diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt index 639c08a..3e50ffd 100644 --- a/src/zlevis-encrypt +++ b/src/zlevis-encrypt @@ -1,230 +1,242 @@ #!/bin/sh +# Exit immediately if a command exits with a non-zero status set -e -SUMMARY="Encrypts using a TPM2.0 chip binding policy" +# Summary of the script's functionality +summary="Encrypts using a TPM2.0 chip binding policy." + +# TPM2.0 owner hierarchy to be used by the Operating System auth="o" + +# Algorithm type for the TPM2 object with user-provided sensitive data alg_create_key="keyedhash" + +# Policy options for the TPM2 object +policy_options="" + +# Attributes for the created TPM2 object with the JWK as sensitive data obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy" -on_exit() { - if [ ! -d "$TMP" ] || ! rm -rf "$TMP"; then - echo "Delete temporary files failed!" >&2 - echo "You need to clean up: $TMP" >&2 - exit 1 - fi -} - +# Display summary if requested if [ "$1" = "--summary" ]; then - echo "$SUMMARY" + echo "$summary" exit 0 fi +# Display usage information if input is from a terminal if [ -t 0 ]; then exec >&2 + echo "Usage: zlevis-encrypt '{\"property\":\"value\"}' < tank.key > tank.jwe" echo - echo "Usage: zlevis-encrypt tpm2 CONFIG < PLAINTEXT > JWE" - echo - echo "$SUMMARY" + echo "$summary" echo echo "This command uses the following configuration properties:" - echo " hash: ; Hash algorithm used in the computation of the object name (default: sha256)." - echo " key: ; Algorithm type for the generated key (default: ecc)." - echo " pcr_bank: ; PCR algorithm bank to use for policy (default: first supported by TPM)." - echo " pcr_ids: ; PCR list used for policy. If not present, no policy is used." - echo " pcr_digest: ; Binary PCR hashes encoded in base64. If not present, the hash values are looked up." + echo " hash: -> Hash algorithm used in the computation of the object name (default: sha256)." + echo " key: -> Algorithm type for the generated key (default: ecc)." + echo " pcr_bank: -> PCR algorithm bank to use for policy (default: first supported by TPM)." + echo " pcr_ids: -> PCR list used for policy. If not present, no policy is used." + echo " pcr_digest: -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up." exit 2 fi +# Function to validate PCRs validate_pcrs() { _tpm2_tools_v="${1}" _pcr_bank="${2}" _pcrs="${3}" + + # Return if PCR bank is not provided [ -z "${_pcr_bank}" ] && return 1 [ -z "${_pcrs}" ] && return 0 - _fail="" _pcrs_r="" case "${_tpm2_tools_v}" in - 3) _pcrs_r="$(tpm2_pcrlist -L "${_pcr_bank}":"${_pcrs}" | grep -v "^${_pcr_bank}")" || _fail=$?;; 4|5) _pcrs_r=$(tpm2_pcrread "${_pcr_bank}":"${_pcrs}" | grep -v " ${_pcr_bank}") || _fail=$?;; *) _fail=1 esac + # Check for errors in PCR validation if [ -n "${_fail}" ] || [ -z "${_pcrs_r}" ]; then return 1 fi return 0 } -TPM2TOOLS_VERSION=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}') +# Function to clean up temporary files on exit +on_exit() { + if [ ! -d "$tmp" ] || ! rm -rf "$tmp"; then + echo "Delete temporary files failed" >&2 + echo "You need to clean up: $tmp" >&2 + exit 1 + fi +} -if [ -z "$TPM2TOOLS_VERSION" ] || [ $TPM2TOOLS_VERSION -lt 3 ] || [ $TPM2TOOLS_VERSION -gt 5 ]; then - echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" +# Get the version of tpm2-tools +tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}') + +# Check if the tpm2-tools version is supported +if [ -z "$tpm2tools_version" ] || [ $tpm2tools_version -lt 4 ] || [ $tpm2tools_version -gt 5 ]; then + echo "The tpm2 pin requires a tpm2-tools version between 4 and 5" exit 1 fi -if [ -z "$TPM2TOOLS_TCTI" ]; then - export TPM2TOOLS_TCTI_NAME=device - export TPM2TOOLS_DEVICE_FILE= - for dev in /dev/tpmrm?; do - [ -e "$dev" ] || continue - TPM2TOOLS_DEVICE_FILE="$dev" - break - done - - export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE" - - if [ -z "$TPM2TOOLS_DEVICE_FILE" ]; then - echo "A TPM2 device with the in-kernel resource manager is needed!" >&2 - exit 1 - fi - - if [ ! -r "$TPM2TOOLS_DEVICE_FILE" ] || [ ! -w "$TPM2TOOLS_DEVICE_FILE" ]; then - echo "The $TPM2TOOLS_DEVICE_FILE device must be readable and writable!" >&2 - exit 1 - fi +# Create a temporary directory for TPM files +mkdir -p "${tmpdir:-/tmp}" +if ! tmp="$(mktemp -d)"; then + echo "Creating a temporary dir for TPM files failed" >&2 + exit 1 fi +# Set up cleanup on exit +trap 'on_exit' EXIT + +# Validate the configuration input if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then - echo "Configuration is malformed!" >&2 + echo "Configuration is malformed" >&2 exit 1 fi -mkdir -p "${TMPDIR:-/tmp}" -if ! TMP="$(mktemp -d)"; then - echo "Creating a temporary dir for TPM files failed!" >&2 - exit 1 -fi +# Store the configuration in a temporary file +echo "$cfg" > "$tmp"/cfg -echo $cfg > "$TMP"/cfg -hash="$(jose fmt -j- -Og hash -u- < "$TMP"/cfg)" || hash="sha256" -key="$(jose fmt -j- -Og key -u- < "$TMP"/cfg)" || key="ecc" +# Extract hash and key from the configuration, defaulting if not present +hash="$(jose fmt -j- -Og hash -u- < "$tmp"/cfg)" || hash="sha256" +key="$(jose fmt -j- -Og key -u- < "$tmp"/cfg)" || key="ecc" -pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$TMP"/cfg)" || { - if ! pcr_bank=$(tpm2_getcap pcrs | - awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \ - {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} - END {exit !found}'); then +# Determine the PCR bank to use for policy +pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || { + # If not specified, find a non-empty PCR algorithm bank + if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2 exit 1 fi } -pcr_cfg=$(tr -d '[:space:]' < "$TMP"/cfg) -echo $pcr_cfg > "$TMP"/pcr_cfg +# Trim spaces from the configuration for parsing PCR IDs +pcr_cfg=$(tr -d '[:space:]' < "$tmp"/cfg) +echo "$pcr_cfg" > "$tmp"/pcr_cfg -if jose fmt -j- -Og pcr_ids 2>/dev/null < "$TMP"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$TMP"/pcr_cfg)"; then - - if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$TMP"/pcr_cfg; then - pcr_ids= - for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$TMP"/pcr_cfg | tr -d '"'); do +# Handle both string and JSON array formats for pcr_ids +if jose fmt -j- -Og pcr_ids 2>/dev/null < "$tmp"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then + # Attempt to parse as a JSON array if string parsing fails + if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$tmp"/pcr_cfg; then + # Construct a comma-separated string from the array + for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$tmp"/pcr_cfg | tr -d '"'); do pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}") done + # Remove leading comma pcr_ids=${pcr_ids#,} else - echo "Parsing the requested policy failed!" >&2 + echo "Parsing the requested policy failed" >&2 exit 1 fi fi -if ! validate_pcrs "${TPM2TOOLS_VERSION}" "${pcr_bank}" "${pcr_ids}"; then - echo "Unable to validate combination of PCR bank '${pcr_bank}' and PCR IDs '${pcr_ids}'." >&2 +# Validate the combination of PCR bank and PCR IDs +if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then + echo "Unable to validate combination of PCR bank '${pcr_bank}' and PCR IDs '${pcr_ids}'" >&2 exit 1 fi -pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$TMP"/cfg)" || true -echo $pcr_digest > "$TMP"/pcr_digest +# Get the PCR digest from the configuration or read it if not provided +pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$tmp"/cfg)" || true +echo "$pcr_digest" > "$tmp"/pcr_digest +# Generate a JSON Web Key (JWK) if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then - echo "Generating a jwk failed!" >&2 + echo "Generating a jwk failed" >&2 exit 1 fi -echo $jwk > "$TMP"/jwk +echo "$jwk" > "$tmp"/jwk -trap 'on_exit' EXIT - -case "$TPM2TOOLS_VERSION" in - 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;; - 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;; +# Create the primary key in the TPM +case "$tpm2tools_version" in + 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp"/primary.context || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then - echo "Creating TPM2 primary key failed!" >&2 + echo "Creating TPM2 primary key failed" >&2 exit 1 fi tpm2_flushcontext -t -policy_options="" +# Handle PCRs and policy creation if PCR IDs are provided if [ -n "$pcr_ids" ]; then if [ -z "$pcr_digest" ]; then - case "$TPM2TOOLS_VERSION" in - 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;; - 4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;; + case "$tpm2tools_version" in + 4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp"/pcr.digest || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then - echo "Creating PCR hashes file failed!" >&2 + echo "Creating PCR hashes file failed" >&2 exit 1 fi tpm2_flushcontext -t else - if ! jose b64 dec -i- -O "$TMP"/pcr.digest < "$TMP"/pcr_digest; then - echo "Error decoding PCR digest!" >&2 + if ! jose b64 dec -i- -O "$tmp"/pcr.digest < "$tmp"/pcr_digest; then + echo "Error decoding PCR digest" >&2 exit 1 fi fi - case "$TPM2TOOLS_VERSION" in - 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;; - 4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;; + # Create the policy based on PCRs + case "$tpm2tools_version" in + 4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp"/pcr.digest -L "$tmp"/pcr.policy || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then - echo "create policy fail, please check the environment or parameters!" + echo "create policy fail, please check the environment or parameters" exit 1 fi tpm2_flushcontext -t tpm2_flushcontext -l - policy_options="$TMP/pcr.policy" + # Set the policy options to the created policy file + policy_options="$tmp/pcr.policy" else + # If no PCR IDs are provided, add user authentication to the object attributes obj_attr="$obj_attr|userwithauth" fi -case "$TPM2TOOLS_VERSION" in - 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv -A "$obj_attr" -L "$policy_options" -I- < "$TMP"/jwk || fail=$?;; - 4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$TMP"/jwk || fail=$?;; +# Create the TPM2 object for the JWK +case "$tpm2tools_version" in + 4|5) tpm2_create -Q -g "$hash" -C "$tmp"/primary.context -u "$tmp"/jwk.pub -r "$tmp"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$tmp"/jwk || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then - echo "Creating TPM2 object for jwk failed!" >&2 + echo "Creating TPM2 object for jwk failed" >&2 exit 1 fi tpm2_flushcontext -t -if ! jwk_pub="$(jose b64 enc -I "$TMP"/jwk.pub)"; then - echo "Encoding jwk.pub in Base64 failed!" >&2 - exit 1 -fi - -if ! jwk_priv="$(jose b64 enc -I "$TMP"/jwk.priv)"; then - echo "Encoding jwk.priv in Base64 failed!" >&2 +# Encode the JWK public and private keys in Base64 +if ! jwk_pub="$(jose b64 enc -I "$tmp"/jwk.pub)"; then + echo "Encoding jwk.pub in Base64 failed" >&2 + exit 1 +fi +if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then + echo "Encoding jwk.priv in Base64 failed" >&2 exit 1 fi +# Construct the JWE (JSON Web Encryption) structure jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}' jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-)" +# Include PCR bank and IDs in the JWE if they are provided if [ -n "$pcr_ids" ]; then jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)" fi +# Add the Base64 encoded JWK public and private keys to the JWE jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)" -[ -d "${TMP}" ] && rm -rf "${TMP}" +# Clean up the temporary directory at the end of the script +[ -d "${tmp}" ] && rm -rf "${tmp}" +# Output the final JWE exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) \ No newline at end of file