#!/bin/sh # Exit immediately if a command exits with a non-zero status set -e # Summary of the script's functionality summary="Encrypts using a TPM2.0 chip binding policy." # TPM2.0 owner hierarchy to be used by the Operating System auth="o" # Attributes for the created TPM2 object with the JWK as sensitive data obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy" # Display summary if requested if [ "$1" = "--summary" ]; then echo "$summary" exit 0 fi # Display usage information if input is from a terminal if [ -t 0 ]; then exec >&2 echo "$summary" echo echo "This command uses the following configuration properties:" echo " hash: -> Hash algorithm used in the computation of the object name (default: sha256)." echo " key: -> Algorithm type for the generated key (default: ecc)." echo " pcr_bank: -> PCR algorithm bank to use for policy (default: first supported by TPM)." echo " pcr_ids: -> PCR list used for policy. If not present, no policy is used." echo " pcr_digest: -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up." echo echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\"" echo "Usage ZFS: \"zfs set tpm:jwe=\$(zlevis-encrypt '{\"property\":\"value\"}' < tank.key) \"" exit 2 fi # Function to validate PCRs validate_pcrs() { _tpm2_tools_v="${1}" _pcr_bank="${2}" _pcrs="${3}" # Return if PCR bank is not provided [ -z "${_pcr_bank}" ] && return 1 [ -z "${_pcrs}" ] && return 0 _pcrs_r="" case "${_tpm2_tools_v}" in 4|5) _pcrs_r=$(tpm2_pcrread "${_pcr_bank}":"${_pcrs}" | grep -v " ${_pcr_bank}") || _fail=$?;; *) _fail=1;; esac # Check for errors in PCR validation if [ -n "${_fail}" ] || [ -z "${_pcrs_r}" ]; then return 1 fi return 0 } # Function to clean up temporary files on exit on_exit() { if [ ! -d "$tmp" ] || ! rm -rf "$tmp"; then echo "Delete temporary files failed" >&2 echo "You need to clean up: $tmp" >&2 exit 1 fi } # Get the version of tpm2-tools tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}') # Check if the tpm2-tools version is supported if [ -z "$tpm2tools_version" ] || [ "$tpm2tools_version" -lt 4 ] || [ "$tpm2tools_version" -gt 5 ]; then echo "The tpm2 pin requires a tpm2-tools version between 4 and 5" exit 1 fi # Create a temporary directory for TPM files if ! tmp="$(mktemp -d)"; then echo "Creating a temporary dir for TPM files failed" >&2 exit 1 fi # Set up cleanup on exit trap 'on_exit' EXIT # Validate the configuration input if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then echo "Configuration is malformed" >&2 exit 1 fi # Store the configuration in a temporary file echo "$cfg" > "$tmp"/cfg # Extract hash and key from the configuration, defaulting if not present hash="$(jose fmt -j- -Og hash -u- < "$tmp"/cfg)" || hash="sha256" key="$(jose fmt -j- -Og key -u- < "$tmp"/cfg)" || key="ecc" # Determine the PCR bank to use for policy pcr_bank="$(jose fmt -j- -Og pcr_bank -u- < "$tmp"/cfg)" || { # If not specified, find a non-empty PCR algorithm bank if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2 exit 1 fi } # Trim spaces from the configuration for parsing PCR IDs pcr_cfg=$(tr -d '[:space:]' < "$tmp"/cfg) echo "$pcr_cfg" > "$tmp"/pcr_cfg # Handle both string and JSON array formats for pcr_ids if jose fmt -j- -Og pcr_ids 2>/dev/null < "$tmp"/pcr_cfg && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then # Attempt to parse as a JSON array if string parsing fails if jose fmt -j- -Og pcr_ids -A 2>/dev/null < "$tmp"/pcr_cfg; then # Construct a comma-separated string from the array for pcr in $(jose fmt -j- -Og pcr_ids -Af- < "$tmp"/pcr_cfg | tr -d '"'); do pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}") done # Remove leading comma pcr_ids=${pcr_ids#,} else echo "Parsing the requested policy failed" >&2 exit 1 fi fi # Validate the combination of PCR bank and PCR IDs if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then echo "Unable to validate combination of PCR bank '${pcr_bank}' and PCR IDs '${pcr_ids}'" >&2 exit 1 fi # Get the PCR digest from the configuration or read it if not provided pcr_digest="$(jose fmt -j- -Og pcr_digest -u- < "$tmp"/cfg)" || true echo "$pcr_digest" > "$tmp"/pcr_digest # Generate a JSON Web Key (JWK) if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then echo "Generating a jwk failed" >&2 exit 1 fi echo "$jwk" > "$tmp"/jwk # Create the primary key in the TPM case "$tpm2tools_version" in 4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp"/primary.context || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then echo "Creating TPM2 primary key failed" >&2 exit 1 fi tpm2_flushcontext -t # Handle PCRs and policy creation if PCR IDs are provided policy_options="" if [ -n "$pcr_ids" ]; then if [ -z "$pcr_digest" ]; then case "$tpm2tools_version" in 4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp"/pcr.digest || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then echo "Creating PCR hashes file failed" >&2 exit 1 fi tpm2_flushcontext -t else if ! jose b64 dec -i- -O "$tmp"/pcr.digest < "$tmp"/pcr_digest; then echo "Error decoding PCR digest" >&2 exit 1 fi fi # Create the policy based on PCRs case "$tpm2tools_version" in 4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp"/pcr.digest -L "$tmp"/pcr.policy || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then echo "create policy fail, please check the environment or parameters" exit 1 fi tpm2_flushcontext -t tpm2_flushcontext -l # Set the policy options to the created policy file policy_options="$tmp/pcr.policy" else # If no PCR IDs are provided, add user authentication to the object attributes obj_attr="$obj_attr|userwithauth" fi # Create the TPM2 object for the JWK case "$tpm2tools_version" in 4|5) tpm2_create -Q -g "$hash" -C "$tmp"/primary.context -u "$tmp"/jwk.pub -r "$tmp"/jwk.priv -a "$obj_attr" -L "$policy_options" -i- < "$tmp"/jwk || fail=$?;; *) fail=1;; esac if [ -n "$fail" ]; then echo "Creating TPM2 object for jwk failed" >&2 exit 1 fi tpm2_flushcontext -t # Encode the JWK public and private keys in Base64 if ! jwk_pub="$(jose b64 enc -I "$tmp"/jwk.pub)"; then echo "Encoding jwk.pub in Base64 failed" >&2 exit 1 fi if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then echo "Encoding jwk.priv in Base64 failed" >&2 exit 1 fi # Construct the JWE (JSON Web Encryption) structure jwe='{"protected":{"zlevis":{"pin":"tpm2","tpm2":{}}}}' jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$hash" -s hash -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$key" -s key -UUUUo-)" # Include PCR bank and IDs in the JWE if they are provided if [ -n "$pcr_ids" ]; then jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)" fi # Add the Base64 encoded JWK public and private keys to the JWE jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)" # Output the final JWE (echo "$jwe$jwk$(/bin/cat)") | jose jwe enc -i- -k- -I- -c # Exit with the status of the last command exit $?