123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283 |
- #!/bin/bash -e
- # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- #
- # Copyright (c) 2019 Red Hat, Inc.
- # Author: Sergio Correia <scorreia@redhat.com>
- #
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
- #
- # valid_slot() will check whether a given slot is possibly valid, i.e., if it
- # is a numeric value within the specified range.
- valid_slot() {
- local SLT="${1}"
- local MAX_SLOTS="${2}"
- case "${SLT}" in
- ''|*[!0-9]*)
- return 1
- ;;
- *)
- # We got an integer, now let's make sure it is within the
- # supported range.
- if [ "${SLT}" -ge "${MAX_SLOTS}" ]; then
- return 1
- fi
- ;;
- esac
- }
- # clevis_luks_read_slot() will read a particular slot of a given device, which
- # should be either LUKS1 or LUKS2. Returns 1 in case of failure; 0 in case of
- # success.
- clevis_luks_read_slot() {
- local DEV="${1}"
- local SLT="${2}"
- if [ -z "${DEV}" ] || [ -z "${SLT}" ]; then
- echo "Need both a device and a slot as arguments." >&2
- return 1
- fi
- local DATA_CODED=''
- local MAX_LUKS1_SLOTS=8
- local MAX_LUKS2_SLOTS=32
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- if ! valid_slot "${SLT}" "${MAX_LUKS1_SLOTS}"; then
- echo "Please, provide a valid key slot number; 0-7 for LUKS1" >&2
- return 1
- fi
- if ! luksmeta test -d "${DEV}"; then
- echo "The ${DEV} device is not valid!" >&2
- return 1
- fi
- local CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
- local uuid
- # Pattern from luksmeta: active slot uuid.
- read -r _ _ uuid <<< "$(luksmeta show -d "${DEV}" | grep "^${SLT} *")"
- if [ "${uuid}" != ${CLEVIS_UUID}"" ]; then
- echo "Not a clevis slot!" >&2
- return 1
- fi
- if ! DATA_CODED="$(luksmeta load -d "${DEV}" -s "${SLT}")"; then
- echo "Cannot load data from ${DEV} slot:${SLT}!" >&2
- return 1
- fi
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
- if ! valid_slot "${SLT}" "${MAX_LUKS2_SLOTS}"; then
- echo "Please, provide a valid key slot number; 0-31 for LUKS2" >&2
- return 1
- fi
- local token_id
- token_id=$(cryptsetup luksDump "${DEV}" \
- | grep -E -B1 "^\s+Keyslot:\s+${SLT}$" \
- | head -n 1 | sed -rn 's|^\s+([0-9]+): clevis|\1|p')
- if [ -z "${token_id}" ]; then
- echo "Cannot load data from ${DEV} slot:${SLT}. No token found!" >&2
- return 1
- fi
- local token
- token=$(cryptsetup token export --token-id "${token_id}" "${DEV}")
- DATA_CODED=$(jose fmt -j- -Og jwe -o- <<< "${token}" \
- | jose jwe fmt -i- -c)
- if [ -z "${DATA_CODED}" ]; then
- echo "Cannot load data from ${DEV} slot:${SLT}!" >&2
- return 1
- fi
- else
- echo "${DEV} is not a supported LUKS device!" >&2
- return 1
- fi
- echo "${DATA_CODED}"
- }
- # clevis_luks_used_slots() will return the list of used slots for a given LUKS
- # device.
- clevis_luks_used_slots() {
- local DEV="${1}"
- local slots
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- readarray -t slots < <(cryptsetup luksDump "${DEV}" \
- | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
- readarray -t slots < <(cryptsetup luksDump "${DEV}" \
- | sed -rn 's|^\s+([0-9]+): luks2$|\1|p')
- else
- echo "${DEV} is not a supported LUKS device!" >&2
- return 1
- fi
- echo "${slots[@]}"
- }
- # clevis_luks_decode_jwe() will decode a given JWE.
- clevis_luks_decode_jwe() {
- local jwe="${1}"
- local coded
- if ! coded=$(jose jwe fmt -i- <<< "${jwe}"); then
- return 1
- fi
- coded=$(jose fmt -j- -g protected -u- <<< "${coded}" | tr -d '"')
- jose b64 dec -i- <<< "${coded}"
- }
- # clevis_luks_print_pin_config() will print the config of a given pin; i.e.
- # for tang it will display the associated url address, and for tpm2, the
- # properties in place, like the hash, for instance.
