#include "blockdev-util.h"
#include "chattr-util.h"
+#include "constants.h"
#include "creds-util.h"
+#include "efi-api.h"
#include "env-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "tpm2-util.h"
#include "virt.h"
+#define PUBLIC_KEY_MAX (UINT32_C(1024) * UINT32_C(1024))
+
bool credential_name_valid(const char *s) {
/* We want that credential names are both valid in filenames (since that's our primary way to pass
* them around) and as fdnames (which is how we might want to pass them around eventually) */
return filename_is_valid(s) && fdname_is_valid(s);
}
-int get_credentials_dir(const char **ret) {
+static int get_credentials_dir_internal(const char *envvar, const char **ret) {
const char *e;
assert(ret);
- e = secure_getenv("CREDENTIALS_DIRECTORY");
+ e = secure_getenv(envvar);
if (!e)
return -ENXIO;
return 0;
}
+int get_credentials_dir(const char **ret) {
+ return get_credentials_dir_internal("CREDENTIALS_DIRECTORY", ret);
+}
+
+int get_encrypted_credentials_dir(const char **ret) {
+ return get_credentials_dir_internal("ENCRYPTED_CREDENTIALS_DIRECTORY", ret);
+}
+
int read_credential(const char *name, void **ret, size_t *ret_size) {
_cleanup_free_ char *fn = NULL;
const char *d;
(char**) ret, ret_size);
}
+int read_credential_strings_many_internal(
+ const char *first_name, char **first_value,
+ ...) {
+
+ _cleanup_free_ void *b = NULL;
+ int r, ret = 0;
+
+ /* Reads a bunch of credentials into the specified buffers. If the specified buffers are already
+ * non-NULL frees them if a credential is found. Only supports string-based credentials
+ * (i.e. refuses embedded NUL bytes) */
+
+ if (!first_name)
+ return 0;
+
+ r = read_credential(first_name, &b, NULL);
+ if (r == -ENXIO) /* no creds passed at all? propagate this */
+ return r;
+ if (r < 0)
+ ret = r;
+ else
+ free_and_replace(*first_value, b);
+
+ va_list ap;
+ va_start(ap, first_value);
+
+ for (;;) {
+ _cleanup_free_ void *bb = NULL;
+ const char *name;
+ char **value;
+
+ name = va_arg(ap, const char *);
+ if (!name)
+ break;
+
+ value = va_arg(ap, char **);
+ if (*value)
+ continue;
+
+ r = read_credential(name, &bb, NULL);
+ if (r < 0) {
+ if (ret >= 0)
+ ret = r;
+ } else
+ free_and_replace(*value, bb);
+ }
+
+ va_end(ap);
+ return ret;
+}
+
+int get_credential_user_password(const char *username, char **ret_password, bool *ret_is_hashed) {
+ _cleanup_(erase_and_freep) char *creds_password = NULL;
+ _cleanup_free_ char *cn = NULL;
+ int r;
+
+ /* Try to pick up the password for this account via the credentials logic */
+ cn = strjoin("passwd.hashed-password.", username);
+ if (!cn)
+ return -ENOMEM;
+
+ r = read_credential(cn, (void**) &creds_password, NULL);
+ if (r == -ENOENT) {
+ free(cn);
+ cn = strjoin("passwd.plaintext-password.", username);
+ if (!cn)
+ return -ENOMEM;
+
+ r = read_credential(cn, (void**) &creds_password, NULL);
+ if (r < 0)
+ log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
+ else
+ *ret_is_hashed = false;
+ } else if (r < 0)
+ log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
+ else
+ *ret_is_hashed = true;
+
+ *ret_password = TAKE_PTR(creds_password);
+
+ return r;
+}
+
#if HAVE_OPENSSL
#define CREDENTIAL_HOST_SECRET_SIZE 4096
uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
} _packed_;
+static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
+ int r;
+
+ assert(fd >= 0);
+ assert(dirname);
+ assert(filename);
+
+ if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
+ return;
+
+ r = fd_is_encrypted(fd);
+ if (r < 0)
+ log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
+ dirname, filename);
+ else if (r == 0)
+ log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
+ dirname, filename);
+}
+
static int make_credential_host_secret(
int dfd,
const sd_id128_t machine_id,
+ CredentialSecretFlags flags,
+ const char *dirname,
const char *fn,
void **ret_data,
size_t *ret_size) {
