* Mon Jan 23 2023 Miroslav Rezanina <mrezanin@redhat.com> - 2.7.0.6-7
- wla-redhat-Azure-CVM-specific-udev-rules.patch [bz#2162668] - Resolves: bz#2162668 (Add support for importing remotely sealed TPM2 objects)
This commit is contained in:
parent
c6e9387f0e
commit
d909050d90
1
90-tpm2-import.rules
Normal file
1
90-tpm2-import.rules
Normal file
@ -0,0 +1 @@
|
|||||||
|
SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/usr/sbin/tpm2-luks-import.sh /dev/$name"
|
@ -1,15 +1,19 @@
|
|||||||
%global with_legacy 0
|
%global with_legacy 0
|
||||||
%global dracut_modname 97walinuxagent
|
%global dracut_modname_udev 97walinuxagent
|
||||||
|
%global dracut_modname_cvm 97walinuxagentcvm
|
||||||
|
|
||||||
Name: WALinuxAgent
|
Name: WALinuxAgent
|
||||||
Version: 2.7.0.6
|
Version: 2.7.0.6
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
Summary: The Microsoft Azure Linux Agent
|
Summary: The Microsoft Azure Linux Agent
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: https://github.com/Azure/%{name}
|
URL: https://github.com/Azure/%{name}
|
||||||
Source0: https://github.com/Azure/%{name}/archive/v%{version}.tar.gz
|
Source0: https://github.com/Azure/%{name}/archive/v%{version}.tar.gz
|
||||||
Source1: module-setup.sh
|
Source1: module-setup-udev.sh
|
||||||
|
Source2: module-setup-cvm.sh
|
||||||
|
Source3: 90-tpm2-import.rules
|
||||||
|
Source4: tpm2-luks-import.sh
|
||||||
|
|
||||||
# Python3.9 fixes
|
# Python3.9 fixes
|
||||||
Patch0001: 0001-Initial-redhat-build-configuation.patch
|
Patch0001: 0001-Initial-redhat-build-configuation.patch
|
||||||
@ -66,6 +70,14 @@ Summary: Udev rules for Microsoft Azure
|
|||||||
%description udev
|
%description udev
|
||||||
Udev rules specific to Microsoft Azure Virtual Machines.
|
Udev rules specific to Microsoft Azure Virtual Machines.
|
||||||
|
|
||||||
|
%package cvm
|
||||||
|
Summary: Microsoft Azure CVM specific tools
|
||||||
|
Requires: tpm2-tools
|
||||||
|
Requires: cryptsetup
|
||||||
|
|
||||||
|
%description cvm
|
||||||
|
Scripts and udev rules specific to Microsoft Azure Confidential Virtual Machines.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%autopatch -p1
|
%autopatch -p1
|
||||||
@ -95,7 +107,15 @@ rm -f %{buildroot}%{_sbindir}/waagent2.0
|
|||||||
|
|
||||||
mv %{buildroot}%{_sysconfdir}/logrotate.d/waagent.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
mv %{buildroot}%{_sysconfdir}/logrotate.d/waagent.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||||
|
|
||||||
install -m0755 -D -t %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname}/ %{SOURCE1}
|
mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}
|
||||||
|
cp %{SOURCE1} %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}/module-setup.sh
|
||||||
|
