Migrate tpm cleanup method from kcrypt-challenger

jimmykarily · jimmykarily · commit 286aed7c2f74 · 2025-11-11T17:53:16.000+02:00
because local passphrase logic is now removed from kcrypt-challenger

Signed-off-by: Dimitris Karakasilis &lt;dimitris@karakasilis.me&gt;
diff --git a/main.go b/main.go
@@ -1228,6 +1228,58 @@ The output will be a tarball with logs organized by type (journal/, files/).`,
 			return agent.ExecuteLogsCommand(cfg.Fs, cfg.Logger, cfg.Runner, outputPath)
 		},
 	},
+	{
+		Name:  "kcrypt",
+		Usage: "kcrypt subcommands",
+		Description: "kcrypt subcommands for managing encryption-related operations",
+		Subcommands: []*cli.Command{
+			{
+				Name:  "cleanup",
+				Usage: "Clean up TPM NV memory",
+				Description: `Clean up TPM NV memory by undefining specific NV indices.
+
+??  DANGER: This command removes data from TPM memory!
+??  If you delete the wrong index, your encrypted disk may become UNBOOTABLE!
+
+This command helps clean up TPM NV memory. It can be used to clean up
+legacy local passphrase storage (now handled by kairos-sdk) or any other
+TPM NV indices that need to be removed.
+
+The command will prompt for confirmation before deletion unless you use
+the --i-know-what-i-am-doing flag to skip the safety prompt.
+
+Default behavior:
+- Uses NV index from config or defaults to 0x1500000 (legacy local passphrase index)
+- Uses the same TPM device as configured (or system default if none specified)
+- Prompts for confirmation with safety warnings`,
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:  "nv-index",
+						Value:  "0x1500000",
+						Usage:  "NV index to clean up (defaults to configured index or 0x1500000)",
+					},
+					&cli.StringFlag{
+						Name:  "tpm-device",
+						Usage: "TPM device path (defaults to configured device or system default)",
+					},
+					&cli.BoolFlag{
+						Name:  "i-know-what-i-am-doing",
+						Usage: "Skip confirmation prompt (DANGEROUS: may make encrypted disks unbootable)",
+					},
+				},
+				Before: func(c *cli.Context) error {
+					return checkRoot()
+				},
+				Action: func(c *cli.Context) error {
+					cfg, err := agentConfig.Scan(collector.Directories(constants.GetUserConfigDirs()...), collector.NoLogs)
+					if err != nil {
+						return fmt.Errorf("failed to scan config: %w", err)
+					}
+					return action.KcryptCleanup(cfg, c.String("nv-index"), c.String("tpm-device"), c.Bool("i-know-what-i-am-doing"))
+				},
+			},
+		},
+	},
 }
 
 func main() {
diff --git a/pkg/action/kcrypt_cleanup.go b/pkg/action/kcrypt_cleanup.go
@@ -0,0 +1,99 @@
+package action
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/kairos-io/kairos-agent/v2/pkg/config"
+	"github.com/kairos-io/tpm-helpers"
+)
+
+// KcryptCleanup cleans up TPM NV memory by undefining specific NV indices.
+// This is used to clean up legacy local passphrase storage (now handled by kairos-sdk)
+// or any other TPM NV indices that need to be removed.
+func KcryptCleanup(cfg *config.Config, nvIndex, tpmDevice string, skipConfirmation bool) error {
+	logger := cfg.Logger
+
+	// Get kcrypt config from the embedded collector.Config
+	var challengerNVIndex, challengerTPMDevice string
+	if kcryptConfig, ok := cfg.Config.Values["kcrypt"].(map[string]interface{}); ok {
+		if nvIdx, ok := kcryptConfig["nv_index"].(string); ok && nvIdx != "" {
+			challengerNVIndex = nvIdx
+		}
+		if tpmDev, ok := kcryptConfig["tpm_device"].(string); ok && tpmDev != "" {
+			challengerTPMDevice = tpmDev
+		}
+	}
+
+	// Determine NV index to clean up
+	// Priority: explicit flag > config > default
+	targetIndex := nvIndex
+	if targetIndex == "" || targetIndex == "0x1500000" {
+		// If flag is empty or default, check config first
+		if challengerNVIndex != "" {
+			targetIndex = challengerNVIndex
+		} else if targetIndex == "" {
+			// Only use default if flag was truly empty (not just default value)
+			targetIndex = "0x1500000" // Legacy local passphrase NV index (for backward compatibility)
+		}
+	}
+
+	// Determine TPM device
+	targetDevice := tpmDevice
+	if targetDevice == "" {
+		targetDevice = challengerTPMDevice
+	}
+
+	logger.Debugf("Cleaning up TPM NV index: %s", targetIndex)
+	if targetDevice != "" {
+		logger.Debugf("Using TPM device: %s", targetDevice)
+	}
+
+	// Check if the NV index exists first
+	opts := []tpm.TPMOption{tpm.WithIndex(targetIndex)}
+	if targetDevice != "" {
+		opts = append(opts, tpm.WithDevice(targetDevice))
+	}
+
+	// Try to read from the index to see if it exists
+	logger.Debugf("Checking if NV index %s exists", targetIndex)
+	_, err := tpm.ReadBlob(opts...)
+	if err != nil {
+		// If we can't read it, it might not exist or be empty
+		logger.Debugf("NV index %s appears to be empty or non-existent: %v", targetIndex, err)
+		fmt.Printf("NV index %s appears to be empty or does not exist\n", targetIndex)
+		return nil
+	}
+
+	// Confirmation prompt with warning
+	if !skipConfirmation {
+		fmt.Printf("\n??  WARNING: You are about to delete TPM NV index %s\n", targetIndex)
+		fmt.Printf("??  If this index contains your disk encryption passphrase, your encrypted disk will become UNBOOTABLE!\n")
+		fmt.Printf("??  This action CANNOT be undone.\n\n")
+		fmt.Printf("Are you sure you want to continue? (type 'yes' to confirm): ")
+
+		scanner := bufio.NewScanner(os.Stdin)
+		scanner.Scan()
+		response := strings.TrimSpace(strings.ToLower(scanner.Text()))
+
+		if response != "yes" {
+			fmt.Printf("Cleanup cancelled.\n")
+			return nil
+		}
+	}
+
+	// Use native Go TPM library to undefine the NV space
+	logger.Debugf("Using native TPM library to undefine NV index")
+	fmt.Printf("Cleaning up TPM NV index %s...\n", targetIndex)
+
+	err = tpm.UndefineBlob(opts...)
+	if err != nil {
+		return fmt.Errorf("failed to undefine NV index %s: %w", targetIndex, err)
+	}
+
+	fmt.Printf("Successfully cleaned up NV index %s\n", targetIndex)
+	logger.Debugf("Successfully undefined NV index %s", targetIndex)
+	return nil
+}
