#!/bin/sh
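# Print the value of a `key=` style argument from the kernel command line.
#   $1 - argument name including the trailing '=', e.g. rd.swap_tpm2_handle=
#   $2 - (optional) file to read instead of /proc/cmdline
# Output: the value (everything after the first '=' up to the next
# whitespace) on stdout; empty output when the argument is absent.  If the
# argument appears more than once, every value is printed, one per line.
# Values that themselves contain '=' are kept intact (cut -f2-), which the
# original `-f2` silently truncated.  Note that $1 is interpreted as an
# extended regular expression, so '.' in the name matches any character.
getarg() {
  grep -Eo -- "$1(\\S+)" "${2:-/proc/cmdline}" | cut -d= -f2-
}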
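set -eu

part="$(getarg rd.swap_tpm2_partition=)"
handle="$(getarg rd.swap_tpm2_handle=)"
auth="$(getarg rd.swap_tpm2_auth=)"

# Bail out before touching anything if a parameter is missing: an empty
# $handle or $part would otherwise only be noticed after the swap mapping
# has been torn down and the old key evicted from the TPM.
: "${part:?rd.swap_tpm2_partition= not found on the kernel command line}"
: "${handle:?rd.swap_tpm2_handle= not found on the kernel command line}"
: "${auth:?rd.swap_tpm2_auth= not found on the kernel command line}"

# All key material and TPM blobs go into a private, unpredictable directory
# that is removed on every exit path, so the plaintext swap key does not
# linger in /tmp after the run.  Plain rm (not shred) assumes the initramfs
# /tmp is a RAM-backed tmpfs — confirm for the target image.
umask 077
work="$(mktemp -d /tmp/swapkey.XXXXXX)"
trap 'rm -rf -- "${work:?}"' EXIT
key="$work/newswapkey"

# Generate the new 256-bit key.  dd may return a short block from
# /dev/random, so verify the length instead of formatting with a
# truncated (or empty) key.
dd if=/dev/random of="$key" bs=32 count=1
if [ "$(wc -c < "$key")" -ne 32 ]; then
  printf 'tpm2-rotate-swapkey: short read from /dev/random\n' >&2
  exit 1
fi

# Build and load the new sealed object BEFORE evicting the old one, so a
# TPM failure here leaves the currently persisted key and the existing
# LUKS volume untouched.  The PCR policy is computed from the PCR values
# the TPM holds right now, i.e. the key binds to the current boot state.
tpm2_createpolicy --policy-pcr -l "${auth##pcr:}" -L "$work/policy.digest"
# sha1 is only the name algorithm of the transient parent; the sealed
# object itself uses sha256.  Consider sha256 here too for consistency.
tpm2_createprimary -C e -g sha1 -G rsa -c "$work/primary.context"
# userwithauth is deliberately absent from the attribute list, so the data
# can only be unsealed by satisfying the PCR policy, not with a password.
tpm2_create -g sha256 \
  -u "$work/obj.pub" -r "$work/obj.priv" \
  -C "$work/primary.context" \
  -L "$work/policy.digest" \
  -a "noda|adminwithpolicy|fixedparent|fixedtpm" \
  -i "$key"
tpm2_load -C "$work/primary.context" \
  -u "$work/obj.pub" -r "$work/obj.priv" \
  -c "$work/load.context"

# Take the swap device down so the underlying partition can be reformatted.
# swapoff fails when the mapping exists but is not active; that is harmless,
# and a real "device busy" condition is still caught by cryptsetup close.
if [ -e /dev/mapper/swap ]; then
  swapoff /dev/mapper/swap || true
  cryptsetup close /dev/mapper/swap
fi

# Replace the persisted object at $handle: the old one has to be evicted
# before the new one can be persisted under the same handle.
tpm2_evictcontrol -C o -c "$handle"
tpm2_evictcontrol -C o -c "$work/load.context" "$handle"

# Reformat the LUKS2 swap volume with the new key.  --batch-mode skips the
# interactive "are you sure" confirmation, which would abort the run when
# the script has no terminal attached.
cryptsetup luksFormat --type luks2 --batch-mode "$part" "$key"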