chmod 0755 %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}/module-setup.sh
|
||||||
|
|
||||||
|
mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}
|
||||||
|
cp %{SOURCE2} %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}/module-setup.sh
|
||||||
|
chmod 0755 %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}/module-setup.sh
|
||||||
|
install -m0644 -D -t %{buildroot}%{_udevrulesdir}/ %{SOURCE3}
|
||||||
|
install -m0755 -D -t %{buildroot}%{_sbindir} %{SOURCE4}
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%systemd_post waagent.service
|
%systemd_post waagent.service
|
||||||
@ -122,8 +142,16 @@ rm -rf %{_unitdir}/waagent.service.d/
|
|||||||
%{python3_sitelib}/*.egg-info
|
%{python3_sitelib}/*.egg-info
|
||||||
|
|
||||||
%files udev
|
%files udev
|
||||||
%{_udevrulesdir}/*.rules
|
%{_udevrulesdir}/66-azure-storage.rules
|
||||||
%{_prefix}/lib/dracut/modules.d/%{dracut_modname}/*.sh
|
%{_udevrulesdir}/99-azure-product-uuid.rules
|
||||||
|
%dir %{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}
|
||||||
|
%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}/*.sh
|
||||||
|
|
||||||
|
%files cvm
|
||||||
|
%{_sbindir}/tpm2-luks-import.sh
|
||||||
|
%{_udevrulesdir}/90-tpm2-import.rules
|
||||||
|
%dir %{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}
|
||||||
|
%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}/*.sh
|
||||||
|
|
||||||
%if 0%{?with_legacy}
|
%if 0%{?with_legacy}
|
||||||
%files legacy
|
%files legacy
|
||||||
@ -131,6 +159,11 @@ rm -rf %{_unitdir}/waagent.service.d/
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 23 2023 Miroslav Rezanina <mrezanin@redhat.com> - 2.7.0.6-7
|
||||||
|
- wla-redhat-Azure-CVM-specific-udev-rules.patch [bz#2162668]
|
||||||
|
- Resolves: bz#2162668
|
||||||
|
(Add support for importing remotely sealed TPM2 objects)
|
||||||
|
|
||||||
* Mon Aug 29 2022 Miroslav Rezanina <mrezanin@redhat.com> - 2.7.0.6-6
|
* Mon Aug 29 2022 Miroslav Rezanina <mrezanin@redhat.com> - 2.7.0.6-6
|
||||||
- wla-redhat-Remove-files-inside-WALA-services-directory.patch [bz#2114768]
|
- wla-redhat-Remove-files-inside-WALA-services-directory.patch [bz#2114768]
|
||||||
- Resolves: bz#2114768
|
- Resolves: bz#2114768
|
||||||
|
18
module-setup-cvm.sh
Normal file
18
module-setup-cvm.sh
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
#!/usr/bin/bash
|
||||||
|
# SPDX-License-Identifier: GPL-2.0-or-later
|
||||||
|
|
||||||
|
check() {
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
depends() {
|
||||||
|
echo tpm2-tss
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
install() {
|
||||||
|
inst_multiple -o \
|
||||||
|
cryptsetup cut mktemp base64 uname hexdump \
|
||||||
|
tpm2_flushcontext tpm2_import tpm2_load tpm2_unseal tpm2_create tpm2_createprimary \
