From 6f1dfc407ef81500f1181f25b0cb3da2eaab756d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 11 Sep 2024 18:22:54 +0200
Subject: [PATCH] man: systemd-stub places PCR public key in file 'tpm2-pcr-public-key.pem', stick to that name across the board
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

systemd-stub provides the signing key for TPM2 signed PCR policies in a file tpm2-pcr-public-key.pem to userspace. Hence, to clarify that this is the same key as used when signing via "systemd-measure", let's rename it in the docs like that.
Also rename the private key to tpm2-pcr-private-key.pem, to keep the symmetry.
With this we should universally stick to this nomenclature:
1. tpm2-pcr-public-key.pem ← public part of signing key
2. tpm2-pcr-private-key.pem ← private part of signing key
3. tpm2-pcr-signature.json ← signature file made with key pair
Inspired by: #34069
---
 man/systemd-measure.xml | 42 ++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 9b991e87b31..71983ffe008 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -286,9 +286,9 @@ Generate a private/public key pair, a unified kernel image, and a TPM PCR 11 signature for it, and embed the signature and the public key in the image
- $ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
+ $ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
 ..+.+++++++++......+.........+......+.......+....+.....+.+...+..........
-$ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
+$ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
 # systemd-measure sign \
 --linux=vmlinux \
 --osrel=os-release.txt \
@@ -296,25 +296,25 @@ $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
 --initrd=initrd.cpio \
 --splash=splash.bmp \
 --dtb=devicetree.dtb \
- --pcrpkey=tpm2-pcr-public.pem \
+ --pcrpkey=tpm2-pcr-public-key.pem \
 --bank=sha1 \
 --bank=sha256 \
- --private-key=tpm2-pcr-private.pem \
- --public-key=tpm2-pcr-public.pem >tpm2-pcr-signature.json
+ --private-key=tpm2-pcr-private-key.pem \
+ --public-key=tpm2-pcr-public-key.pem >tpm2-pcr-signature.json
 # ukify --output=vmlinuz.efi \
 --os-release=@os-release.txt \
 --cmdline=@cmdline.txt \
 --splash=splash.bmp \
 --devicetree=devicetree.dtb \
- --pcr-private-key=tpm2-pcr-private.pem \
- --pcr-public-key=tpm2-pcr-public.pem \
+ --pcr-private-key=tpm2-pcr-private-key.pem \
+ --pcr-public-key=tpm2-pcr-public-key.pem \
 --pcr-banks=sha1,sha256 \
 vmlinux initrd.cpio
 Later on, enroll the signed PCR policy on a LUKS volume:
 # systemd-cryptenroll --tpm2-device=auto \
- --tpm2-public-key=tpm2-pcr-public.pem \
+ --tpm2-public-key=tpm2-pcr-public-key.pem \
 --tpm2-signature=tpm2-pcr-signature.json \
 /dev/sda5
@@ -339,38 +339,38 @@ $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
 two classes of secrets or credentials: one that can be unlocked during the entire runtime, and the other that can only be used in the initrd.
- $ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
+ $ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
 .+........+.+........+.......+...+...+........+....+......+..+..........
-$ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
-$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private.pem
+$ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
+$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key-initrd.pem
 ..+.......++........+........+......+........+....+.....+.+..+..........
-$ openssl rsa -pubout -in tpm2-pcr-initrd-private.pem -out tpm2-pcr-initrd-public.pem
+$ openssl rsa -pubout -in tpm2-pcr-private-key-initrd.pem -out tpm2-pcr-public-key-initrd.pem
 # ukify --output vmlinux-1.2.3.efi \
 --os-release=@os-release.txt \
 --cmdline=@cmdline.txt \
 --splash=splash.bmp \
 --devicetree=devicetree.dtb \
- --pcr-private-key=tpm2-pcr-private.pem \
- --pcr-public-key=tpm2-pcr-public.pem \
+ --pcr-private-key=tpm2-pcr-private-key.pem \
+ --pcr-public-key=tpm2-pcr-public-key.pem \
 --phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
 --pcr-banks=sha1,sha256 \
- --pcr-private-key=tpm2-pcr-initrd-private.pem \
- --pcr-public-key=tpm2-pcr-initrd-public.pem \
+ --pcr-private-key=tpm2-pcr-private-key-initrd.pem \
+ --pcr-public-key=tpm2-pcr-public-key-initrd.pem \
 --phases=enter-initrd \
 vmlinux-1.2.3 initrd.cpio \
 --uname=1.2.3
 + /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
 --osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
 --splash=splash.bmp
--initrd=initrd.cpio --bank=sha1 --bank=sha256 \
---private-key=tpm2-pcr-private.pem --public-key=tpm2-pcr-public.pem \
+--private-key=tpm2-pcr-private-key.pem --public-key=tpm2-pcr-public-key.pem \
 --phase=enter-initrd --phase=enter-initrd:leave-initrd \
 --phase=enter-initrd:leave-initrd:sysinit \
 --phase=enter-initrd:leave-initrd:sysinit:ready
 + /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
 --osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
 --splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
---private-key=tpm2-pcr-initrd-private.pem \
---public-key=tpm2-pcr-initrd-public.pem \
+--private-key=tpm2-pcr-private-key-initrd.pem \
+--public-key=tpm2-pcr-public-key-initrd.pem \
 --phase=enter-initrd
 Wrote unsigned vmlinux-1.2.3.efi
@@ -385,8 +385,8 @@ Wrote unsigned vmlinux-1.2.3.efi
 by the first option, covering all boot phases. The .pcrpkey section is used in the default policies of systemd-cryptenroll and systemd-creds. To use the stricter policy
- bound to tpm-pcr-initrd-public.pem, specify on
- the command line of those tools.
+ bound to tpm2-pcr-public-key-initrd.pem, specify
+ on the command line of those tools.
--
2.47.3