git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: f2d8867697
Branches Tags
clevis
/
src
/
pins
/
tpm2
/
clevis-encrypt-tpm2

clevis-encrypt-tpm2 8.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238 
  1. #!/bin/bash -e
    2. 

  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
    3. 

  3. #
    4. 

  4. # Copyright (c) 2017 Red Hat, Inc.
    5. 

  5. # Author: Javier Martinez Canillas <javierm@redhat.com>
    6. 

  6. #
    7. 

  7. # This program is free software: you can redistribute it and/or modify
    8. 

  8. # it under the terms of the GNU General Public License as published by
    9. 

  9. # the Free Software Foundation, either version 3 of the License, or
    10. 

  10. # (at your option) any later version.
    11. 

  11. #
    12. 

  12. # This program is distributed in the hope that it will be useful,
    13. 

  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15. # GNU General Public License for more details.
    16. 

  16. #
    17. 

  17. # You should have received a copy of the GNU General Public License
    18. 

  18. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    19. 

  19. #
    20. 

  20. 

  21. # First try to use the new version of the PIN implementation
    22. 

  22. if command -v clevis-pin-tpm2 >/dev/null;
    23. 

  23. then
    24. 

  24.     exec clevis-pin-tpm2 encrypt "$@"
    25. 

  25. fi
    26. 

  26. 

  27. SUMMARY="Encrypts using a TPM2.0 chip binding policy"
    28. 

  28. # The owner hierarchy is the one that should be used by the Operating System.
    29. 

  29. auth="o"
    30. 

  30. # Algorithm type must be keyedhash for object with user provided sensitive data.
    31. 

  31. alg_create_key="keyedhash"
    32. 

  32. # Attributes for the created TPM2 object with the JWK as sensitive data.
    33. 

  33. obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
    34. 

  34. 

  35. function on_exit() {
    36. 

  36.     if [ ! -d "$TMP" ] || ! rm -rf "$TMP"; then
    37. 

  37.         echo "Delete temporary files failed!" >&2
    38. 

  38.         echo "You need to clean up: $TMP" >&2
    39. 

  39.         exit 1
    40. 

  40.     fi
    41. 

  41. }
    42. 

  42. 

  43. if [ "$1" == "--summary" ]; then
    44. 

  44.     echo "$SUMMARY"
    45. 

  45.     exit 0
    46. 

  46. fi
    47. 

  47. 

  48. if [ -t 0 ]; then
    49. 

  49.     exec >&2
    50. 

  50.     echo
    51. 

  51.     echo "Usage: clevis encrypt tpm2 CONFIG < PLAINTEXT > JWE"
    52. 

  52.     echo
    53. 

  53.     echo "$SUMMARY"
    54. 

  54.     echo
    55. 

  55.     echo "This command uses the following configuration properties:"
    56. 

  56.     echo
    57. 

  57.     echo "  hash: <string>  Hash algorithm used in the computation of the object name (default: sha256)"
    58. 

  58.     echo
    59. 

  59.     echo "  key: <string>   Algorithm type for the generated key (default: ecc)"
    60. 

  60.     echo
    61. 

  61.     echo "  pcr_bank: <string>   PCR algorithm bank to use for policy (default: sha1)"
    62. 

  62.     echo
    63. 

  63.     echo "  pcr_ids: <string>   PCR list used for policy. If not present, no policy is used"
    64. 

  64.     echo
    65. 

  65.     echo "  pcr_digest: <string>   Binary PCR hashes encoded in base64. If not present, the hash values are looked up"
    66. 

  66.     echo
    67. 

  67.     exit 2
    68. 

  68. fi
    69. 

  69. 

  70. TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
    71. 

  71. 

  72. match='version="(.)\.'
    73. 

  73. [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
    74. 

  74. if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
    75. 

  75.     echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
    76. 

  76.     exit 1
    77. 

  77. fi
    78. 

  78. 

  79. # Old environment variables for tpm2-tools 3.0
    80. 

  80. export TPM2TOOLS_TCTI_NAME=device
    81. 

  81. export TPM2TOOLS_DEVICE_FILE=
    82. 

  82. for dev in /dev/tpmrm?; do
    83. 

  83.     [ -e "$dev" ] || continue
    84. 

  84.     TPM2TOOLS_DEVICE_FILE="$dev"
    85. 

  85.     break
    86. 

  86. done
    87. 

  87. 

  88. # New environment variable for tpm2-tools >= 3.1
    89. 

  89. export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE"
    90. 

  90. 

  91. if [ -z "$TPM2TOOLS_DEVICE_FILE" ]; then
    92. 

  92.     echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
    93. 

  93.     exit 1
    94. 

  94. fi
    95. 

  95. 

  96. if ! [[ -r "$TPM2TOOLS_DEVICE_FILE" && -w "$TPM2TOOLS_DEVICE_FILE" ]]; then
    97. 

  97.     echo "The $TPM2TOOLS_DEVICE_FILE device must be readable and writable!" >&2
    98. 

  98.     exit 1
    99. 

  99. fi
    100. 

  100. 

  101. if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
    102. 

  102.     echo "Configuration is malformed!" >&2
    103. 

  103.     exit 1
    104. 

  104. fi
    105. 

  105. 

  106. hash="$(jose fmt -j- -Og hash -u- <<< "$cfg")" || hash="sha256"
    107. 

  107. 

  108. key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
    109. 

  109. 

  110. pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
    111. 

  111. 

  112. # Trim the spaces from the config, so that we will not have issues parsing
    113. 

  113. # the PCR IDs.
    114. 

  114. pcr_cfg=${cfg//[[:space:]]/}
    115. 

  115. # Issue #103: We support passing pcr_ids using both a single string, as in
    116. 

