3dcb2874e0
This should send people strongly to use the defaults, so that other tools can easily determine whether policies are in use and what their values are. It still allows overriding them. Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> |
||
|---|---|---|
| src | ||
| tests | ||
| .gitignore | ||
| Cargo.toml | ||
| LICENSE | ||
| README.md | ||
clevis-pin-tpm2
Rewritten Clevis TPM2 PIN
This rewrite supports all previously encrypted values of the PCR-only clevis TPM2 PIN. Additionally, it supports Authorized Policies to delegate authorization of PCR values to an external party.
Creating policies
A reference implementation has been made available for creating policies as parsed by this pin.
To use this, first create a policy (see instructions in the repository) and take the output signed policy and the public key JSON.
These files need to be available when the PIN runs, so if the pin is used to encrypt the filesystem root, it will probably need to be in /boot.
Then run: $binary encrypt '{"policy_pubkey_path": "/boot/policy_pubkey.json", "policy_ref": "", "policy_path": "/boot/policy.json"}' <somefile.
This results in an encrypted blob.
During the encryption, the policy pubkey needs to exist, the policy does not.
To decrypt this blob, the file specified in the policy_path during encrypt needs to contain a policy that matches the policy_ref with any steps that would match the current PCRs of the system.
If that's the case, $binary decrypt <blob will return the contents of the original file back.