- struct credential_host_secret_format buf;
_cleanup_free_ char *t = NULL;
- _cleanup_close_ int fd = -1;
+ _cleanup_close_ int fd = -EBADF;
int r;
assert(dfd >= 0);
if (r < 0)
log_debug_errno(r, "Failed to set file attributes for secrets file, ignoring: %m");
- buf = (struct credential_host_secret_format) {
+ struct credential_host_secret_format buf = {
.machine_id = machine_id,
};
- r = genuine_random_bytes(buf.data, sizeof(buf.data), RANDOM_BLOCK);
+ CLEANUP_ERASE(buf);
+
+ r = crypto_random_bytes(buf.data, sizeof(buf.data));
if (r < 0)
- goto finish;
+ goto fail;
r = loop_write(fd, &buf, sizeof(buf), false);
if (r < 0)
- goto finish;
+ goto fail;
if (fsync(fd) < 0) {
r = -errno;
- goto finish;
+ goto fail;
}
+ warn_not_encrypted(fd, flags, dirname, fn);
+
if (t) {
r = rename_noreplace(dfd, t, dfd, fn);
if (r < 0)
- goto finish;
+ goto fail;
t = mfree(t);
} else if (linkat(fd, "", dfd, fn, AT_EMPTY_PATH) < 0) {
r = -errno;
- goto finish;
+ goto fail;
}
if (fsync(dfd) < 0) {
r = -errno;
- goto finish;
+ goto fail;
}
if (ret_data) {
copy = memdup(buf.data, sizeof(buf.data));
if (!copy) {
r = -ENOMEM;
- goto finish;
+ goto fail;
}
*ret_data = copy;
if (ret_size)
*ret_size = sizeof(buf.data);
- r = 0;
+ return 0;
-finish:
+fail:
if (t && unlinkat(dfd, t, 0) < 0)
log_debug_errno(errno, "Failed to remove temporary credential key: %m");
- explicit_bzero_safe(&buf, sizeof(buf));
return r;
}
int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
- _cleanup_free_ char *efn = NULL, *ep = NULL;
- _cleanup_close_ int dfd = -1;
+ _cleanup_free_ char *_dirname = NULL, *_filename = NULL;
+ _cleanup_close_ int dfd = -EBADF;
sd_id128_t machine_id;
- const char *e, *fn, *p;
+ const char *dirname, *filename;
int r;
r = sd_id128_get_machine_app_specific(credential_app_id, &machine_id);
if (r < 0)
return r;
- e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
+ const char *e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
if (e) {
if (!path_is_normalized(e))
return -EINVAL;
if (!path_is_absolute(e))
return -EINVAL;
- r = path_extract_directory(e, &ep);
+ r = path_extract_directory(e, &_dirname);
if (r < 0)
return r;
- r = path_extract_filename(e, &efn);
+ r = path_extract_filename(e, &_filename);
if (r < 0)
return r;
- p = ep;
- fn = efn;
+ dirname = _dirname;
+ filename = _filename;
} else {
- p = "/var/lib/systemd";
- fn = "credential.secret";
+ dirname = "/var/lib/systemd";
+ filename = "credential.secret";
}
- (void) mkdir_p(p, 0755);
- dfd = open(p, O_CLOEXEC|O_DIRECTORY|O_RDONLY);
+ mkdir_parents(dirname, 0755);
+ dfd = open_mkdir_at(AT_FDCWD, dirname, O_CLOEXEC, 0755);
if (dfd < 0)
- return -errno;
+ return log_debug_errno(dfd, "Failed to create or open directory '%s': %m", dirname);
if (FLAGS_SET(flags, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS)) {
r = fd_is_temporary_fs(dfd);
if (r < 0)
- return r;
+ return log_debug_errno(r, "Failed to check directory '%s': %m", dirname);
if (r > 0)
- return -ENOMEDIUM;
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM),
+ "Directory '%s' is on a temporary file system, refusing.", dirname);
}
for (unsigned attempt = 0;; attempt++) {
_cleanup_(erase_and_freep) struct credential_host_secret_format *f = NULL;
- _cleanup_close_ int fd = -1;
+ _cleanup_close_ int fd = -EBADF;
size_t l = 0;
ssize_t n = 0;
struct stat st;
if (attempt >= 3) /* Somebody is playing games with us */
- return -EIO;
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+ "All attempts to create secret store in %s failed.", dirname);
- fd = openat(dfd, fn, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
+ fd = openat(dfd, filename, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
if (fd < 0) {
if (errno != ENOENT || !FLAGS_SET(flags, CREDENTIAL_SECRET_GENERATE))
- return -errno;
+ return log_debug_errno(errno,
+ "Failed to open %s/%s: %m", dirname, filename);
+
- r = make_credential_host_secret(dfd, machine_id, fn, ret, ret_size);
