0f1aa4e16b
The tpm2-tools package in Fedora 32 was updated to version 4.0, but clevis still only has 3.0 support. Support for the latest release is in the works and will probable make it to the next clevis release. But until that happens, let's backport the patches that add tpm2-tools 4.0 support for clevis so it continues to work in Fedora 32. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
237 lines
8.8 KiB
Diff
237 lines
8.8 KiB
Diff
From 7d4425dc1b96f4a0efeb4383c6a32ab664d7e3cc Mon Sep 17 00:00:00 2001
|
|
From: Jonas Witschel <diabonas@gmx.de>
|
|
Date: Fri, 6 Sep 2019 15:27:14 +0200
|
|
Subject: [PATCH] pins/tpm2: add support for tpm2-tools 4.X
|
|
|
|
tpm2-tools renamed tpm2_pcrlist to tpm2_pcrread and changed a lot of
|
|
option names. Only the new unified environment variable TPM2TOOLS_TCTI
|
|
is supported, TPM2TOOLS_TCTI_NAME and TPM2TOOLS_DEVICE_FILE are no
|
|
longer recognised. Determine the tpm2-tools version from the output of
|
|
$(tpm2_createprimary -v) and switch accordingly.
|
|
---
|
|
src/luks/systemd/dracut/module-setup.sh.in | 6 ++-
|
|
src/pins/tpm2/clevis-decrypt-tpm2 | 40 ++++++++++++++----
|
|
src/pins/tpm2/clevis-encrypt-tpm2 | 48 ++++++++++++++++++----
|
|
src/pins/tpm2/meson.build | 5 ++-
|
|
4 files changed, 77 insertions(+), 22 deletions(-)
|
|
|
|
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
|
|
index 2dcdb68549d..89cc42cd226 100755
|
|
--- a/src/luks/systemd/dracut/module-setup.sh.in
|
|
+++ b/src/luks/systemd/dracut/module-setup.sh.in
|
|
@@ -19,7 +19,8 @@
|
|
#
|
|
|
|
check() {
|
|
- require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load || return 1
|
|
+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_load || return 1
|
|
+ require_any_binary tpm2_pcrread tpm2_pcrlist || return 1
|
|
return 0
|
|
}
|
|
|
|
@@ -53,7 +54,8 @@ install() {
|
|
jose \
|
|
nc
|
|
|
|
- inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load
|
|
+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_load
|
|
+ inst_multiple -o tpm2_pcrread tpm2_pcrlist
|
|
inst_libdir_file "libtss2-tcti-device.so*"
|
|
dracut_need_initqueue
|
|
}
|
|
diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2
|
|
index 4fc1c5858e3..e603e9a7275 100755
|
|
--- a/src/pins/tpm2/clevis-decrypt-tpm2
|
|
+++ b/src/pins/tpm2/clevis-decrypt-tpm2
|
|
@@ -37,16 +37,22 @@ if [ -t 0 ]; then
|
|
exit 1
|
|
fi
|
|
|
|
-TPM2TOOLS_INFO=`tpm2_pcrlist -v`
|
|
+TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
|
|
|
|
-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
|
|
- echo "The tpm2 pin requires tpm2-tools version 3" >&2
|
|
+match='version="(.)\.'
|
|
+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
|
|
+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
|
|
+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
|
|
exit 1
|
|
fi
|
|
|
|
+# Old environment variables for tpm2-tools 3.0
|
|
export TPM2TOOLS_TCTI_NAME=device
|
|
export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
|
|
|
|
+# New environment variable for tpm2-tools >= 3.1
|
|
+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:${TPM2TOOLS_DEVICE_FILE[0]}"
|
|
+
|
|
if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
|
|
echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
|
|
exit 1
|
|
@@ -98,9 +104,10 @@ trap 'on_exit' EXIT
|
|
|
|
pcr_ids=`jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- <<< "$jhd"` || true
|
|
|
|
+pcr_spec=''
|
|
if [ -n "$pcr_ids" ]; then
|
|
pcr_bank=`jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- <<< "$jhd"`
|
|
- policy_options="-L $pcr_bank:$pcr_ids"
|
|
+ pcr_spec="$pcr_bank:$pcr_ids"
|
|
fi
|
|
|
|
if ! `jose b64 dec -i- -O $TMP/jwk.pub <<< "$jwk_pub"`; then
|
|
@@ -113,19 +120,34 @@ if ! `jose b64 dec -i- -O $TMP/jwk.priv <<< "$jwk_priv"`; then
|
|
exit 1
|
|
fi
|
|
|
|
-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" \
|
|
- -C $TMP/primary.context 2>/dev/null; then
|
|
+case "$TPM2TOOLS_VERSION" in
|
|
+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
|
|
+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
|
|
+ *) fail=1;;
|
|
+esac
|
|
+if [ -n "$fail" ]; then
|
|
echo "Creating TPM2 primary key failed!" >&2
|
|
exit 1
|
|
fi
|
|
|
|
-if ! tpm2_load -Q -c $TMP/primary.context -u $TMP/jwk.pub -r $TMP/jwk.priv \
|
|
- -C $TMP/load.context 2>/dev/null; then
|
|
+case "$TPM2TOOLS_VERSION" in
|
|
+ 3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
|
|
+ -C "$TMP"/load.context || fail=$?;;
|
|
+ 4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
|
|
+ -c "$TMP"/load.context || fail=$?;;
|
|
+ *) fail=1;;
|
|
+esac
|
|
+if [ -n "$fail" ]; then
|
|
echo "Loading jwk to TPM2 failed!" >&2
|
|
exit 1
|
|
fi
|
|
|
|
-if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then
|
|
+case "$TPM2TOOLS_VERSION" in
|
|
+ 3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
|
|
+ 4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
|
|
+ *) fail=1;;
|
|
+esac
|
|
+if [ -n "$fail" ]; then
|
|
echo "Unsealing jwk from TPM failed!" >&2
|
|
exit 1
|
|
fi
|
|
diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
|
|
index a7f333269bc..90321963d1e 100755
|
|
--- a/src/pins/tpm2/clevis-encrypt-tpm2
|
|
+++ b/src/pins/tpm2/clevis-encrypt-tpm2
|
|
@@ -59,16 +59,22 @@ if [ -t 0 ]; then
|
|
exit 1
|
|
fi
|
|
|
|
-TPM2TOOLS_INFO=`tpm2_pcrlist -v`
|
|
+TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
|
|
|
|
-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
|
|
- echo "The tpm2 pin requires tpm2-tools version 3" >&2
|
|
+match='version="(.)\.'
