git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: f8286be5a8
Branches Tags
clevis
/
debian
/
patches
/
cherry-pick.v15-1-gef76951.pins-tpm2-add-support-for-tpm2-tools-5-x.patch

cherry-pick.v15-1-gef76951.pins-tpm2-add-support-for-tpm2-tools-5-x.patch 5.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 
  1. Subject: Pins/tpm2: add support for tpm2-tools 5.X
    2. 

  2. Origin: v15-1-gef76951 <https://github.com/latchset/clevis/commit/v15-1-gef76951>
    3. 

  3. Upstream-Author: Jonas Witschel <diabonas@gmx.de>
    4. 

  4. Date: Wed Nov 11 12:43:18 2020 +0100
    5. 

  5. 

  6.     tpm2-tools 5.0 consolidates all tools into a single busybox-style binary, so
    7. 

  7.     the preferred way to invoke the commands would be e.g. "tpm2 createprimary"
    8. 

  8.     instead of "tpm2_createprimary". However, compatibility symlinks tpm2_* -> tpm2
    9. 

  9.     are installed by default, so we keep the old syntax for tpm2-tools 5.0 to avoid
    10. 

  10.     creating another special case, since the option syntax has not changed (it
    11. 

  11.     should be stable since version 4).
    12. 

  12. 

  13.     tpm2-tools 3.X is deprecated, but unfortunately still packaged by a few Linux
    14. 

  14.     distributions, so keep supporting it for now at least.
    15. 

  15. 

  16. --- a/src/pins/tpm2/clevis-decrypt-tpm2
    17. 

  17. +++ b/src/pins/tpm2/clevis-decrypt-tpm2
    18. 

  18. @@ -49,8 +49,8 @@
    19. 

  19.  
    20. 

  20.  match='version="(.)\.'
    21. 

  21.  [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
    22. 

  22. -if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
    23. 

  23. -    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
    24. 

  24. +if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
    25. 

  25. +    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
    26. 

  26.      exit 1
    27. 

  27.  fi
    28. 

  28.  
    29. 

  29. @@ -135,7 +135,7 @@
    30. 

  30.  
    31. 

  31.  case "$TPM2TOOLS_VERSION" in
    32. 

  32.      3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
    33. 

  33. -    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
    34. 

  34. +    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
    35. 

  35.      *) fail=1;;
    36. 

  36.  esac
    37. 

  37.  if [ -n "$fail" ]; then
    38. 

  38. @@ -146,8 +146,8 @@
    39. 

  39.  case "$TPM2TOOLS_VERSION" in
    40. 

  40.      3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
    41. 

  41.                   -C "$TMP"/load.context || fail=$?;;
    42. 

  42. -    4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
    43. 

  43. -                 -c "$TMP"/load.context || fail=$?;;
    44. 

  44. +    4|5) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
    45. 

  45. +                   -c "$TMP"/load.context || fail=$?;;
    46. 

  46.      *) fail=1;;
    47. 

  47.  esac
    48. 

  48.  if [ -n "$fail" ]; then
    49. 

  49. @@ -157,7 +157,7 @@
    50. 

  50.  
    51. 

  51.  case "$TPM2TOOLS_VERSION" in
    52. 

  52.      3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
    53. 

  53. -    4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
    54. 

  54. +    4|5) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
    55. 

  55.      *) fail=1;;
    56. 

  56.  esac
    57. 

  57.  if [ -n "$fail" ]; then
    58. 

  58. --- a/src/pins/tpm2/clevis-encrypt-tpm2
    59. 

  59. +++ b/src/pins/tpm2/clevis-encrypt-tpm2
    60. 

  60. @@ -71,8 +71,8 @@
    61. 

  61.  
    62. 

  62.  match='version="(.)\.'
    63. 

  63.  [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
    64. 

  64. -if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
    65. 

  65. -    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
    66. 

  66. +if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
    67. 

  67. +    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
    68. 

  68.      exit 1
    69. 

  69.  fi
    70. 

  70.  
    71. 

  71. @@ -153,7 +153,7 @@
    72. 

  72.  
    73. 

  73.  case "$TPM2TOOLS_VERSION" in
    74. 

  74.      3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
    75. 

  75. -    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
    76. 

  76. +    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
    77. 

  77.      *) fail=1;;
    78. 

  78.  esac
    79. 

  79.  if [ -n "$fail" ]; then
    80. 

  80. @@ -166,7 +166,7 @@
    81. 

  81.      if [ -z "$pcr_digest" ]; then
    82. 

  82.          case "$TPM2TOOLS_VERSION" in
    83. 

  83.              3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
    84. 

  84. -            4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
    85. 

  85. +            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
    86. 

  86.              *) fail=1;;
    87. 

  87.          esac
    88. 

  88.          if [ -n "$fail" ]; then
    89. 

  89. @@ -183,8 +183,8 @@
    90. 

  90.      case "$TPM2TOOLS_VERSION" in
    91. 

  91.          3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
    92. 

  92.                               -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
    93. 

  93. -        4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
    94. 

  94. -                             -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
    95. 

  95. +        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
    96. 

  96. +                               -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
    97. 

  97.          *) fail=1;;
    98. 

  98.      esac
    99. 

  99.      if [ -n "$fail" ]; then
    100. 

  100. @@ -200,8 +200,8 @@
    101. 

  101.  case "$TPM2TOOLS_VERSION" in
    102. 

  102.      3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
    103. 

  103.                     -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
    104. 

  104. -    4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
    105. 

  105. -                   -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
    106. 

  106. +    4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
    107. 

  107. +                     -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
    108. 

  108.      *) fail=1;;
    109. 

  109.  esac
    110. 

  110.  if [ -n "$fail" ]; then
    111.