  116. # "1,3", as well as an actual JSON array, such as ["1","3"]. Let's handle both
    117. 

  117. # cases here.
    118. 

  118. if jose fmt -j- -Og pcr_ids 2>/dev/null <<< "${pcr_cfg}" \
    119. 

  119.     && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null \
    120. 

  120.                     <<< "${pcr_cfg}")"; then
    121. 

  121. 

  122.     # We failed to parse a string, so let's try to parse a JSON array instead.
    123. 

  123.     if jose fmt -j- -Og pcr_ids -A 2>/dev/null <<< "${pcr_cfg}"; then
    124. 

  124.         # OK, it is an array, so let's get the items and form a string.
    125. 

  125.         pcr_ids=
    126. 

  126.         for pcr in $(jose fmt -j- -Og pcr_ids -Af- <<< "${pcr_cfg}" \
    127. 

  127.                      | tr -d '"'); do
    128. 

  128.             pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}")
    129. 

  129.         done
    130. 

  130.         # Now let's remove the leading comma.
    131. 

  131.         pcr_ids=${pcr_ids/#,/}
    132. 

  132.     else
    133. 

  133.         # Not to add a policy that was not intended, in this case, no policy
    134. 

  134.         # at all, let's report the issue and exit.
    135. 

  135.         echo "Parsing the requested policy failed!" >&2
    136. 

  136.         exit 1
    137. 

  137.     fi
    138. 

  138. fi
    139. 

  139. 

  140. pcr_digest="$(jose fmt -j- -Og pcr_digest -u- <<< "$cfg")" || true
    141. 

  141. 

  142. if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then
    143. 

  143.     echo "Generating a jwk failed!" >&2
    144. 

  144.     exit 1
    145. 

  145. fi
    146. 

  146. 

  147. if ! TMP="$(mktemp -d)"; then
    148. 

  148.     echo "Creating a temporary dir for TPM files failed!" >&2
    149. 

  149.     exit 1
    150. 

  150. fi
    151. 

  151. 

  152. trap 'on_exit' EXIT
    153. 

  153. 

  154. case "$TPM2TOOLS_VERSION" in
    155. 

  155.     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
    156. 

  156.     4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
    157. 

  157.     *) fail=1;;
    158. 

  158. esac
    159. 

  159. if [ -n "$fail" ]; then
    160. 

  160.     echo "Creating TPM2 primary key failed!" >&2
    161. 

  161.     exit 1
    162. 

  162. fi
    163. 

  163. 

  164. policy_options=()
    165. 

  165. if [ -n "$pcr_ids" ]; then
    166. 

  166.     if [ -z "$pcr_digest" ]; then
    167. 

  167.         case "$TPM2TOOLS_VERSION" in
    168. 

  168.             3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
    169. 

  169.             4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
    170. 

  170.             *) fail=1;;
    171. 

  171.         esac
    172. 

  172.         if [ -n "$fail" ]; then
    173. 

  173.             echo "Creating PCR hashes file failed!" >&2
    174. 

  174.             exit 1
    175. 

  175.         fi
    176. 

  176.     else
    177. 

  177.         if ! jose b64 dec -i- -O "$TMP"/pcr.digest <<< "$pcr_digest"; then
    178. 

  178.             echo "Error decoding PCR digest!" >&2
    179. 

  179.             exit 1
    180. 

  180.         fi
    181. 

  181.     fi
    182. 

  182. 

  183.     case "$TPM2TOOLS_VERSION" in
    184. 

  184.         3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
    185. 

  185.                              -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
    186. 

  186.         4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
    187. 

  187.                                -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
    188. 

  188.         *) fail=1;;
    189. 

  189.     esac
    190. 

  190.     if [ -n "$fail" ]; then
    191. 

  191.         echo "create policy fail, please check the environment or parameters!"
    192. 

  192.         exit 1
    193. 

  193.     fi
    194. 

  194. 

  195.     policy_options+=(-L "$TMP/pcr.policy")
    196. 

  196. else
    197. 

  197.     obj_attr="$obj_attr|userwithauth"
    198. 

  198. fi
    199. 

  199. 

  200. case "$TPM2TOOLS_VERSION" in
    201. 

  201.     3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
    202. 

  202.                    -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
    203. 

  203.     4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
    204. 

  204.                      -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
    205. 

  205.     *) fail=1;;
    206. 

  206. esac
    207. 

  207. if [ -n "$fail" ]; then
    208. 

  208.     echo "Creating TPM2 object for jwk failed!" >&2
    209. 

  209.     exit 1
    210. 

  210. fi
    211. 

  211. 

  212. if ! jwk_pub="$(jose b64 enc -I "$TMP"/jwk.pub)"; then
    213. 

  213.     echo "Encoding jwk.pub in Base64 failed!" >&2
    214. 

  214.     exit 1
    215. 

  215. fi
    216. 

  216. 

  217. if ! jwk_priv="$(jose b64 enc -I "$TMP"/jwk.priv)"; then
    218. 

  218.     echo "Encoding jwk.priv in Base64 failed!" >&2
    219. 

  219.     exit 1
    220. 

  220. fi
    221. 

  221. 

  222. jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}'
    223. 

  223. jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-)"
    224. 

  224. jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-)"
    225. 

  225. 

  226. if [ -n "$pcr_ids" ]; then
    227. 

  227.     jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)"
    228. 

  228.     jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)"
    229. 

  229. fi
    230. 

  230. 

  231. jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
    232. 

  232. jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
    233. 

  233. 

  234. # The on_exit() trap will not be fired after exec, so let's clean up the temp
    235. 

  235. # directory at this point.
    236. 

  236. [ -d "${TMP}" ] && rm -rf "${TMP}"
    237. 

  237. 

  238. exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
    239.