Removed unnecessary code and added comments to zlevis-encrypt.

README.md

@@ -1,3 +1,3 @@
-# zlevis
+# Zlevis
 
-A minimal fork of clevis, rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2. 
+A minimal fork of [Clevis](https://github.com/latchset/clevis), rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2. 

src/zlevis-encrypt

@@ -0,0 +1,242 @@
+#!/bin/sh
+
+# Exit immediately if a command exits with a non-zero status
+set -e
+
+# Summary of the script's functionality
+summary="Encrypts using a TPM2.0 chip binding policy."
+
+# TPM2.0 owner hierarchy to be used by the Operating System
+auth="o"
+
+# Algorithm type for the TPM2 object with user-provided sensitive data
+alg_create_key="keyedhash"
+
+# Policy options for the TPM2 object
+policy_options=""
+
+# Attributes for the created TPM2 object with the JWK as sensitive data
+obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
+
+# Display summary if requested
+if [ "$1" = "--summary" ]; then
+    echo "$summary"
+    exit 0
+fi
+
+# Display usage information if input is from a terminal
+if [ -t 0 ]; then
+    exec >&2
+    echo "Usage: zlevis-encrypt '{\"property\":\"value\"}' < tank.key > tank.jwe"
+    echo
+    echo "$summary"
+    echo
+    echo "This command uses the following configuration properties:"
+    echo "  hash: <string> -> Hash algorithm used in the computation of the object name (default: sha256)."
+    echo "  key: <string> -> Algorithm type for the generated key (default: ecc)."
+    echo "  pcr_bank: <string> -> PCR algorithm bank to use for policy (default: first supported by TPM)."
+    echo "  pcr_ids: <string> -> PCR list used for policy. If not present, no policy is used."
+    echo "  pcr_digest: <string> -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up."
+    exit 2
+fi
+
+# Function to validate PCRs
+validate_pcrs() {
+    _tpm2_tools_v="${1}"
+    _pcr_bank="${2}"
+    _pcrs="${3}"
+
+    # Return if PCR bank is not provided
+    [ -z "${_pcr_bank}" ] && return 1
+    [ -z "${_pcrs}" ] && return 0
+
+    _pcrs_r=""
+    case "${_tpm2_tools_v}" in
+    4|5) _pcrs_r=$(tpm2_pcrread "${_pcr_bank}":"${_pcrs}" | grep -v "  ${_pcr_bank}")  || _fail=$?;;
+    *) _fail=1
+    esac
+
+    # Check for errors in PCR validation
+    if [ -n "${_fail}" ] || [ -z "${_pcrs_r}" ]; then
+        return 1
+    fi
+    return 0
+}
+
+# Function to clean up temporary files on exit
+on_exit() {
+    if [ ! -d "$tmp" ] || ! rm -rf "$tmp"; then
+        echo "Delete temporary files failed" >&2
+        echo "You need to clean up: $tmp" >&2
+        exit 1
+    fi
+}
+
+# Get the version of tpm2-tools
+tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}')
+
+# Check if the tpm2-tools version is supported
+if [ -z "$tpm2tools_version" ] || [ $tpm2tools_version -lt 4 ] || [ $tpm2tools_version -gt 5 ]; then
+    echo "The tpm2 pin requires a tpm2-tools version between 4 and 5"
+    exit 1
+fi
+
+# Create a temporary directory for TPM files
+mkdir -p "${tmpdir:-/tmp}"
+if ! tmp="$(mktemp -d)"; then
+    echo "Creating a temporary dir for TPM files failed" >&2
+    exit 1
+fi
+
+# Set up cleanup on exit
+trap 'on_exit' EXIT
+
+# Validate the configuration input
+if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
+    echo "Configuration is malformed" >&2
+    exit 1
+fi
+
+# Store the configuration in a temporary file
+echo "$cfg" > "$tmp"/cfg
+
+# Extract hash and key from the configuration, defaulting if not present
+hash="$(jose fmt -j- -Og hash -u- < "$tmp"/cfg)" || hash="sha256"
+key="$(jose fmt -j- -Og key -u- < "$tmp"/cfg)" || key="ecc"
+
+# Determine the PCR bank to use for policy
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || {
+    # If not specified, find a non-empty PCR algorithm bank
+    if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then
+        echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
+        exit 1
+    fi
+}
+
+# Trim spaces from the configuration for parsing PCR IDs
+pcr_cfg=$(tr -d '[:space:]' < "$tmp"/cfg)
+echo "$pcr_cfg" > "$tmp"/pcr_cfg
+
+# Handle both string and JSON array formats for pcr_ids
+if jose fmt -j- -Og pcr_ids 2>/dev/null < "$tmp"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
