mirror of
https://github.com/systemd/systemd.git
synced 2024-10-27 18:55:40 +03:00
Merge pull request #29955 from poettering/repart-seal-key
repart: add --tpm2-seal-key= support, matching the recently added support cryptenroll has
This commit is contained in:
commit
be0916f77c
4
TODO
4
TODO
@ -133,6 +133,10 @@ Deprecations and removals:
|
|||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* repart + cryptsetup: support file systems that are encrypted and use verity
|
||||||
|
on top. Usecase: confexts that shall be signed by the admin but also be
|
||||||
|
confidential. Then, add a new --make-ddi=confext-encrypted for this.
|
||||||
|
|
||||||
* systemd-pcrextend:
|
* systemd-pcrextend:
|
||||||
- support measuring to nvindex with PCR update semantics ("fake PCRs")
|
- support measuring to nvindex with PCR update semantics ("fake PCRs")
|
||||||
- add api for "allocating" such an nvindex
|
- add api for "allocating" such an nvindex
|
||||||
|
@ -377,6 +377,17 @@
|
|||||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>--tpm2-device-key=</option><arg>PATH</arg></term>
|
||||||
|
<term><option>--tpm2-seal-key-handle=</option><arg>HANDLE</arg></term>
|
||||||
|
|
||||||
|
<listitem><para>Configures a TPM2 SRK key to bind encryption to. See
|
||||||
|
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
|
for details on this option.</para>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--tpm2-public-key=</option><arg>PATH</arg></term>
|
<term><option>--tpm2-public-key=</option><arg>PATH</arg></term>
|
||||||
<term><option>--tpm2-public-key-pcrs=</option><arg rep="repeat">PCR</arg></term>
|
<term><option>--tpm2-public-key-pcrs=</option><arg rep="repeat">PCR</arg></term>
|
||||||
|
@ -193,6 +193,7 @@ int enroll_tpm2(struct crypt_device *cd,
|
|||||||
return log_error_errno(base64_encoded_size, "Failed to base64 encode salted pin: %m");
|
return log_error_errno(base64_encoded_size, "Failed to base64 encode salted pin: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TPM2B_PUBLIC public = {};
|
||||||
r = tpm2_load_pcr_public_key(pubkey_path, &pubkey, &pubkey_size);
|
r = tpm2_load_pcr_public_key(pubkey_path, &pubkey, &pubkey_size);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
if (pubkey_path || signature_path || r != -ENOENT)
|
if (pubkey_path || signature_path || r != -ENOENT)
|
||||||
@ -200,7 +201,12 @@ int enroll_tpm2(struct crypt_device *cd,
|
|||||||
|
|
||||||
log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
|
log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
|
||||||
pubkey_pcr_mask = 0;
|
pubkey_pcr_mask = 0;
|
||||||
} else if (signature_path) {
|
} else {
|
||||||
|
r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &public);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Could not convert public key to TPM2B_PUBLIC: %m");
|
||||||
|
|
||||||
|
if (signature_path) {
|
||||||
/* Also try to load the signature JSON object, to verify that our enrollment will work.
|
/* Also try to load the signature JSON object, to verify that our enrollment will work.
