TPM2 use first PCR algorithm bank supported by TPM
Resolves: #RHEL-65468 Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
parent
3d8d6cb185
commit
3387ddc404
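--- /dev/null
+++ b/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
@@ -0,0 +1,65 @@
+--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
+@@ -58,7 +58,7 @@
+echo
+echo " key: <string> Algorithm type for the generated key (default: ecc)"
+echo
+- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
++ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
+echo
+echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
+echo
+@@ -130,7 +130,15 @@
+
+key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
+
+-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
++pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
++ if ! pcr_bank=$(tpm2_getcap pcrs |
++ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
++ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
++ END {exit !found}'); then
++ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
++ exit 1
++ fi
++}
+
+# Trim the spaces from the config, so that we will not have issues parsing
+# the PCR IDs.
+--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
+@@ -91,13 +91,17 @@
+- *symcipher*
+
+* *pcr_bank* (string) :
+- PCR algorithm bank to use for policy (default: sha1)
++ PCR algorithm bank to use for policy (default: first supported by TPM)
+
+- It must be one of the following:
++ Examples of PCR algorithm banks, support depends on TPM chip:
+
+- *sha1*
+- *sha256*
+
++ For the full list of algorithms supported by the TPM chip check output of
++ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
++ numbers.
++
+* *pcr_ids* (string) :
+Comma separated list of PCR used for policy. If not present, no policy is used
+
+--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
+@@ -142,8 +142,10 @@
+# arrays and check if we get the expected pcr_ids.
+
+# Let's first make sure this would be a valid configuration.
+-_default_pcr_bank="sha1"
+-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
++_default_pcr_bank=$(tpm2_getcap pcrs |
++ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
++ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
++if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
+test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
+test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
+test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1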
@ -1,6 +1,6 @@
|
|||||||
Name: clevis
|
Name: clevis
|
||||||
Version: 21
|
Version: 21
|
||||||
Release: 205%{?dist}
|
Release: 206%{?dist}
|
||||||
Summary: Automated decryption framework
|
Summary: Automated decryption framework
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -11,6 +11,7 @@ Source1: clevis.sysusers
|
|||||||
Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
|
Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
|
||||||
Patch1: 0002-Fix-potential-race-condition.patch
|
Patch1: 0002-Fix-potential-race-condition.patch
|
||||||
Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
|
Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
|
||||||
|
Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
|
||||||
|
|
||||||
BuildRequires: git-core
|
BuildRequires: git-core
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -218,6 +219,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
|
||||||
|
* Tue Nov 5 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-206
|
||||||
|
- TPM2: use first PCR algorithm bank supported by TPM as default
|
||||||
|
Resolves: #RHEL-65468
|
||||||
|
|
||||||
* Thu Oct 31 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-205
|
* Thu Oct 31 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-205
|
||||||
- Groom clevis.spec
|
- Groom clevis.spec
|
||||||
Resolves: #RHEL-65458
|
Resolves: #RHEL-65458
|
||||||
|