Enable systemd-cryptenroll to support pcr literals on the command line. #28339

flixman · 2023-07-10T11:58:50Z

THIS IS WORK IN PROGRESS.
Current implementation of tpm2-related tools in systemd-cryptenroll support specifying a PCR index, but not giving a literal hash value. This PR provides such functionality. The idea is to reuse as much code as possible, so the specification of the registers would go like

 --tpm2-pcrs=7+11:sha256=<hash>+14

…unctions

github-actions · 2023-07-10T12:01:46Z

An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.

github-actions · 2023-07-10T12:07:55Z

An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.

src/shared/tpm2-util.c

src/creds/creds.c

src/shared/tpm2-util.c

src/test/test-tpm2.c

ddstreet

I'm also working on adding this, BTW....

src/shared/tpm2-util.c

flixman · 2023-07-13T06:05:52Z

@poettering @ddstreet I have been traveling for the last two days. After your remark on the issue I have moved everything to hashmap and I am applying the coding style. My apologies for the (lack of) quality of this draft, but its purpose was only to show the proposal to get any architectural concerns. I hope I will finish this in the coming few days (I am still on the go, with limited time :-/).

@ddstreet: on your remark about tpm2_pcr_from_string: I am currently changing the signature of tpm2_pcr_from_string so that it does not return the literals mask and the values themselves, but only a <bank, pcrs> hashmap, where pcrs is another <index, digest>, in which digest is a TPM2B_DIGEST. Additionally, I am providing a function that, given the pcrs hashmap, will return the mask for those literals.

@poettering: I will incorporate your remarks in the coming commits. Thank you very much! I am having a bit of a problem accessing a hashmap whose values are also hashmaps, but I will update the PR as soon as I get around it.

I am commiting my work in progress. It is not yet for review, but to show the status of the work.

… review of draft PR

src/test/test-tpm2.c

ddstreet · 2023-07-14T14:59:32Z

I don't mean to step on your work, but I have #28398 which I think is a more comprehensive approach.

flixman · 2023-07-14T19:04:18Z

@ddstreet Good! then I stop on that. Good luck!

flixman added 4 commits July 9, 2023 14:39

First attempt to introduce pcr literals in command line

094c196

Refactoring as consequence of the signature changes in inner shared f…

1d05461

…unctions

Fixed unit tests for tpm2

f2b64b1

Extended tests for parsing of digest literals

8e3fecb

github-actions bot added util-lib tests repart tpm2 please-review PR is ready for (re-)review by a maintainer labels Jul 10, 2023

flixman closed this Jul 10, 2023

flixman reopened this Jul 10, 2023

flixman marked this pull request as draft July 10, 2023 12:00

github-actions bot added please-review PR is ready for (re-)review by a maintainer and removed please-review PR is ready for (re-)review by a maintainer labels Jul 10, 2023

flixman changed the title ~~Tpm/pcr literals~~ Enable systemd-cryptenroll to support pcr literals on the command line. Jul 10, 2023

Fixed use of outdated variable

1c263d3