|
||||||
* This is optional however, skip it if it's not explicitly provided. */
|
* This is optional however, skip it if it's not explicitly provided. */
|
||||||
|
|
||||||
@ -208,6 +214,7 @@ int enroll_tpm2(struct crypt_device *cd,
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_debug_errno(r, "Failed to read TPM PCR signature: %m");
|
return log_debug_errno(r, "Failed to read TPM PCR signature: %m");
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
bool any_pcr_value_specified = tpm2_pcr_values_has_any_values(hash_pcr_values, n_hash_pcr_values);
|
bool any_pcr_value_specified = tpm2_pcr_values_has_any_values(hash_pcr_values, n_hash_pcr_values);
|
||||||
|
|
||||||
@ -224,32 +231,9 @@ int enroll_tpm2(struct crypt_device *cd,
|
|||||||
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
|
||||||
TPM2B_PUBLIC device_key_public = {};
|
TPM2B_PUBLIC device_key_public = {};
|
||||||
if (device_key) {
|
if (device_key) {
|
||||||
_cleanup_free_ char *device_key_buffer = NULL;
|
r = tpm2_load_public_key_file(device_key, &device_key_public);
|
||||||
size_t device_key_buffer_size;
|
|
||||||
r = read_full_file(device_key, &device_key_buffer, &device_key_buffer_size);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to read device key from file: %m");
|
return r;
|
||||||
|
|
||||||
r = dlopen_tpm2();
|
|
||||||
if (r < 0)
|
|
||||||
return log_debug_errno(r, "TPM2 support not installed: %m");
|
|
||||||
|
|
||||||
TSS2_RC rc;
|
|
||||||
size_t offset = 0;
|
|
||||||
rc = sym_Tss2_MU_TPM2B_PUBLIC_Unmarshal(
|
|
||||||
(uint8_t*) device_key_buffer,
|
|
||||||
device_key_buffer_size,
|
|
||||||
&offset,
|
|
||||||
&device_key_public);
|
|
||||||
if (rc != TSS2_RC_SUCCESS)
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
||||||
"Could not unmarshal public key from file.");
|
|
||||||
|
|
||||||
assert(offset <= device_key_buffer_size);
|
|
||||||
if (offset != device_key_buffer_size)
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
||||||
"Found %zu bytes of trailing garbage in public key file.",
|
|
||||||
device_key_buffer_size - offset);
|
|
||||||
|
|
||||||
if (!tpm2_pcr_values_has_all_values(hash_pcr_values, n_hash_pcr_values))
|
if (!tpm2_pcr_values_has_all_values(hash_pcr_values, n_hash_pcr_values))
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
@ -283,13 +267,6 @@ int enroll_tpm2(struct crypt_device *cd,
|
|||||||
return log_error_errno(r, "Could not get hash mask: %m");
|
return log_error_errno(r, "Could not get hash mask: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
TPM2B_PUBLIC public;
|
|
||||||
if (pubkey) {
|
|
||||||
r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &public);
|
|
||||||
if (r < 0)
|
|
||||||
return log_error_errno(r, "Could not convert public key to TPM2B_PUBLIC: %m");
|
|
||||||
}
|
|
||||||
|
|
||||||
TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
|
TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
|
||||||
r = tpm2_calculate_sealing_policy(
|
r = tpm2_calculate_sealing_policy(
|
||||||
hash_pcr_values,
|
hash_pcr_values,
|
||||||
|
@ -137,10 +137,10 @@ static int help(void) {
|
|||||||
"\n%3$sTPM2 Enrollment:%4$s\n"
|
"\n%3$sTPM2 Enrollment:%4$s\n"
|
||||||
" --tpm2-device=PATH\n"
|
" --tpm2-device=PATH\n"
|
||||||
" Enroll a TPM2 device\n"
|
" Enroll a TPM2 device\n"
|
||||||
" --tpm2-seal-key-handle=HANDLE\n"
|
|
||||||
" Specify handle of key to use for sealing\n"
|
|
||||||
" --tpm2-device-key=PATH\n"
|
" --tpm2-device-key=PATH\n"
|
||||||
" Enroll a TPM2 device using its public key\n"
|
" Enroll a TPM2 device using its public key\n"
|
||||||
|
" --tpm2-seal-key-handle=HANDLE\n"
