Initial Commit

GenStub

@@ -0,0 +1,9 @@
+##/proc/cmdline
+
+
+objcopy \
+    --add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
+    --add-section .cmdline="/boot/cmdline" --change-section-vma .cmdline=0x30000 \
+    --add-section .linux="/boot/vmlinuz-linux" --change-section-vma .linux=0x40000 \
+    --add-section .initrd="/boot/initramfs-linux.img" --change-section-vma .initrd=0x3000000 \
+    "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/EFI/Linux/Linux.efi"

GenTPMPolicy

@@ -0,0 +1,8 @@
+##/proc/cmdline
+
+tpm2_createpolicy --policy-pcr -l sha1:0,7 -L policy.digest
+tpm2_createprimary -C e -g sha1 -G rsa -c primary.context
+tpm2_create -g sha256 -u obj.pub -r obj.priv -C primary.context -L policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
+tpm2_load -C primary.context -u obj.pub -r obj.priv -c load.context
+tpm2_evictcontrol -C o -c load.context 0x81000000
+rm load.context obj.priv obj.pub policy.digest primary.context

initcpio/hooks/encrypt-tpm

@@ -0,0 +1,11 @@
+#!/usr/bin/ash
+
+run_hook() {
+
+    echo getting secret from TPM...
+    /usr/bin/tpm2_unseal -c 0x81000000 -p pcr:sha1:0,7 > /crypto_keyfile.bin
+    chmod 0400 /crypto_keyfile.bin
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
+"$@"

initcpio/install/encrypt-tpm

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+build() {
+    local mod
+    add_binary /usr/bin/tpm2_unseal
+    add_binary "/usr/lib/libtss2-tcti-device.so.0"
+
+    #export TPM2TOOLS_TCTI="device:/dev/tmp0"
+
+    add_runscript
+
+    cat >"$BUILDROOT/usr/lib/systemd/system/tpm.service" <<EOF
+[Unit]
+Description=Get Key From TPM
+Before=cryptsetup-pre.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/usr/bin/modprobe tpm_tis
+ExecStart=/hooks/encrypt-tpm run_hook
+EOF
+
+    add_systemd_unit cryptsetup-pre.target
+    cd "$BUILDROOT/usr/lib/systemd/system/sysinit.target.wants"
+    ln -sf ../cryptsetup-pre.target cryptsetup-pre.target
+    ln -sf ../tpm.service tpm.service
+
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows for reading the encryption key from TPM.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:

mkkeys.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# Copyright (c) 2015 by Roderick W. Smith
+# Licensed under the terms of the GPL v3
+
+echo -n "Enter a Common Name to embed in the keys: "
+read NAME
+
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=$NAME PK/" -keyout PK.key \
+        -out PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=$NAME KEK/" -keyout KEK.key \
+        -out KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=$NAME DB/" -keyout DB.key \
+        -out DB.crt -days 3650 -nodes -sha256
+openssl x509 -in PK.crt -out PK.cer -outform DER
+openssl x509 -in KEK.crt -out KEK.cer -outform DER
+openssl x509 -in DB.crt -out DB.cer -outform DER
+
+GUID=`python -c 'import uuid; print(str(uuid.uuid1()))'`
+echo $GUID > myGUID.txt
+
+cert-to-efi-sig-list -g $GUID PK.crt PK.esl
+cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
+cert-to-efi-sig-list -g $GUID DB.crt DB.esl
+rm -f noPK.esl
+touch noPK.esl
+
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK PK.esl PK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK noPK.esl noPK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt KEK KEK.esl KEK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k KEK.key -c KEK.crt db DB.esl DB.auth
+
+chmod 0600 *.key
+
+echo ""
+echo ""
+echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
+echo "flash drive or to your EFI System Partition (ESP)."
+echo "For use with most UEFIs' built-in key managers, copy the *.cer files."
+echo ""