kcrypt-challenger/cmd/discovery/client/enc.go

package client

import (
	"encoding/json"
	"fmt"

	"github.com/kairos-io/kairos-challenger/pkg/constants"

	"github.com/jaypipes/ghw/pkg/block"
	"github.com/kairos-io/tpm-helpers"
	"github.com/mudler/yip/pkg/utils"
	"github.com/pkg/errors"
)

func getPass(server string, partition *block.Partition) (string, bool, error) {
	msg, err := tpm.Get(server,
		tpm.WithAdditionalHeader("label", partition.Label),
		tpm.WithAdditionalHeader("name", partition.Name),
		tpm.WithAdditionalHeader("uuid", partition.UUID))
	if err != nil {
		return "", false, err
	}
	result := map[string]interface{}{}
	err = json.Unmarshal(msg, &result)
	if err != nil {
		return "", false, errors.Wrap(err, string(msg))
	}
	gen, generated := result["generated"]
	p, ok := result["passphrase"]
	if ok {
		return fmt.Sprint(p), generated && gen == constants.TPMSecret, nil
	}
	return "", false, partNotFound
}

func genAndStore(k Config) (string, error) {
	opts := []tpm.TPMOption{}
	if k.Kcrypt.TPMDevice != "" {
		opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
	}
	if k.Kcrypt.CIndex != "" {
		opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))
	}

	// Generate a new one, and return it to luks
	rand := utils.RandomString(32)
	blob, err := tpm.EncodeBlob([]byte(rand))
	if err != nil {
		return "", err
	}
	nvindex := "0x1500000"
	if k.Kcrypt.NVIndex != "" {
		nvindex = k.Kcrypt.NVIndex
	}
	opts = append(opts, tpm.WithIndex(nvindex))
	return rand, tpm.StoreBlob(blob, opts...)
}

func localPass(k Config) (string, error) {
	index := "0x1500000"
	if k.Kcrypt.NVIndex != "" {
		index = k.Kcrypt.NVIndex
	}
	opts := []tpm.TPMOption{tpm.WithIndex(index)}
	if k.Kcrypt.TPMDevice != "" {
		opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
	}
	encodedPass, err := tpm.ReadBlob(opts...)
	if err != nil {
		// Generate if we fail to read from the assigned blob
		return genAndStore(k)
	}

	// Decode and give it back
	opts = []tpm.TPMOption{}
	if k.Kcrypt.CIndex != "" {
		opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))
	}
	if k.Kcrypt.TPMDevice != "" {
		opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
	}
	pass, err := tpm.DecodeBlob(encodedPass, opts...)
	return string(pass), err
}
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`package client`

			`import (`
			`"encoding/json"`
			`"fmt"`

			`"github.com/kairos-io/kairos-challenger/pkg/constants"`

			`"github.com/jaypipes/ghw/pkg/block"`
			`"github.com/kairos-io/tpm-helpers"`
			`"github.com/mudler/yip/pkg/utils"`
			`"github.com/pkg/errors"`
			`)`

			`func getPass(server string, partition *block.Partition) (string, bool, error) {`
			`msg, err := tpm.Get(server,`
			`tpm.WithAdditionalHeader("label", partition.Label),`
			`tpm.WithAdditionalHeader("name", partition.Name),`
			`tpm.WithAdditionalHeader("uuid", partition.UUID))`
			`if err != nil {`
			`return "", false, err`
			`}`
			`result := map[string]interface{}{}`
			`err = json.Unmarshal(msg, &result)`
			`if err != nil {`
			`return "", false, errors.Wrap(err, string(msg))`
			`}`
			`gen, generated := result["generated"]`
			`p, ok := result["passphrase"]`
			`if ok {`
			`return fmt.Sprint(p), generated && gen == constants.TPMSecret, nil`
			`}`
			`return "", false, partNotFound`
			`}`

			`func genAndStore(k Config) (string, error) {`
			`opts := []tpm.TPMOption{}`
			`if k.Kcrypt.TPMDevice != "" {`
			`opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))`
			`}`
			`if k.Kcrypt.CIndex != "" {`
			`opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))`
			`}`

			`// Generate a new one, and return it to luks`
			`rand := utils.RandomString(32)`
			`blob, err := tpm.EncodeBlob([]byte(rand))`
			`if err != nil {`
			`return "", err`
			`}`
			`nvindex := "0x1500000"`
			`if k.Kcrypt.NVIndex != "" {`
			`nvindex = k.Kcrypt.NVIndex`
			`}`
			`opts = append(opts, tpm.WithIndex(nvindex))`
			`return rand, tpm.StoreBlob(blob, opts...)`
			`}`

			`func localPass(k Config) (string, error) {`
			`index := "0x1500000"`
			`if k.Kcrypt.NVIndex != "" {`
			`index = k.Kcrypt.NVIndex`
			`}`
			`opts := []tpm.TPMOption{tpm.WithIndex(index)}`
			`if k.Kcrypt.TPMDevice != "" {`
			`opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))`
			`}`
			`encodedPass, err := tpm.ReadBlob(opts...)`
			`if err != nil {`
			`// Generate if we fail to read from the assigned blob`
			`return genAndStore(k)`
			`}`

			`// Decode and give it back`
			`opts = []tpm.TPMOption{}`
			`if k.Kcrypt.CIndex != "" {`
			`opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))`
			`}`
			`if k.Kcrypt.TPMDevice != "" {`
			`opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))`
			`}`
			`pass, err := tpm.DecodeBlob(encodedPass, opts...)`
			`return string(pass), err`
			`}`