|
@@ -24,11 +24,12 @@ auth="o"
|
|
|
# Algorithm type must be keyedhash for object with user provided sensitive data.
|
|
|
alg_create_key="keyedhash"
|
|
|
# Attributes for the created TPM2 object with the JWK as sensitive data.
|
|
|
-obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
|
|
|
+obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
|
|
|
|
|
|
function on_exit() {
|
|
|
- if ! rm -rf $TMP; then
|
|
|
+ if [ ! -d "$TMP" ] || ! rm -rf "$TMP"; then
|
|
|
echo "Delete temporary files failed!" >&2
|
|
|
+ echo "You need to clean up: $TMP" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
}
|
|
@@ -39,81 +40,126 @@ if [ "$1" == "--summary" ]; then
|
|
|
fi
|
|
|
|
|
|
if [ -t 0 ]; then
|
|
|
- echo >&2
|
|
|
- echo "Usage: clevis encrypt tpm2 CONFIG < PLAINTEXT > JWE" >&2
|
|
|
- echo >&2
|
|
|
- echo $SUMMARY >&2
|
|
|
- echo >&2
|
|
|
- echo "This command uses the following configuration properties:" >&2
|
|
|
- echo >&2
|
|
|
- echo " hash: <string> Hash algorithm used in the computation of the object name (default: sha256)" >&2
|
|
|
- echo >&2
|
|
|
- echo " key: <string> Algorithm type for the generated key (default: ecc)" >&2
|
|
|
- echo >&2
|
|
|
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)" >&2
|
|
|
- echo >&2
|
|
|
- echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used" >&2
|
|
|
- echo >&2
|
|
|
- echo " pcr_digest: <string> Binary PCR hashes encoded in base64. If not present, the hash values are looked up" >&2
|
|
|
- echo >&2
|
|
|
- exit 1
|
|
|
+ exec >&2
|
|
|
+ echo
|
|
|
+ echo "Usage: clevis encrypt tpm2 CONFIG < PLAINTEXT > JWE"
|
|
|
+ echo
|
|
|
+ echo "$SUMMARY"
|
|
|
+ echo
|
|
|
+ echo "This command uses the following configuration properties:"
|
|
|
+ echo
|
|
|
+ echo " hash: <string> Hash algorithm used in the computation of the object name (default: sha256)"
|
|
|
+ echo
|
|
|
+ echo " key: <string> Algorithm type for the generated key (default: ecc)"
|
|
|
+ echo
|
|
|
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
|
|
|
+ echo
|
|
|
+ echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
|
|
|
+ echo
|
|
|
+ echo " pcr_digest: <string> Binary PCR hashes encoded in base64. If not present, the hash values are looked up"
|
|
|
+ echo
|
|
|
+ exit 2
|
|
|
fi
|
|
|
|
|
|
-TPM2TOOLS_INFO=`tpm2_pcrlist -v`
|
|
|
+TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
|
|
|
|
|
|
-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
|
|
|
- echo "The tpm2 pin requires tpm2-tools version 3" >&2
|
|
|
+match='version="(.)\.'
|
|
|
+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
|
|
|
+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
|
|
|
+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
+# Old environment variables for tpm2-tools 3.0
|
|
|
export TPM2TOOLS_TCTI_NAME=device
|
|
|
-export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
|
|
|
+export TPM2TOOLS_DEVICE_FILE=
|
|
|
+for dev in /dev/tpmrm?; do
|
|
|
+ [ -e "$dev" ] || continue
|
|
|
+ TPM2TOOLS_DEVICE_FILE="$dev"
|
|
|
+ break
|
|
|
+done
|
|
|
+
|
|
|
+# New environment variable for tpm2-tools >= 3.1
|
|
|
+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE"
|
|
|
|
|
|
-if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
|
|
|
+if [ -z "$TPM2TOOLS_DEVICE_FILE" ]; then
|
|
|
echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
-if ! [[ -r "${TPM2TOOLS_DEVICE_FILE[0]}" && -w "${TPM2TOOLS_DEVICE_FILE[0]}" ]]; then
|
|
|
- echo "The ${TPM2TOOLS_DEVICE_FILE[0]} device must be readable and writable!" >&2
|
|
|
+if ! [[ -r "$TPM2TOOLS_DEVICE_FILE" && -w "$TPM2TOOLS_DEVICE_FILE" ]]; then
|
|
|
+ echo "The $TPM2TOOLS_DEVICE_FILE device must be readable and writable!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
-if ! cfg=`jose fmt -j "$1" -Oo- 2>/dev/null`; then
|
|
|
+if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
|
|
|
echo "Configuration is malformed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
-hash=`jose fmt -j- -Og hash -u- <<< "$cfg"` || hash="sha256"
|
|
|
+hash="$(jose fmt -j- -Og hash -u- <<< "$cfg")" || hash="sha256"
|
|
|
|
|
|
-key=`jose fmt -j- -Og key -u- <<< "$cfg"` || key="ecc"
|
|
|
+key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
|
|
|
|
|
|
-pcr_bank=`jose fmt -j- -Og pcr_hash -u- <<< "$cfg"` || pcr_bank="sha1"
|
|
|
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
|
|
|
|
|
|
-pcr_ids=`jose fmt -j- -Og pcr_ids -u- <<< "$cfg"` || true
|
|
|
+# Issue #103: We support passing pcr_ids using both a single string, as in
|
|
|
+# "1,3", as well as an actual JSON array, such as ["1,"3"]. Let's handle both
|
|
|
+# cases here.
