
Add support for TPM2

Christoph Biedl 6 years ago
parent
commit
168aeef59a

+ 3 - 0
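--- a/debian/clevis-tpm2.install
+++ b/debian/clevis-tpm2.install
@@ -0,0 +1,3 @@
+
+usr/bin/clevis-decrypt-tpm2
+usr/bin/clevis-encrypt-tpm2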

+ 2 - 0
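--- a/debian/clevis-tpm2.manpages
+++ b/debian/clevis-tpm2.manpages
@@ -0,0 +1,2 @@
+
+debian/tmp/usr/share/man/man1/clevis-encrypt-tpm2.1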

+ 17 - 2
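--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,7 @@
 Source: clevis
 Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
 Homepage: https://github.com/latchset/clevis
-Standards-Version: 4.1.1
+Standards-Version: 4.1.3
 Build-Depends: debhelper (>= 10~),
     curl,
     dracut,
@@ -16,6 +16,7 @@ Build-Depends: debhelper (>= 10~),
     libudisks2-dev,
     pkg-config,
     systemd,
+    tpm2-tools,
     tang,
 Priority: optional
 Section: net
@@ -35,7 +36,21 @@ Description: automated encryption framework
  to provide automated decryption of data or even automated unlocking of
  LUKS volumes.
  .
- It supports tang, shamir secret sharing, escrow using HTTP.
+ It supports tang, shamir secret sharing (SSS), and escrow using HTTP.
+
+Package: clevis-tpm2
+Architecture: linux-any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+    clevis,
+    tpm2-tools,
+Recommends:
+    cryptsetup,
+Description: automated encryption framework, TPM2 support
+ Clevis is a plugable framework for automated decryption. It can be used
+ to provide automated decryption of data or even automated unlocking of
+ LUKS volumes.
+ .
+ This package provides the TPM2 pin.
 
 Package: clevis-dracut
 Architecture: all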
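Review bot: The new clevis-tpm2 stanza declares `Depends: ... tpm2-tools,` with no version bound, although the pin drives the tpm2-tools command line directly (the cherry-picked patch in this same commit describes the pin as shaped by "how the tpm2-tools work"), and that CLI has, in my experience, changed option names and context-file handling between major releases. A wrong tool version would surface only at decrypt time, which for a LUKS-unlock pin means a system that no longer boots rather than a clean install-time failure, so consider a bound such as `tpm2-tools (>= 3.0),` after confirming which major release upstream clevis v9 targets, and mirror it on the Build-Depends entry if the build runs the pin's tests. Separately, the copied description text `Clevis is a plugable framework` should read `pluggable`; the existing clevis stanza outside this hunk presumably carries the same spelling and could be fixed in the same pass.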

+ 39 - 0
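--- a/debian/patches/cherry-pick.v9-2-gdc292ff.dont-attempt-to-create-temporary-files-in-the-user-s-home-directory.patch
+++ b/debian/patches/cherry-pick.v9-2-gdc292ff.dont-attempt-to-create-temporary-files-in-the-user-s-home-directory.patch
@@ -0,0 +1,39 @@
+Subject: Don't attempt to create temporary files in the user's home directory
+Origin: v9-2-gdc292ff
+Upstream-Author: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue Feb 20 16:51:10 2018 +0100
+
+    To use the tpm2 pin, some temporary files need to be created due how the
+    tpm2-tools work. Currently they are created in the user's home directory
+    but the commands can be executed by a user that doesn't have a home dir.
+    
+    So it's better to just create the temporary directory in /tmp, which is
+    mktemp default. The mktemp default permissions are u+rwx anyways, so it
+    isn't less secure to have the temp dir at /tmp instead of the home dir.
+    
+    Fixes: #30
+    
+    Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+
+--- a/src/clevis-decrypt-tpm2
++++ b/src/clevis-decrypt-tpm2
+@@ -82,7 +82,7 @@
+     exit 1
+ fi
+ 
+-if ! TMP=`mktemp -d -p ~`; then
++if ! TMP=`mktemp -d`; then
+     echo "Creating a temporary dir for TPM files failed!" >&2
+     exit 1
+ fi
+--- a/src/clevis-encrypt-tpm2
++++ b/src/clevis-encrypt-tpm2
+@@ -92,7 +92,7 @@
+     exit 1
+ fi
+ 
+-if ! TMP=`mktemp -d -p ~`; then
++if ! TMP=`mktemp -d`; then
+     echo "Creating a temporary dir for TPM files failed!" >&2
+     exit 1
+ fi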
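Review bot: The switch to `TMP=`mktemp -d`` is sound as far as permissions go, since mktemp creates the directory mode 0700 and honours `$TMPDIR`, but neither quoted hunk shows what happens to `$TMP` afterwards, and both clevis-decrypt-tpm2 and clevis-encrypt-tpm2 continue well past the hunk. Please confirm that each script installs something like `trap 'rm -rf "$TMP"' EXIT` before the first tpm2_* call, because a mid-way failure of one of those tools would otherwise leave TPM object blobs (and, on the decrypt side, possibly unsealed key material if it is written to a file rather than streamed) under /tmp, which on many systems is persistent disk rather than tmpfs. If anything in cleartext does land in `$TMP`, a tmpfs location such as `mktemp -d -p /dev/shm` (with the /tmp fallback the patch already relies on) would keep it off disk; that is a change to raise upstream rather than carry as a Debian-local delta on a cherry-pick. The backtick command substitution is inherited from upstream and is best left alone here for the same reason.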

+ 1 - 0
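--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+cherry-pick.v9-2-gdc292ff.dont-attempt-to-create-temporary-files-in-the-user-s-home-directory.patch
 test-exec-path.patch
 disable-dracut-check.patch
 fix-manpage-add-name.patch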