Message ID | DU0PR10MB68986B841B1C6F0F8FA701E2F0B2A@DU0PR10MB6898.EURPRD10.PROD.OUTLOOK.COM (mailing list archive) |
---|---|
State | Accepted |
Series | [isar-cip-core,v2] added configurable pcr_bank for clevis | expand |
On 14.11.23 06:01, Sari, Sercan (ADV D EU TR C&E) wrote: > Configurable hash type for pcr_bank information. clevis will fail to encrypt data when the TPM has multiple banks, such as SHA1 and SHA256, adding the pcr_bank information resolves this issue. > > Signed-off-by: Sercan Sari <sari.sercan@siemens.com> > --- > .../files/encrypt_partition.clevis.script | 3 ++- > .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 + > .../initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb | 5 ++++- > 3 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > index 899f20e..6d8f209 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > @@ -40,6 +40,7 @@ modprobe tpm_crb > tpm_device=/dev/tpmrm0 > partition_sets="$PARTITIONS" > create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD" > +hash_type="$HASH_TYPE" > > if [ -z "${create_file_system_cmd}" ]; then > create_file_system_cmd="mke2fs -t ext4" > @@ -61,7 +62,7 @@ open_tpm2_partition() { > > enroll_tpm2_token() { > if [ -x /usr/bin/clevis ]; then > - clevis luks bind -d "$1" tpm2 '{"pcr_ids":"7"}' < "$2" > + clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2" > else > panic "clevis not available cannot enroll tpm2 key!" > fi > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > index 52dbd00..bcc57be 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl 
> @@ -2,3 +2,4 @@ PARTITIONS="${CRYPT_PARTITIONS}" > CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}" > SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}" > WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}" > +HASH_TYPE="${CRYPT_HASH_TYPE}" > \ No newline at end of file > diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > index 3c3f6bb..3b2e6fa 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > +++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb > @@ -37,9 +37,12 @@ CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4" > CRYPT_SETUP_TIMEOUT ??= "600" > # Watchdog to service during the initial setup of the crypto partitions > INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog" > +# clevis needs tpm hash algorithm type > +CRYPT_HASH_TYPE ??= "sha256" > + > > TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \ > - CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE" > + CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE" > TEMPLATE_FILES = "encrypt_partition.env.tmpl" > > do_install[cleandirs] += " \ Thanks, applied. Jan
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index 899f20e..6d8f209 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -40,6 +40,7 @@ modprobe tpm_crb
 tpm_device=/dev/tpmrm0
 partition_sets="$PARTITIONS"
 create_file_system_cmd="$CREATE_FILE_SYSTEM_CMD"
+hash_type="$HASH_TYPE"
 
 if [ -z "${create_file_system_cmd}" ]; then
 create_file_system_cmd="mke2fs -t ext4"
@@ -61,7 +62,7 @@ open_tpm2_partition() {
 
 enroll_tpm2_token() {
 if [ -x /usr/bin/clevis ]; then
- clevis luks bind -d "$1" tpm2 '{"pcr_ids":"7"}' < "$2"
+ clevis luks bind -d "$1" tpm2 '{"pcr_bank":"'"$hash_type"'","pcr_ids":"7"}' < "$2"
 else
 panic "clevis not available cannot enroll tpm2 key!"
 fi
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
index 52dbd00..bcc57be 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.env.tmpl
@@ -2,3 +2,4 @@ PARTITIONS="${CRYPT_PARTITIONS}"
 CREATE_FILE_SYSTEM_CMD="${CRYPT_CREATE_FILE_SYSTEM_CMD}"
 SETUP_TIMEOUT="${CRYPT_SETUP_TIMEOUT}"
 WATCHDOG_DEV="${INITRAMFS_WATCHDOG_DEVICE}"
+HASH_TYPE="${CRYPT_HASH_TYPE}"
\ No newline at end of file
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
index 3c3f6bb..3b2e6fa 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb
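Review bot: `hash_type="$HASH_TYPE"` takes the environment value as-is, while `create_file_system_cmd` two lines below falls back to a default when the variable is empty, so an unset or empty HASH_TYPE (an env file generated before this recipe change would presumably lack it) reaches the bind in the second hunk as `"pcr_bank":""`, which clevis is unlikely to accept. Mirror the existing pattern directly after the assignment: `if [ -z "${hash_type}" ]; then`, `hash_type="sha256"`, `fi`. The value is also spliced verbatim into the JSON literal in enroll_tpm2_token, so anything other than a plain bank name (a quote, whitespace) yields a malformed pin configuration; a `case` that accepts the known TPM bank names and calls `panic` otherwise would turn that into an explicit enrollment-time failure instead of an opaque clevis error. enroll_tpm2_token's closing brace lies outside the hunk.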
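Review bot: The template still ends without a trailing newline after the added `HASH_TYPE="${CRYPT_HASH_TYPE}"` line (`\ No newline at end of file`), which is what makes the previous last line show as changed context every time a variable is appended here. Terminating the file with a newline in this commit keeps the next addition to a single `+` line.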
@@ -37,9 +37,12 @@ CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
 CRYPT_SETUP_TIMEOUT ??= "600"
 # Watchdog to service during the initial setup of the crypto partitions
 INITRAMFS_WATCHDOG_DEVICE ??= "/dev/watchdog"
+# clevis needs tpm hash algorithm type
+CRYPT_HASH_TYPE ??= "sha256"
+
 
 TEMPLATE_VARS = "CRYPT_PARTITIONS CRYPT_CREATE_FILE_SYSTEM_CMD \
- CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE"
+ CRYPT_SETUP_TIMEOUT INITRAMFS_WATCHDOG_DEVICE CRYPT_HASH_TYPE"
 TEMPLATE_FILES = "encrypt_partition.env.tmpl"
 
 do_install[cleandirs] += " \
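Review bot: The comment above the new default, `# clevis needs tpm hash algorithm type`, says that a value is required but not what it selects or which values are valid, so an integrator has to read encrypt_partition.clevis.script to set it; `# PCR bank (TPM hash algorithm) clevis binds the LUKS key against; must name a bank the target TPM has enabled, e.g. sha1 or sha256` documents the contract at the point of configuration. The hunk also adds an empty `+` line directly before the existing blank line, leaving two blank lines between CRYPT_HASH_TYPE and TEMPLATE_VARS; dropping the added one keeps the spacing of the surrounding assignments.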
Configurable hash type for pcr_bank information. clevis will fail to encrypt data when the TPM has multiple banks, such as SHA1 and SHA256; adding the pcr_bank information resolves this issue. Signed-off-by: Sercan Sari <sari.sercan@siemens.com> --- .../files/encrypt_partition.clevis.script | 3 ++- .../initramfs-crypt-hook/files/encrypt_partition.env.tmpl | 1 + .../initramfs-crypt-hook/initramfs-crypt-hook_0.1.bb | 5 ++++- 3 files changed, 7 insertions(+), 2 deletions(-)