+ r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
if (r == -EEXIST) {
- log_debug_errno(r, "Credential secret was created while we were creating it. Trying to read new secret.");
+ log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
+ dirname, filename);
continue;
}
if (r < 0)
- return r;
-
+ return log_debug_errno(r, "Failed to create credential secret %s/%s: %m",
+ dirname, filename);
return 0;
}
if (fstat(fd, &st) < 0)
- return -errno;
+ return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
r = stat_verify_regular(&st);
if (r < 0)
- return r;
+ return log_debug_errno(r, "%s/%s is not a regular file: %m", dirname, filename);
if (st.st_nlink == 0) /* Deleted by now, try again */
continue;
if (st.st_nlink > 1)
- return -EPERM; /* Our deletion check won't work if hardlinked somewhere else */
- if ((st.st_mode & 07777) != 0400) /* Don't use file if not 0400 access mode */
- return -EPERM;
- if (st.st_size > 16*1024*1024)
- return -E2BIG;
+ /* Our deletion check won't work if hardlinked somewhere else */
+ return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
+ "%s/%s has too many links, refusing.",
+ dirname, filename);
+ if ((st.st_mode & 07777) != 0400)
+ /* Don't use file if not 0400 access mode */
+ return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
+ "%s/%s has permissive access mode, refusing.",
+ dirname, filename);
l = st.st_size;
if (l < offsetof(struct credential_host_secret_format, data) + 1)
- return -EINVAL;
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
+ "%s/%s is too small, refusing.", dirname, filename);
+ if (l > 16*1024*1024)
+ return log_debug_errno(SYNTHETIC_ERRNO(E2BIG),
+ "%s/%s is too big, refusing.", dirname, filename);
f = malloc(l+1);
if (!f)
- return -ENOMEM;
+ return log_oom_debug();
n = read(fd, f, l+1);
if (n < 0)
- return -errno;
+ return log_debug_errno(errno,
+ "Failed to read %s/%s: %m", dirname, filename);
if ((size_t) n != l) /* What? The size changed? */
- return -EIO;
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to read %s/%s: %m", dirname, filename);
if (sd_id128_equal(machine_id, f->machine_id)) {
size_t sz;
- if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) {
- r = fd_is_encrypted(fd);
- if (r < 0)
- log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.", p, fn);
- else if (r == 0)
- log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.", p, fn);
- }
+ warn_not_encrypted(fd, flags, dirname, filename);
sz = l - offsetof(struct credential_host_secret_format, data);
assert(sz > 0);
copy = memdup(f->data, sz);
if (!copy)
- return -ENOMEM;
+ return log_oom_debug();
*ret = copy;
}
* to ensure we are the only ones accessing the file while we delete it. */
if (flock(fd, LOCK_EX) < 0)
- return -errno;
+ return log_debug_errno(errno,
+ "Failed to flock %s/%s: %m", dirname, filename);
/* Before we delete it check that the file is still linked into the file system */
if (fstat(fd, &st) < 0)
- return -errno;
+ return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
if (st.st_nlink == 0) /* Already deleted by now? */
continue;
if (st.st_nlink != 1) /* Safety check, someone is playing games with us */
- return -EPERM;
-
- if (unlinkat(dfd, fn, 0) < 0)
- return -errno;
+ return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
+ "%s/%s unexpectedly has too many links.",
+ dirname, filename);
+ if (unlinkat(dfd, filename, 0) < 0)
+ return log_debug_errno(errno, "Failed to unlink %s/%s: %m", dirname, filename);
/* And now try again */
}
*
* 3. The concatenation of the above.
*
+ * 4. Or a fixed "empty" key. This will not provide confidentiality or authenticity, of course, but is
+ * useful to encode credentials for the initrd on TPM-less systems, where we simply have no better
+ * concept to bind things to. Note that decryption of a key set up like this will be refused on
+ * systems that have a TPM and have SecureBoot enabled.
