
Cherry-pick support for tpm2-tools 5.X. Closes: #978574

Christoph Biedl 3 years ago
parent
commit
92e15fc9ac

+ 110 - 0
debian/patches/cherry-pick.v15-1-gef76951.pins-tpm2-add-support-for-tpm2-tools-5-x.patch

@@ -0,0 +1,110 @@
+Subject: Pins/tpm2: add support for tpm2-tools 5.X
+Origin: v15-1-gef76951 <https://github.com/latchset/clevis/commit/v15-1-gef76951>
+Upstream-Author: Jonas Witschel <diabonas@gmx.de>
+Date: Wed Nov 11 12:43:18 2020 +0100
+
+    tpm2-tools 5.0 consolidates all tools into a single busybox-style binary, so
+    the preferred way to invoke the commands would be e.g. "tpm2 createprimary"
+    instead of "tpm2_createprimary". However, compatibility symlinks tpm2_* -> tpm2
+    are installed by default, so we keep the old syntax for tpm2-tools 5.0 to avoid
+    creating another special case, since the option syntax has not changed (it
+    should be stable since version 4).
+
+    tpm2-tools 3.X is deprecated, but unfortunately still packaged by a few Linux
+    distributions, so keep supporting it for now at least.
+
+--- a/src/pins/tpm2/clevis-decrypt-tpm2
++++ b/src/pins/tpm2/clevis-decrypt-tpm2
+@@ -49,8 +49,8 @@
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
++if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
++    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+     exit 1
+ fi
+ 
+@@ -135,7 +135,7 @@
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+-    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -146,8 +146,8 @@
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+                  -C "$TMP"/load.context || fail=$?;;
+-    4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+-                 -c "$TMP"/load.context || fail=$?;;
++    4|5) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
++                   -c "$TMP"/load.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -157,7 +157,7 @@
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
+-    4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
++    4|5) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
++++ b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -71,8 +71,8 @@
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
++if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
++    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+     exit 1
+ fi
+ 
+@@ -153,7 +153,7 @@
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+-    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -166,7 +166,7 @@
+     if [ -z "$pcr_digest" ]; then
+         case "$TPM2TOOLS_VERSION" in
+             3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+-            4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
++            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+             *) fail=1;;
+         esac
+         if [ -n "$fail" ]; then
+@@ -183,8 +183,8 @@
+     case "$TPM2TOOLS_VERSION" in
+         3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
+                              -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
+-        4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
+-                             -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
++        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
++                               -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
+         *) fail=1;;
+     esac
+     if [ -n "$fail" ]; then
+@@ -200,8 +200,8 @@
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
+                    -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
+-    4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
+-                   -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
++    4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
++                     -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
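Review bot: The new numeric gate `[[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]` in the first clevis-decrypt-tpm2 hunk only works because the unchanged `match='version="(.)\.'` two lines above captures exactly one character, so a two-digit major such as 10 would be read as 1 and rejected, and a non-digit capture is fed to `-lt`/`-gt` as an arithmetic expression (most likely yielding 0 or a bash "syntax error in expression" instead of the clear message the old string comparison produced); capturing digits explicitly, `match='version="([0-9]+)\.'`, keeps the comparison meaningful at no cost. The same pair of lines is repeated in the first clevis-encrypt-tpm2 hunk of this patch, so the adjustment belongs in both places. Since the commit title says "Closes: #978574", the DEP-3 header of the patch should also carry `Bug-Debian: https://bugs.debian.org/978574` next to `Origin:` so the provenance is recoverable from the patch file alone. The `4|5` case arms are consistent with the widened gate, and the `*) fail=1` defaults still catch any value that slips through.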

+ 2 - 0
debian/patches/series

@@ -1,3 +1,5 @@
+# cherry-picked commits. Keep in upstream's chronological order
+cherry-pick.v15-1-gef76951.pins-tpm2-add-support-for-tpm2-tools-5-x.patch
 
 # patches for upstream
 upstream.use-asciidoctor-to-build-manpages.patch