3465c80729
Previously, we were expecting that the input is always utf8 encoded text. Since we just convert it to bytes, and print it back out as bytes, we can just skip the unicode parsing, and accept any provided input. Fixes: #5 Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> |
||
---|---|---|
src | ||
tests | ||
.gitignore | ||
Cargo.toml | ||
LICENSE | ||
README.md |
clevis-pin-tpm2
Rewritten Clevis TPM2 PIN
This rewrite supports all previously encrypted values of the PCR-only clevis TPM2 PIN. Additionally, it supports Authorized Policies to delegate authorization of PCR values to an external party.
Creating policies
A reference implementation has been made available for creating policies as parsed by this pin.
To use this, first create a policy (see instructions in the repository) and take the output signed policy and the public key JSON.
These files need to be available when the PIN runs, so if the pin is used to encrypt the filesystem root, it will probably need to be in /boot.
Then run: $binary encrypt '{"policy_pubkey_path": "/boot/policy_pubkey.json", "policy_ref": "", "policy_path": "/boot/policy.json"}' <somefile
.
This results in an encrypted blob.
During the encryption, the policy pubkey needs to exist, the policy does not.
To decrypt this blob, the file specified in the policy_path during encrypt needs to contain a policy that matches the policy_ref with any steps that would match the current PCRs of the system.
If that's the case, $binary decrypt <blob
will return the contents of the original file back.