luc/zlevis
1
1
Fork 0
Code Issues Pull requests Releases 5 Wiki Activity

src/zlevis-encrypt: update w.r.t. issue #1

Browse source
This commit is contained in:
Luc Bijl 2025-02-11 21:13:31 +01:00
parent 67e14db930
commit 3344160e52
1 changed files with 39 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

79
src/zlevis-encrypt
View file

@ -58,15 +58,6 @@ validate_pcrs() {
return 0 return 0
} }
# Function to clean up temporary files on exit
on_exit() {
if [ ! -d "$tmp" ] || ! rm -rf "$tmp"; then
echo "Delete temporary files failed" >&2
echo "You need to clean up: $tmp" >&2
exit 1
fi
}
# Get the version of tpm2-tools # Get the version of tpm2-tools
tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}') tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}')
@ -76,30 +67,18 @@ if [ -z "$tpm2tools_version" ] || [ "$tpm2tools_version" -lt 4 ] || [ "$tpm2tool
exit 1 exit 1
fi fi
# Create a temporary directory for TPM files
if ! tmp="$(mktemp -d)"; then
echo "Creating a temporary dir for TPM files failed" >&2
exit 1
fi
# Set up cleanup on exit
trap 'on_exit' EXIT
# Validate the configuration input # Validate the configuration input
if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
echo "Configuration is malformed" >&2 echo "Configuration is malformed" >&2
exit 1 exit 1
fi fi
# Store the configuration in a temporary file
echo "$cfg" > "$tmp"/cfg
# Extract hash and key from the configuration, defaulting if not present # Extract hash and key from the configuration, defaulting if not present
hash="$(jose fmt -j- -Og hash -u- < "$tmp"/cfg)" || hash="sha256" hash="$(printf "%s" "$cfg" | jose fmt -j- -Og hash -u-)" || hash="sha256"
key="$(jose fmt -j- -Og key -u- < "$tmp"/cfg)" || key="ecc" key="$(printf "%s" "$cfg" | jose fmt -j- -Og key -u-)" || key="ecc"
# Determine the PCR bank to use for policy # Determine the PCR bank to use for policy
pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || { pcr_bank="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_bank -u-)" || {
# If not specified, find a non-empty PCR algorithm bank # If not specified, find a non-empty PCR algorithm bank
if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then
echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2 echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
@ -108,15 +87,14 @@ pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || {
} }
# Trim spaces from the configuration for parsing PCR IDs # Trim spaces from the configuration for parsing PCR IDs
pcr_cfg=$(tr -d '[:space:]' < "$tmp"/cfg) pcr_cfg=$(printf "%s" "$cfg" | tr -d '[:space:]')
echo "$pcr_cfg" > "$tmp"/pcr_cfg
# Handle both string and JSON array formats for pcr_ids # Handle both string and JSON array formats for pcr_ids
if jose fmt -j- -Og pcr_ids 2>/dev/null < "$tmp"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
# Attempt to parse as a JSON array if string parsing fails # Attempt to parse as a JSON array if string parsing fails
if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$tmp"/pcr_cfg; then if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -A 2>/dev/null; then
# Construct a comma-separated string from the array # Construct a comma-separated string from the array
for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$tmp"/pcr_cfg | tr -d '"'); do for pcr in $(printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -Af- | tr -d '"'); do
pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}") pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}")
done done
# Remove leading comma # Remove leading comma
@ -134,19 +112,21 @@ if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then
fi fi
# Get the PCR digest from the configuration or read it if not provided # Get the PCR digest from the configuration or read it if not provided
pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$tmp"/cfg)" || true pcr_digest="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_digest -u-)" || true
echo "$pcr_digest" > "$tmp"/pcr_digest
# Generate a JSON Web Key (JWK) # Generate a JSON Web Key (JWK)
if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then
echo "Generating a jwk failed" >&2 echo "Generating a jwk failed" >&2
exit 1 exit 1
fi fi
echo "$jwk" > "$tmp"/jwk
# Define and trap primary_context
tmp_primary_context="/tmp/primary_context.$$"
trap 'rm -f "$tmp_primary_context"' EXIT
