diff --git a/README.md b/README.md index 6f75208..ec23fb5 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,3 @@ -# zlevis +# Zlevis -A minimal fork of clevis, rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2. \ No newline at end of file +A minimal fork of [Clevis](https://github.com/latchset/clevis), rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2. diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt new file mode 100644 index 0000000..3e50ffd --- /dev/null +++ b/src/zlevis-encrypt @@ -0,0 +1,242 @@ +#!/bin/sh + +# Exit immediately if a command exits with a non-zero status +set -e + +# Summary of the script's functionality +summary="Encrypts using a TPM2.0 chip binding policy." + +# TPM2.0 owner hierarchy to be used by the Operating System +auth="o" + +# Algorithm type for the TPM2 object with user-provided sensitive data +alg_create_key="keyedhash" + +# Policy options for the TPM2 object +policy_options="" + +# Attributes for the created TPM2 object with the JWK as sensitive data +obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy" + +# Display summary if requested +if [ "$1" = "--summary" ]; then + echo "$summary" + exit 0 +fi + +# Display usage information if input is from a terminal +if [ -t 0 ]; then + exec >&2 + echo "Usage: zlevis-encrypt '{\"property\":\"value\"}' < tank.key > tank.jwe" + echo + echo "$summary" + echo + echo "This command uses the following configuration properties:" + echo " hash: -> Hash algorithm used in the computation of the object name (default: sha256)." + echo " key: -> Algorithm type for the generated key (default: ecc)." + echo " pcr_bank: -> PCR algorithm bank to use for policy (default: first supported by TPM)." + echo " pcr_ids: -> PCR list used for policy. If not present, no policy is used." + echo " pcr_digest: -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up." + exit 2 +fi + +# Function to validate PCRs +validate_pcrs() { + _tpm2_tools_v="${1}" + _pcr_bank="${2}" + _pcrs="${3}" + + # Return if PCR bank is not provided + [ -z "${_pcr_bank}" ] && return 1 + [ -z "${_pcrs}" ] && return 0 + + _pcrs_r="" + case "${_tpm2_tools_v}" in + 4|5) _pcrs_r=$(tpm2_pcrread "${_pcr_bank}":"${_pcrs}" | grep -v " ${_pcr_bank}") || _fail=$?;; + *) _fail=1 + esac + + # Check for errors in PCR validation + if [ -n "${_fail}" ] || [ -z "${_pcrs_r}" ]; then + return 1 + fi + return 0 +} + +# Function to clean up temporary files on exit +on_exit() { + if [ ! -d "$tmp" ] || ! rm -rf "$tmp"; then + echo "Delete temporary files failed" >&2 + echo "You need to clean up: $tmp" >&2 + exit 1 + fi +} + +# Get the version of tpm2-tools +tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}') + +# Check if the tpm2-tools version is supported +if [ -z "$tpm2tools_version" ] || [ $tpm2tools_version -lt 4 ] || [ $tpm2tools_version -gt 5 ]; then + echo "The tpm2 pin requires a tpm2-tools version between 4 and 5" + exit 1 +fi + +# Create a temporary directory for TPM files +mkdir -p "${tmpdir:-/tmp}" +if ! tmp="$(mktemp -d)"; then + echo "Creating a temporary dir for TPM files failed" >&2 + exit 1 +fi + +# Set up cleanup on exit +trap 'on_exit' EXIT + +# Validate the configuration input +if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then + echo "Configuration is malformed" >&2 + exit 1 +fi + +# Store the configuration in a temporary file +echo "$cfg" > "$tmp"/cfg + +# Extract hash and key from the configuration, defaulting if not present +hash="$(jose fmt -j- -Og hash -u- < "$tmp"/cfg)" || hash="sha256" +key="$(jose fmt -j- -Og key -u- < "$tmp"/cfg)" || key="ecc" + +# Determine the PCR bank to use for policy +pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || { + # If not specified, find a non-empty PCR algorithm bank + if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then + echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2 + exit 1 + fi +} + +# Trim spaces from the configuration for parsing PCR IDs +pcr_cfg=$(tr -d '[:space:]' < "$tmp"/cfg) +echo "$pcr_cfg" > "$tmp"/pcr_cfg + +# Handle both string and JSON array formats for pcr_ids +if jose fmt -j- -Og pcr_ids 2>/dev/null < "$tmp"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then + # Attempt to parse as a JSON array if string parsing fails + if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$tmp"/pcr_cfg; then + # Construct a comma-separated string from the array + for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$tmp"/pcr_cfg | tr -d '"'); do + pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}") + done + # Remove leading comma + pcr_ids=${pcr_ids#,} + else + echo "Parsing the requested policy failed" >&2 + exit 1 + fi +fi + +# Validate the combination of PCR bank and PCR IDs +if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then + echo "Unable to validate combination of PCR bank '${pcr_bank}' and PCR IDs '${pcr_ids}'" >&2 + exit 1 +fi + +# Get the PCR digest from the configuration or read it if not provided +pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$tmp"/cfg)" || true +echo "$pcr_digest" > "$tmp"/pcr_digest + +# Generate a JSON Web Key (JWK) +if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then + echo "Generating a jwk failed" >&2 + exit 1 +fi +echo "$jwk" > "$tmp"/jwk + +# Create the primary key in the TPM +case "$tpm2tools_version" in + 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp"/primary.context || fail=$?;; + *) fail=1;; +esac +if [ -n "$fail" ]; then + echo "Creating TPM2 primary key failed" >&2 + exit 1 +fi +tpm2_flushcontext -t + +# Handle PCRs and policy creation if PCR IDs are provided +if [ -n "$pcr_ids" ]; then + if [ -z "$pcr_digest" ]; then + case "$tpm2tools_version" in + 4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp"/pcr.digest || fail=$?;; + *) fail=1;; + esac + if [ -n "$fail" ]; then + echo "Creating PCR hashes file failed" >&2 + exit 1 + fi + tpm2_flushcontext -t + else + if ! jose b64 dec -i- -O "$tmp"/pcr.digest < "$tmp"/pcr_digest; then + echo "Error decoding PCR digest" >&2 + exit 1 + fi + fi + + # Create the policy based on PCRs + case "$tpm2tools_version" in + 4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp"/pcr.digest -L "$tmp"/pcr.policy || fail=$?;; + *) fail=1;; + esac + if [ -n "$fail" ]; then + echo "create policy fail, please check the environment or parameters" + exit 1 + fi + tpm2_flushcontext -t + tpm2_flushcontext -l + + # Set the policy options to the created policy file + policy_options="$tmp/pcr.policy" +else + # If no PCR IDs are provided, add user authentication to the object attributes + obj_attr="$obj_attr|userwithauth" +fi + +# Create the TPM2 object for the JWK +case "$tpm2tools_version" in + 4|5) tpm2_create -Q -g "$hash" -C "$tmp"/primary.context -u "$tmp"/jwk.pub -r "$tmp"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$tmp"/jwk || fail=$?;; + *) fail=1;; +esac +if [ -n "$fail" ]; then + echo "Creating TPM2 object for jwk failed" >&2 + exit 1 +fi +tpm2_flushcontext -t + +# Encode the JWK public and private keys in Base64 +if ! jwk_pub="$(jose b64 enc -I "$tmp"/jwk.pub)"; then + echo "Encoding jwk.pub in Base64 failed" >&2 + exit 1 +fi +if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then + echo "Encoding jwk.priv in Base64 failed" >&2 + exit 1 +fi + +# Construct the JWE (JSON Web Encryption) structure +jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}' +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-)" + +# Include PCR bank and IDs in the JWE if they are provided +if [ -n "$pcr_ids" ]; then + jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)" + jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)" +fi + +# Add the Base64 encoded JWK public and private keys to the JWE +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)" + +# Clean up the temporary directory at the end of the script +[ -d "${tmp}" ] && rm -rf "${tmp}" + +# Output the final JWE +exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) \ No newline at end of file