30 changes: 20 additions & 10 deletions README.md
Expand Up @@ -3,25 +3,35 @@ Adds automatic decryption function based on TPM policy configuration

Main Source: https://threat.tevora.com/secure-boot-tpm-2/

# Using the scripts
`setup` automatically pulls out the LUKS and EFI boot partition using blkid and grep. The only input it requires is a `cryptsetup` password and a simple `yes`. The script supports flags as follows:
# General requirements
- A secure-boot enabled system with a custom key authentication setting in BIOS.
- EFI System Partition (ESP) access for installing custom kernels.
- General understanding of bash commands.
- ~~Patience. Quite a bit of it~~ Not so much patience required anymore, just time.

# Detailed Walkthrough
## Prerequisites
* An Ubuntu install during which [Encryption was Enabled](https://ubuntu.com/tutorials/install-ubuntu-desktop#7-optional-enable-encryption)
* `Secure Boot` disabled in the BIOS (will be enabled after Step 1)

## Step 1
Run `./setup` as `root`, this will install the required packages and automatically pull the LUKS and EFI boot partition using blkid and grep. It will ask for confirmation to continue before modifying anything, then a password (and confirmation) that will be used for the `MOK Enrollment`, then the passphrase for your `LUKS` partition. The script supports flags as follows:

* -b: Manually sets the boot partition by UUID
* -l: Manually sets the LUKS partition by UUID
* -p: Provides the `cryptsetup` password for automation
* -r: Manually sets the root partition under /dev/mapper/
* -y Gives the script a clear go-ahead for signed kernel creation

Once it finishes the first round, it will try to set up a GRUB menu entry. If the system does not use GRUB, it will continue running after giving a notice. Next, a `systemd` file will be added and enabled to run at boot. The `tpm2keyunlock.service` file will be installed under /etc/systemd/system and run TPM commands to persist secret in memory. The service will then disable itself after finishing setting up `/etc/crypttab` and `/usr/local/bin/passphrase-from-tpm` with the appropriate PCR hash method and persistent handle.
As it finishes, it will set up a `MOK Enrollment` for secure boot. To complete this Step, the user must reboot (see Note below).

# Detailed walkthrough
The setup of TPM unlocking involves three phases. The first phase installs the TPM tools. The second sets up a TPM-signed kernel and TPM key. The final step verifies the TPM key is working and finishes setting up the TPM kernel.
**Note**
Upon rebooting, the user will be prompted with the `MOK Enrollment` blue screen. Select `Enroll MOK`, then `Continue` followed by `Yes`, enter the password given during `setup`, finally select `Reboot`.

# General requirements
- A secure-boot enabled system with a custom key authentication setting in BIOS.
- EFI System Partition (ESP) access for installing custom kernels.
- General understanding of bash commands.
- ~~Patience. Quite a bit of it~~ Not so much patience required anymore, just time.
Once back in Ubuntu, reboot a second time, this time entering the BIOS to enable Secure Boot.

## Step 2
Now back in Ubuntu (with MOK Enrollment and Secure Boot enabled), run `./tpm2PolicyConfig` as root. This will run TPM commands to persist the LUKS passphrase in memory by setting up `/etc/crypttab` and `/usr/local/bin/passphrase-from-tpm` with the appropriate PCR hash method and persistent handle.

# Using cloud-init to automate deployment and installation
I created an overview over at https://www.edwardssite.com/cloud-init outlining the details of how to automate the deployment and installation process of this project using cloud-init and Ubuntu's autoinstall settings. Pretty much everything needed is explained there, and reference files are included.
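Review bot: the paragraph beginning "Once it finishes the first round" still states that a `tpm2keyunlock.service` unit is installed under /etc/systemd/system, enabled at boot, and disables itself after writing `/etc/crypttab` and `/usr/local/bin/passphrase-from-tpm`, but this PR deletes `tpm2keyunlock.service` and Step 2 now has the user run `./tpm2PolicyConfig` by hand after Secure Boot is enabled. Rewrite that paragraph so Step 1 ends at the MOK enrollment and the crypttab/passphrase-from-tpm setup is described only under Step 2, otherwise readers will wait for a service that no longer exists. Minor: the `-y` bullet is missing the colon the other flag bullets have.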
Empty file modified bootChain-update
100644 → 100755
Empty file.
Empty file modified passphrase-from-tpm
100644 → 100755
Empty file.
6 changes: 2 additions & 4 deletions setup
100644 → 100755
Expand Up @@ -73,9 +73,6 @@ done

apt-get install -y glib2.0 || (echo "Could not install glib2.0"; exit 1)

cp tpm2keyunlock.service /etc/systemd/system/
sed -i "s#LOCATION#$BASEDIR#g" /etc/systemd/system/tpm2keyunlock.service

cd /usr/local/src || exit 1
git clone https://github.com/tpm2-software/tpm2-tss.git

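Review bot: the surviving context line `apt-get install -y glib2.0 || (echo "Could not install glib2.0"; exit 1)` does not abort the script on failure, because the `exit 1` runs inside the subshell created by the parentheses; use `{ echo "Could not install glib2.0" >&2; exit 1; }` so a failed package install stops the run before any signing or key setup happens. Dropping the `cp`/`sed` of the unit is consistent with the file being deleted, but check whether `$BASEDIR` is still referenced anywhere now that the `sed` that consumed it is gone.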
Expand Down Expand Up @@ -155,6 +152,7 @@ sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
cp db.auth /boot/efi/EFI/BOOT/
cp KEK.auth /boot/efi/EFI/BOOT/

echo "Enter password for MOK Enrollment:"
mokutil --import db.cer KEK.cer

echo "root=$ROOT panic=60" > cmdline.txt
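Review bot: the new prompt should say what the password is for and that it has to be typed again at the MOK manager screen after reboot, since the README's Step 1 Note relies on the user remembering it; `mokutil --import` then asks for the password and a confirmation itself, so a wording such as "Choose a one-time password for MOK enrollment (you will re-enter it after reboot):" keeps the double prompt from looking like an error. Prefer sending prompts to stderr (`>&2`) so stdout stays clean when the script is driven non-interactively, as the README's cloud-init section suggests.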
Expand All @@ -179,6 +177,7 @@ dd if=/dev/urandom of=secret.bin bs=32 count=1 conv=sync
if [ "${PASSWORD}" != '' ]; then
echo $PASSWORD | cryptsetup luksAddKey $DRIVE secret.bin
else
echo "Enter passphrase for the encrypted drive ($DRIVE):"
cryptsetup luksAddKey $DRIVE secret.bin
fi

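Review bot: the added prompt is fine for the interactive branch, but the automation branch just above it, `echo $PASSWORD | cryptsetup luksAddKey $DRIVE secret.bin`, leaves both `$PASSWORD` and `$DRIVE` unquoted, so a passphrase containing spaces or glob characters is mangled before cryptsetup sees it; use `printf '%s\n' "$PASSWORD" | cryptsetup luksAddKey "$DRIVE" secret.bin`. Both branches should also check the exit status of `luksAddKey`, because a failed key addition here leaves `secret.bin` to be sealed by `tpm2PolicyConfig` with no matching LUKS key slot, which only shows up as an unlock failure at the next boot.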
Expand All @@ -192,6 +191,5 @@ cp /etc/crypttab /etc/crypttab.bak
efibootmgr -c -L "TPM2 EFI Stub" -l "\\EFI\\BOOT\\BOOTX64.EFI" -d $EFIBOOT -p $EFIPART
efibootmgr -o $(efibootmgr | grep "TPM2 EFI Stub" | grep -Po "(?<=Boot)[A-Za-z0-9]+"),$EFIORDER

systemctl enable tpm2keyunlock.service
echo "TPM2 boot enabled, please restart." >> /var/run/reboot-required
cat /var/run/reboot-required
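Review bot: with `systemctl enable tpm2keyunlock.service` removed, nothing runs the TPM policy setup after the reboot, so the line written to /var/run/reboot-required should spell out the remaining steps (enroll the MOK on reboot, enable Secure Boot in the BIOS, then run `./tpm2PolicyConfig` as root); as written, the user reboots into a plain LUKS passphrase prompt with no indication that sealing has not happened yet.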
Empty file modified tpm2Hook
100644 → 100755
Empty file.
5 changes: 1 addition & 4 deletions tpm2PolicyConfig
100644 → 100755
Expand Up @@ -9,8 +9,6 @@ TPM_TEST=$(tpm2_pcrread sha256:0 | grep -Po "[0][x][A-Za-z0-9]+")
PCR_BANK=1
PCR_VALUES="0,2,3,7"

systemctl disable tpm2keyunlock.service

chmod 0755 tpm2Hook passphrase-from-tpm
cp tpm2Hook /usr/share/initramfs-tools/hooks/tpm2KeyUnlock
chown 0:0 /usr/share/initramfs-tools/hooks/tpm2KeyUnlock
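Review bot: now that this script is started by hand instead of from a unit that `setup` enabled, add a guard near the top that refuses to continue unless Secure Boot is actually on (for example by checking `mokutil --sb-state`), because the policy below includes PCR 7 (`PCR_VALUES="0,2,3,7"`) and a secret sealed while Secure Boot is still disabled will not unseal once the user turns it on as the README's Step 1 instructs. Separately, `TPM_TEST` reads `sha256:0` while the policy is built on the `sha$PCR_BANK` bank with `PCR_BANK=1`, so the probe does not exercise the bank that is actually used.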
Expand Down Expand Up @@ -43,10 +41,9 @@ tpm2_createpolicy --policy-pcr -l sha$PCR_BANK:$PCR_VALUES -f pcrs.bin --policy
tpm2_createprimary -c primary.context
tpm2_create -u obj.pub -r obj.priv -C primary.context -L policy.digest --attributes "noda|adminwithpolicy|fixedparent|fixedtpm" -i secret.bin
tpm2_load -C primary.context -u obj.pub -r obj.priv -c load.context
tpm2_evictcontrol -c load.context
REFERENCE=$(tpm2_evictcontrol -c load.context | tee /dev/tty | grep "persistent-handle:" | cut -d' ' -sf2)

sed -i "s/HASH/sha$PCR_BANK/g" /usr/local/bin/passphrase-from-tpm
REFERENCE=$(tpm2_getcap handles-persistent | grep -Po "[0][x][A-Za-z0-9]+" | tail -1)
sed -i "s/REFERENCE/$REFERENCE/g" /usr/local/bin/passphrase-from-tpm
sed -i "s/PCRVAL/$PCR_VALUES/g" /usr/local/bin/passphrase-from-tpm

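Review bot: the new `REFERENCE=` line is an improvement over taking the last entry of `tpm2_getcap handles-persistent` (which could pick up an unrelated persistent object), but it has no failure handling: if `tpm2_evictcontrol` fails or its output format changes, `REFERENCE` is empty and the following `sed "s/REFERENCE/$REFERENCE/g"` silently writes a broken `/usr/local/bin/passphrase-from-tpm`. Add `[ -n "$REFERENCE" ] || { echo "could not persist the sealed object" >&2; exit 1; }` before the `sed` lines. `tee /dev/tty` also fails when there is no controlling terminal (cloud-init, ssh without a pty), so use `tee /dev/stderr` if echoing the handle is wanted. Each rerun of this script will persist a further object; passing an explicit persistent handle to `tpm2_evictcontrol` and evicting any previous one first keeps the TPM's persistent space from filling up.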
12 changes: 0 additions & 12 deletions tpm2keyunlock.service

This file was deleted.