# Create the primary key in the TPM # Create the primary key in the TPM
case "$tpm2tools_version" in case "$tpm2tools_version" in
4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp"/primary.context || fail=$?;; 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp_primary_context" || fail=$?;;
*) fail=1;; *) fail=1;;
esac esac
if [ -n "$fail" ]; then if [ -n "$fail" ]; then
@ -155,12 +135,17 @@ if [ -n "$fail" ]; then
fi fi
tpm2_flushcontext -t tpm2_flushcontext -t
# Define and trap pcr_digest and pcr_policy
tmp_pcr_digest="/tmp/pcr_digest.$$"
tmp_pcr_policy="/tmp/pcr_policy.$$"
trap 'rm -f "$tmp_primary_context" "$tmp_pcr_digest" "$tmp_pcr_policy"' EXIT
# Handle PCRs and policy creation if PCR IDs are provided # Handle PCRs and policy creation if PCR IDs are provided
policy_options="" policy_options=""
if [ -n "$pcr_ids" ]; then if [ -n "$pcr_ids" ]; then
if [ -z "$pcr_digest" ]; then if [ -z "$pcr_digest" ]; then
case "$tpm2tools_version" in case "$tpm2tools_version" in
4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp"/pcr.digest || fail=$?;; 4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp_pcr_digest" || fail=$?;;
*) fail=1;; *) fail=1;;
esac esac
if [ -n "$fail" ]; then if [ -n "$fail" ]; then
@ -169,7 +154,7 @@ if [ -n "$pcr_ids" ]; then
fi fi
tpm2_flushcontext -t tpm2_flushcontext -t
else else
if ! jose b64 dec -i- -O "$tmp"/pcr.digest < "$tmp"/pcr_digest; then if ! printf "%s" "$pcr_digest" | jose b64 dec -i- -O "$tmp_pcr_digest"; then
echo "Error decoding PCR digest" >&2 echo "Error decoding PCR digest" >&2
exit 1 exit 1
fi fi
@ -177,7 +162,7 @@ if [ -n "$pcr_ids" ]; then
# Create the policy based on PCRs # Create the policy based on PCRs
case "$tpm2tools_version" in case "$tpm2tools_version" in
4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp"/pcr.digest -L "$tmp"/pcr.policy || fail=$?;; 4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp_pcr_digest" -L "$tmp_pcr_policy" || fail=$?;;
*) fail=1;; *) fail=1;;
esac esac
if [ -n "$fail" ]; then if [ -n "$fail" ]; then
@ -188,15 +173,23 @@ if [ -n "$pcr_ids" ]; then
tpm2_flushcontext -l tpm2_flushcontext -l
# Set the policy options to the created policy file # Set the policy options to the created policy file
policy_options="$tmp/pcr.policy" policy_options="$tmp_pcr_policy"
else else
# If no PCR IDs are provided, add user authentication to the object attributes # If no PCR IDs are provided, add user authentication to the object attributes
obj_attr="$obj_attr|userwithauth" obj_attr="$obj_attr|userwithauth"
fi fi
# Remove tmp_pcr_digest and tmp_pcr_policy
rm -f "$tmp_pcr_digest" "$tmp_pcr_policy"
# Define and trap tmp jwk_pub and jwk_priv
tmp_jwk_pub="/tmp/jwk_pub.$$"
tmp_jwk_priv="/tmp/jwk_priv.$$"
trap 'rm -f "$tmp_primary_context" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
# Create the TPM2 object for the JWK # Create the TPM2 object for the JWK
case "$tpm2tools_version" in case "$tpm2tools_version" in
4|5) tpm2_create -Q -g "$hash" -C "$tmp"/primary.context -u "$tmp"/jwk.pub -r "$tmp"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$tmp"/jwk || fail=$?;; 4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "$policy_options" -i- || fail=$?;;
*) fail=1;; *) fail=1;;
esac esac
if [ -n "$fail" ]; then if [ -n "$fail" ]; then
@ -205,16 +198,22 @@ if [ -n "$fail" ]; then
fi fi
tpm2_flushcontext -t tpm2_flushcontext -t
# Remove tmp_primary_context
rm -f "$tmp_primary_context"
# Encode the JWK public and private keys in Base64 # Encode the JWK public and private keys in Base64
if ! jwk_pub="$(jose b64 enc -I "$tmp"/jwk.pub)"; then if ! jwk_pub="$(jose b64 enc -I "$tmp_jwk_pub")"; then
echo "Encoding jwk.pub in Base64 failed" >&2 echo "Encoding jwk.pub in Base64 failed" >&2
exit 1 exit 1
fi fi
if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then if ! jwk_priv="$(jose b64 enc -I "$tmp_jwk_priv")"; then
echo "Encoding jwk.priv in Base64 failed" >&2 echo "Encoding jwk.priv in Base64 failed" >&2
exit 1 exit 1
fi fi
# Remove tmp_jwk_pub and tmp_jwk_priv
rm -f "$tmp_jwk_pub" "$tmp_jwk_priv"
# Construct the JWE (JSON Web Encryption) structure # Construct the JWE (JSON Web Encryption) structure
jwe='{"protected":{"zlevis":{"pin":"tpm2","tpm2":{}}}}' jwe='{"protected":{"zlevis":{"pin":"tpm2","tpm2":{}}}}'
jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$hash" -s hash -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$hash" -s hash -UUUUo-)"