+ *
* The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
* credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
* AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
/* Followed by NUL bytes until next 8 byte boundary */
};
+struct _packed_ tpm2_public_key_credential_header {
+ le64_t pcr_mask; /* PCRs used for the public key PCR policy (usually just PCR 11, i.e. the unified kernel) */
+ le32_t size; /* Size of DER public key */
+ uint8_t data[]; /* DER public key */
+ /* Followed by NUL bytes until next 8 byte boundary */
+};
+
struct _packed_ metadata_credential_header {
le64_t timestamp;
le64_t not_after;
size_t tpm2_key_size,
uint8_t ret[static SHA256_DIGEST_LENGTH]) {
- SHA256_CTX sha256_context;
+ _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
+ unsigned l;
assert(host_key_size == 0 || host_key);
assert(tpm2_key_size == 0 || tpm2_key);
/* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
- if (SHA256_Init(&sha256_context) != 1)
+ md = EVP_MD_CTX_new();
+ if (!md)
+ return log_oom();
+
+ if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
- if (host_key && SHA256_Update(&sha256_context, host_key, host_key_size) != 1)
+ if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
- if (tpm2_key && SHA256_Update(&sha256_context, tpm2_key, tpm2_key_size) != 1)
+ if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
- if (SHA256_Final(ret, &sha256_context) != 1)
+ assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
+
+ if (EVP_DigestFinal_ex(md, ret, &l) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
+ assert(l == SHA256_DIGEST_LENGTH);
return 0;
}
usec_t timestamp,
usec_t not_after,
const char *tpm2_device,
- uint32_t tpm2_pcr_mask,
+ uint32_t tpm2_hash_pcr_mask,
+ const char *tpm2_pubkey_path,
+ uint32_t tpm2_pubkey_pcr_mask,
const void *input,
size_t input_size,
void **ret,
uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
struct encrypted_credential_header *h;
int ksz, bsz, ivsz, tsz, added, r;
+ _cleanup_free_ void *pubkey = NULL;
+ size_t pubkey_size = 0;
uint8_t md[SHA256_DIGEST_LENGTH];
const EVP_CIPHER *cc;
-#if HAVE_TPM2
- bool try_tpm2 = false;
-#endif
sd_id128_t id;
assert(input || input_size == 0);
assert(ret);
assert(ret_size);
+ if (!sd_id128_in_set(with_key,
+ _CRED_AUTO,
+ _CRED_AUTO_INITRD,
+ CRED_AES256_GCM_BY_HOST,
+ CRED_AES256_GCM_BY_TPM2_HMAC,
+ CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
+ CRED_AES256_GCM_BY_TPM2_ABSENT))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid key type: " SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(with_key));
+
if (name && !credential_name_valid(name))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);
log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), not_after));
}
- if (sd_id128_is_null(with_key) ||
- sd_id128_in_set(with_key, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) {
+ if (sd_id128_in_set(with_key,
+ _CRED_AUTO,
+ CRED_AES256_GCM_BY_HOST,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) {
r = get_credential_host_secret(
CREDENTIAL_SECRET_GENERATE|
CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED|
- (sd_id128_is_null(with_key) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0),
+ (sd_id128_equal(with_key, _CRED_AUTO) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0),
&host_key,
&host_key_size);
- if (r == -ENOMEDIUM && sd_id128_is_null(with_key))
+ if (r == -ENOMEDIUM && sd_id128_equal(with_key, _CRED_AUTO))
log_debug_errno(r, "Credential host secret location on temporary file system, not using.");
else if (r < 0)
return log_error_errno(r, "Failed to determine local credential host secret: %m");
}
#if HAVE_TPM2
- if (sd_id128_is_null(with_key)) {
+ bool try_tpm2;
+ if (sd_id128_equal(with_key, _CRED_AUTO)) {
/* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
* if user picks TPM2 explicitly, let's always honour the request and try. */
log_debug("Running in container, not attempting to use TPM2.");
try_tpm2 = r <= 0;
- }
+ } else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) {
+ /* If automatic mode for initrds is selected, we'll use the TPM2 key if the firmware does it,
+ * otherwise we'll use a fixed key */
+
+ try_tpm2 = efi_has_tpm2();
+ if (!try_tpm2)
+ log_debug("Firmware lacks TPM2 support, not attempting to use TPM2.");
+ } else
+ try_tpm2 = sd_id128_in_set(with_key,
+ CRED_AES256_GCM_BY_TPM2_HMAC,
+ CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
+
+ if (try_tpm2) {
+ if (sd_id128_in_set(with_key,
+ _CRED_AUTO,
+ _CRED_AUTO_INITRD,
+ CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
+ CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) {
+
+ /* Load public key for PCR policies, if one is specified, or explicitly requested */
