Enable systemd-cryptenroll to support pcr literals on the command line. #28339
Conversation
An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
I'm also working on adding this, BTW....
@poettering @ddstreet I have been traveling for the last two days. After your remark on the issue I have moved everything to hashmap and I am applying the coding style. My apologies for the (lack of) quality of this draft, but its purpose was only to show the proposal to get any architectural concerns. I hope I will finish this in the coming few days (I am still on the go, with limited time :-/).

@ddstreet: on your remark about tpm2_pcr_from_string: I am currently changing the signature of tpm2_pcr_from_string so that it does not return the literals mask and the values themselves, but only a <bank, pcrs> hashmap, where pcrs is another <index, digest>, in which digest is a TPM2B_DIGEST. Additionally, I am providing a function that, given the pcrs hashmap, will return the mask for those literals.

@poettering: I will incorporate your remarks in the coming commits. Thank you very much!

I am having a bit of a problem accessing a hashmap whose values are also hashmaps, but I will update the PR as soon as I get around it. I am committing my work in progress. It is not yet for review, but to show the status of the work.
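The comment above describes parsing literal PCR values into a bank/index/digest structure and deriving the PCR mask from the parsed indices. The following is an added example for this page, not code from this PR or from systemd: it assumes a `bank:index=hexdigest` literal syntax (the PR's own syntax is cut off on this page), rejects a digest whose length does not match the named bank, and computes the mask over a flat array instead of a hashmap.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TPM2_PCRS_MAX 24   /* a bank has PCR indices 0..23 */
/* One literal PCR value: bank name, index and raw digest (assumed syntax "bank:index=hexdigest"). */
typedef struct {
        char bank[8];
        unsigned index;
        uint8_t digest[64];   /* large enough for sha512 */
        size_t digest_size;
} PcrLiteral;

/* Digest length each bank requires; 0 means the bank name is not recognised. */
static size_t bank_digest_size(const char *bank) {
        return strcmp(bank, "sha1") == 0 ? 20 : strcmp(bank, "sha256") == 0 ? 32 :
               strcmp(bank, "sha384") == 0 ? 48 : strcmp(bank, "sha512") == 0 ? 64 : 0;
}
/* Parse "bank:index=hexdigest" into *out. Returns 0 on success, -1 on malformed input
 * (unknown bank, index out of range, digest length not matching the bank, non-hex digit). */
int pcr_literal_parse(const char *s, PcrLiteral *out) {
        const char *colon = strchr(s, ':'), *eq = strchr(s, '=');
        if (!colon || !eq || eq < colon) return -1;
        size_t bank_len = (size_t) (colon - s);
        if (bank_len == 0 || bank_len >= sizeof(out->bank)) return -1;
        memcpy(out->bank, s, bank_len);
        out->bank[bank_len] = '\0';
        char *end;
        unsigned long idx = strtoul(colon + 1, &end, 10);
        if (!isdigit((unsigned char) colon[1]) || end != eq || idx >= TPM2_PCRS_MAX) return -1;
        size_t want = bank_digest_size(out->bank);
        if (want == 0 || strlen(eq + 1) != 2 * want) return -1;
        for (size_t i = 0; i < want; i++) {
                char byte[3] = { eq[1 + 2 * i], eq[2 + 2 * i], '\0' };
                if (!isxdigit((unsigned char) byte[0]) || !isxdigit((unsigned char) byte[1])) return -1;
                out->digest[i] = (uint8_t) strtoul(byte, NULL, 16);
        }
        out->digest_size = want;
        out->index = (unsigned) idx;
        return 0;
}

/* Bitmask of the PCR indices a set of parsed literals covers (bit n set for index n). */
uint32_t pcr_literals_mask(const PcrLiteral *lits, size_t n) {
        uint32_t mask = 0;
        for (size_t i = 0; i < n; i++) mask |= UINT32_C(1) << lits[i].index;
        return mask;
}
```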
I don't mean to step on your work, but I have #28398 which I think is a more comprehensive approach.
@ddstreet Good! Then I stop on that. Good luck!
THIS IS WORK IN PROGRESS.
The current implementation of tpm2-related tools in systemd-cryptenroll supports specifying a PCR index, but not giving a literal hash value. This PR provides such functionality. The idea is to reuse as much code as possible, so the specification of the registers would go like