rancher/kcrypt
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt.git synced 2025-04-28 03:30:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Sign uki tpm stuff with a policy (#39)

Browse Source
This commit is contained in:
Itxaka 2023-12-15 16:47:56 +01:00 committed by GitHub
parent 12a8d5d33c
commit 99c1c93d26
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
pkg/lib/lock.go
View File

@ -71,8 +71,13 @@ func Luksify(label, version string, tpm bool) (string, error) {
return "", err
}
if tpm {
// Enroll PCR values as an unlock method
args := []string{"--tpm2-device=auto", "--tpm2-pcrs=7+8+9", part}
// Enroll PCR policy as a keyslot
// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
// Files are generated by systemd automatically and are extracted from the UKI binary directly
// public pem cert -> .pcrpkey section fo the elf file
// signatures -> .pcrsig section of the elf file
args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device=auto", part}
cmd := exec.Command("systemd-cryptenroll", args...)
cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
cmd.Stdout = os.Stdout