diff --git a/README.md b/README.md index ec23fb5..6f75208 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,3 @@ -# Zlevis +# zlevis -A minimal fork of [Clevis](https://github.com/latchset/clevis), rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2. +A minimal fork of clevis, rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2. \ No newline at end of file diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt deleted file mode 100644 index 3e50ffd..0000000 --- a/src/zlevis-encrypt +++ /dev/null @@ -1,242 +0,0 @@ -#!/bin/sh - -# Exit immediately if a command exits with a non-zero status -set -e - -# Summary of the script's functionality -summary="Encrypts using a TPM2.0 chip binding policy." - -# TPM2.0 owner hierarchy to be used by the Operating System -auth="o" - -# Algorithm type for the TPM2 object with user-provided sensitive data -alg_create_key="keyedhash" - -# Policy options for the TPM2 object -policy_options="" - -# Attributes for the created TPM2 object with the JWK as sensitive data -obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy" - -# Display summary if requested -if [ "$1" = "--summary" ]; then - echo "$summary" - exit 0 -fi - -# Display usage information if input is from a terminal -if [ -t 0 ]; then - exec >&2 - echo "Usage: zlevis-encrypt '{\"property\":\"value\"}' < tank.key > tank.jwe" - echo - echo "$summary" - echo - echo "This command uses the following configuration properties:" - echo " hash: -> Hash algorithm used in the computation of the object name (default: sha256)." - echo " key: -> Algorithm type for the generated key (default: ecc)." - echo " pcr_bank: -> PCR algorithm bank to use for policy (default: first supported by TPM)." - echo " pcr_ids: -> PCR list used for policy. If not present, no policy is used." - echo " pcr_digest: -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up." - exit 2 -fi - -# Function to validate PCRs -validate_pcrs() { - _tpm2_tools_v="${1}" - _pcr_bank="${2}" - _pcrs="${3}" - - # Return if PCR bank is not provided - [ -z "${_pcr_bank}" ] && return 1 - [ -z "${_pcrs}" ] && return 0 - - _pcrs_r="" - case "${_tpm2_tools_v}" in - 4|5) _pcrs_r=$(tpm2_pcrread "${_pcr_bank}":"${_pcrs}" | grep -v " ${_pcr_bank}") || _fail=$?;; - *) _fail=1 - esac - - # Check for errors in PCR validation - if [ -n "${_fail}" ] || [ -z "${_pcrs_r}" ]; then - return 1 - fi - return 0 -} - -# Function to clean up temporary files on exit -on_exit() { - if [ ! -d "$tmp" ] || ! rm -rf "$tmp"; then - echo "Delete temporary files failed" >&2 - echo "You need to clean up: $tmp" >&2 - exit 1 - fi -} - -# Get the version of tpm2-tools -tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}') - -# Check if the tpm2-tools version is supported -if [ -z "$tpm2tools_version" ] || [ $tpm2tools_version -lt 4 ] || [ $tpm2tools_version -gt 5 ]; then - echo "The tpm2 pin requires a tpm2-tools version between 4 and 5" - exit 1 -fi - -# Create a temporary directory for TPM files -mkdir -p "${tmpdir:-/tmp}" -if ! tmp="$(mktemp -d)"; then - echo "Creating a temporary dir for TPM files failed" >&2 - exit 1 -fi - -# Set up cleanup on exit -trap 'on_exit' EXIT - -# Validate the configuration input -if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then - echo "Configuration is malformed" >&2 - exit 1 -fi - -# Store the configuration in a temporary file -echo "$cfg" > "$tmp"/cfg - -# Extract hash and key from the configuration, defaulting if not present -hash="$(jose fmt -j- -Og hash -u- < "$tmp"/cfg)" || hash="sha256" -key="$(jose fmt -j- -Og key -u- < "$tmp"/cfg)" || key="ecc" - -# Determine the PCR bank to use for policy -pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || { - # If not specified, find a non-empty PCR algorithm bank - if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then - echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2 - exit 1 - fi -} - -# Trim spaces from the configuration for parsing PCR IDs -pcr_cfg=$(tr -d '[:space:]' < "$tmp"/cfg) -echo "$pcr_cfg" > "$tmp"/pcr_cfg - -# Handle both