TPM2 use first PCR algorithm bank supported by TPM

Resolves: #RHEL-65468

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
This commit is contained in:
Sergio Arroutbi 2024-11-05 15:59:33 +01:00
parent 3d8d6cb185
commit 3387ddc404
2 changed files with 71 additions and 1 deletions

View File

@ -0,0 +1,65 @@
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -58,7 +58,7 @@
echo
echo " key: <string> Algorithm type for the generated key (default: ecc)"
echo
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
echo
echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
echo
@@ -130,7 +130,15 @@
key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
+ if ! pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
+ END {exit !found}'); then
+ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
+ exit 1
+ fi
+}
# Trim the spaces from the config, so that we will not have issues parsing
# the PCR IDs.
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
@@ -91,13 +91,17 @@
- *symcipher*
* *pcr_bank* (string) :
- PCR algorithm bank to use for policy (default: sha1)
+ PCR algorithm bank to use for policy (default: first supported by TPM)
- It must be one of the following:
+ Examples of PCR algorithm banks, support depends on TPM chip:
- *sha1*
- *sha256*
+ For the full list of algorithms supported by the TPM chip check output of
+ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
+ numbers.
+
* *pcr_ids* (string) :
Comma separated list of PCR used for policy. If not present, no policy is used
--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -142,8 +142,10 @@
# arrays and check if we get the expected pcr_ids.
# Let's first make sure this would be a valid configuration.
-_default_pcr_bank="sha1"
-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
+_default_pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
+if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1

View File

@ -1,6 +1,6 @@
Name: clevis Name: clevis
Version: 21 Version: 21
Release: 205%{?dist} Release: 206%{?dist}
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPLv3+
@ -11,6 +11,7 @@ Source1: clevis.sysusers
Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
Patch1: 0002-Fix-potential-race-condition.patch Patch1: 0002-Fix-potential-race-condition.patch
Patch2: 0003-Fix-to-start-pcscd-appropriately.patch Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
BuildRequires: git-core BuildRequires: git-core
BuildRequires: gcc BuildRequires: gcc
@ -218,6 +219,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%changelog %changelog
* Tue Nov 5 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-206
- TPM2: use first PCR algorithm bank supported by TPM as default
Resolves: #RHEL-65468
* Thu Oct 31 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-205 * Thu Oct 31 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-205
- Groom clevis.spec - Groom clevis.spec
Resolves: #RHEL-65458 Resolves: #RHEL-65458