- clevis_luks_print_pin_config() {
- local P="${1}"
- local decoded="${2}"
- local content
- if ! content="$(jose fmt -j- -g clevis -g "${P}" -o- <<< "${decoded}")" \
- || [ -z "${content}" ]; then
- return 1
- fi
- local pin=
- case "${P}" in
- tang)
- local url
- url="$(jose fmt -j- -g url -u- <<< "${content}")"
- pin=$(printf '{"url":"%s"}' "${url}")
- printf "tang '%s'" "${pin}"
- ;;
- tpm2)
- # Valid properties for tpm2 pin are the following:
- # hash, key, pcr_bank, pcr_ids, pcr_digest.
- local key
- local value
- for key in 'hash' 'key' 'pcr_bank' 'pcr_ids' 'pcr_digest'; do
- if value=$(jose fmt -j- -g "${key}" -u- <<< "${content}"); then
- pin=$(printf '%s,"%s":"%s"' "${pin}" "${key}" "${value}")
- fi
- done
- # Remove possible leading comma.
- pin=${pin/#,/}
- printf "tpm2 '{%s}'" "${pin}"
- ;;
- sss)
- local threshold
- threshold=$(jose fmt -j- -Og t -o- <<< "${content}")
- clevis_luks_process_sss_pin "${content}" "${threshold}"
- ;;
- *)
- printf "unknown pin '%s'" "${P}"
- ;;
- esac
- }
- # clevis_luks_decode_pin_config() will receive a JWE and extract a pin config
- # from it.
- clevis_luks_decode_pin_config() {
- local jwe="${1}"
- local decoded
- if ! decoded=$(clevis_luks_decode_jwe "${jwe}"); then
- return 1
- fi
- local P
- if ! P=$(jose fmt -j- -Og clevis -g pin -u- <<< "${decoded}"); then
- return 1
- fi
- clevis_luks_print_pin_config "${P}" "${decoded}"
- }
- # clevis_luks_join_sss_cfg() will receive a list of configurations for a given
- # pin and returns it as list, in the format PIN [cfg1, cfg2, ..., cfgN].
- clevis_luks_join_sss_cfg() {
- local pin="${1}"
- local cfg="${2}"
- cfg=$(echo "${cfg}" | tr -d "'" | sed -e 's/^,//')
- printf '"%s":[%s]' "${pin}" "${cfg}"
- }
- # clevis_luks_process_sss_pin() will receive a JWE with information on the sss
- # pin config, and also its associated threshold, and will extract the info.
- clevis_luks_process_sss_pin() {
- local jwe="${1}"
- local threshold="${2}"
- local sss_tang
- local sss_tpm2
- local sss
- local pin_cfg
- local pin
- local cfg
- local coded
- for coded in $(jose fmt -j- -Og jwe -Af- <<< "${jwe}"| tr -d '"'); do
- if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}")"; then
- continue
- fi
- read -r pin cfg <<< "${pin_cfg}"
- case "${pin}" in
- tang)
- sss_tang="${sss_tang},${cfg}"
- ;;
- tpm2)
- sss_tpm2="${sss_tpm2},${cfg}"
- ;;
- sss)
- sss=$(echo "${cfg}" | tr -d "'")
- ;;
- esac
- done
- cfg=
- if [ -n "${sss_tang}" ]; then
- cfg=$(clevis_luks_join_sss_cfg "tang" "${sss_tang}")
- fi
- if [ -n "${sss_tpm2}" ]; then
- cfg="${cfg},"$(clevis_luks_join_sss_cfg "tpm2" "${sss_tpm2}")
- fi
- if [ -n "${sss}" ]; then
- cfg=$(printf '%s,"sss":%s' "${cfg}" "${sss}")
- fi
- # Remove possible leading comma.
- cfg=${cfg/#,/}
- pin=$(printf '{"t":%d,"pins":{%s}}' "${threshold}" "${cfg}")
- printf "sss '%s'" "${pin}"
- }
- # clevis_luks_read_pins_from_slot() will receive a given device and slot and
- # will then output its associated policy configuration.
- clevis_luks_read_pins_from_slot() {
- local DEV="${1}"
- local SLOT="${2}"
- local jwe
- if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLOT}" 2>/dev/null); then
- return 1
- fi
- local cfg
- if ! cfg="$(clevis_luks_decode_pin_config "${jwe}")"; then
- return 1
- fi
- printf "%s: %s\n" "${SLOT}" "${cfg}"
- }
|