when TPM2 enrollment metadata is not available.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>tpm2-signature=</option></term>
+
+ <listitem><para>Takes an absolute path to a TPM2 PCR JSON signature file, as produced by the
+ <citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ tool. This permits locking LUKS2 volumes to any PCR values for which a valid signature matching a
+ public key specified at key enrollment time can be provided. See
+ <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ for details on enrolling TPM2 PCR public keys. If this option is not specified but it is attempted to
+ unlock a LUKS2 volume with a signed TPM2 PCR enrollment a suitable signature file
+ <filename>tpm2-pcr-signature.json</filename> is searched for in <filename>/etc/systemd/</filename>,
+ <filename>/run/systemd/</filename>, <filename>/usr/lib/systemd/</filename> (in this
+ order).</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>token-timeout=</option></term>
const char *device,
uint32_t hash_pcr_mask,
uint16_t pcr_bank,
+ const void *pubkey,
+ size_t pubkey_size,
+ uint32_t pubkey_pcr_mask,
+ const char *signature_path,
uint16_t primary_alg,
const char *key_file,
size_t key_file_size,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
+ _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
_cleanup_free_ void *loaded_blob = NULL;
_cleanup_free_ char *auto_device = NULL;
size_t blob_size;
blob = loaded_blob;
}
+ if (pubkey_pcr_mask != 0) {
+ r = tpm2_load_pcr_signature(signature_path, &signature_json);
+ if (r < 0)
+ return r;
+ }
+
if (!(flags & TPM2_FLAGS_USE_PIN))
return tpm2_unseal(
device,
hash_pcr_mask,
pcr_bank,
- /* pubkey= */ NULL, /* pubkey_size= */ 0,
- /* pubkey_pcr_mask= */ 0,
- /* signature= */ NULL,
+ pubkey, pubkey_size,
+ pubkey_pcr_mask,
+ signature_json,
/* pin= */ NULL,
primary_alg,
blob,
r = tpm2_unseal(device,
hash_pcr_mask,
pcr_bank,
- /* pubkey= */ NULL, /* pubkey_size= */ 0,
- /* pubkey_pcr_mask= */ 0,
- /* signature= */ NULL,
+ pubkey, pubkey_size,
+ pubkey_pcr_mask,
+ signature_json,
pin_str,
primary_alg,
blob,
struct crypt_device *cd,
uint32_t search_pcr_mask,
int start_token,
- uint32_t *ret_pcr_mask,
+ uint32_t *ret_hash_pcr_mask,
uint16_t *ret_pcr_bank,
+ void **ret_pubkey,
+ size_t *ret_pubkey_size,
+ uint32_t *ret_pubkey_pcr_mask,
uint16_t *ret_primary_alg,
void **ret_blob,
size_t *ret_blob_size,
int *ret_token,
TPM2Flags *ret_flags) {
- _cleanup_free_ void *blob = NULL, *policy_hash = NULL;
- size_t blob_size = 0, policy_hash_size = 0;
+ _cleanup_free_ void *blob = NULL, *policy_hash = NULL, *pubkey = NULL;
+ size_t blob_size = 0, policy_hash_size = 0, pubkey_size = 0;
int r, keyslot = -1, token = -1;
TPM2Flags flags = 0;
- uint32_t pcr_mask = 0;
+ uint32_t hash_pcr_mask = 0, pubkey_pcr_mask = 0;
uint16_t pcr_bank = UINT16_MAX; /* default: pick automatically */
uint16_t primary_alg = TPM2_ALG_ECC; /* ECC was the only supported algorithm in systemd < 250, use that as implied default, for compatibility */
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"TPM2 token data lacks 'tpm2-pcrs' field.");
- r = tpm2_parse_pcr_json_array(w, &pcr_mask);
+ r = tpm2_parse_pcr_json_array(w, &hash_pcr_mask);
if (r < 0)
return log_error_errno(r, "Failed to parse TPM2 PCR mask: %m");
if (search_pcr_mask != UINT32_MAX &&
- search_pcr_mask != pcr_mask) /* PCR mask doesn't match what is configured, ignore this entry */
+ search_pcr_mask != hash_pcr_mask) /* PCR mask doesn't match what is configured, ignore this entry */
continue;
assert(keyslot < 0);
flags |= TPM2_FLAGS_USE_PIN;
}
+ w = json_variant_by_key(v, "tpm2_pubkey_pcrs");
+ if (w) {
+ r = tpm2_parse_pcr_json_array(w, &pubkey_pcr_mask);
+ if (r < 0)
+ return r;
+ }
+
+ w = json_variant_by_key(v, "tpm2_pubkey");
+ if (w) {
+ r = json_variant_unbase64(w, &pubkey, &pubkey_size);
+ if (r < 0)
+ return log_error_errno(r, "Failed to decode PCR public key.");
+ } else if (pubkey_pcr_mask != 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Public key PCR mask set, but not public key included in JSON data, refusing.");
+
break;
}
if (start_token <= 0)
