| Message ID | 20240527052948.2471630-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
| --- | --- |
| State | Superseded |
| Series | [isar-cip-core,v2] encrypt_partition.clevis: select tpm2_device for encryption |
On 27.05.24 07:29, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows use to select a tpm2 device which supports > all requirements if the hardware provides multiple device. > This is fixing a regression of cfef8103, isn't it? If so, call this a fix, bonus for linking to introducing commit. Jan > Since clevis v19 the tpm2 device can be selected with the > variable TPM2TOOLS_TCTI[1]. > > Setting the variable as no effect in older versions, so > no version check. > > No interface change as systemd-cryptenroll already allows > selecting the tpm2 device. > > [1]: https://github.com/latchset/clevis/commit/c6fc63fc055c18927decc7bcaa07821d5ae37614 > > Reported-by: Gokhan Cetin <gokhan.cetin@siemens.com> > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > > Changes v2: > - reword commit message to clarify intent > > .../files/encrypt_partition.clevis.script | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > index ddb3eab..a7a5009 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > @@ -13,8 +13,8 @@ > open_tpm2_partition() { > partition_device="$1" > crypt_mount_name="$2" > - #tpm_device="$3" > - if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ > + tpm_device="$3" > + if ! TPM2TOOLS_TCTI=$tpm_device usr/bin/clevis luks unlock -n "$crypt_mount_name" \ > -d "$partition_device"; then > panic "Can't decrypt '$partition_device' !" > fi 
> @@ -23,11 +23,11 @@ open_tpm2_partition() { > enroll_tpm2_token() { > partition_device="$1" > passphrase="$2" > - #tpm_device="$3" > + tpm_device="$3" > tpm_key_algorithm="$4" > pcr_bank_hash_type="$5" > if [ -x /usr/bin/clevis ]; then > - clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" > + TPM2TOOLS_TCTI=$tpm_device clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" > else > panic "clevis not available cannot enroll tpm2 key!" > fi
On 5/27/24 8:18 AM, Jan Kiszka wrote: > On 27.05.24 07:29, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> This allows use to select a tpm2 device which supports >> all requirements if the hardware provides multiple device. >> > > This is fixing a regression of cfef8103, isn't it? If so, call this a > fix, bonus for linking to introducing commit. It more of a improvement for clevis with Debian Bookworm and later than a fix - clevis in bullseye does not support this feature and this was the target for the clevis implementation. Quirin > > Jan > >> Since clevis v19 the tpm2 device can be selected with the >> variable TPM2TOOLS_TCTI[1]. >> >> Setting the variable as no effect in older versions, so >> no version check. >> >> No interface change as systemd-cryptenroll already allows >> selecting the tpm2 device. >> >> [1]: https://github.com/latchset/clevis/commit/c6fc63fc055c18927decc7bcaa07821d5ae37614 >> >> Reported-by: Gokhan Cetin <gokhan.cetin@siemens.com> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> >> Changes v2: >> - reword commit message to clarify intent >> >> .../files/encrypt_partition.clevis.script | 8 ++++---- >> 1 file changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >> index ddb3eab..a7a5009 100644 >> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
>> @@ -13,8 +13,8 @@ >> open_tpm2_partition() { >> partition_device="$1" >> crypt_mount_name="$2" >> - #tpm_device="$3" >> - if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ >> + tpm_device="$3" >> + if ! TPM2TOOLS_TCTI=$tpm_device usr/bin/clevis luks unlock -n "$crypt_mount_name" \ >> -d "$partition_device"; then >> panic "Can't decrypt '$partition_device' !" >> fi >> @@ -23,11 +23,11 @@ open_tpm2_partition() { >> enroll_tpm2_token() { >> partition_device="$1" >> passphrase="$2" >> - #tpm_device="$3" >> + tpm_device="$3" >> tpm_key_algorithm="$4" >> pcr_bank_hash_type="$5" >> if [ -x /usr/bin/clevis ]; then >> - clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" >> + TPM2TOOLS_TCTI=$tpm_device clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" >> else >> panic "clevis not available cannot enroll tpm2 key!" >> fi >
On 27.05.24 13:06, Gylstorff Quirin wrote: > > > On 5/27/24 8:18 AM, Jan Kiszka wrote: >> On 27.05.24 07:29, Quirin Gylstorff wrote: >>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>> >>> This allows use to select a tpm2 device which supports >>> all requirements if the hardware provides multiple device. >>> >> >> This is fixing a regression of cfef8103, isn't it? If so, call this a >> fix, bonus for linking to introducing commit. > > It more of a improvement for clevis with Debian Bookworm and later than > a fix - clevis in bullseye does not support this feature and this was > the target for the clevis implementation. > Okay - now it makes sense to me. Can you enrich the message accordingly? Thanks, Jan > > Quirin >> >> Jan >> >>> Since clevis v19 the tpm2 device can be selected with the >>> variable TPM2TOOLS_TCTI[1]. >>> >>> Setting the variable as no effect in older versions, so >>> no version check. >>> >>> No interface change as systemd-cryptenroll already allows >>> selecting the tpm2 device. >>> >>> [1]: >>> https://github.com/latchset/clevis/commit/c6fc63fc055c18927decc7bcaa07821d5ae37614 >>> >>> Reported-by: Gokhan Cetin <gokhan.cetin@siemens.com> >>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >>> --- >>> >>> Changes v2: >>> - reword commit message to clarify intent >>> >>> .../files/encrypt_partition.clevis.script | 8 ++++---- >>> 1 file changed, 4 insertions(+), 4 deletions(-) >>> >>> diff --git >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >>> index ddb3eab..a7a5009 100644 >>> --- >>> a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script >>> +++ >>> b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script 
>>> @@ -13,8 +13,8 @@ >>> open_tpm2_partition() { >>> partition_device="$1" >>> crypt_mount_name="$2" >>> - #tpm_device="$3" >>> - if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ >>> + tpm_device="$3" >>> + if ! TPM2TOOLS_TCTI=$tpm_device usr/bin/clevis luks unlock -n >>> "$crypt_mount_name" \ >>> -d "$partition_device"; then >>> panic "Can't decrypt '$partition_device' !" >>> fi >>> @@ -23,11 +23,11 @@ open_tpm2_partition() { >>> enroll_tpm2_token() { >>> partition_device="$1" >>> passphrase="$2" >>> - #tpm_device="$3" >>> + tpm_device="$3" >>> tpm_key_algorithm="$4" >>> pcr_bank_hash_type="$5" >>> if [ -x /usr/bin/clevis ]; then >>> - clevis luks bind -d "$partition_device" tpm2 >>> '{"key":"'"$tpm_key_algorithm"'", >>> "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" >>> + TPM2TOOLS_TCTI=$tpm_device clevis luks bind -d >>> "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", >>> "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" >>> else >>> panic "clevis not available cannot enroll tpm2 key!" >>> fi >> >
diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script index ddb3eab..a7a5009 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script @@ -13,8 +13,8 @@ open_tpm2_partition() { partition_device="$1" crypt_mount_name="$2" - #tpm_device="$3" - if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ + tpm_device="$3" + if ! TPM2TOOLS_TCTI=$tpm_device usr/bin/clevis luks unlock -n "$crypt_mount_name" \ -d "$partition_device"; then panic "Can't decrypt '$partition_device' !" fi @@ -23,11 +23,11 @@ open_tpm2_partition() { enroll_tpm2_token() { partition_device="$1" passphrase="$2" - #tpm_device="$3" + tpm_device="$3" tpm_key_algorithm="$4" pcr_bank_hash_type="$5" if [ -x /usr/bin/clevis ]; then - clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" + TPM2TOOLS_TCTI=$tpm_device clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" else panic "clevis not available cannot enroll tpm2 key!" fi
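Review bot: the new unlock line in the `@@ -13,8 +13,8 @@` hunk drops the leading slash from the clevis path: `+ if ! TPM2TOOLS_TCTI=$tpm_device usr/bin/clevis luks unlock -n "$crypt_mount_name" \` replaces `/usr/bin/clevis` with the relative `usr/bin/clevis`, which only resolves when the hook happens to run with `/` as its working directory and otherwise sends a perfectly healthy TPM setup into the `panic "Can't decrypt '$partition_device' !"` branch. Restore `/usr/bin/clevis`. While there, quote the assignment for consistency with the other variables in the function (`TPM2TOOLS_TCTI="$tpm_device"`), and consider exporting it only when the third argument is non-empty, e.g. `if [ -n "$tpm_device" ]; then export TPM2TOOLS_TCTI="$tpm_device"; fi` before the call, so a caller that passes no device keeps clevis' previous default selection instead of an empty `TPM2TOOLS_TCTI` whose handling depends on the clevis and tpm2-tools versions.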
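Review bot: the expected format of `$3` in the `@@ -23,11 +23,11 @@` hunk should be pinned down and documented, because `TPM2TOOLS_TCTI` takes a TCTI specification such as `device:/dev/tpmrm0`, not a bare device node. The commit message argues there is no interface change since systemd-cryptenroll already accepts a TPM2 device, but systemd-cryptenroll is given the device path itself, so if one configuration value feeds both backends, this script (or its caller) needs to translate a path into the `device:` TCTI form, otherwise `clevis luks bind` will not select the intended TPM on a multi-TPM board and the enrolment silently falls back to clevis' default. Two smaller points on the same lines: quote the assignment (`TPM2TOOLS_TCTI="$tpm_device"`) as the rest of the function does, and note that the guard `if [ -x /usr/bin/clevis ]; then` tests the absolute path while the bind line invokes `clevis` via `$PATH`; using `/usr/bin/clevis` in both places, as the unlock function already does, keeps the check and the call from disagreeing inside the initramfs.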