|
||||||
|
" Specify handle of key to use for sealing\n"
|
||||||
" --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
|
" --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
|
||||||
" Specify TPM2 PCRs to seal against\n"
|
" Specify TPM2 PCRs to seal against\n"
|
||||||
" --tpm2-public-key=PATH\n"
|
" --tpm2-public-key=PATH\n"
|
||||||
@ -175,14 +175,14 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
ARG_PKCS11_TOKEN_URI,
|
ARG_PKCS11_TOKEN_URI,
|
||||||
ARG_FIDO2_DEVICE,
|
ARG_FIDO2_DEVICE,
|
||||||
ARG_TPM2_DEVICE,
|
ARG_TPM2_DEVICE,
|
||||||
ARG_TPM2_SEAL_KEY_HANDLE,
|
|
||||||
ARG_TPM2_DEVICE_KEY,
|
ARG_TPM2_DEVICE_KEY,
|
||||||
|
ARG_TPM2_SEAL_KEY_HANDLE,
|
||||||
ARG_TPM2_PCRS,
|
ARG_TPM2_PCRS,
|
||||||
ARG_TPM2_PUBLIC_KEY,
|
ARG_TPM2_PUBLIC_KEY,
|
||||||
ARG_TPM2_PUBLIC_KEY_PCRS,
|
ARG_TPM2_PUBLIC_KEY_PCRS,
|
||||||
ARG_TPM2_SIGNATURE,
|
ARG_TPM2_SIGNATURE,
|
||||||
ARG_TPM2_PIN,
|
|
||||||
ARG_TPM2_PCRLOCK,
|
ARG_TPM2_PCRLOCK,
|
||||||
|
ARG_TPM2_WITH_PIN,
|
||||||
ARG_WIPE_SLOT,
|
ARG_WIPE_SLOT,
|
||||||
ARG_FIDO2_WITH_PIN,
|
ARG_FIDO2_WITH_PIN,
|
||||||
ARG_FIDO2_WITH_UP,
|
ARG_FIDO2_WITH_UP,
|
||||||
@ -204,14 +204,14 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
{ "fido2-with-user-presence", required_argument, NULL, ARG_FIDO2_WITH_UP },
|
{ "fido2-with-user-presence", required_argument, NULL, ARG_FIDO2_WITH_UP },
|
||||||
{ "fido2-with-user-verification", required_argument, NULL, ARG_FIDO2_WITH_UV },
|
{ "fido2-with-user-verification", required_argument, NULL, ARG_FIDO2_WITH_UV },
|
||||||
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
||||||
{ "tpm2-seal-key-handle", required_argument, NULL, ARG_TPM2_SEAL_KEY_HANDLE },
|
|
||||||
{ "tpm2-device-key", required_argument, NULL, ARG_TPM2_DEVICE_KEY },
|
{ "tpm2-device-key", required_argument, NULL, ARG_TPM2_DEVICE_KEY },
|
||||||
|
{ "tpm2-seal-key-handle", required_argument, NULL, ARG_TPM2_SEAL_KEY_HANDLE },
|
||||||
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
|
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
|
||||||
{ "tpm2-public-key", required_argument, NULL, ARG_TPM2_PUBLIC_KEY },
|
{ "tpm2-public-key", required_argument, NULL, ARG_TPM2_PUBLIC_KEY },
|
||||||
{ "tpm2-public-key-pcrs", required_argument, NULL, ARG_TPM2_PUBLIC_KEY_PCRS },
|
{ "tpm2-public-key-pcrs", required_argument, NULL, ARG_TPM2_PUBLIC_KEY_PCRS },
|
||||||
{ "tpm2-signature", required_argument, NULL, ARG_TPM2_SIGNATURE },
|
{ "tpm2-signature", required_argument, NULL, ARG_TPM2_SIGNATURE },
|
||||||
{ "tpm2-with-pin", required_argument, NULL, ARG_TPM2_PIN },
|
|
||||||
{ "tpm2-pcrlock", required_argument, NULL, ARG_TPM2_PCRLOCK },
|
{ "tpm2-pcrlock", required_argument, NULL, ARG_TPM2_PCRLOCK },
|
||||||
|
{ "tpm2-with-pin", required_argument, NULL, ARG_TPM2_WITH_PIN },
|
||||||
{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
|
{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
|
||||||
{}
|
{}
|
||||||
};
|
};
|
||||||
@ -380,13 +380,6 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
case ARG_TPM2_SEAL_KEY_HANDLE:
|
|
||||||
r = safe_atou32_full(optarg, 16, &arg_tpm2_seal_key_handle);
|
|
||||||
if (r < 0)
|
|
||||||
return log_error_errno(r, "Could not parse TPM2 seal key handle index '%s': %m", optarg);
|
|
||||||
|
|
||||||
break;
|
|
||||||
|
|
||||||
case ARG_TPM2_DEVICE_KEY:
|
case ARG_TPM2_DEVICE_KEY:
|
||||||
if (arg_enroll_type >= 0 || arg_tpm2_device_key)
|
if (arg_enroll_type >= 0 || arg_tpm2_device_key)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
@ -400,16 +393,16 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
arg_enroll_type = ENROLL_TPM2;
