0f1aa4e16b
The tpm2-tools package in Fedora 32 was updated to version 4.0, but clevis still only has 3.0 support. Support for the latest release is in the works and will probably make it to the next clevis release. But until that happens, let's backport the patches that add tpm2-tools 4.0 support for clevis so it continues to work in Fedora 32.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
58 lines
2.1 KiB
Diff
From b48c1096766f8fd1a9edc1ac5c1c0eea16dc2e5b Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Fri, 6 Sep 2019 15:04:35 +0200
Subject: [PATCH] clevis-encrypt-tpm2: fix TPM object attributes

Fix two problems with the current specification of the object
attributes:

1. According to the Trusted Platform Module Library Family 2.0
Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5,
sensitiveDataOrigin shall not be set for data objects:

NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for
a data object so sensitiveDataOrigin is required to be CLEAR. A data
object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes
are CLEAR.

tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin'
attribute.

2. If the key is sealed against a certain PCR configuration,
'userwithauth' needs to be clear so that the key cannot be unsealed with
the default empty authorisation password. On the other hand, if the key
is not sealed against a specific PCR configuration, 'userwithauth' must
be set because there is no PCR policy to fulfil.

tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified
for tpm2_create.
---
 src/pins/tpm2/clevis-encrypt-tpm2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
index c70187d7f4c..a7f333269bc 100755
--- a/src/pins/tpm2/clevis-encrypt-tpm2
+++ b/src/pins/tpm2/clevis-encrypt-tpm2
@@ -24,7 +24,7 @@ auth="o"
# Algorithm type must be keyedhash for object with user provided sensitive data.
alg_create_key="keyedhash"
# Attributes for the created TPM2 object with the JWK as sensitive data.
-obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
+obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
 
function on_exit() {
if ! rm -rf $TMP; then
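Review bot: the comment above `obj_attr` still only says the object carries the JWK as sensitive data; since `sensitivedataorigin` is being dropped on purpose, record the reason next to the assignment (a keyedhash data object whose sensitive data is supplied by the caller must have sensitiveDataOrigin CLEAR, per the Part 2 section 8.3.3.5 note quoted in the message), otherwise the missing attribute reads like an oversight and is likely to be re-added later. The old line only worked because tpm2-tools 3.x silently stripped the attribute, so the declared set `fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy` never matched what the TPM was actually asked to create; making the script state the real set is the correct fix.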
@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then
fi
 
policy_options="-L $TMP/pcr.policy"
+else
+ obj_attr="$obj_attr|userwithauth"
fi
 
if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
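Review bot: the new `else` branch appends `userwithauth` only when `$pcr_ids` is empty, so an object sealed to PCRs is now unsealable solely through its policy (`adminwithpolicy` together with the `-L $TMP/pcr.policy` passed in `policy_options`) and no longer through the default empty password, which is the behaviour the message asks for; the matching unseal path is not part of this patch, so confirm before merging that the decrypt side always opens a policy session for PCR-bound objects, because the empty-auth fallback that tpm2-tools 3.x implicitly granted is gone. A one-line comment on `+ obj_attr="$obj_attr|userwithauth"` stating that the attribute is required when no policy exists would mirror the reasoning already given for the PCR case.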
--
2.21.0