+
+ r = tpm2_load_pcr_public_key(tpm2_pubkey_path, &pubkey, &pubkey_size);
+ if (r < 0) {
+ if (tpm2_pubkey_path || r != -ENOENT || !sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD))
+ return log_error_errno(r, "Failed read TPM PCR public key: %m");
+
+ log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
+ }
+ }
- if (try_tpm2 ||
- sd_id128_in_set(with_key, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) {
+ if (!pubkey)
+ tpm2_pubkey_pcr_mask = 0;
r = tpm2_seal(tpm2_device,
- tpm2_pcr_mask,
- &tpm2_key,
- &tpm2_key_size,
- &tpm2_blob,
- &tpm2_blob_size,
- &tpm2_policy_hash,
- &tpm2_policy_hash_size,
+ tpm2_hash_pcr_mask,
+ pubkey, pubkey_size,
+ tpm2_pubkey_pcr_mask,
+ /* pin= */ NULL,
+ &tpm2_key, &tpm2_key_size,
+ &tpm2_blob, &tpm2_blob_size,
+ &tpm2_policy_hash, &tpm2_policy_hash_size,
&tpm2_pcr_bank,
&tpm2_primary_alg);
if (r < 0) {
- if (!sd_id128_is_null(with_key))
+ if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
+ log_warning("Firmware reported a TPM2 being present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
+ else if (!sd_id128_equal(with_key, _CRED_AUTO))
return r;
- log_debug_errno(r, "TPM2 sealing didn't work, not using: %m");
+ log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
}
assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
}
#endif
- if (sd_id128_is_null(with_key)) {
+ if (sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) {
/* Let's settle the key type in auto mode now. */
if (host_key && tpm2_key)
- id = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
+ id = pubkey ? CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
else if (tpm2_key)
- id = CRED_AES256_GCM_BY_TPM2_HMAC;
+ id = pubkey ? CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_TPM2_HMAC;
else if (host_key)
id = CRED_AES256_GCM_BY_HOST;
+ else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
+ id = CRED_AES256_GCM_BY_TPM2_ABSENT;
else
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"TPM2 not available and host key located on temporary file system, no encryption key available.");
} else
id = with_key;
+ if (sd_id128_equal(id, CRED_AES256_GCM_BY_TPM2_ABSENT))
+ log_warning("Using a null key for encryption and signing. Confidentiality or authenticity will not be provided.");
+
/* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
r = sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
if (r < 0)
if (!iv)
return log_oom();
- r = genuine_random_bytes(iv, ivsz, RANDOM_BLOCK);
+ r = crypto_random_bytes(iv, ivsz);
if (r < 0)
return log_error_errno(r, "Failed to acquired randomized IV: %m");
}
output_size =
ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) +
ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) +
+ ALIGN8(pubkey ? offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size : 0) +
ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) +
input_size + 2U * (size_t) bsz +
tsz;
struct tpm2_credential_header *t;
t = (struct tpm2_credential_header*) ((uint8_t*) output + p);
- t->pcr_mask = htole64(tpm2_pcr_mask);
+ t->pcr_mask = htole64(tpm2_hash_pcr_mask);
t->pcr_bank = htole16(tpm2_pcr_bank);
t->primary_alg = htole16(tpm2_primary_alg);
t->blob_size = htole32(tpm2_blob_size);
p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size);
}
+ if (pubkey) {
+ struct tpm2_public_key_credential_header *z;
+
+ z = (struct tpm2_public_key_credential_header*) ((uint8_t*) output + p);
+ z->pcr_mask = htole64(tpm2_pubkey_pcr_mask);
+ z->size = htole32(pubkey_size);
+ memcpy(z->data, pubkey, pubkey_size);
+
+ p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size);
+ }
+
/* Pass the encrypted + TPM2 header as AAD */
if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
const char *validate_name,
usec_t validate_timestamp,
const char *tpm2_device,
+ const char *tpm2_signature_path,
const void *input,
size_t input_size,
void **ret,
size_t *ret_size) {
_cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL;
+ _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
_cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs;
struct encrypted_credential_header *h;
struct metadata_credential_header *m;
uint8_t md[SHA256_DIGEST_LENGTH];
- bool with_tpm2, with_host_key;
+ bool with_tpm2, with_host_key, is_tpm2_absent, with_tpm2_pk;
const EVP_CIPHER *cc;
int r, added;
if (input_size < sizeof(h->id))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
- with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
- with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
+ with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
+ with_tpm2_pk = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
+ with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC) || with_tpm2_pk;