|
arg_enroll_type = ENROLL_TPM2;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case ARG_TPM2_PCRS:
|
case ARG_TPM2_SEAL_KEY_HANDLE:
|
||||||
auto_hash_pcr_values = false;
|
r = safe_atou32_full(optarg, 16, &arg_tpm2_seal_key_handle);
|
||||||
r = tpm2_parse_pcr_argument_append(optarg, &arg_tpm2_hash_pcr_values, &arg_tpm2_n_hash_pcr_values);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return log_error_errno(r, "Could not parse TPM2 seal key handle index '%s': %m", optarg);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case ARG_TPM2_PIN:
|
case ARG_TPM2_PCRS:
|
||||||
r = parse_boolean_argument("--tpm2-with-pin=", optarg, &arg_tpm2_pin);
|
auto_hash_pcr_values = false;
|
||||||
|
r = tpm2_parse_pcr_argument_append(optarg, &arg_tpm2_hash_pcr_values, &arg_tpm2_n_hash_pcr_values);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
@ -445,6 +438,13 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
auto_pcrlock = false;
|
auto_pcrlock = false;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case ARG_TPM2_WITH_PIN:
|
||||||
|
r = parse_boolean_argument("--tpm2-with-pin=", optarg, &arg_tpm2_pin);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
break;
|
||||||
|
|
||||||
case ARG_WIPE_SLOT: {
|
case ARG_WIPE_SLOT: {
|
||||||
const char *p = optarg;
|
const char *p = optarg;
|
||||||
|
|
||||||
|
@ -148,6 +148,8 @@ static size_t arg_key_size = 0;
|
|||||||
static EVP_PKEY *arg_private_key = NULL;
|
static EVP_PKEY *arg_private_key = NULL;
|
||||||
static X509 *arg_certificate = NULL;
|
static X509 *arg_certificate = NULL;
|
||||||
static char *arg_tpm2_device = NULL;
|
static char *arg_tpm2_device = NULL;
|
||||||
|
static uint32_t arg_tpm2_seal_key_handle = 0;
|
||||||
|
static char *arg_tpm2_device_key = NULL;
|
||||||
static Tpm2PCRValue *arg_tpm2_hash_pcr_values = NULL;
|
static Tpm2PCRValue *arg_tpm2_hash_pcr_values = NULL;
|
||||||
static size_t arg_tpm2_n_hash_pcr_values = 0;
|
static size_t arg_tpm2_n_hash_pcr_values = 0;
|
||||||
static char *arg_tpm2_public_key = NULL;
|
static char *arg_tpm2_public_key = NULL;
|
||||||
@ -174,6 +176,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_key, erase_and_freep);
|
|||||||
STATIC_DESTRUCTOR_REGISTER(arg_private_key, EVP_PKEY_freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_private_key, EVP_PKEY_freep);
|
||||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate, X509_freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_certificate, X509_freep);
|
||||||
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
|
||||||
|
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device_key, freep);
|
||||||
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
|
||||||
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
|
||||||
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep);
|
||||||
@ -3684,6 +3687,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
|
|||||||
_cleanup_free_ char *hp = NULL, *vol = NULL, *dm_name = NULL;
|
_cleanup_free_ char *hp = NULL, *vol = NULL, *dm_name = NULL;
|
||||||
const char *passphrase = NULL;
|
const char *passphrase = NULL;
|
||||||
size_t passphrase_size = 0;
|
size_t passphrase_size = 0;
|
||||||
|
TPM2Flags flags = 0;
|
||||||
const char *vt;
|
const char *vt;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -3790,11 +3794,6 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
|
|
||||||
r = tpm2_context_new(arg_tpm2_device, &tpm2_context);
|
|
||||||
if (r < 0)
|
|
||||||
return log_error_errno(r, "Failed to create TPM2 context: %m");
|
|
||||||
|
|
||||||
TPM2B_PUBLIC public;
|
TPM2B_PUBLIC public;
|
||||||
if (pubkey) {
