Add defaults for policy path and pubkey path

This should send people strongly to use the defaults, so that other
tools can easily determine whether policies are in use and what their
values are.
It still allows overriding them.

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Patrick Uiterwijk 2020-12-03 16:41:48 +00:00
parent 9f19dfa344
commit 3dcb2874e0
2 changed files with 30 additions and 4 deletions


@ -15,6 +15,8 @@ pub(super) struct TPM2Config {
// PCR IDs can be passed in as comma-separated string or json array // PCR IDs can be passed in as comma-separated string or json array
pub pcr_ids: Option<serde_json::Value>, pub pcr_ids: Option<serde_json::Value>,
pub pcr_digest: Option<String>, pub pcr_digest: Option<String>,
// Whether to use a policy. If this is specified without pubkey path or policy path, they get set to defaults
pub use_policy: Option<bool>,
// Public key (in JSON format) for a wildcard policy that's possibly OR'd with the PCR one // Public key (in JSON format) for a wildcard policy that's possibly OR'd with the PCR one
pub policy_pubkey_path: Option<String>, pub policy_pubkey_path: Option<String>,
pub policy_ref: Option<String>, pub policy_ref: Option<String>,
@ -62,6 +64,10 @@ impl TryFrom<&TPM2Config> for TPMPolicyStep {
} }
} }
pub(crate) const DEFAULT_POLICY_PATH: &str = "/boot/clevis_policy.json";
pub(crate) const DEFAULT_PUBKEY_PATH: &str = "/boot/clevis_pubkey.json";
pub(crate) const DEFAULT_POLICY_REF: &str = "";
impl TPM2Config { impl TPM2Config {
pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm { pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm {
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref()) crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
@ -95,6 +101,23 @@ impl TPM2Config {
if self.pcr_ids.is_some() && self.pcr_bank.is_none() { if self.pcr_ids.is_some() && self.pcr_bank.is_none() {
self.pcr_bank = Some("sha256".to_string()); self.pcr_bank = Some("sha256".to_string());
} }
// Make use of the defaults if not specified
if self.use_policy.is_some() && self.use_policy.unwrap() {
if self.policy_path.is_none() {
self.policy_path = Some(DEFAULT_POLICY_PATH.to_string());
}
if self.policy_pubkey_path.is_none() {
self.policy_pubkey_path = Some(DEFAULT_PUBKEY_PATH.to_string());
}
if self.policy_ref.is_none() {
self.policy_ref = Some(DEFAULT_POLICY_REF.to_string());
}
} else if self.policy_pubkey_path.is_some()
|| self.policy_path.is_some()
|| self.policy_ref.is_some()
{
eprintln!("To use a policy, please specifiy use_policy: true. Not specifying this will be a fatal error in a next release");
}
if (self.policy_pubkey_path.is_some() if (self.policy_pubkey_path.is_some()
|| self.policy_path.is_some() || self.policy_path.is_some()
|| self.policy_ref.is_some()) || self.policy_ref.is_some())
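Review bot: An explicit `use_policy: false` is handled like an unset value in the last hunk: `self.use_policy.is_some() && self.use_policy.unwrap()` is false, the `else if` only prints a warning, and the existing `policy_pubkey_path.is_some() || …` check that follows still sees any paths that were supplied, so the policy appears to stay in effect although the caller asked for none. Consider `if self.use_policy.unwrap_or(false) {` for the first branch, and decide deliberately what `Some(false)` combined with a path means, for example by returning an error instead of warning. The warning string also contains a typo (`specifiy`). Because the new defaults live under `/boot`, which is commonly unencrypted, a comment on the constants such as `// Read from /boot: both files must hold only public data; trust comes from the policy signature, not the path` would help, assuming that is the intended model. The function body continues outside the hunk.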


@ -413,12 +413,15 @@ This command uses the following configuration properties:
pcr_ids: <string> PCR list used for policy. If not present, no PCR policy is used pcr_ids: <string> PCR list used for policy. If not present, no PCR policy is used
policy_pubkey_path: <string> Path to the policy public key for authorized policy decryption use_policy: <bool> Whether to use a policy
policy_ref: <string> Reference to search for in signed policy file policy_ref: <string> Reference to search for in signed policy file (default: {})
policy_path: <string> Path to the policy path to search for decryption policy > For policies, the path is {}, and the public key is at {}
" ",
cli::DEFAULT_POLICY_REF,
cli::DEFAULT_POLICY_PATH,
cli::DEFAULT_PUBKEY_PATH,
); );
std::process::exit(2); std::process::exit(2);
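Review bot: The help text seems to lose its `policy_pubkey_path` and `policy_path` entries, although the commit message says both can still be overridden; as rendered, the new side lists only `use_policy` and `policy_ref` plus the default locations. Keeping the two keys with their defaults, e.g. `policy_path: <string> Path to the policy path to search for decryption policy (default: {})`, lets an operator see from the help output which override keys exist and which files are consulted. `(default: {})` for `policy_ref` prints an empty value, because `DEFAULT_POLICY_REF` is `""` in the first file's hunk; quoting it in the format string would make that visible. The enclosing call starts outside the hunk.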