
[isar-cip-core,v4] encrypt_partition.clevis: select tpm2_device for encryption

Message ID 20240528093656.21040-1-Quirin.Gylstorff@siemens.com (mailing list archive)
State Accepted

Commit Message

Quirin Gylstorff May 28, 2024, 9:36 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This change allows preselecting the TPM2 device for clevis in Debian
bookworm and later.

As clevis is intended to provide TPM2-based disk encryption
with Debian bullseye and earlier, the TPM2 device selection was not available
or implemented. Since clevis v19 (part of Debian bookworm) the TPM2
device can be selected with the variable TPM2TOOLS_TCTI [1].

Setting the variable has no effect in older versions, so
no version check was implemented.

No interface change as systemd-cryptenroll already allows
selecting the tpm2 device.

[1]: https://github.com/latchset/clevis/commit/c6fc63fc055c18927decc7bcaa07821d5ae37614

Reported-by: Gokhan Cetin <gokhan.cetin@siemens.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes v4:
 - use correct format of TPM2TOOLS_TCTI `<tcti-name>:<tcti-option-config>` according to
 https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md#tcti-configuration.

Changes v3:
 - reword commit message that the disable setting was intentional

Changes v2:
 - reword commit message to clarify intent

 .../files/encrypt_partition.clevis.script                 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
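As an added example, not code from the isar-cip-core patch or from clevis: a small POSIX sh helper that builds the `device:<path>` value in the `<tcti-name>:<tcti-option-config>` form the v4 change relies on, refuses malformed device paths (a `:` would be read as the option separator), and leaves `TPM2TOOLS_TCTI` unset when no device is given so the tpm2-tools default device selection applies. `CLEVIS_BIN`, the function names and the assumption that the TPM is a node under `/dev` are mine; the device node is not probed.

```shell
#!/bin/sh
# Added example, not part of the isar-cip-core patch or of clevis itself.
# Builds the TPM2TOOLS_TCTI value in the <tcti-name>:<tcti-option-config>
# form that clevis >= v19 honours and runs clevis with it. Assumptions:
# the TPM is a device node under /dev, and the clevis path comes from
# CLEVIS_BIN (default /usr/bin/clevis); the node is not probed here.

# tcti_for_device DEVICE
# Prints "device:DEVICE" for a well-formed device path, prints nothing for
# an empty DEVICE (the caller then leaves TPM2TOOLS_TCTI unset so the
# tpm2-tools default device selection applies), and fails on a malformed
# path so a typo cannot silently select a different TCTI.
tcti_for_device() {
    dev="$1"
    [ -n "$dev" ] || return 0
    case "$dev" in
        /dev/*) ;;   # must be an absolute device node
        *) echo "invalid TPM device '$dev'" >&2; return 1 ;;
    esac
    case "$dev" in
        # ':' and whitespace would be parsed as TCTI option separators
        *[!A-Za-z0-9/_.-]*) echo "bad characters in TPM device '$dev'" >&2; return 1 ;;
    esac
    printf 'device:%s\n' "$dev"
}

# clevis_with_tpm DEVICE [clevis args...]
# Runs clevis, exporting TPM2TOOLS_TCTI only when a device was given.
clevis_with_tpm() {
    dev="$1"; shift
    tcti=$(tcti_for_device "$dev") || return 1
    if [ -n "$tcti" ]; then
        env TPM2TOOLS_TCTI="$tcti" "${CLEVIS_BIN:-/usr/bin/clevis}" "$@"
    else
        "${CLEVIS_BIN:-/usr/bin/clevis}" "$@"
    fi
}
```

A hook would call `clevis_with_tpm "$tpm_device" luks unlock -n "$crypt_mount_name" -d "$partition_device"` in place of the inline environment prefix.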

Comments

Jan Kiszka May 28, 2024, 11:03 a.m. UTC | #1
On 28.05.24 11:36, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This change allows preselecting the TPM2 device for clevis in Debian
> bookworm and later.
> 
> As clevis is intended to provide TPM2-based disk encryption
> with Debian bullseye and earlier, the TPM2 device selection was not available
> or implemented. Since clevis v19 (part of Debian bookworm) the TPM2
> device can be selected with the variable TPM2TOOLS_TCTI [1].
> 
> Setting the variable has no effect in older versions, so
> no version check was implemented.
> 
> No interface change as systemd-cryptenroll already allows
> selecting the tpm2 device.
> 
> [1]: https://github.com/latchset/clevis/commit/c6fc63fc055c18927decc7bcaa07821d5ae37614
> 
> Reported-by: Gokhan Cetin <gokhan.cetin@siemens.com>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Changes v4:
>  - use correct format of TPM2TOOLS_TCTI `<tcti-name>:<tcti-option-config>` according to
>  https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md#tcti-configuration.
> 
> Changes v3:
>  - reword commit message that the disable setting was intentional
> 
> Changes v2:
>  - reword commit message to clarify intent
> 
>  .../files/encrypt_partition.clevis.script                 | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> index ddb3eab..ceeacd1 100644
> --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
> @@ -13,8 +13,8 @@
>  open_tpm2_partition() {
>  	partition_device="$1"
>  	crypt_mount_name="$2"
> -	#tpm_device="$3"
> -	if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
> +	tpm_device="$3"
> +	if ! TPM2TOOLS_TCTI="device:$tpm_device" usr/bin/clevis luks unlock -n "$crypt_mount_name" \
>  		 -d "$partition_device"; then
>  		panic "Can't decrypt '$partition_device' !"
>  	fi
> @@ -23,11 +23,11 @@ open_tpm2_partition() {
>  enroll_tpm2_token() {
>  	partition_device="$1"
>  	passphrase="$2"
> -	#tpm_device="$3"
> +	tpm_device="$3"
>  	tpm_key_algorithm="$4"
>  	pcr_bank_hash_type="$5"
>  	if [ -x /usr/bin/clevis ]; then
> -		clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase"
> +		TPM2TOOLS_TCTI="device:$tpm_device" clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase"
>  	else
>  		panic "clevis not available cannot enroll tpm2 key!"
>  	fi

Thanks, applied.

Jan

Patch

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
index ddb3eab..ceeacd1 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script
@@ -13,8 +13,8 @@ 
 open_tpm2_partition() {
 	partition_device="$1"
 	crypt_mount_name="$2"
-	#tpm_device="$3"
-	if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \
+	tpm_device="$3"
+	if ! TPM2TOOLS_TCTI="device:$tpm_device" usr/bin/clevis luks unlock -n "$crypt_mount_name" \
 		 -d "$partition_device"; then
 		panic "Can't decrypt '$partition_device' !"
 	fi
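Review bot: the replacement unlock line invokes `usr/bin/clevis` where the removed line had `/usr/bin/clevis`; the leading slash was dropped, so the relative path only resolves when the hook's working directory happens to be `/`. Restore the absolute path, i.e. `if ! TPM2TOOLS_TCTI="device:$tpm_device" /usr/bin/clevis luks unlock -n "$crypt_mount_name" \`. Also, when the third argument is empty the prefix degrades to `TPM2TOOLS_TCTI="device:"`; if callers may omit the device, only set the variable when `$tpm_device` is non-empty rather than passing an empty option string.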
@@ -23,11 +23,11 @@  open_tpm2_partition() {
 enroll_tpm2_token() {
 	partition_device="$1"
 	passphrase="$2"
-	#tpm_device="$3"
+	tpm_device="$3"
 	tpm_key_algorithm="$4"
 	pcr_bank_hash_type="$5"
 	if [ -x /usr/bin/clevis ]; then
-		clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase"
+		TPM2TOOLS_TCTI="device:$tpm_device" clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase"
 	else
 		panic "clevis not available cannot enroll tpm2 key!"
 	fi
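Review bot: the enroll path tests `[ -x /usr/bin/clevis ]` but the new bind line still runs bare `clevis` through PATH, while the unlock hunk uses an explicit path; use `/usr/bin/clevis` here too so the executable that was checked is the one that runs under the `TPM2TOOLS_TCTI` prefix. The same empty-`$tpm_device` caveat applies to `TPM2TOOLS_TCTI="device:$tpm_device"` on this line, and the enroll and unlock calls should agree on that handling so a key bound through one device is unsealed through the same one.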