|
if (pubkey) {
|
||||||
r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &public);
|
r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &public);
|
||||||
@ -3802,9 +3801,36 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
|
|||||||
return log_error_errno(r, "Could not convert public key to TPM2B_PUBLIC: %m");
|
return log_error_errno(r, "Could not convert public key to TPM2B_PUBLIC: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};
|
||||||
|
if (arg_tpm2_pcrlock) {
|
||||||
|
r = tpm2_pcrlock_policy_load(arg_tpm2_pcrlock, &pcrlock_policy);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
flags |= TPM2_FLAGS_USE_PCRLOCK;
|
||||||
|
}
|
||||||
|
|
||||||
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
|
||||||
|
TPM2B_PUBLIC device_key_public = {};
|
||||||
|
if (arg_tpm2_device_key) {
|
||||||
|
r = tpm2_load_public_key_file(arg_tpm2_device_key, &device_key_public);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (!tpm2_pcr_values_has_all_values(arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values))
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
|
"Must provide all PCR values when using TPM2 device key.");
|
||||||
|
} else {
|
||||||
|
r = tpm2_context_new(arg_tpm2_device, &tpm2_context);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to create TPM2 context: %m");
|
||||||
|
|
||||||
|
if (!tpm2_pcr_values_has_all_values(arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values)) {
|
||||||
r = tpm2_pcr_read_missing_values(tpm2_context, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values);
|
r = tpm2_pcr_read_missing_values(tpm2_context, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Could not read pcr values: %m");
|
return log_error_errno(r, "Could not read pcr values: %m");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
uint16_t hash_pcr_bank = 0;
|
uint16_t hash_pcr_bank = 0;
|
||||||
uint32_t hash_pcr_mask = 0;
|
uint32_t hash_pcr_mask = 0;
|
||||||
@ -3823,13 +3849,6 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
|
|||||||
return log_error_errno(r, "Could not get hash mask: %m");
|
return log_error_errno(r, "Could not get hash mask: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
_cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};
|
|
||||||
if (arg_tpm2_pcrlock) {
|
|
||||||
r = tpm2_pcrlock_policy_load(arg_tpm2_pcrlock, &pcrlock_policy);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
|
TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
|
||||||
r = tpm2_calculate_sealing_policy(
|
r = tpm2_calculate_sealing_policy(
|
||||||
arg_tpm2_hash_pcr_values,
|
arg_tpm2_hash_pcr_values,
|
||||||
@ -3841,8 +3860,20 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Could not calculate sealing policy digest: %m");
|
return log_error_errno(r, "Could not calculate sealing policy digest: %m");
|
||||||
|
|
||||||
|
if (arg_tpm2_device_key)
|
||||||
|
r = tpm2_calculate_seal(
|
||||||
|
arg_tpm2_seal_key_handle,
|
||||||
|
&device_key_public,
|
||||||
|
/* attributes= */ NULL,
|
||||||
|
/* secret= */ NULL, /* secret_size= */ 0,
|
||||||
|
&policy,
|
||||||
|
/* pin= */ NULL,
|
||||||
|
&secret, &secret_size,
|
||||||
|
&blob, &blob_size,
|
||||||
|
&srk_buf, &srk_buf_size);
|
||||||
|
else
|
||||||
r = tpm2_seal(tpm2_context,
|
r = tpm2_seal(tpm2_context,
|
||||||
/* seal_key_handle= */ 0,
|
arg_tpm2_seal_key_handle,
|
||||||
&policy,
|
&policy,
|
||||||
/* pin= */ NULL,
|
/* pin= */ NULL,
|
||||||
&secret, &secret_size,
|
&secret, &secret_size,
|
||||||
@ -3863,8 +3894,8 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
|
|||||||
keyslot = sym_crypt_keyslot_add_by_volume_key(
