From e26c12fb8fb9d20fbadf0a5abc80088af31f57d3 Mon Sep 17 00:00:00 2001 From: "Shawn W. Dunn" Date: Wed, 18 Sep 2024 14:24:29 -0700 Subject: [PATCH] Initial Commit --- LICENSE | 21 ++++++++++++++++++++ README.md | 8 ++++++++ kalpa-check | 47 +++++++++++++++++++++++++++++++++++++++++++++ kalpa-check.service | 9 +++++++++ 4 files changed, 85 insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100755 kalpa-check create mode 100644 kalpa-check.service
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..b4e0c13
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 KalpaDesktop
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0085a8c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# kalpa-check
+
+Initial design thoughts https://en.opensuse.org/Portal:Aeon/DevelopmentThoughts#aeon-check. This should be considered this project's long term goal.
+
+Short term goal - Local checks only directly executing fixes for resolving specific bugs in Aeon RC3 and later
+
+## Bugs Addressed
+- Check existing Aeon Default Mode installations and confirm the TPM enrolment is using pcrlock not PCR hashes after incase enrolment steps occurred in an imperfect order (boo#1228416)
diff --git a/kalpa-check b/kalpa-check
new file mode 100755
index 0000000..3cddde1
--- /dev/null
+++ b/kalpa-check
@@ -0,0 +1,47 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: Copyright 2024 SUSE LLC
+# SPDX-FileCopyrightText: Copyright 2024 Richard Brown
+# SPDX-FileCopyrightText: Copyright 2024 Shawn W Dunn
+
+set -euo pipefail
+
+# Setup logging
+exec 3>&1 4>&2
+trap 'exec 2>&4 1>&3' 0 1 2 3
+exec 1>>/var/log/kalpa-check.log 2>&1
+
+boo1228416() {
+ # Determine root device
+ rootdev=/dev/$(dmsetup deps -o devname /dev/mapper/kalpa_root | cut -d '(' -f2 | cut -d ')' -f1)
+ # Check for failure conditions
+ tpm2hashpcrs=$(cryptsetup luksDump ${rootdev} | grep 'tpm2-hash-pcrs:' | tr -d ' \t' | cut -d ':' -f2)
+ tpm2pcrlock=$(cryptsetup luksDump ${rootdev} | grep 'tpm2-pcrlock:' | tr -d ' \t' | cut -d ':' -f2)
+ # For boo1228416 to be an issue hashpcrs must be 7 and pcrlock must be false. Be paranoid, only match on both
+ if [ "${tpm2hashpcrs}" == "7" ] && [ "${tpm2pcrlock}" == "false" ]; then
+ echo "boo1228416 detected - TPM2 using pcr hashes not pcrlock - correcting"
+
+ # Need a keyfile to avoid requesting the recovery key when re-enrolling
+ keyfile=/tmp/aeon-check-keyfile
+ dd bs=512 count=4 if=/dev/urandom of=${keyfile} iflag=fullblock
+ chmod 400 ${keyfile}
+
+ # Should be slot 2, but better to check and be sure
+ tpm2slot=$(systemd-cryptenroll ${rootdev} | grep tpm2 | xargs | cut -d ' ' -f1)
+
+ # Writing keyfile to slot 31 (end of the LUKS2 space) to avoid clashes with any customisation/extra keys
+ cryptsetup luksAddKey --token-only --batch-mode --new-key-slot=31 ${rootdev} ${keyfile}
+
+ # Drop existing enrollment and re enroll
+ systemd-cryptenroll --wipe-slot=${tpm2slot} ${rootdev}
+ systemd-cryptenroll --unlock-key-file=${keyfile} --tpm2-device=auto ${rootdev}
+
+ # Wipe out keyfile and keyfile keyslot
+ systemd-cryptenroll --wipe-slot=31 ${rootdev}
+ rm ${keyfile}
+
+ echo "boo1228416 corrected"
+ fi
+}
+
+boo1228416
diff --git a/kalpa-check.service b/kalpa-check.service
new file mode 100644
index 0000000..a8c75fb
--- /dev/null
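Review bot: The keyfile at `keyfile=/tmp/aeon-check-keyfile` is a fixed name in a world-writable directory, and `dd` creates it with the default umask before `chmod 400 ${keyfile}` runs, so the LUKS key that unlocks the root volume is briefly readable and `dd` would write through any file or symlink already present at that path. The file is also only removed on the success path: under `set -e` a failing `cryptsetup luksAddKey` or `systemd-cryptenroll` call leaves the keyfile on disk and, once `luksAddKey` has run, the key enrolled in slot 31. I would create it with `mktemp` under `/run` (root-owned tmpfs on systemd systems) and delete it from a trap, noting that the existing `trap 'exec 2>&4 1>&3' 0 1 2 3` would be silently replaced by any second trap on the same signals, so the fd restore has to move into the same handler. Quoting `"${rootdev}"`/`"${keyfile}"` and declaring the function's variables `local` are smaller style points, and `tpm2slot` keeps only the first `tpm2` slot that `systemd-cryptenroll` lists, which is presumably the only one on these installs but worth confirming.
```shell
# … unchanged: shebang, SPDX headers, set -euo pipefail …
exec 3>&1 4>&2
keyfile=""
# Remove the temporary LUKS keyfile on any exit path (success, set -e abort
# or signal), then restore the original stdout/stderr. This single handler
# replaces the fd-only trap, because a second trap on 0 would override it.
cleanup() {
  if [[ -n "${keyfile}" ]]; then
    rm -f -- "${keyfile}"
  fi
  exec 2>&4 1>&3
}
trap cleanup 0 1 2 3
exec 1>>/var/log/kalpa-check.log 2>&1

boo1228416() {
  # … unchanged: rootdev / tpm2hashpcrs / tpm2pcrlock detection and the if-test …
    # mktemp creates the file mode 0600 with an unpredictable name, so there is
    # no window in which the key is readable by other users and no fixed path
    # that something else could have placed a file or symlink at beforehand.
    keyfile=$(mktemp /run/aeon-check-keyfile.XXXXXX)
    dd bs=512 count=4 if=/dev/urandom of="${keyfile}" iflag=fullblock
  # … unchanged: tpm2slot lookup, luksAddKey, wipe + re-enroll, wipe of slot 31 …
    rm -f -- "${keyfile}"
    keyfile=""
```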
+++ b/kalpa-check.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kalpa Check Tool
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/kalpa-check
+
+[Install]
+WantedBy=default.target
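Review bot: `ExecStart=/usr/sbin/kalpa-check` has no condition, so the unit runs the script on every boot that reaches `default.target`, and the script's first step (`dmsetup deps -o devname /dev/mapper/kalpa_root` under `set -euo pipefail`) will make the unit fail on any system where that mapping is absent; adding `ConditionPathExists=/dev/mapper/kalpa_root` to `[Unit]` turns that into a clean skip. A one-line comment in the unit, e.g. `# Re-enrols the root LUKS TPM2 keyslot when boo1228416 is detected; runs as root and logs to /var/log/kalpa-check.log`, would also tell an operator who finds this unit enabled why it touches the root volume's keyslots.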