+    # Attempt to parse as a JSON array if string parsing fails
+    if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$tmp"/pcr_cfg; then
+        # Construct a comma-separated string from the array
+        for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$tmp"/pcr_cfg | tr -d '"'); do
+            pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}")
+        done
+        # Remove leading comma
+         pcr_ids=${pcr_ids#,}
+    else
+        echo "Parsing the requested policy failed" >&2
+        exit 1
+    fi
+fi
+
+# Validate the combination of PCR bank and PCR IDs
+if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then
+    echo "Unable to validate combination of PCR bank '${pcr_bank}' and PCR IDs '${pcr_ids}'" >&2
+    exit 1
+fi
+
+# Get the PCR digest from the configuration or read it if not provided
+pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$tmp"/cfg)" || true
+echo "$pcr_digest" > "$tmp"/pcr_digest
+
+# Generate a JSON Web Key (JWK)
+if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then
+    echo "Generating a jwk failed" >&2
+    exit 1
+fi
+echo "$jwk" > "$tmp"/jwk
+
+# Create the primary key in the TPM
+case "$tpm2tools_version" in
+    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp"/primary.context || fail=$?;;
+    *) fail=1;;
+esac
+if [ -n "$fail" ]; then
+    echo "Creating TPM2 primary key failed" >&2
+    exit 1
+fi
+tpm2_flushcontext -t
+
+# Handle PCRs and policy creation if PCR IDs are provided
+if [ -n "$pcr_ids" ]; then
+    if [ -z "$pcr_digest" ]; then
+        case "$tpm2tools_version" in
+            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp"/pcr.digest || fail=$?;;
+            *) fail=1;;
+        esac
+        if [ -n "$fail" ]; then
+            echo "Creating PCR hashes file failed" >&2
+            exit 1
+        fi
+        tpm2_flushcontext -t
+    else
+        if ! jose b64 dec -i- -O "$tmp"/pcr.digest < "$tmp"/pcr_digest; then
+            echo "Error decoding PCR digest" >&2
+            exit 1
+        fi
+    fi
+
+    # Create the policy based on PCRs
+    case "$tpm2tools_version" in
+        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp"/pcr.digest -L "$tmp"/pcr.policy || fail=$?;;
+        *) fail=1;;
+    esac
+    if [ -n "$fail" ]; then
+        echo "create policy fail, please check the environment or parameters"
+        exit 1
+    fi
+    tpm2_flushcontext -t
+    tpm2_flushcontext -l
+
+    # Set the policy options to the created policy file
+    policy_options="$tmp/pcr.policy"
+else
+    # If no PCR IDs are provided, add user authentication to the object attributes
+    obj_attr="$obj_attr|userwithauth"
+fi
+
+# Create the TPM2 object for the JWK
+case "$tpm2tools_version" in
+    4|5) tpm2_create -Q -g "$hash" -C "$tmp"/primary.context -u "$tmp"/jwk.pub -r "$tmp"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$tmp"/jwk || fail=$?;;
+    *) fail=1;;
+esac
+if [ -n "$fail" ]; then
+    echo "Creating TPM2 object for jwk failed" >&2
+    exit 1
+fi
+tpm2_flushcontext -t
+
+# Encode the JWK public and private keys in Base64
+if ! jwk_pub="$(jose b64 enc -I "$tmp"/jwk.pub)"; then
+    echo "Encoding jwk.pub in Base64 failed" >&2
+    exit 1
+fi
+if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then
+    echo "Encoding jwk.priv in Base64 failed" >&2
+    exit 1
+fi
+
+# Construct the JWE (JSON Web Encryption) structure
+jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}'
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-)"
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-)"
+
+# Include PCR bank and IDs in the JWE if they are provided
+if [ -n "$pcr_ids" ]; then
+    jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)"
+    jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)"
+fi
+
+# Add the Base64 encoded JWK public and private keys to the JWE
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
+jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
+
+# Clean up the temporary directory at the end of the script
+[ -d "${tmp}" ] && rm -rf "${tmp}"
+
+# Output the final JWE
+exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)