|
keyslot = sym_crypt_keyslot_add_by_volume_key(
|
||||||
cd,
|
cd,
|
||||||
CRYPT_ANY_SLOT,
|
CRYPT_ANY_SLOT,
|
||||||
NULL,
|
/* volume_key= */ NULL,
|
||||||
VOLUME_KEY_SIZE,
|
/* volume_key_size= */ VOLUME_KEY_SIZE,
|
||||||
base64_encoded,
|
base64_encoded,
|
||||||
base64_encoded_size);
|
base64_encoded_size);
|
||||||
if (keyslot < 0)
|
if (keyslot < 0)
|
||||||
@ -3881,7 +3912,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
|
|||||||
policy.buffer, policy.size,
|
policy.buffer, policy.size,
|
||||||
NULL, 0, /* no salt because tpm2_seal has no pin */
|
NULL, 0, /* no salt because tpm2_seal has no pin */
|
||||||
srk_buf, srk_buf_size,
|
srk_buf, srk_buf_size,
|
||||||
0,
|
flags,
|
||||||
&v);
|
&v);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to prepare TPM2 JSON token object: %m");
|
return log_error_errno(r, "Failed to prepare TPM2 JSON token object: %m");
|
||||||
@ -6389,6 +6420,10 @@ static int help(void) {
|
|||||||
" --certificate=PATH PEM certificate to use when generating verity\n"
|
" --certificate=PATH PEM certificate to use when generating verity\n"
|
||||||
" roothash signatures\n"
|
" roothash signatures\n"
|
||||||
" --tpm2-device=PATH Path to TPM2 device node to use\n"
|
" --tpm2-device=PATH Path to TPM2 device node to use\n"
|
||||||
|
" --tpm2-device-key=PATH\n"
|
||||||
|
" Enroll a TPM2 device using its public key\n"
|
||||||
|
" --tpm2-seal-key-handle=HANDLE\n"
|
||||||
|
" Specify handle of key to use for sealing\n"
|
||||||
" --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
|
" --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
|
||||||
" TPM2 PCR indexes to use for TPM2 enrollment\n"
|
" TPM2 PCR indexes to use for TPM2 enrollment\n"
|
||||||
" --tpm2-public-key=PATH\n"
|
" --tpm2-public-key=PATH\n"
|
||||||
@ -6449,6 +6484,8 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
ARG_PRIVATE_KEY,
|
ARG_PRIVATE_KEY,
|
||||||
ARG_CERTIFICATE,
|
ARG_CERTIFICATE,
|
||||||
ARG_TPM2_DEVICE,
|
ARG_TPM2_DEVICE,
|
||||||
|
ARG_TPM2_DEVICE_KEY,
|
||||||
|
ARG_TPM2_SEAL_KEY_HANDLE,
|
||||||
ARG_TPM2_PCRS,
|
ARG_TPM2_PCRS,
|
||||||
ARG_TPM2_PUBLIC_KEY,
|
ARG_TPM2_PUBLIC_KEY,
|
||||||
ARG_TPM2_PUBLIC_KEY_PCRS,
|
ARG_TPM2_PUBLIC_KEY_PCRS,
|
||||||
@ -6487,6 +6524,8 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
|
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
|
||||||
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
|
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
|
||||||
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
||||||
|
{ "tpm2-device-key", required_argument, NULL, ARG_TPM2_DEVICE_KEY },
|
||||||
|
{ "tpm2-seal-key-handle", required_argument, NULL, ARG_TPM2_SEAL_KEY_HANDLE },
|
||||||
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
|
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
|
||||||
{ "tpm2-public-key", required_argument, NULL, ARG_TPM2_PUBLIC_KEY },
|
{ "tpm2-public-key", required_argument, NULL, ARG_TPM2_PUBLIC_KEY },
|
||||||
{ "tpm2-public-key-pcrs", required_argument, NULL, ARG_TPM2_PUBLIC_KEY_PCRS },
|
{ "tpm2-public-key-pcrs", required_argument, NULL, ARG_TPM2_PUBLIC_KEY_PCRS },
|
||||||
@ -6724,6 +6763,20 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case ARG_TPM2_DEVICE_KEY:
|
||||||
|
r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_tpm2_device_key);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ARG_TPM2_SEAL_KEY_HANDLE:
|
||||||
|
r = safe_atou32_full(optarg, 16, &arg_tpm2_seal_key_handle);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Could not parse TPM2 seal key handle index '%s': %m", optarg);
|
||||||