+ is_tpm2_absent = sd_id128_equal(h->id, CRED_AES256_GCM_BY_TPM2_ABSENT);
- if (!with_host_key && !with_tpm2)
+ if (!with_host_key && !with_tpm2 && !is_tpm2_absent)
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m");
+ if (with_tpm2_pk) {
+ r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json);
+ if (r < 0)
+ return r;
+ }
+
+ if (is_tpm2_absent) {
+ /* So this is a credential encrypted with a zero length key. We support this to cover for the
+ * case where neither a host key not a TPM2 are available (specifically: initrd environments
+ * where the host key is not yet accessible and no TPM2 chip exists at all), to minimize
+ * different codeflow for TPM2 and non-TPM2 codepaths. Of course, credentials encoded this
+ * way offer no confidentiality nor authenticity. Because of that it's important we refuse to
+ * use them on systems that actually *do* have a TPM2 chip – if we are in SecureBoot
+ * mode. Otherwise an attacker could hand us credentials like this and we'd use them thinking
+ * they are trusted, even though they are not. */
+
+ if (efi_has_tpm2()) {
+ if (is_efi_secure_boot())
+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
+ "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
+
+ log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
+ } else
+ log_debug("Credential uses fixed key for use when TPM2 is absent, and TPM2 indeed is absent. Accepting.");
+ }
+
/* Now we know the minimum header size */
if (input_size < offsetof(struct encrypted_credential_header, iv))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
* lower limit only) */
if (input_size <
ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
- ALIGN8((with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0)) +
+ ALIGN8(with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0) +
+ ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) +
ALIGN8(offsetof(struct metadata_credential_header, name)) +
le32toh(h->tag_size))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
if (with_tpm2) {
#if HAVE_TPM2
struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
+ struct tpm2_public_key_credential_header *z = NULL;
- if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX))
+ if (!TPM2_PCR_MASK_VALID(t->pcr_mask))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
if (input_size <
ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
+ ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) +
ALIGN8(offsetof(struct metadata_credential_header, name)) +
le32toh(h->tag_size))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
+ p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) +
+ le32toh(t->blob_size) +
+ le32toh(t->policy_hash_size));
+
+ if (with_tpm2_pk) {
+ z = (struct tpm2_public_key_credential_header*) ((uint8_t*) input + p);
+
+ if (!TPM2_PCR_MASK_VALID(le64toh(z->pcr_mask)) || le64toh(z->pcr_mask) == 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
+ if (le32toh(z->size) > PUBLIC_KEY_MAX)
+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected public key size.");
+
+ if (input_size <
+ ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
+ ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
+ ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + le32toh(z->size)) +
+ ALIGN8(offsetof(struct metadata_credential_header, name)) +
+ le32toh(h->tag_size))
+ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
+
+ p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) +
+ le32toh(z->size));
+ }
+
r = tpm2_unseal(tpm2_device,
le64toh(t->pcr_mask),
le16toh(t->pcr_bank),
+ z ? z->data : NULL,
+ z ? le32toh(z->size) : 0,
+ z ? le64toh(z->pcr_mask) : 0,
+ signature_json,
+ /* pin= */ NULL,
le16toh(t->primary_alg),
t->policy_hash_and_blob,
le32toh(t->blob_size),
if (r < 0)
return r;
- p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) +
- le32toh(t->blob_size) +
- le32toh(t->policy_hash_size));
#else
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
#endif
return log_error_errno(r, "Failed to determine local credential key: %m");
}
+ if (is_tpm2_absent)
+ log_warning("Warning: using a null key for decryption and authentication. Confidentiality or authenticity are not provided.");
+
sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
assert_se(cc = EVP_aes_256_gcm());
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
}
-int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
+int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
}
-int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size) {
+int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const void *input, size_t input_size, void **ret, size_t *ret_size) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
}