From fb3c135906cab203cfd11b3cb4a502ef8530987a Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Mon, 9 Jul 2018 08:47:14 +0200
Subject: [PATCH] Add support for TPM 2.0
---
Makefile.am | 5 ++
configure.ac | 11 +++
doc/clevis-encrypt-tpm2.1 | 142 +++++++++++++++++++++++++++++++
doc/clevis-encrypt-tpm2.1.md | 108 +++++++++++++++++++++++
doc/clevis.1 | 40 ++++++++-
src/Makefile.am | 6 ++
src/clevis-decrypt-tpm2 | 126 +++++++++++++++++++++++++++
src/clevis-encrypt-tpm2 | 156 ++++++++++++++++++++++++++++++++++
src/dracut/module-setup.sh.in | 23 +++++
9 files changed, 615 insertions(+), 2 deletions(-)
create mode 100644 doc/clevis-encrypt-tpm2.1
create mode 100644 doc/clevis-encrypt-tpm2.1.md
create mode 100755 src/clevis-decrypt-tpm2
create mode 100755 src/clevis-encrypt-tpm2
diff --git a/Makefile.am b/Makefile.am
index 141642a..75f9745 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -14,3 +14,8 @@ dist_man1_MANS = \
doc/clevis-luks-bind.1 \
doc/clevis-decrypt.1 \
doc/clevis.1
+
+if HAVE_TPM2_TOOLS
+ dist_man1_MANS += \
+ doc/clevis-encrypt-tpm2.1
+endif
diff --git a/configure.ac b/configure.ac
index f9ed01a..313f64e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,17 @@ fi
AC_SUBST(SD_ACTIVATE)
+for ac_prog in createprimary pcrlist createpolicy create load unseal; do
+ unset TPM2_TOOLS
+ unset ac_cv_prog_TPM2_TOOLS
+ AC_CHECK_PROG([TPM2_TOOLS], [tpm2_$ac_prog], [yes])
+ test -z "$TPM2_TOOLS" && break
+done
+
+test -n "$TPM2_TOOLS" || AC_MSG_WARN([tpm2_$ac_prog not found, tpm2 pin won't be installed])
+
+AM_CONDITIONAL([HAVE_TPM2_TOOLS], [test -n "$TPM2_TOOLS"])
+
AC_ARG_ENABLE([user],
AS_HELP_STRING([--enable-user=USER],
[Set unprivileged user (default: root)]),
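Review bot: A missing tpm2 tool only triggers `AC_MSG_WARN` and quietly drops the pin from the build, so a packaging environment that lacks one binary ships clevis without tpm2 support and the gap surfaces only at runtime; an `AC_ARG_WITH([tpm2], ...)` whose `--with-tpm2` turns the check into `AC_MSG_ERROR` and whose `--without-tpm2` skips it, with the current auto-detection as the default, is the usual fix. The loop also only verifies that the six programs exist; the scripts in this patch hard-code a particular option spelling (`-H`, `-A`, `-L`, `-F`), so if that command line differs between tpm2-tools releases a configure-time version check, or at least a comment naming the supported series, would spare users a confusing runtime failure.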
diff --git a/doc/clevis-encrypt-tpm2.1 b/doc/clevis-encrypt-tpm2.1
new file mode 100644
index 0000000..096ad23
--- /dev/null
+++ b/doc/clevis-encrypt-tpm2.1
@@ -0,0 +1,142 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "CLEVIS\-ENCRYPT\-TPM2" "1" "November 2017" "" ""
+.hy
+.SH NAME
+.PP
+clevis\-encrypt\-tpm2 \-\- Encrypts using a TPM2.0 chip binding policy
+.SH SYNOPSIS
+.PP
+\f[C]clevis\ encrypt\ tpm2\f[] CONFIG < PT > JWE
+.SH OVERVIEW
+.PP
+The \f[C]clevis\ encrypt\ tpm2\f[] command encrypts using a Trusted
+Platform Module 2.0 (TPM2) chip.
+Its only argument is the JSON configuration object.
+.PP
+When using the tpm2 pin, we create a new, cryptographically\-strong,
+random key.
+This key is encrypted using the TPM2 chip.
+Then at decryption time, the key is decrypted again using the TPM2 chip.
+.IP
+.nf
+\f[C]
+$\ clevis\ encrypt\ tpm2\ \[aq]{}\[aq]\ <\ PT\ >\ JWE
+\f[]
+.fi
+.PP
+The pin has reasonable defaults for its configuration, but a different
+hierarchy, hash, and key algorithms can be chosen if the defaults used
+are not suitable:
+.IP
+.nf
+\f[C]
+$\ clevis\ encrypt\ tpm2\ \[aq]{"hash":"sha1","key":"rsa"}\[aq]\ <\ PT\ >\ JWE
+\f[]
+.fi
+.PP
+To decrypt the data, simply provide the ciphertext (JWE):
+.IP
+.nf
+\f[C]
+$\ clevis\ decrypt\ <\ JWE\ >\ PT
+\f[]
+.fi
+.PP
+Note that like other pins no configuration is used for decryption, this
+is due clevis storing the public and private keys to unseal the TPM2
+encrypted object in the JWE so clevis can fetch that information from
+there.
+.PP
+The pin also supports sealing data to a Platform Configuration Registers
+(PCR) state.
+That way the data can only be unsealed if the PCRs hashes values match
+the policy used when sealing.
+.PP
+For example, to seal the data to the PCR with index 0 and 1 for the SHA1
+bank:
+.IP
+.nf
+\f[C]
+$\ clevis\ encrypt\ tpm2\ \[aq]{"pcr_bank":"sha1","pcr_ids":"0,1"}\[aq]\ <\ PT\ >\ JWE
+\f[]
+.fi
+.PP
+The PCR digest values are looked up from the current hash values for the
+PCRs, but a digest can also be provided if the data needs to be sealed
+with values different to the current ones, by passing the binary hash
+encoded in base64:
+.IP
+.nf
+\f[C]
+$\ clevis\ encrypt\ tpm2\ \[aq]{"pcr_ids":"0","pcr_digest":"xy7J5svCtqlfM03d1lE5gdoA8MI"}\[aq]\ <\ PT\ >\ JWE
+\f[]
+.fi
+.SH Threat model
+.PP
+The Clevis security model relies in the fact that an attacker will not
+be able to access both the encrypted data and the decryption key.
+.PP
+For most Clevis pins, the decryption key is not locally stored, so the
+decryption policy is only satisfied if the decryption key can be
+remotely accessed.
+It could for example be stored in a remote server or in a hardware
+authentication device that has to be plugged into the machine.
+.PP
+The tpm2 pin is different in this regard, since a key is wrapped by a
+TPM2 chip that is always present in the machine.
+This does not mean that there are not use cases for this pin, but it is
+important to understand the fact that an attacker that has access to
+both the encrypted data and the local TPM2 chip will be able to decrypt
+the data.
+.SH CONFIG
+.PP
+This command uses the following configuration properties:
+.IP \[bu] 2
+\f[C]hash\f[] (string) : Hash algorithm used in the computation of the
+object name (default: sha256)
+.PP
+It must be one of the following:
+.IP \[bu] 2
+\f[C]sha1\f[]
+.IP \[bu] 2
+\f[C]sha256\f[]
+.IP \[bu] 2
+\f[C]sha384\f[]
+.IP \[bu] 2
+\f[C]sha512\f[]
+.IP \[bu] 2
+\f[C]sm3_256\f[]
+.IP \[bu] 2
+\f[C]key\f[] (string) : Algorithm type for the generated key (default:
+ecc)
+.PP
+It must be one of the following:
+.IP \[bu] 2
+\f[C]rsa\f[]
+.IP \[bu] 2
+\f[C]keyedhash\f[]
+.IP \[bu] 2
+\f[C]ecc\f[]
+.IP \[bu] 2
+\f[C]symcipher\f[]
+.IP \[bu] 2
+\f[C]pcr_bank\f[] (string) : PCR algorithm bank to use for policy
+(default: sha1)
+.PP
+It must be one of the following:
+.IP \[bu] 2
+\f[C]sha1\f[]
+.IP \[bu] 2
+\f[C]sha256\f[]
+.IP \[bu] 2
+\f[C]pcr_ids\f[] (string) : Comma separated list of PCR used for policy.
+If not present, no policy is used
+.IP \[bu] 2
+\f[C]pcr_digest\f[] (string) : Binary PCR hashes encoded in base64.
+If not present, the hash values are looked up
+.SH SEE ALSO
+.PP
+\f[C]clevis\-decrypt\f[](1)
+.SH AUTHORS
+Javier Martinez Canillas <javierm@redhat.com>.
diff --git a/doc/clevis-encrypt-tpm2.1.md b/doc/clevis-encrypt-tpm2.1.md
new file mode 100644
index 0000000..f533d67
--- /dev/null
+++ b/doc/clevis-encrypt-tpm2.1.md
@@ -0,0 +1,108 @@
+% CLEVIS-ENCRYPT-TPM2(1)
+% Javier Martinez Canillas <javierm@redhat.com>
+% November 2017
+
+# NAME
+
+clevis-encrypt-tpm2 -- Encrypts using a TPM2.0 chip binding policy
+
+# SYNOPSIS
+
+`clevis encrypt tpm2` CONFIG < PT > JWE
+
+# OVERVIEW
+
+The `clevis encrypt tpm2` command encrypts using a Trusted Platform Module 2.0
+(TPM2) chip. Its only argument is the JSON configuration object.
+
+When using the tpm2 pin, we create a new, cryptographically-strong, random key.
+This key is encrypted using the TPM2 chip.
+Then at decryption time, the key is decrypted again using the TPM2 chip.
+
+ $ clevis encrypt tpm2 '{}' < PT > JWE
+
+The pin has reasonable defaults for its configuration, but a different hierarchy,
+hash, and key algorithms can be chosen if the defaults used are not suitable:
+
+ $ clevis encrypt tpm2 '{"hash":"sha1","key":"rsa"}' < PT > JWE
+
+To decrypt the data, simply provide the ciphertext (JWE):
+
+ $ clevis decrypt < JWE > PT
+
+Note that like other pins no configuration is used for decryption, this is due
+clevis storing the public and private keys to unseal the TPM2 encrypted object
+in the JWE so clevis can fetch that information from there.
+
+The pin also supports sealing data to a Platform Configuration Registers (PCR)
+state. That way the data can only be unsealed if the PCRs hashes values match
+the policy used when sealing.
+
+For example, to seal the data to the PCR with index 0 and 1 for the SHA1 bank:
+
+ $ clevis encrypt tpm2 '{"pcr_bank":"sha1","pcr_ids":"0,1"}' < PT > JWE
+
+The PCR digest values are looked up from the current hash values for the PCRs,
+but a digest can also be provided if the data needs to be sealed with values
+different to the current ones, by passing the binary hash encoded in base64:
+
+ $ clevis encrypt tpm2 '{"pcr_ids":"0","pcr_digest":"xy7J5svCtqlfM03d1lE5gdoA8MI"}' < PT > JWE
+
+# Threat model
+
+The Clevis security model relies in the fact that an attacker will not be able to
+access both the encrypted data and the decryption key.
+
+For most Clevis pins, the decryption key is not locally stored, so the decryption
+policy is only satisfied if the decryption key can be remotely accessed. It could
+for example be stored in a remote server or in a hardware authentication device
+that has to be plugged into the machine.
+
+The tpm2 pin is different in this regard, since a key is wrapped by a TPM2 chip
+that is always present in the machine. This does not mean that there are not use
+cases for this pin, but it is important to understand the fact that an attacker
+that has access to both the encrypted data and the local TPM2 chip will be able
+to decrypt the data.
+
+# CONFIG
+
+This command uses the following configuration properties:
+
+* `hash` (string) :
+ Hash algorithm used in the computation of the object name (default: sha256)
+
+ It must be one of the following:
+
+ * `sha1`
+ * `sha256`
+ * `sha384`
+ * `sha512`
+ * `sm3_256`
+
+* `key` (string) :
+ Algorithm type for the generated key (default: ecc)
+
+ It must be one of the following:
+
+ * `rsa`
+ * `keyedhash`
+ * `ecc`
+ * `symcipher`
+
+* `pcr_bank` (string) :
+ PCR algorithm bank to use for policy (default: sha1)
+
+ It must be one of the following:
+
+ * `sha1`
+ * `sha256`
+
+* `pcr_ids` (string) :
+ Comma separated list of PCR used for policy. If not present, no policy is used
+
+* `pcr_digest` (string) :
+ Binary PCR hashes encoded in base64. If not present, the hash values are looked up
+
+# SEE ALSO
+
+`clevis-decrypt`(1)
diff --git a/doc/clevis.1 b/doc/clevis.1
index 3d4a10d..0937533 100644
--- a/doc/clevis.1
+++ b/doc/clevis.1
@@ -80,6 +80,42 @@ $\ clevis\ decrypt\ <\ JWE\ >\ PT
.fi
.PP
For more information, see \f[C]clevis\-encrypt\-tang\f[](1).
+.SH TPM2 BINDING
+.PP
+Clevis provides support to encrypt a key in a Trusted Platform Module
+2.0 (TPM2) chip.
+The cryptographically\-strong, random key used for encryption is
+encrypted using the TPM2 chip, and then at decryption time is decrypted
+using the TPM2 to allow clevis to decrypt the secret stored in the JWE.
+.PP
+Encrypting data using the tpm2 pin works the same than the pins
+mentioned above:
+.IP
+.nf
+\f[C]
+$\ clevis\ encrypt\ tpm2\ \[aq]{}\[aq]\ <\ PT\ >\ JWE
+\f[]
+.fi
+.PP
+The pin has reasonable defaults for its configuration, but a different
+hierarchy, hash, and key algorithms can be chosen if the defaults used
+are not suitable.
+.PP
+Decryption also works similar to other pins, only the JWE needs to be
+provided:
+.IP
+.nf
+\f[C]
+$\ clevis\ decrypt\ <\ JWE\ >\ PT
+\f[]
+.fi
+.PP
+Note that like other pins no configuration is used for decryption, this
+is due clevis storing the public and private keys to unseal the TPM2
+encrypted object in the JWE so clevis can fetch that information from
+there.
+.PP
+For more information see \f[C]clevis\-encrypt\-tpm2\f[](1).
.SH SHAMIR\[aq]S SECRET SHARING
.PP
Clevis provides a way to mix pins together to create sophisticated
@@ -151,7 +187,7 @@ For more information, see \f[C]clevis\-luks\-bind\f[](1).
.SH SEE ALSO
.PP
\f[C]clevis\-encrypt\-http\f[](1), \f[C]clevis\-encrypt\-tang\f[](1),
-\f[C]clevis\-encrypt\-sss\f[](1), \f[C]clevis\-luks\-bind\f[](1),
-\f[C]clevis\-decrypt\f[](1)
+\f[C]clevis\-encrypt\-tpm2\f[](1), \f[C]clevis\-encrypt\-sss\f[](1),
+\f[C]clevis\-luks\-bind\f[](1), \f[C]clevis\-decrypt\f[](1)
.SH AUTHORS
Nathaniel McCallum <npmccallum@redhat.com>.
diff --git a/src/Makefile.am b/src/Makefile.am
index 244874b..8562502 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -25,6 +25,12 @@ dist_bin_SCRIPTS = \
clevis-decrypt \
clevis
+if HAVE_TPM2_TOOLS
+ dist_bin_SCRIPTS += \
+ clevis-encrypt-tpm2 \
+ clevis-decrypt-tpm2
+endif
+
clevis_encrypt_sss_SOURCES = clevis-encrypt-sss.c sss.c sss.h
clevis_decrypt_sss_SOURCES = clevis-decrypt-sss.c sss.c sss.h
clevis_encrypt_sss_LDADD = @jose_LIBS@ @libcrypto_LIBS@
diff --git a/src/clevis-decrypt-tpm2 b/src/clevis-decrypt-tpm2
new file mode 100755
index 0000000..f3871d8
--- /dev/null
+++ b/src/clevis-decrypt-tpm2
@@ -0,0 +1,126 @@
+#!/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2017 Red Hat, Inc.
+# Author: Javier Martinez Canillas <javierm@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# The owner hierarchy is the one that should be used by the Operating System.
+auth="o"
+
+function on_exit() {
+ if ! rm -r $TMP; then
+ echo "Delete temporary files failed!" >&2
+ exit 1
+ fi
+}
+
+[ $# -eq 1 -a "$1" == "--summary" ] && exit 1
+
+if [ -t 0 ]; then
+ echo >&2
+ echo "Usage: clevis decrypt tpm2 < JWE > PLAINTEXT" >&2
+ echo >&2
+ exit 1
+fi
+
+export TPM2TOOLS_TCTI_NAME=device
+export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
+
+if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
+ echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
+ exit 1
+fi
+
+if ! [[ -r "${TPM2TOOLS_DEVICE_FILE[0]}" && -w "${TPM2TOOLS_DEVICE_FILE[0]}" ]]; then
+ echo "The ${TPM2TOOLS_DEVICE_FILE[0]} device must be readable and writable!" >&2
+ exit 1
+fi
+
+read -d . hdr
+
+if ! jhd=`jose b64 dec -i- <<< "$hdr"`; then
+ echo "Error decoding JWE protected header!" >&2
+ exit 1
+fi
+
+if [ `jose fmt -j- -Og clevis -g pin -u- <<< "$jhd"` != "tpm2" ]; then
+ echo "JWE pin mismatch!" >&2
+ exit 1
+fi
+
+if ! hash=`jose fmt -j- -Og clevis -g tpm2 -g hash -Su- <<< "$jhd"`; then
+ echo "JWE missing required 'hash' header parameter!" >&2
+ exit 1
+fi
+
+if ! key=`jose fmt -j- -Og clevis -g tpm2 -g key -Su- <<< "$jhd"`; then
+ echo "JWE missing required 'key' header parameter!" >&2
+ exit 1
+fi
+
+if ! jwk_pub=`jose fmt -j- -Og clevis -g tpm2 -g jwk_pub -Su- <<< "$jhd"`; then
+ echo "JWE missing required 'key' header parameter!" >&2
+ exit 1
+fi
+
+if ! jwk_priv=`jose fmt -j- -Og clevis -g tpm2 -g jwk_priv -Su- <<< "$jhd"`; then
+ echo "JWE missing required 'key' header parameter!" >&2
+ exit 1
+fi
+
+if ! TMP=`mktemp -d`; then
+ echo "Creating a temporary dir for TPM files failed!" >&2
+ exit 1
+fi
+
+trap 'on_exit' EXIT
+
+pcr_ids=`jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- <<< "$jhd"` || true
+
+if [ -n "$pcr_ids" ]; then
+ pcr_bank=`jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- <<< "$jhd"`
+ policy_options="-L $pcr_bank:$pcr_ids"
+fi
+
+if ! `jose b64 dec -i- -O $TMP/jwk.pub <<< "$jwk_pub"`; then
+ echo "Decoding jwk.pub from Base64 failed!" >&2
+ exit 1
+fi
+
+if ! `jose b64 dec -i- -O $TMP/jwk.priv <<< "$jwk_priv"`; then
+ echo "Decoding jwk.priv from Base64 failed!" >&2
+ exit 1
+fi
+
+if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" \
+ -C $TMP/primary.context 2>/dev/null; then
+ echo "Creating TPM2 primary key failed!" >&2
+ exit 1
+fi
+
+if ! tpm2_load -Q -c $TMP/primary.context -u $TMP/jwk.pub -r $TMP/jwk.priv \
+ -C $TMP/load.context 2>/dev/null; then
+ echo "Loading jwk to TPM2 failed!" >&2
+ exit 1
+fi
+
+if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then
+ echo "Unsealing jwk from TPM failed!" >&2
+ exit 1
+fi
+
+jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; cat)
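Review bot: The two `jose b64 dec -i- -O $TMP/jwk.pub` / `jwk.priv` checks can never reach their error branch: each whole command is wrapped in backticks, so the shell runs jose and then executes its (empty) output as the command being tested, which succeeds whatever jose returned, and a corrupt header proceeds to tpm2_load with a missing or truncated blob — drop the backticks, `if ! jose b64 dec -i- -O "$TMP/jwk.pub" <<< "$jwk_pub"; then`. The pin check also fails open when the field is absent: the unquoted substitution leaves `[ != tpm2 ]`, which is a test error (status 2) rather than a mismatch, so the "JWE pin mismatch!" branch is skipped; quote it as `if [ "$(jose fmt -j- -Og clevis -g pin -u- <<< "$jhd")" != "tpm2" ]`. The jwk_pub and jwk_priv lookups both report `'key'` in their error text and should each name the parameter that is actually missing. `pcr_bank` and `pcr_ids` are taken from a JWE header that has not yet been authenticated at this point and are expanded unquoted into `policy_options`, so they should be checked against a known bank name and a `^[0-9,]+$` list before being handed to tpm2_unseal.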
diff --git a/src/clevis-encrypt-tpm2 b/src/clevis-encrypt-tpm2
new file mode 100755
index 0000000..b99aa97
--- /dev/null
+++ b/src/clevis-encrypt-tpm2
@@ -0,0 +1,156 @@
+#!/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2017 Red Hat, Inc.
+# Author: Javier Martinez Canillas <javierm@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+SUMMARY="Encrypts using a TPM2.0 chip binding policy"
+# The owner hierarchy is the one that should be used by the Operating System.
+auth="o"
+# Algorithm type must be keyedhash for object with user provided sensitive data.
+alg_create_key="keyedhash"
+# Attributes for the created TPM2 object with the JWK as sensitive data.
+obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
+
+function on_exit() {
+ if ! rm -rf $TMP; then
+ echo "Delete temporary files failed!" >&2
+ exit 1
+ fi
+}
+
+if [ "$1" == "--summary" ]; then
+ echo "$SUMMARY"
+ exit 0
+fi
+
+if [ -t 0 ]; then
+ echo >&2
+ echo "Usage: clevis encrypt tpm2 CONFIG < PLAINTEXT > JWE" >&2
+ echo >&2
+ echo $SUMMARY >&2
+ echo >&2
+ echo "This command uses the following configuration properties:" >&2
+ echo >&2
+ echo " hash: <string> Hash algorithm used in the computation of the object name (default: sha256)" >&2
+ echo >&2
+ echo " key: <string> Algorithm type for the generated key (default: ecc)" >&2
+ echo >&2
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)" >&2
+ echo >&2
+ echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used" >&2
+ echo >&2
+ echo " pcr_digest: <string> Binary PCR hashes encoded in base64. If not present, the hash values are looked up" >&2
+ echo >&2
+ exit 1
+fi
+
+export TPM2TOOLS_TCTI_NAME=device
+export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
+
+if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
+ echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
+ exit 1
+fi
+
+if ! [[ -r "${TPM2TOOLS_DEVICE_FILE[0]}" && -w "${TPM2TOOLS_DEVICE_FILE[0]}" ]]; then
+ echo "The ${TPM2TOOLS_DEVICE_FILE[0]} device must be readable and writable!" >&2
+ exit 1
+fi
+
+if ! cfg=`jose fmt -j "$1" -Oo- 2>/dev/null`; then
+ echo "Configuration is malformed!" >&2
+ exit 1
+fi
+
+hash=`jose fmt -j- -Og hash -u- <<< "$cfg"` || hash="sha256"
+
+key=`jose fmt -j- -Og key -u- <<< "$cfg"` || key="ecc"
+
+pcr_bank=`jose fmt -j- -Og pcr_hash -u- <<< "$cfg"` || pcr_bank="sha1"
+
+pcr_ids=`jose fmt -j- -Og pcr_ids -u- <<< "$cfg"` || true
+
+pcr_digest=`jose fmt -j- -Og pcr_digest -u- <<< "$cfg"` || true
+
+if ! jwk=`jose jwk gen -i '{"alg":"A256GCM"}'`; then
+ echo "Generating a jwk failed!" >&2
+ exit 1
+fi
+
+if ! TMP=`mktemp -d`; then
+ echo "Creating a temporary dir for TPM files failed!" >&2
+ exit 1
+fi
+
+trap 'on_exit' EXIT
+
+if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
+ echo "Creating TPM2 primary key failed!" >&2
+ exit 1
+fi
+
+if [ -n "$pcr_ids" ]; then
+ if [ -z "$pcr_digest" ]; then
+ if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then
+ echo "Creating PCR hashes file failed!" >&2
+ exit 1
+ fi
+ else
+ if ! jose b64 dec -i- -O "$TMP"/pcr.digest <<< "$pcr_digest"; then
+ echo "Error decoding PCR digest!" >&2
+ exit 1
+ fi
+ fi
+
+ if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then
+ echo "create policy fail, please check the environment or parameters!"
+ exit 1
+ fi
+
+ policy_options="-L $TMP/pcr.policy"
+fi
+
+if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
+ -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
+ echo "Creating TPM2 object for jwk failed!" >&2
+ exit 1
+fi
+
+if ! jwk_pub=`jose b64 enc -I $TMP/jwk.pub`; then
+ echo "Encoding jwk.pub in Base64 failed!" >&2
+ exit 1
+fi
+
+if ! jwk_priv=`jose b64 enc -I $TMP/jwk.priv`; then
+ echo "Encoding jwk.priv in Base64 failed!" >&2
+ exit 1
+fi
+
+jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}'
+jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-`
+jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-`
+
+if [ -n "$pcr_ids" ]; then
+ jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-`
+ jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-`
+fi
+
+jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-`
+jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-`
+
+jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; cat)
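Review bot: The `pcr_bank` lookup asks jose for a `pcr_hash` property, while the usage text in this script, the man page and the header written below all call it `pcr_bank`, so a user's `"pcr_bank":"sha256"` is silently ignored and the sha1 bank is always used; change it to `pcr_bank=$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg") || pcr_bank="sha1"`. The failure message after `tpm2_createpolicy` is the only one not sent to stderr, so on that path the text ends up in the JWE output stream; add `>&2`. The config lookups use `-u-` alone where the decrypt script uses `-Su-`, and each falls back to its default on any failure, so a value of the wrong type (for example a numeric `pcr_ids`) would presumably make the lookup fail and yield a JWE with no PCR policy at all while the caller believes one was applied; use `-Su-` and report the error instead of defaulting. `"$TMP"/pcr.digest` is quoted on one line and `$TMP/pcr.digest` unquoted everywhere else — pick one form throughout.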
diff --git a/src/dracut/module-setup.sh.in b/src/dracut/module-setup.sh.in
index 5087d56..119762e 100755
--- a/src/dracut/module-setup.sh.in
+++ b/src/dracut/module-setup.sh.in
@@ -28,6 +28,8 @@ cmdline() {
}
install() {
+ local ret=0
+
cmdline > "${initdir}/etc/cmdline.d/99clevis.conf"
inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
@@ -41,10 +43,31 @@ install() {
clevis-decrypt \
luksmeta \
clevis \
+ mktemp \
curl \
jose \
nc
+ for cmd in clevis-decrypt-tpm2 \
+ tpm2_createprimary \
+ tpm2_unseal \
+ tpm2_load; do
+
+ if ! find_binary "$cmd" &>/dev/null; then
+ ((ret++))
+ fi
+ done
+
+ if (($ret == 0)); then
+ inst_multiple clevis-decrypt-tpm2 \
+ tpm2_createprimary \
+ tpm2_unseal \
+ tpm2_load
+ fi
+
dracut_need_initqueue
}
+installkernel() {
+ hostonly='' instmods =drivers/char/tpm
+}
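Review bot: `((ret++))` evaluates to 0 on the first increment and therefore exits with status 1; that is harmless while dracut sources this file without `set -e`, but `ret=$((ret + 1))` has no such edge, and `(($ret == 0))` is more idiomatically `((ret == 0))`. The same four commands are listed twice, once in the probe loop and once in `inst_multiple`, so the two lists will drift as the tpm2 pin grows dependencies; keep them in one variable. When any tool is missing the module silently produces an initramfs that cannot unlock tpm2-bound volumes, so a `dwarning` naming the missing command would make that diagnosable at image-build time rather than at boot. The rewrite below covers only the tpm2 part of `install()`; the function's opening and the base `inst_multiple` call are in the previous hunk and above this one.
```shell
    local tpm2_cmds="clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_load"

    # … unchanged: inst_multiple of the base clevis tools …

    for cmd in $tpm2_cmds; do
        if ! find_binary "$cmd" &>/dev/null; then
            dwarning "clevis: $cmd not found, tpm2 pin will not be usable from the initramfs"
            ret=$((ret + 1))
        fi
    done

    if ((ret == 0)); then
        inst_multiple $tpm2_cmds
    fi

    # … unchanged: dracut_need_initqueue …
```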
--
2.17.1