|
||||||
|
/usr/sbin/tpm2-luks-import.sh /lib/udev/rules.d/90-tpm2-import.rules
|
||||||
|
}
|
74
tpm2-luks-import.sh
Executable file
74
tpm2-luks-import.sh
Executable file
@ -0,0 +1,74 @@
|
|||||||
|
#! /bin/bash -e
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||||
|
#
|
||||||
|
# This script goes through all 'tpm2-import' tokens and converts them
|
||||||
|
# to 'systemd-tpm2' ones.
|
||||||
|
#
|
||||||
|
|
||||||
|
getval () {
|
||||||
|
grep ^\"$2\" $1 | cut -f 2 -d ':' | sed 's/\"//g'
|
||||||
|
}
|
||||||
|
|
||||||
|
if [[ ! -b "$1" ]]; then
|
||||||
|
echo "Device $1 does not exist!" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
/usr/sbin/cryptsetup luksDump "$1" | sed -n '/^Tokens:/,/^Digests:/p' | grep ' tpm2-import' | cut -d ':' -f 1 | while read tokenid; do
|
||||||
|
echo "Importing token $tokenid from $1"
|
||||||
|
token=`mktemp`
|
||||||
|
/usr/sbin/cryptsetup token export --token-id "$tokenid" "$1" | sed -e 's/[{}]/''/g' -e 's/\[//g' -e 's/\]//g' -e 's/,\"/\n"/g' > "$token"
|
||||||
|
tempdir=`mktemp -d`
|
||||||
|
pushd "$tempdir" > /dev/null
|
||||||
|
# Save token data to inidividual files to process them with tpm2-tools
|
||||||
|
getval "$token" "parent_pub" | base64 -d > parent.pub
|
||||||
|
getval "$token" "parent_prv" | base64 -d > parent.prv
|
||||||
|
getval "$token" "parent_seed" | base64 -d > parent.seed
|
||||||
|
getval "$token" "seal_pub" | base64 -d > seal.pub
|
||||||
|
getval "$token" "seal_prv" | base64 -d > seal.prv
|
||||||
|
getval "$token" "pcrpolicy_dat" | base64 -d > pcrpolicy.dat
|
||||||
|
if [ ! -z `getval "$token" "unique_dat"` ]; then
|
||||||
|
getval "$token" "unique_dat" | base64 -d > unique.dat
|
||||||
|
fi
|
||||||
|
echo "Unsealing volume key"
|
||||||
|
# Import sealed object
|
||||||
|
tpm2_flushcontext -t
|
||||||
|
if [ ! -f "unique.dat" ]; then
|
||||||
|
tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
|
||||||
|
else
|
||||||
|
tpm2_createprimary -Q -C o -g sha256 -G rsa -u unique.dat -c primary.ctx
|
||||||
|
fi
|
||||||
|
tpm2_flushcontext -t
|
||||||
|
tpm2_import -Q -C primary.ctx -u parent.pub -i parent.prv -r parent_imported.prv -s parent.seed
|
||||||
|
tpm2_flushcontext -t
|
||||||
|
tpm2_load -Q -C primary.ctx -u parent.pub -r parent_imported.prv -c parent.ctx
|
||||||
|
tpm2_flushcontext -t
|
||||||
|
tpm2_load -Q -C parent.ctx -u seal.pub -r seal.prv -c seal.ctx
|
||||||
|
tpm2_flushcontext -t
|
||||||
|
tpm2_unseal -Q -c seal.ctx -p pcr:`getval "$token" tpm2-pcr-bank`:`getval "$token" tpm2-pcrs` > volume_key
|
||||||
|
tpm2_flushcontext -t
|
||||||
|
echo "Sealing new volume key"
|
||||||
|
# Create a new sealed object under primary ECC key
|
||||||
|
tpm2_createprimary -Q -C o -g sha256 -G ecc:null:aes128cfb -c primary_ecc.ctx
|
||||||
|
tpm2_flushcontext -t
|
||||||
|
tpm2_create -Q -u seal_local.pub -r seal_local.prv -C primary_ecc.ctx -L pcrpolicy.dat -i volume_key
|
||||||
|
# Create a new systemd-tpm2 compatible token
|
||||||
|
echo "Adding new LUKS token to $1"
|
||||||
|
echo '{"type":"systemd-tpm2","keyslots":["'`getval "$token" keyslots`'"],
|
||||||
|
"tpm2-blob":"'`cat seal_local.prv seal_local.pub | base64 -w0`'",
|
||||||
|
"tpm2-pcrs":['`getval "$token" tpm2-pcrs`'],
|
||||||
|
"tpm2-pcr-bank":"'`getval "$token" tpm2-pcr-bank`'",
|
||||||
|
"tpm2-primary-alg":"ecc",
|
||||||
|
"tpm2-policy-hash":"'`hexdump -ve '1/1 "%.2x"' pcrpolicy.dat`'",
|
||||||
|
"tpm2-pin": false,
|
||||||
|
"kversion": "'`uname -r`'"}' | /usr/sbin/cryptsetup token import "$1"
|
||||||
|
# Remove tpm2-import token now
|
||||||
|
echo "Removing now-unneeded token $tokenid from $1"
|
||||||
|
/usr/sbin/cryptsetup token remove --token-id "$tokenid" "$1"
|
||||||
|
echo "Importing token $tokenid from $1 finished successfully"
|
||||||
|
popd > /dev/null
|
||||||
|
# Cleanup
|
||||||
|
rm -rf "$tempdir"
|
||||||
|
rm -f "$token"
|
||||||
|
done
|
Loading…
Reference in New Issue
Block a user