove all the old keys from slot 1
 for dev in $(cat "$KEY_DEVICES" | cut -d\  -f1); do
-	echo "++++++ $dev: Removing old key slot 1"
+	echo "++++++ $dev: Removing old TPM Disk Unlock Key in LUKS slot 1"
 	cryptsetup luksKillSlot \
 		--key-file "$RECOVERY_KEY" \
 		$dev 1 ||
-		warn "$dev: removal of key in slot 1 failed: might not exist. Continuing"
+		warn "$dev: removal of TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing"
 
-	echo "++++++ $dev: Adding key to slot 1"
+	echo "++++++ $dev: Adding TPM DISK Unlock Key to LUKS slot 1"
 	cryptsetup luksAddKey \
 		--key-file "$RECOVERY_KEY" \
 		--key-slot 1 \
 		$dev "$KEY_FILE" ||
-		die "$dev: Unable to add key to slot 1"
+		die "$dev: Unable to add TPM Disk Unlock Key to LUKS slot 1"
 done
 
 # Now that we have setup the new keys, measure the PCRs
diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
@@ -25,23 +25,25 @@ DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
 DEBUG "Show PCRs"
 DEBUG "$(pcrs)"
 
+failed=0
 for tries in 1 2 3; do
-	read -s -p "Enter LUKS Disk Unlock Key passphrase (blank to abort): " tpm_password
+	read -s -p "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort): " tpm_password
 	echo
 	if [ -z "$tpm_password" ]; then
 		die "Aborting unseal disk encryption key"
 	fi
 
 	DO_WITH_DEBUG --mask-position 6 \
 		tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
-		"$key_file" "$tpm_password"
+		"$key_file" "$tpm_password" || failed=1
 
-	if [ "$?" -eq 0 ]; then
+	if [ "$failed" -eq 0 ]; then
 		exit 0
 	fi
 
-	pcrs
-	warn "Unable to unseal disk encryption key"
+	DEBUG pcrs # Show PCRs final state only in debug mode. TCPA/TPM Event log should only be visible in debug mode/from authenticated Recovery console
+	warn "Unable to unseal TPM Disk Unlock Key with provided passphrase. retry count: $tries/3."
+	warn "Caps Lock mode on? (All letters typed might have been uppercased)"
 done
 
-die "Retry count exceeded..."
+die "Retry count exceeded: TPM might be in a locked state until machine is cold rebooted (Power off, wait 30 seconds, power on)"