|
|
||||||
|
break;
|
||||||
|
|
||||||
case ARG_TPM2_PCRS:
|
case ARG_TPM2_PCRS:
|
||||||
auto_hash_pcr_values = false;
|
auto_hash_pcr_values = false;
|
||||||
r = tpm2_parse_pcr_argument_append(optarg, &arg_tpm2_hash_pcr_values, &arg_tpm2_n_hash_pcr_values);
|
r = tpm2_parse_pcr_argument_append(optarg, &arg_tpm2_hash_pcr_values, &arg_tpm2_n_hash_pcr_values);
|
||||||
|
@ -88,7 +88,7 @@ static TSS2_RC (*sym_Tss2_MU_TPM2B_NAME_Marshal)(TPM2B_NAME const *src, uint8_t
|
|||||||
static TSS2_RC (*sym_Tss2_MU_TPM2B_PRIVATE_Marshal)(TPM2B_PRIVATE const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
static TSS2_RC (*sym_Tss2_MU_TPM2B_PRIVATE_Marshal)(TPM2B_PRIVATE const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
||||||
static TSS2_RC (*sym_Tss2_MU_TPM2B_PRIVATE_Unmarshal)(uint8_t const buffer[], size_t buffer_size, size_t *offset, TPM2B_PRIVATE *dest) = NULL;
|
static TSS2_RC (*sym_Tss2_MU_TPM2B_PRIVATE_Unmarshal)(uint8_t const buffer[], size_t buffer_size, size_t *offset, TPM2B_PRIVATE *dest) = NULL;
|
||||||
static TSS2_RC (*sym_Tss2_MU_TPM2B_PUBLIC_Marshal)(TPM2B_PUBLIC const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
static TSS2_RC (*sym_Tss2_MU_TPM2B_PUBLIC_Marshal)(TPM2B_PUBLIC const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
||||||
TSS2_RC (*sym_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[], size_t buffer_size, size_t *offset, TPM2B_PUBLIC *dest) = NULL;
|
static TSS2_RC (*sym_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[], size_t buffer_size, size_t *offset, TPM2B_PUBLIC *dest) = NULL;
|
||||||
static TSS2_RC (*sym_Tss2_MU_TPM2B_SENSITIVE_Marshal)(TPM2B_SENSITIVE const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
static TSS2_RC (*sym_Tss2_MU_TPM2B_SENSITIVE_Marshal)(TPM2B_SENSITIVE const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
||||||
static TSS2_RC (*sym_Tss2_MU_TPML_PCR_SELECTION_Marshal)(TPML_PCR_SELECTION const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
static TSS2_RC (*sym_Tss2_MU_TPML_PCR_SELECTION_Marshal)(TPML_PCR_SELECTION const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
||||||
static TSS2_RC (*sym_Tss2_MU_TPMS_NV_PUBLIC_Marshal)(TPMS_NV_PUBLIC const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
static TSS2_RC (*sym_Tss2_MU_TPMS_NV_PUBLIC_Marshal)(TPMS_NV_PUBLIC const *src, uint8_t buffer[], size_t buffer_size, size_t *offset) = NULL;
|
||||||
@ -6845,6 +6845,44 @@ int tpm2_pcrlock_policy_load(
|
|||||||
*ret_policy = TAKE_STRUCT(policy);
|
*ret_policy = TAKE_STRUCT(policy);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int tpm2_load_public_key_file(const char *path, TPM2B_PUBLIC *ret) {
|
||||||
|
_cleanup_free_ char *device_key_buffer = NULL;
|
||||||
|
TPM2B_PUBLIC device_key_public = {};
|
||||||
|
size_t device_key_buffer_size;
|
||||||
|
TSS2_RC rc;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(path);
|
||||||
|
assert(ret);
|
||||||
|
|
||||||
|
r = dlopen_tpm2();
|
||||||
|
if (r < 0)
|
||||||
|
return log_debug_errno(r, "TPM2 support not installed: %m");
|
||||||
|
|
||||||
|
r = read_full_file(path, &device_key_buffer, &device_key_buffer_size);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to read device key from file '%s': %m", path);
|
||||||
|
|
||||||
|
size_t offset = 0;
|
||||||
|
rc = sym_Tss2_MU_TPM2B_PUBLIC_Unmarshal(
|
||||||
|
(uint8_t*) device_key_buffer,
|
||||||
|
device_key_buffer_size,
|
||||||
|
&offset,
|
||||||
|
&device_key_public);
|
||||||
|
if (rc != TSS2_RC_SUCCESS)
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
|
"Could not unmarshal public key from file.");
|
||||||
|
|
||||||
|