log_info("Automatically discovered security TPM2 token unlocks volume.");
- *ret_pcr_mask = pcr_mask;
+ *ret_hash_pcr_mask = hash_pcr_mask;
+ *ret_pcr_bank = pcr_bank;
+ *ret_pubkey = TAKE_PTR(pubkey);
+ *ret_pubkey_size = pubkey_size;
+ *ret_pubkey_pcr_mask = pubkey_pcr_mask;
+ *ret_primary_alg = primary_alg;
*ret_blob = TAKE_PTR(blob);
*ret_blob_size = blob_size;
*ret_policy_hash = TAKE_PTR(policy_hash);
*ret_policy_hash_size = policy_hash_size;
*ret_keyslot = keyslot;
*ret_token = token;
- *ret_pcr_bank = pcr_bank;
- *ret_primary_alg = primary_alg;
*ret_flags = flags;
return 0;
int acquire_tpm2_key(
const char *volume_name,
const char *device,
- uint32_t pcr_mask,
+ uint32_t hash_pcr_mask,
uint16_t pcr_bank,
+ const void *pubkey,
+ size_t pubkey_size,
+ uint32_t pubkey_pcr_mask,
+ const char *signature_path,
uint16_t primary_alg,
const char *key_file,
size_t key_file_size,
struct crypt_device *cd,
uint32_t search_pcr_mask,
int start_token,
- uint32_t *ret_pcr_mask,
+ uint32_t *ret_hash_pcr_mask,
uint16_t *ret_pcr_bank,
+ void **ret_pubkey,
+ size_t *ret_pubkey_size,
+ uint32_t *ret_pubkey_pcr_mask,
uint16_t *ret_primary_alg,
void **ret_blob,
size_t *ret_blob_size,
static inline int acquire_tpm2_key(
const char *volume_name,
const char *device,
- uint32_t pcr_mask,
+ uint32_t hash_pcr_mask,
uint16_t pcr_bank,
+ const void *pubkey,
+ size_t pubkey_size,
+ uint32_t pubkey_pcr_mask,
+ const char *signature_path,
uint16_t primary_alg,
const char *key_file,
size_t key_file_size,
struct crypt_device *cd,
uint32_t search_pcr_mask,
int start_token,
- uint32_t *ret_pcr_mask,
+ uint32_t *ret_hash_pcr_mask,
uint16_t *ret_pcr_bank,
+ void **ret_pubkey,
+ size_t *ret_pubkey_size,
+ uint32_t *ret_pubkey_pcr_mask,
uint16_t *ret_primary_alg,
void **ret_blob,
size_t *ret_blob_size,
static char *arg_tpm2_device = NULL;
static bool arg_tpm2_device_auto = false;
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static char *arg_tpm2_signature = NULL;
static bool arg_tpm2_pin = false;
static bool arg_headless = false;
static usec_t arg_token_timeout_usec = 30*USEC_PER_SEC;
STATIC_DESTRUCTOR_REGISTER(arg_fido2_cid, freep);
STATIC_DESTRUCTOR_REGISTER(arg_fido2_rp_id, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_tpm2_signature, freep);
static const char* const passphrase_type_table[_PASSPHRASE_TYPE_MAX] = {
[PASSPHRASE_REGULAR] = "passphrase",
if (r < 0)
return r;
+ } else if ((val = startswith(option, "tpm2-signature="))) {
+
+ if (!path_is_absolute(val))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "TPM2 signature path \"%s\" is not absolute, refusing.", val);
+
+ r = free_and_strdup(&arg_tpm2_signature, val);
+ if (r < 0)
+ return log_oom();
+
} else if ((val = startswith(option, "tpm2-pin="))) {
r = parse_boolean(val);
arg_tpm2_device,
arg_tpm2_pcr_mask == UINT32_MAX ? TPM2_PCR_MASK_DEFAULT : arg_tpm2_pcr_mask,
UINT16_MAX,
- 0,
+ /* pubkey= */ NULL, /* pubkey_size= */ 0,
+ /* pubkey_pcr_mask= */ 0,
+ /* signature_path= */ NULL,
+ /* primary_alg= */ 0,
key_file, arg_keyfile_size, arg_keyfile_offset,
key_data, key_data_size,
- NULL, 0, /* we don't know the policy hash */
+ /* policy_hash= */ NULL, /* policy_hash_size= */ 0, /* we don't know the policy hash */
arg_tpm2_pin,
until,
arg_headless,
* works. */
for (;;) {
- uint32_t pcr_mask;
+ _cleanup_free_ void *pubkey = NULL;
+ size_t pubkey_size = 0;
+ uint32_t hash_pcr_mask, pubkey_pcr_mask;
uint16_t pcr_bank, primary_alg;
TPM2Flags tpm2_flags;
cd,
arg_tpm2_pcr_mask, /* if != UINT32_MAX we'll only look for tokens with this PCR mask */
token, /* search for the token with this index, or any later index than this */
- &pcr_mask,
+ &hash_pcr_mask,
&pcr_bank,
+ &pubkey, &pubkey_size,
+ &pubkey_pcr_mask,
&primary_alg,
&blob, &blob_size,
&policy_hash, &policy_hash_size,
r = acquire_tpm2_key(
name,
arg_tpm2_device,
- pcr_mask,
+ hash_pcr_mask,
pcr_bank,
+ pubkey, pubkey_size,
+ pubkey_pcr_mask,
+ arg_tpm2_signature,
primary_alg,
- NULL, 0, 0, /* no key file */
+ /* key_file= */ NULL, /* key_file_size= */ 0, /* key_file_offset= */ 0, /* no key file */
blob, blob_size,
policy_hash, policy_hash_size,
tpm2_flags,
projects / thirdparty / systemd.git / commitdiff
