clevis/clevis-encrypt-tpm2-fix-TPM-object-attributes.patch

From b48c1096766f8fd1a9edc1ac5c1c0eea16dc2e5b Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Fri, 6 Sep 2019 15:04:35 +0200
Subject: [PATCH] clevis-encrypt-tpm2: fix TPM object attributes

Fix two problems with the current specification of the object
attributes:

1. According to the Trusted Platform Module Library Family 2.0
Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5,
sensitiveDataOrigin shall not be set for data objects:

NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for
a data object so sensitiveDataOrigin is required to be CLEAR. A data
object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes
are CLEAR.

tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin'
attribute.

2. If the key is sealed against a certain PCR configuration,
'userwithauth' needs to be clear so that the key cannot be unsealed with
the default empty authorisation password. On the other hand, if the key
is not sealed against a specific PCR configuration, 'userwithauth' must
be set because there is no PCR policy to fulfil.

tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified
for tpm2_create.
---
 src/pins/tpm2/clevis-encrypt-tpm2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
index c70187d7f4c..a7f333269bc 100755
--- a/src/pins/tpm2/clevis-encrypt-tpm2
+++ b/src/pins/tpm2/clevis-encrypt-tpm2
@@ -24,7 +24,7 @@ auth="o"
 # Algorithm type must be keyedhash for object with user provided sensitive data.
 alg_create_key="keyedhash"
 # Attributes for the created TPM2 object with the JWK as sensitive data.
-obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
+obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
 
 function on_exit() {
     if ! rm -rf $TMP; then
@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then
     fi
 
     policy_options="-L $TMP/pcr.policy"
+else
+    obj_attr="$obj_attr|userwithauth"
 fi
 
 if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
-- 
2.21.0
Add support for tpm2-tools 4.0 The tpm2-tools package in Fedora 32 was updated to version 4.0, but clevis still only has 3.0 support. Support for the latest release is in the works and will probable make it to the next clevis release. But until that happens, let's backport the patches that add tpm2-tools 4.0 support for clevis so it continues to work in Fedora 32. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> 2019-09-06 12:39:24 +00:00			`From b48c1096766f8fd1a9edc1ac5c1c0eea16dc2e5b Mon Sep 17 00:00:00 2001`
			`From: Jonas Witschel <diabonas@gmx.de>`
			`Date: Fri, 6 Sep 2019 15:04:35 +0200`
			`Subject: [PATCH] clevis-encrypt-tpm2: fix TPM object attributes`

			`Fix two problems with the current specification of the object`
			`attributes:`

			`1. According to the Trusted Platform Module Library Family 2.0`
			`Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5,`
			`sensitiveDataOrigin shall not be set for data objects:`

			`NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for`
			`a data object so sensitiveDataOrigin is required to be CLEAR. A data`
			`object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes`
			`are CLEAR.`

			`tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin'`
			`attribute.`

			`2. If the key is sealed against a certain PCR configuration,`
			`'userwithauth' needs to be clear so that the key cannot be unsealed with`
			`the default empty authorisation password. On the other hand, if the key`
			`is not sealed against a specific PCR configuration, 'userwithauth' must`
			`be set because there is no PCR policy to fulfil.`

			`tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified`
			`for tpm2_create.`
			`---`
			`src/pins/tpm2/clevis-encrypt-tpm2 \| 4 +++-`
			`1 file changed, 3 insertions(+), 1 deletion(-)`

			`diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2`
			`index c70187d7f4c..a7f333269bc 100755`
			`--- a/src/pins/tpm2/clevis-encrypt-tpm2`
			`+++ b/src/pins/tpm2/clevis-encrypt-tpm2`
			`@@ -24,7 +24,7 @@ auth="o"`
			`# Algorithm type must be keyedhash for object with user provided sensitive data.`
			`alg_create_key="keyedhash"`
			`# Attributes for the created TPM2 object with the JWK as sensitive data.`
			`-obj_attr="fixedtpm\|fixedparent\|sensitivedataorigin\|noda\|adminwithpolicy"`
			`+obj_attr="fixedtpm\|fixedparent\|noda\|adminwithpolicy"`

			`function on_exit() {`
			`if ! rm -rf $TMP; then`
			`@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then`
			`fi`

			`policy_options="-L $TMP/pcr.policy"`
			`+else`
			`+ obj_attr="$obj_attr\|userwithauth"`
			`fi`

			`if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \`
			`--`
			`2.21.0`