|
|
+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
|
|
+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
|
|
+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
|
|
exit 1
|
|
fi
|
|
|
|
+# Old environment variables for tpm2-tools 3.0
|
|
export TPM2TOOLS_TCTI_NAME=device
|
|
export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
|
|
|
|
+# New environment variable for tpm2-tools >= 3.1
|
|
+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:${TPM2TOOLS_DEVICE_FILE[0]}"
|
|
+
|
|
if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
|
|
echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
|
|
exit 1
|
|
@@ -106,14 +112,25 @@ fi
|
|
|
|
trap 'on_exit' EXIT
|
|
|
|
-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
|
|
+case "$TPM2TOOLS_VERSION" in
|
|
+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
|
|
+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
|
|
+ *) fail=1;;
|
|
+esac
|
|
+if [ -n "$fail" ]; then
|
|
echo "Creating TPM2 primary key failed!" >&2
|
|
exit 1
|
|
fi
|
|
|
|
+policy_options=()
|
|
if [ -n "$pcr_ids" ]; then
|
|
if [ -z "$pcr_digest" ]; then
|
|
- if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then
|
|
+ case "$TPM2TOOLS_VERSION" in
|
|
+ 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
|
|
+ 4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
|
|
+ *) fail=1;;
|
|
+ esac
|
|
+ if [ -n "$fail" ]; then
|
|
echo "Creating PCR hashes file failed!" >&2
|
|
exit 1
|
|
fi
|
|
@@ -124,18 +141,31 @@ if [ -n "$pcr_ids" ]; then
|
|
fi
|
|
fi
|
|
|
|
- if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then
|
|
+ case "$TPM2TOOLS_VERSION" in
|
|
+ 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
|
|
+ -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
|
|
+ 4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
|
|
+ -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
|
|
+ *) fail=1;;
|
|
+ esac
|
|
+ if [ -n "$fail" ]; then
|
|
echo "create policy fail, please check the environment or parameters!"
|
|
exit 1
|
|
fi
|
|
|
|
- policy_options="-L $TMP/pcr.policy"
|
|
+ policy_options+=(-L "$TMP/pcr.policy")
|
|
else
|
|
obj_attr="$obj_attr|userwithauth"
|
|
fi
|
|
|
|
-if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
|
|
- -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
|
|
+case "$TPM2TOOLS_VERSION" in
|
|
+ 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
|
|
+ -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
|
|
+ 4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
|
|
+ -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
|
|
+ *) fail=1;;
|
|
+esac
|
|
+if [ -n "$fail" ]; then
|
|
echo "Creating TPM2 object for jwk failed!" >&2
|
|
exit 1
|
|
fi
|
|
diff --git a/src/pins/tpm2/meson.build b/src/pins/tpm2/meson.build
|
|
index 8121ec49cb3..4041a9a16d4 100644
|
|
--- a/src/pins/tpm2/meson.build
|
|
+++ b/src/pins/tpm2/meson.build
|
|
@@ -1,8 +1,9 @@
|
|
-cmds = ['createprimary', 'pcrlist', 'createpolicy', 'create', 'load', 'unseal']
|
|
+cmds = ['tpm2_createprimary', ['tpm2_pcrread', 'tpm2_pcrlist'],
|
|
+ 'tpm2_createpolicy', 'tpm2_create', 'tpm2_load', 'tpm2_unseal']
|
|
|
|
all = true
|
|
foreach cmd : cmds
|
|
- all = all and find_program('tpm2_' + cmd, required: false).found()
|
|
+ all = all and find_program(cmd, required: false).found()
|
|
endforeach
|
|
|
|
if all
|
|
--
|
|
2.21.0
|
|
|