From bc017e57b9cff885d79245748dd45e95a09b961b Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Sun, 27 Jul 2025 16:16:07 -0600
Subject: sys/boot/tpm: enforce passwordless TPM chain-of-trust for LUKS unlock

---
 sys/boot/detached-luks.nix | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

(limited to 'sys/boot/detached-luks.nix')

diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
index 1e7cc2b..8be7de1 100644
--- a/sys/boot/detached-luks.nix
+++ b/sys/boot/detached-luks.nix
@@ -68,27 +68,28 @@ in
             mount -o ro -t ${bootFs.fsType} ${bootFs.device} /initrd-boot
           '' + optionalString tpmInitrd ''
             mkdir /tpm
+            touch ${escapeShellArg hardwareKeyPath}
 
-            tpm2 createprimary -Q -C owner -g sha256 -G ecc -c /tpm/prim.ctx
+            unseal_tpm_key() {
+              tpm2 createprimary -Q -C owner -g sha256 -G ecc -c /tpm/prim.ctx || return
 
-            tpm2 loadexternal -Q -C owner -G rsa -u ${tpmPath}/signing-key.pub -c /tpm/signing-key.ctx -n /tpm/signing-key.name
-            tpm2 verifysignature -Q -c /tpm/signing-key.ctx -g sha256 -m ${tpmPath}/auth.policy -s ${tpmPath}/auth.sig -t /tpm/verified.ticket -f rsassa
+              tpm2 loadexternal -Q -C owner -G rsa -u ${tpmPath}/signing-key.pub -c /tpm/signing-key.ctx -n /tpm/signing-key.name || return
+              tpm2 verifysignature -Q -c /tpm/signing-key.ctx -g sha256 -m ${tpmPath}/auth.policy -s ${tpmPath}/auth.sig -t /tpm/verified.ticket -f rsassa || return
 
-            tpm2 startauthsession -Q -S /tpm/session.ctx --policy-session
+              tpm2 startauthsession -Q -S /tpm/session.ctx --policy-session || return
 
-            tpm_resets=`tpm2 readclock | grep reset_count | sed 's/.*: //g'`
-            tpm2 policycountertimer -Q -S /tpm/session.ctx resets="$tpm_resets"
-            tpm2 policypcr -Q -S /tpm/session.ctx -l sha256:${pcrList}
-            tpm2 policyauthorize -Q -S /tpm/session.ctx -i ${tpmPath}/auth.policy -n /tpm/signing-key.name -t /tpm/verified.ticket
+              tpm_resets=`tpm2 readclock | grep reset_count | sed 's/.*: //g'`
+              tpm2 policycountertimer -Q -S /tpm/session.ctx resets="$tpm_resets" || return
+              tpm2 policypcr -Q -S /tpm/session.ctx -l sha256:${pcrList} || return
+              tpm2 policyauthorize -Q -S /tpm/session.ctx -i ${tpmPath}/auth.policy -n /tpm/signing-key.name -t /tpm/verified.ticket || return
 
-            tpm2 load -Q -C /tpm/prim.ctx -u ${tpmPath}/key.pub -r ${tpmPath}/key.priv -c /tpm/key.ctx
-            tpm2 unseal -Q -c /tpm/key.ctx -p session:/tpm/session.ctx -o /tpm/unsealed.luks-key
+              tpm2 load -Q -C /tpm/prim.ctx -u ${tpmPath}/key.pub -r ${tpmPath}/key.priv -c /tpm/key.ctx || return
+              tpm2 unseal -Q -c /tpm/key.ctx -p session:/tpm/session.ctx -o ${escapeShellArg hardwareKeyPath} || return
 
-            echo "Unsealed!"
-            cat /tpm/unsealed.luks-key
-            echo "Unsealed! END"
+              tpm2 flushcontext /tpm/session.ctx
+            }
 
-            tpm2 flushcontext /tpm/session.ctx
+            unseal_tpm_key
           '';
 
           postOpenCommands = mkBefore (''
-- 
cgit v1.2.3