string and JSON array formats for pcr_ids -if jose fmt -j- -Og pcr_ids 2>/dev/null < "$tmp"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then - # Attempt to parse as a JSON array if string parsing fails - if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$tmp"/pcr_cfg; then - # Construct a comma-separated string from the array - for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$tmp"/pcr_cfg | tr -d '"'); do - pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}") - done - # Remove leading comma - pcr_ids=${pcr_ids#,} - else - echo "Parsing the requested policy failed" >&2 - exit 1 - fi -fi - -# Validate the combination of PCR bank and PCR IDs -if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then - echo "Unable to validate combination of PCR bank '${pcr_bank}' and PCR IDs '${pcr_ids}'" >&2 - exit 1 -fi - -# Get the PCR digest from the configuration or read it if not provided -pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$tmp"/cfg)" || true -echo "$pcr_digest" > "$tmp"/pcr_digest - -# Generate a JSON Web Key (JWK) -if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then - echo "Generating a jwk failed" >&2 - exit 1 -fi -echo "$jwk" > "$tmp"/jwk - -# Create the primary key in the TPM -case "$tpm2tools_version" in - 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp"/primary.context || fail=$?;; - *) fail=1;; -esac -if [ -n "$fail" ]; then - echo "Creating TPM2 primary key failed" >&2 - exit 1 -fi -tpm2_flushcontext -t - -# Handle PCRs and policy creation if PCR IDs are provided -if [ -n "$pcr_ids" ]; then - if [ -z "$pcr_digest" ]; then - case "$tpm2tools_version" in - 4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp"/pcr.digest || fail=$?;; - *) fail=1;; - esac - if [ -n "$fail" ]; then - echo "Creating PCR hashes file failed" >&2 - exit 1 - fi - tpm2_flushcontext -t - else - if ! jose b64 dec -i- -O "$tmp"/pcr.digest < "$tmp"/pcr_digest; then - echo "Error decoding PCR digest" >&2 - exit 1 - fi - fi - - # Create the policy based on PCRs - case "$tpm2tools_version" in - 4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp"/pcr.digest -L "$tmp"/pcr.policy || fail=$?;; - *) fail=1;; - esac - if [ -n "$fail" ]; then - echo "create policy fail, please check the environment or parameters" - exit 1 - fi - tpm2_flushcontext -t - tpm2_flushcontext -l - - # Set the policy options to the created policy file - policy_options="$tmp/pcr.policy" -else - # If no PCR IDs are provided, add user authentication to the object attributes - obj_attr="$obj_attr|userwithauth" -fi - -# Create the TPM2 object for the JWK -case "$tpm2tools_version" in - 4|5) tpm2_create -Q -g "$hash" -C "$tmp"/primary.context -u "$tmp"/jwk.pub -r "$tmp"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$tmp"/jwk || fail=$?;; - *) fail=1;; -esac -if [ -n "$fail" ]; then - echo "Creating TPM2 object for jwk failed" >&2 - exit 1 -fi -tpm2_flushcontext -t - -# Encode the JWK public and private keys in Base64 -if ! jwk_pub="$(jose b64 enc -I "$tmp"/jwk.pub)"; then - echo "Encoding jwk.pub in Base64 failed" >&2 - exit 1 -fi -if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then - echo "Encoding jwk.priv in Base64 failed" >&2 - exit 1 -fi - -# Construct the JWE (JSON Web Encryption) structure -jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}' -jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-)" -jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-)" - -# Include PCR bank and IDs in the JWE if they are provided -if [ -n "$pcr_ids" ]; then - jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)" - jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)" -fi - -# Add the Base64 encoded JWK public and private keys to the JWE -jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)" -jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)" - -# Clean up the temporary directory at the end of the script -[ -d "${tmp}" ] && rm -rf "${tmp}" - -# Output the final JWE -exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) \ No newline at end of file