luc/zlevis
1
1
Fork 0
Code Issues Pull requests Releases 5 Wiki Activity
zlevis/src/zlevis-encrypt
Luc e2135379d8 src/zlevis-encrypt: update
2025-02-14 23:48:04 +01:00

233 lines
No EOL
8.1 KiB
Bash
Executable file
Raw Blame History

#!/bin/sh
# Exit immediately if a command exits with a non-zero status
set -e
# Summary of the script's functionality
summary="Encrypts using a TPM2.0 chip binding policy."
# TPM2.0 owner hierarchy to be used by the Operating System
auth="o"
# Attributes for the created TPM2 object with the JWK as sensitive data
obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
# Display summary if requested
if [ "$1" = "--summary" ]; then
echo "$summary"
exit 0
fi
# Display usage information if input is from a terminal
if [ -t 0 ]; then
exec >&2
echo "Usage: \"zlevis-encrypt '{\"property\":\"value\"}' < file.key > file.jwe\""
echo
echo "This command uses the following configuration properties:"
echo " hash: <string> -> Hash algorithm used in the computation of the object name (default: sha256)."
echo " key: <string> -> Algorithm type for the generated key (default: ecc)."
echo " pcr_bank: <string> -> PCR algorithm bank to use for policy (default: first supported by TPM)."
echo " pcr_ids: <string> -> PCR list used for policy. If not present, no policy is used."
echo " pcr_digest: <string> -> Binary PCR hashes encoded in base64. If not present, the hash values are looked up."
exit 2
fi
# Function to validate PCRs
validate_pcrs() {
_tpm2_tools_v="${1}"
_pcr_bank="${2}"
_pcrs="${3}"
# Return if PCR bank is not provided
[ -z "${_pcr_bank}" ] && return 1
[ -z "${_pcrs}" ] && return 0
_pcrs_r=""
case "${_tpm2_tools_v}" in
4|5) _pcrs_r=$(tpm2_pcrread "${_pcr_bank}":"${_pcrs}" | grep -v " ${_pcr_bank}") || _fail=$?;;
*) _fail=1;;
esac
# Check for errors in PCR validation
if [ -n "${_fail}" ] || [ -z "${_pcrs_r}" ]; then
return 1
fi
return 0
}
# Get the version of tpm2-tools
tpm2tools_version=$(tpm2_createprimary -v | awk -F'version="' '{print $2}' | awk -F'.' '{print $1}')
# Check if the tpm2-tools version is supported
if [ -z "$tpm2tools_version" ] || [ "$tpm2tools_version" -lt 4 ] || [ "$tpm2tools_version" -gt 5 ]; then
echo "The tpm2 pin requires a tpm2-tools version between 4 and 5"
exit 1
fi
# Validate the configuration input
if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
echo "Configuration '{\"property\":\"value\"}' is not present or malformed" >&2
exit 1
fi
# Extract hash and key from the configuration, defaulting if not present
hash="$(printf "%s" "$cfg" | jose fmt -j- -Og hash -u-)" || hash="sha256"
key="$(printf "%s" "$cfg" | jose fmt -j- -Og key -u-)" || key="ecc"
# Determine the PCR bank to use for policy
pcr_bank="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_bank -u-)" || {
# If not specified, find a non-empty PCR algorithm bank
if ! pcr_bank=$(tpm2_getcap pcrs | awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} END {exit !found}'); then
echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
exit 1
fi
}
# Trim spaces from the configuration for parsing PCR IDs
pcr_cfg=$(printf "%s" "$cfg" | tr -d '[:space:]')
# Handle both string and JSON array formats for pcr_ids
if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
# Attempt to parse as a JSON array if string parsing fails
if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -A 2>/dev/null; then
# Construct a comma-separated string from the array
for pcr in $(printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -Af- | tr -d '"'); do
pcr_ids=$(printf '%s,%s' "${pcr_ids}" "${pcr}")
done
# Remove leading comma
pcr_ids=${pcr_ids#,}
else
echo "Parsing the requested policy failed" >&2
exit 1
fi
fi
# Validate the combination of PCR bank and PCR IDs
if ! validate_pcrs "${tpm2tools_version}" "${pcr_bank}" "${pcr_ids}"; then
