clevis-pin-tpm2

Crates.ioclevis-pin-tpm2
lib.rsclevis-pin-tpm2
version0.5.1
sourcesrc
created_at2020-08-21 08:03:08.617364
updated_at2021-12-10 10:14:33.564661
descriptionClevis TPM2 PIN with policy support
homepagehttps://github.com/fedora-iot/clevis-pin-tpm2
repository
max_upload_size
id279071
size55,910
Security Engineering (github:fedora-iot:security-engineering)

documentation

README

clevis-pin-tpm2

Rewritten Clevis TPM2 PIN

This rewrite supports all previously encrypted values of the PCR-only clevis TPM2 PIN. Additionally, it supports Authorized Policies to delegate authorization of PCR values to an external party.

Creating policies

A reference implementation has been made available for creating policies as parsed by this pin. To use this, first create a policy (see instructions in the repository) and take the output signed policy and the public key JSON. These files need to be available when the PIN runs, so if the pin is used to encrypt the filesystem root, it will probably need to be in /boot. Then run: $binary encrypt '{"policy_pubkey_path": "/boot/policy_pubkey.json", "policy_ref": "", "policy_path": "/boot/policy.json"}' <somefile. This results in an encrypted blob. During the encryption, the policy pubkey needs to exist, the policy does not.

To decrypt this blob, the file specified in the policy_path during encrypt needs to contain a policy that matches the policy_ref with any steps that would match the current PCRs of the system. If that's the case, $binary decrypt <blob will return the contents of the original file back.

Commit count: 0

cargo fmt