src/zlevis-encrypt: update

Reverted prior adaptation in parsing policy_options in tpm2_create due
to incombatility with systems using busybox

README.md

@@ -1,16 +1,10 @@
-# Zlevis
+# zlevis
 
 A minimal fork of [Clevis](https://github.com/latchset/clevis), rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2. 
 
 ## Installation
 
-### Alpine Linux
-
-Work in progress.
-
-### Manual
-
-Zlevis can be manually installed with `meson`, after cloning the repository, setup the build directory
+`zlevis` can be installed with `meson`, after cloning the repository, setup the build directory:
 
 ```
 $ meson setup builddir
@@ -20,7 +14,7 @@ $ meson setup builddir
 
 > Using the `--reconfigure` flag will reconfigure the build directory.
 
-Installation of the zlevis scripts is now performed with
+Installation of the `zlevis` scripts is now performed with:
 
 ```
 # meson install -C builddir

meson.build

@@ -1,5 +1,5 @@
 # Project definition
-project('zlevis', license: 'GPL3', version: '1')
+project('zlevis', license: 'GPL3')
 
 # Define bindir
 bindir = join_paths(get_option('prefix'), get_option('bindir'))

src/zlevis-decrypt

@@ -122,7 +122,7 @@ rm -f "$tmp_jwk_pub" "$tmp_jwk_priv" "$tmp_primary_context"
 
 # Unseal the JWK from the TPM
 case "$tpm2tools_version" in
-    4|5) jwk="$(tpm2_unseal -c "$tmp_load_context" ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+    4|5) jwk="$(tpm2_unseal -c "$tmp_load_context" ${pcr_spec:+-p pcr:$pcr_spec} 2>/dev/null)" || fail=$?;;
     *) fail=1;;
 esac
 if [ -n "$fail" ]; then
@@ -138,4 +138,4 @@ rm -f "$tmp_load_context"
 (echo "$jwk$hdr."; /bin/cat) | jose jwe dec -k- -i-
 
 # Exit with the status of the last command
-exit $?
+exit $?

src/zlevis-encrypt

@@ -87,7 +87,7 @@ pcr_bank="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_bank -u-)" || {
 pcr_cfg=$(printf "%s" "$cfg" | tr -d '[:space:]')
 
 # Handle both string and JSON array formats for pcr_ids
-if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
+if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -u- 2>/dev/null)"; then
     # Attempt to parse as a JSON array if string parsing fails
     if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -A 2>/dev/null; then
         # Construct a comma-separated string from the array
@@ -176,17 +176,17 @@ else
     obj_attr="$obj_attr|userwithauth"
 fi
 
-# Remove tmp_pcr_digest and tmp_pcr_policy
-rm -f "$tmp_pcr_digest" "$tmp_pcr_policy"
+# Remove tmp_pcr_digest
+rm -f "$tmp_pcr_digest"
 
 # Define and trap tmp jwk_pub and jwk_priv
 tmp_jwk_pub="/tmp/jwk_pub.$$"
 tmp_jwk_priv="/tmp/jwk_priv.$$"
-trap 'rm -f "$tmp_primary_context" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
+trap 'rm -f "$tmp_primary_context" "$tmp_pcr_policy" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
 
 # Create the TPM2 object for the JWK
 case "$tpm2tools_version" in
-    4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "$policy_options" -i- || fail=$?;;
+	4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "$policy_options" -i- || fail=$?;;
     *) fail=1;;
 esac
 if [ -n "$fail" ]; then
@@ -195,8 +195,8 @@ if [ -n "$fail" ]; then
 fi
 tpm2_flushcontext -t
 
-# Remove tmp_primary_context
-rm -f "$tmp_primary_context"
+# Remove tmp_primary_context and tmp_pcr_policy
+rm -f "$tmp_primary_context" "$tmp_pcr_policy"
 
 # Encode the JWK public and private keys in Base64
 if ! jwk_pub="$(jose b64 enc -I "$tmp_jwk_pub")"; then
@@ -230,4 +230,4 @@ jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_priv" -s jwk_p
 (echo "$jwe$jwk$(/bin/cat)") | jose jwe enc -i- -k- -I- -c
 
 # Exit with the status of the last command
-exit $?
+exit $?