echo "Unable to validate combination of PCR bank '${pcr_bank}' and PCR IDs '${pcr_ids}'" >&2
exit 1
fi
# Get the PCR digest from the configuration or read it if not provided
pcr_digest="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_digest -u-)" || true
# Generate a JSON Web Key (JWK)
if ! jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"; then
echo "Generating a jwk failed" >&2
exit 1
fi
# Define and trap primary_context
tmp_primary_context="/tmp/primary_context.$$"
trap 'rm -f "$tmp_primary_context"' EXIT
# Create the primary key in the TPM
case "$tpm2tools_version" in
4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$tmp_primary_context" || fail=$?;;
*) fail=1;;
esac
if [ -n "$fail" ]; then
echo "Creating TPM2 primary key failed" >&2
exit 1
fi
tpm2_flushcontext -t
# Define and trap pcr_digest and pcr_policy
tmp_pcr_digest="/tmp/pcr_digest.$$"
tmp_pcr_policy="/tmp/pcr_policy.$$"
trap 'rm -f "$tmp_primary_context" "$tmp_pcr_digest" "$tmp_pcr_policy"' EXIT
# Handle PCRs and policy creation if PCR IDs are provided
policy_options=""
if [ -n "$pcr_ids" ]; then
if [ -z "$pcr_digest" ]; then
case "$tpm2tools_version" in
4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$tmp_pcr_digest" || fail=$?;;
*) fail=1;;
esac
if [ -n "$fail" ]; then
echo "Creating PCR hashes file failed" >&2
exit 1
fi
tpm2_flushcontext -t
else
if ! printf "%s" "$pcr_digest" | jose b64 dec -i- -O "$tmp_pcr_digest"; then
echo "Error decoding PCR digest" >&2
exit 1
fi
fi
# Create the policy based on PCRs
case "$tpm2tools_version" in
4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" -f "$tmp_pcr_digest" -L "$tmp_pcr_policy" || fail=$?;;
*) fail=1;;
esac
if [ -n "$fail" ]; then
echo "create policy fail, please check the environment or parameters"
exit 1
fi
tpm2_flushcontext -t
tpm2_flushcontext -l
# Set the policy options to the created policy file
policy_options="$tmp_pcr_policy"
else
# If no PCR IDs are provided, add user authentication to the object attributes
obj_attr="$obj_attr|userwithauth"
fi
# Remove tmp_pcr_digest and tmp_pcr_policy
rm -f "$tmp_pcr_digest" "$tmp_pcr_policy"
# Define and trap tmp jwk_pub and jwk_priv
tmp_jwk_pub="/tmp/jwk_pub.$$"
tmp_jwk_priv="/tmp/jwk_priv.$$"
trap 'rm -f "$tmp_primary_context" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
# Create the TPM2 object for the JWK
case "$tpm2tools_version" in
4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "$policy_options" -i- || fail=$?;;
*) fail=1;;
esac
if [ -n "$fail" ]; then
echo "Creating TPM2 object for jwk failed" >&2
exit 1
fi
tpm2_flushcontext -t
# Remove tmp_primary_context
rm -f "$tmp_primary_context"
# Encode the JWK public and private keys in Base64
if ! jwk_pub="$(jose b64 enc -I "$tmp_jwk_pub")"; then
echo "Encoding jwk.pub in Base64 failed" >&2
exit 1
fi
if ! jwk_priv="$(jose b64 enc -I "$tmp_jwk_priv")"; then
echo "Encoding jwk.priv in Base64 failed" >&2
exit 1
fi
# Remove tmp_jwk_pub and tmp_jwk_priv
rm -f "$tmp_jwk_pub" "$tmp_jwk_priv"
# Construct the JWE (JSON Web Encryption) structure
jwe='{"protected":{"zlevis":{"pin":"tpm2","tpm2":{}}}}'
jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$hash" -s hash -UUUUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$key" -s key -UUUUo-)"
# Include PCR bank and IDs in the JWE if they are provided
if [ -n "$pcr_ids" ]; then
jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)"
fi
# Add the Base64 encoded JWK public and private keys to the JWE
jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
# Output the final JWE
(echo "$jwe$jwk$(/bin/cat)") | jose jwe enc -i- -k- -I- -c
# Exit with the status of the last command
exit $?
Reference in a new issue View git blame Copy permalink