|
|
|
+if [[ ${cfg// /} != '{}' ]] \
|
|
|
+ && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null <<< "$cfg")"; then
|
|
|
|
|
|
-pcr_digest=`jose fmt -j- -Og pcr_digest -u- <<< "$cfg"` || true
|
|
|
+ # We failed to parse a string, so let's try to parse a JSON array instead.
|
|
|
+ if jose fmt -j- -Og pcr_ids -A 2>/dev/null <<< "${cfg}"; then
|
|
|
+ # OK, it is an array, so let's get the items and form a string.
|
|
|
+ pcr_ids=
|
|
|
+ for pcr in $(jose fmt -j- -Og pcr_ids -Af- <<< "${cfg}" \
|
|
|
+ | tr -d '"'); do
|
|
|
+ pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}")
|
|
|
+ done
|
|
|
+ # Now let's remove the leading comma.
|
|
|
+ pcr_ids=${pcr_ids/#,/}
|
|
|
+ else
|
|
|
+ # Not to add a policy that was not intended, in this case, no policy
|
|
|
+ # at all, let's report the issue and exit.
|
|
|
+ echo "Parsing the requested policy failed!" >&2
|
|
|
+ exit 1
|
|
|
+ fi
|
|
|
+fi
|
|
|
|
|
|
-if ! jwk=`jose jwk gen -i '{"alg":"A256GCM"}'`; then
|
|
|
+pcr_digest="$(jose fmt -j- -Og pcr_digest -u- <<< "$cfg")" || true
|
|
|
+
|
|
|
+if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then
|
|
|
echo "Generating a jwk failed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
-if ! TMP=`mktemp -d`; then
|
|
|
+if ! TMP="$(mktemp -d)"; then
|
|
|
echo "Creating a temporary dir for TPM files failed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
trap 'on_exit' EXIT
|
|
|
|
|
|
-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
|
|
|
+case "$TPM2TOOLS_VERSION" in
|
|
|
+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
|
|
|
+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
|
|
|
+ *) fail=1;;
|
|
|
+esac
|
|
|
+if [ -n "$fail" ]; then
|
|
|
echo "Creating TPM2 primary key failed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
+policy_options=()
|
|
|
if [ -n "$pcr_ids" ]; then
|
|
|
if [ -z "$pcr_digest" ]; then
|
|
|
- if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then
|
|
|
+ case "$TPM2TOOLS_VERSION" in
|
|
|
+ 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
|
|
|
+ 4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
|
|
|
+ *) fail=1;;
|
|
|
+ esac
|
|
|
+ if [ -n "$fail" ]; then
|
|
|
echo "Creating PCR hashes file failed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
@@ -124,40 +170,59 @@ if [ -n "$pcr_ids" ]; then
|
|
|
fi
|
|
|
fi
|
|
|
|
|
|
- if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then
|
|
|
+ case "$TPM2TOOLS_VERSION" in
|
|
|
+ 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
|
|
|
+ -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
|
|
|
+ 4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
|
|
|
+ -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
|
|
|
+ *) fail=1;;
|
|
|
+ esac
|
|
|
+ if [ -n "$fail" ]; then
|
|
|
echo "create policy fail, please check the environment or parameters!"
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
- policy_options="-L $TMP/pcr.policy"
|
|
|
+ policy_options+=(-L "$TMP/pcr.policy")
|
|
|
+else
|
|
|
+ obj_attr="$obj_attr|userwithauth"
|
|
|
fi
|
|
|
|
|
|
-if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
|
|
|
- -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
|
|
|
+case "$TPM2TOOLS_VERSION" in
|
|
|
+ 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
|
|
|
+ -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
|
|
|
+ 4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
|
|
|
+ -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
|
|
|
+ *) fail=1;;
|
|
|
+esac
|
|
|
+if [ -n "$fail" ]; then
|
|
|
echo "Creating TPM2 object for jwk failed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
-if ! jwk_pub=`jose b64 enc -I $TMP/jwk.pub`; then
|
|
|
+if ! jwk_pub="$(jose b64 enc -I "$TMP"/jwk.pub)"; then
|
|
|
echo "Encoding jwk.pub in Base64 failed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
-if ! jwk_priv=`jose b64 enc -I $TMP/jwk.priv`; then
|
|
|
+if ! jwk_priv="$(jose b64 enc -I "$TMP"/jwk.priv)"; then
|
|
|
echo "Encoding jwk.priv in Base64 failed!" >&2
|
|
|
exit 1
|
|
|
fi
|
|
|
|
|
|
jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}'
|
|
|
-jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-`
|
|
|
-jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-`
|
|
|
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-)"
|
|
|
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-)"
|
|
|
|
|
|
if [ -n "$pcr_ids" ]; then
|
|
|
- jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-`
|
|
|
- jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-`
|
|
|
+ jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)"
|
|
|
+ jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)"
|
|
|
fi
|
|
|
|
|
|
-jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-`
|
|
|
-jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-`
|
|
|
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
|
|
|
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
|
|
|
+
|
|
|
+# The on_exit() trap will not be fired after exec, so let's clean up the temp
|
|
|
+# directory at this point.
|
|
|
+[ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
|
|
|
|
-jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
|
|
|
+exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
|