
new pcrlock tool for generating signed PCR policies for PCR 0, 1, 4, … #28891

Merged
merged 21 commits into from Nov 3, 2023

Commits on Nov 3, 2023

  1. 981f762
  2. a63b260
  3. f88f929
  4. 199d758
  5. 8f3f9c2
  6. tpm2-util: add helpers for marshalling public/private keys

    Note: we export these new symbols for now. A later commit in this PR
    will make them static again. The only reason they are exported here is
    to make sure gcc doesn't complain about unused static symbols, and I
    really wanted to commit them in a separate commit.
    poettering committed Nov 3, 2023
    9fe3b63
  7. 3600620
  8. f7be7a2
  9. 34657b1
  10. 2cd8f75
  11. tpm2-util: add helper for creating/removing/updating NV index with stored policy

    This is the primary core of what pcrlock is supposed to do eventually:
    maintain a TPM2 policy hash inside an NV index which we then can
    reference via a PolicyAuthorizeNV expression to lock other objects
    against it.
    poettering committed Nov 3, 2023
    48d0605
  12. tpm2-util: add generic helpers for sealing/unsealing data

    These helpers tpm2_seal_data()/tpm2_unseal_data() are useful for
    sealing/unsealing data without any further semantics around them. This
    is different from the existing tpm2_seal()/tpm2_unseal() which seal with
    a specific policy and serialize in a specific way, as we use it for disk
    encryption.
    
    These new helpers are more generic, they do not serialize in a specific
    way or imply policy, they are just the core of the sealing/unsealing.
    
    (We should look into porting tpm2_seal()/tpm2_unseal() onto these new
    helpers, but this isn't trivial, since the classic serialization we use
    uses a merged marshalling of private/public key, which we'd have to
    change in one way or another)
    poettering committed Nov 3, 2023
    ce80da0
  13. tpm2-util: make various marshalling/unmarshalling calls static, as we only use them internally in tpm2-util.c

    Note, some of these were just added in this same PR. We only exported
    them initially to make sure gcc doesn't complain about unused local
    symbols.
    poettering committed Nov 3, 2023
    40ce732
  14. tpm2-util: add common array for TPM2 hash algorithms

    This is useful to enumerate all hash algorithms we want to predict
    measurements for.
    poettering committed Nov 3, 2023
    b52e950
  15. a434270
  16. tree-wide: hook everything up with pcrlock policy

    Make sure cryptenroll and repart can enroll TPM2 policies with pcrlock
    logic.
    
    Make sure cryptsetup can unlock TPM2 policies with pcrlock in effect.
    poettering committed Nov 3, 2023
    404aea7
  17. pcrlock: add pre-defined pcrlock files

    These cover well-known measurements done by the UEFI firmware or
    systemd.
    poettering committed Nov 3, 2023
    8e35338
  18. units: add units that put together and install a TPM2 PCR policy at boot

    (This is disabled by default, for now)
    poettering committed Nov 3, 2023
    809def1
  19. man: document pcrlock

    poettering committed Nov 3, 2023
    e206210
  20. test: add pcrlock integration test

    (Contains various test additions added by @mrc0mmand)
    poettering committed Nov 3, 2023
    3e6a25a
  21. update TODO

    poettering committed Nov 3, 2023
    e43f87a