src/zlevis-encrypt: update w.r.t. issue #1

2025-02-11 21:13:31 +01:00 · 2025-02-11 21:13:31 +01:00 · 3344160e52
commit 3344160e52
parent 67e14db930
1 changed files with 39 additions and 40 deletions
--- a/src/zlevis-encrypt
+++ b/src/zlevis-encrypt
@ -58,15 +58,6 @@ validate_pcrs() {
    return 0
 }

-# Function to clean up temporary files on exit
-on_exit() {
-    if [ ! -d "$tmp" ] || ! rm -rf "$tmp"; then
-        echo "Delete temporary files failed" >&2
-        echo "You need to clean up: $tmp" >&2
-        exit 1
-    fi
-}
-
 # Get the version of tpm2-tools
 tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}')

@ -76,30 +67,18 @@ if [ -z "$tpm2tools_version" ] || [ "$tpm2tools_version" -lt 4 ] || [ "$tpm2tool
    exit 1
 fi

-# Create a temporary directory for TPM files
-if ! tmp="$(mktemp -d)"; then
-    echo "Creating a temporary dir for TPM files failed" >&2
-    exit 1
-fi
-
-# Set up cleanup on exit
-trap 'on_exit' EXIT
-
 # Validate the configuration input
 if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
    echo "Configuration is malformed" >&2
    exit 1
 fi

-# Store the configuration in a temporary file
-echo "$cfg" > "$tmp"/cfg
-
 # Extract hash and key from the configuration, defaulting if not present
-hash="$(jose fmt -j- -Og hash -u- < "$tmp"/cfg)" || hash="sha256"
-key="$(jose fmt -j- -Og key -u- < "$tmp"/cfg)" || key="ecc"
+hash="$(printf "%s" "$cfg" | jose fmt -j- -Og hash -u-)" || hash="sha256"
+key="$(printf "%s" "$cfg" | jose fmt -j- -Og key -u-)" || key="ecc"

 # Determine the PCR bank to use for policy
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || {
+pcr_bank="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_bank -u-)" || {
    # If not specified, find a non-empty PCR algorithm bank
    if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then
        echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
@ -108,15 +87,14 @@ pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || {
 }

 # Trim spaces from the configuration for parsing PCR IDs
-pcr_cfg=$(tr -d '[:space:]' < "$tmp"/cfg)
-echo "$pcr_cfg" > "$tmp"/pcr_cfg
+pcr_cfg=$(printf "%s" "$cfg" | tr -d '[:space:]')

 # Handle both string and JSON array formats for pcr_ids
-if jose fmt -j- -Og pcr_ids 2>/dev/null < "$tmp"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
+if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
    # Attempt to parse as a JSON array if string parsing fails
-    if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$tmp"/pcr_cfg; then
+    if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -A 2>/dev/null; then
        # Construct a comma-separated string from the array
-        for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$tmp"/pcr_cfg | tr -d '"'); do
+        for pcr in $(printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -Af- | tr -d '"'); do
            pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}")
        done
        # Remove leading comma
@ -134,19 +112,21 @@ if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then
 fi

 # Get the PCR digest from the configuration or read it if not provided
-pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$tmp"/cfg)" || true
-echo "$pcr_digest" > "$tmp"/pcr_digest
+pcr_digest="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_digest -u-)" || true

 # Generate a JSON Web Key (JWK)
 if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then
    echo "Generating a jwk failed" >&2
    exit 1
 fi
-echo "$jwk" > "$tmp"/jwk
+
+# Define and trap primary_context
+tmp_primary_context="/tmp/primary_context.$$"
+trap 'rm -f "$tmp_primary_context"' EXIT

 # Create the primary key in the TPM
 case "$tpm2tools_version" in
-    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp"/primary.context || fail=$?;;
+    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp_primary_context" || fail=$?;;
    *) fail=1;;
 esac
 if [ -n "$fail" ]; then
@ -155,12 +135,17 @@ if [ -n "$fail" ]; then
 fi
 tpm2_flushcontext -t