assert(offset <= device_key_buffer_size);
|
||||||
|
if (offset != device_key_buffer_size)
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
|
"Found %zu bytes of trailing garbage in public key file.",
|
||||||
|
device_key_buffer_size - offset);
|
||||||
|
|
||||||
|
*ret = device_key_public;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
char *tpm2_pcr_mask_to_string(uint32_t mask) {
|
char *tpm2_pcr_mask_to_string(uint32_t mask) {
|
||||||
|
@ -306,6 +306,8 @@ int tpm2_unseal_data(Tpm2Context *c, const struct iovec *public, const struct io
|
|||||||
int tpm2_serialize(Tpm2Context *c, const Tpm2Handle *handle, void **ret_serialized, size_t *ret_serialized_size);
|
int tpm2_serialize(Tpm2Context *c, const Tpm2Handle *handle, void **ret_serialized, size_t *ret_serialized_size);
|
||||||
int tpm2_deserialize(Tpm2Context *c, const void *serialized, size_t serialized_size, Tpm2Handle **ret_handle);
|
int tpm2_deserialize(Tpm2Context *c, const void *serialized, size_t serialized_size, Tpm2Handle **ret_handle);
|
||||||
|
|
||||||
|
int tpm2_load_public_key_file(const char *path, TPM2B_PUBLIC *ret);
|
||||||
|
|
||||||
/* The tpm2-tss library has many structs that are simply a combination of an array (or object) and
|
/* The tpm2-tss library has many structs that are simply a combination of an array (or object) and
|
||||||
* size. These macros allow easily initializing or assigning instances of such structs from an existing
|
* size. These macros allow easily initializing or assigning instances of such structs from an existing
|
||||||
* buffer/object and size, while also checking the size for safety with the struct buffer/object size. If the
|
* buffer/object and size, while also checking the size for safety with the struct buffer/object size. If the
|
||||||
@ -362,8 +364,6 @@ int tpm2_deserialize(Tpm2Context *c, const void *serialized, size_t serialized_s
|
|||||||
0; \
|
0; \
|
||||||
})
|
})
|
||||||
|
|
||||||
extern TSS2_RC (*sym_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[], size_t buffer_size, size_t *offset, TPM2B_PUBLIC *dest);
|
|
||||||
|
|
||||||
#else /* HAVE_TPM2 */
|
#else /* HAVE_TPM2 */
|
||||||
typedef struct {} Tpm2Context;
|
typedef struct {} Tpm2Context;
|
||||||
typedef struct {} Tpm2Handle;
|
typedef struct {} Tpm2Handle;
|
||||||
|
@ -195,4 +195,26 @@ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handl
|
|||||||
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
|
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
|
||||||
systemd-cryptsetup detach test-volume
|
systemd-cryptsetup detach test-volume
|
||||||
|
|
||||||
|
# Make sure that --tpm2-device-key= also works with systemd-repart
|
||||||
|
tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
|
||||||
|
mkdir /tmp/dditest
|
||||||
|
cat > /tmp/dditest/50-root.conf <<EOF
|
||||||
|
[Partition]
|
||||||
|
Type=root
|
||||||
|
Format=ext4
|
||||||
|
CopyFiles=/tmp/dditest:/
|
||||||
|
Encrypt=tpm2
|
||||||
|
EOF
|
||||||
|
PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
|
||||||
|
DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
|
||||||
|
systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
|
||||||
|
mkdir /tmp/dditest.mnt
|
||||||
|
mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
|
||||||
|
cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
|
||||||
|
umount /tmp/dditest.mnt
|
||||||
|
rmdir /tmp/dditest.mnt
|
||||||
|
rm /tmp/dditest.raw
|
||||||
|
rm /tmp/dditest/50-root.conf
|
||||||
|
rmdir /tmp/dditest
|
||||||
|
|
||||||
rm -f "$IMAGE" "$PRIMARY"
|
rm -f "$IMAGE" "$PRIMARY"
|
||||||
|
Loading…
Reference in New Issue
Block a user