66 lines
2.9 KiB
Diff
66 lines
2.9 KiB
Diff
|
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
|
||
|
|
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
|
||
|
|
@@ -58,7 +58,7 @@
|
||
|
|
echo
|
||
|
|
echo " key: <string> Algorithm type for the generated key (default: ecc)"
|
||
|
|
echo
|
||
|
|
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
|
||
|
|
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
|
||
|
|
echo
|
||
|
|
echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
|
||
|
|
echo
|
||
|
|
@@ -130,7 +130,15 @@
|
||
|
|
|
||
|
|
key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
|
||
|
|
|
||
|
|
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
|
||
|
|
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
|
||
|
|
+ if ! pcr_bank=$(tpm2_getcap pcrs |
|
||
|
|
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
|
||
|
|
+ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
|
||
|
|
+ END {exit !found}'); then
|
||
|
|
+ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
|
||
|
|
+ exit 1
|
||
|
|
+ fi
|
||
|
|
+}
|
||
|
|
|
||
|
|
# Trim the spaces from the config, so that we will not have issues parsing
|
||
|
|
# the PCR IDs.
|
||
|
|
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
|
||
|
|
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
|
||
|
|
@@ -91,13 +91,17 @@
|
||
|
|
- *symcipher*
|
||
|
|
|
||
|
|
* *pcr_bank* (string) :
|
||
|
|
- PCR algorithm bank to use for policy (default: sha1)
|
||
|
|
+ PCR algorithm bank to use for policy (default: first supported by TPM)
|
||
|
|
|
||
|
|
- It must be one of the following:
|
||
|
|
+ Examples of PCR algorithm banks, support depends on TPM chip:
|
||
|
|
|
||
|
|
- *sha1*
|
||
|
|
- *sha256*
|
||
|
|
|
||
|
|
+ For the full list of algorithms supported by the TPM chip check output of
|
||
|
|
+ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
|
||
|
|
+ numbers.
|
||
|
|
+
|
||
|
|
* *pcr_ids* (string) :
|
||
|
|
Comma separated list of PCR used for policy. If not present, no policy is used
|
||
|
|
|
||
|
|
--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
|
||
|
|
+++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
|
||
|
|
@@ -142,8 +142,10 @@
|
||
|
|
# arrays and check if we get the expected pcr_ids.
|
||
|
|
|
||
|
|
# Let's first make sure this would be a valid configuration.
|
||
|
|
-_default_pcr_bank="sha1"
|
||
|
|
-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
|
||
|
|
+_default_pcr_bank=$(tpm2_getcap pcrs |
|
||
|
|
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
|
||
|
|
+ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
|
||
|
|
+if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
|
||
|
|
test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
|
||
|
|
test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
|
||
|
|
test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1
|