+# Define and trap pcr_digest and pcr_policy
+tmp_pcr_digest="/tmp/pcr_digest.$$"
+tmp_pcr_policy="/tmp/pcr_policy.$$"
+trap 'rm -f "$tmp_primary_context" "$tmp_pcr_digest" "$tmp_pcr_policy"' EXIT
+
 # Handle PCRs and policy creation if PCR IDs are provided
 policy_options=""
 if [ -n "$pcr_ids" ]; then
    if [ -z "$pcr_digest" ]; then
        case "$tpm2tools_version" in
-            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp"/pcr.digest || fail=$?;;
+            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp_pcr_digest" || fail=$?;;
            *) fail=1;;
        esac
        if [ -n "$fail" ]; then
@ -169,7 +154,7 @@ if [ -n "$pcr_ids" ]; then
        fi
        tpm2_flushcontext -t
    else
-        if ! jose b64 dec -i- -O "$tmp"/pcr.digest < "$tmp"/pcr_digest; then
+        if ! printf "%s" "$pcr_digest" | jose b64 dec -i- -O "$tmp_pcr_digest"; then
            echo "Error decoding PCR digest" >&2
            exit 1
        fi
@ -177,7 +162,7 @@ if [ -n "$pcr_ids" ]; then

    # Create the policy based on PCRs
    case "$tpm2tools_version" in
-        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp"/pcr.digest -L "$tmp"/pcr.policy || fail=$?;;
+        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp_pcr_digest" -L "$tmp_pcr_policy" || fail=$?;;
        *) fail=1;;
    esac
    if [ -n "$fail" ]; then
@ -188,15 +173,23 @@ if [ -n "$pcr_ids" ]; then
    tpm2_flushcontext -l

    # Set the policy options to the created policy file
-    policy_options="$tmp/pcr.policy"
+    policy_options="$tmp_pcr_policy"
 else
    # If no PCR IDs are provided, add user authentication to the object attributes
    obj_attr="$obj_attr|userwithauth"
 fi

+# Remove tmp_pcr_digest and tmp_pcr_policy
+rm -f "$tmp_pcr_digest" "$tmp_pcr_policy"
+
+# Define and trap tmp jwk_pub and jwk_priv
+tmp_jwk_pub="/tmp/jwk_pub.$$"
+tmp_jwk_priv="/tmp/jwk_priv.$$"
+trap 'rm -f "$tmp_primary_context" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
+
 # Create the TPM2 object for the JWK
 case "$tpm2tools_version" in
-    4|5) tpm2_create -Q -g "$hash" -C "$tmp"/primary.context -u "$tmp"/jwk.pub -r "$tmp"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$tmp"/jwk || fail=$?;;
+    4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "$policy_options" -i- || fail=$?;;
    *) fail=1;;
 esac
 if [ -n "$fail" ]; then
@ -205,16 +198,22 @@ if [ -n "$fail" ]; then
 fi
 tpm2_flushcontext -t

+# Remove tmp_primary_context
+rm -f "$tmp_primary_context"
+
 # Encode the JWK public and private keys in Base64
-if ! jwk_pub="$(jose b64 enc -I "$tmp"/jwk.pub)"; then
+if ! jwk_pub="$(jose b64 enc -I "$tmp_jwk_pub")"; then
    echo "Encoding jwk.pub in Base64 failed" >&2
    exit 1
 fi
-if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then
+if ! jwk_priv="$(jose b64 enc -I "$tmp_jwk_priv")"; then
    echo "Encoding jwk.priv in Base64 failed" >&2
    exit 1
 fi

+# Remove tmp_jwk_pub and tmp_jwk_priv
+rm -f "$tmp_jwk_pub" "$tmp_jwk_priv"
+
 # Construct the JWE (JSON Web Encryption) structure
 jwe='{"protected":{"zlevis":{"pin":"tpm2","tpm2":{}}}}'
 jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$hash" -s hash -UUUUo-)"