File fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch of Package fde-tools
From fcabeca594d090e4172b88ae5176c947b2dd7c45 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 1 Dec 2023 17:11:22 +0800
Subject: [PATCH] Switch to "--target-platform" when available
Check if pcr-oracle supports "--target-platform" and replace
"--key-format" with "--target-platform" if the option is available.
Signed-off-by: Gary Lin <glin@suse.com>
---
share/grub2 | 5 +++++
share/systemd-boot | 10 ++++++++++
share/tpm | 37 +++++++++++++++++++++++++++----------
3 files changed, 42 insertions(+), 10 deletions(-)
Index: fde-tools-0.7.2/share/grub2
===================================================================
--- fde-tools-0.7.2.orig/share/grub2
+++ fde-tools-0.7.2/share/grub2
@@ -34,6 +34,7 @@ alias bootloader_get_keyslots=grub_get_k
alias bootloader_remove_keyslots=grub_remove_keyslots
alias bootloader_wipe=grub_wipe
alias bootloader_rsa_sizes=grub_rsa_sizes
+alias bootloader_platform_parameters=grub_platform_parameters
##################################################################
# Edit a variable in /etc/default/grub
@@ -244,3 +245,7 @@ function grub_rsa_sizes {
# TPM 2.0 should at least support RSA2048.
echo "2048"
}
+
+function grub_platform_parameters {
+ echo "--target-platform tpm2.0"
+}
Index: fde-tools-0.7.2/share/systemd-boot
===================================================================
--- fde-tools-0.7.2.orig/share/systemd-boot
+++ fde-tools-0.7.2/share/systemd-boot
@@ -37,6 +37,7 @@ alias bootloader_get_keyslots=systemd_ge
alias bootloader_remove_keyslots=systemd_remove_keyslots
alias bootloader_wipe=systemd_wipe
alias bootloader_rsa_sizes=systemd_rsa_sizes
+alias bootloader_platform_parameters=systemd_platform_parameters
function not_implemented {
@@ -183,3 +184,12 @@ function systemd_wipe {
function systemd_rsa_sizes {
echo "2048"
}
+
+##################################################################
+# This function shows the boot loader specific parameters for
+# pcr-oracle.
+##################################################################
+function systemd_platform_parameters {
+
+ echo "--target-platform systemd"
+}
Index: fde-tools-0.7.2/share/tpm
===================================================================
--- fde-tools-0.7.2.orig/share/tpm
+++ fde-tools-0.7.2/share/tpm
@@ -82,22 +82,40 @@ function tpm_get_rsa_key_size {
echo "$__fde_rsa_key_size"
}
+function tpm_platform_parameters {
+ declare -g __fde_platform_param
+
+ if [ -n "$__fde_platform_param" ]; then
+ echo "$__fde_platform_param"
+ return
+ fi
+
+ # Check if pcr-oracle supports "--target-platform"
+ if pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then
+ __fde_platform_param="--key-format tpm2.0"
+ echo "$__fde_platform_param"
+ return
+ fi
+
+ __fde_platform_param=$(bootloader_platform_parameters)
+ echo "$__fde_platform_param"
+}
+
function tpm_seal_key {
local secret=$1
local sealed_secret=$2
- local opt_rsa_bits=
+ local extra_opts=$(tpm_platform_parameters)
local rsa_size=$(tpm_get_rsa_key_size)
if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
- opt_rsa_bits="--rsa-bits ${rsa_size}"
+ extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
fi
echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
- pcr-oracle ${opt_rsa_bits} \
+ pcr-oracle ${extra_opts} \
--input "$secret" --output "$sealed_secret" \
- --key-format tpm2.0 \
--algorithm "$FDE_SEAL_PCR_BANK" \
--from eventlog \
--stop-event "$FDE_STOP_EVENT" \
@@ -151,19 +169,18 @@ function tpm_seal_secret {
local sealed_secret="$2"
local authorized_policy="$3"
- local opt_rsa_bits=
+ local extra_opts=$(tpm_platform_parameters)
local rsa_size=$(tpm_get_rsa_key_size)
if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
- opt_rsa_bits="--rsa-bits ${rsa_size}"
+ extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
fi
# If we are expected to use an authorized policy, seal the secret
# against that, using pcr-oracle rather than the tpm2 tools
if [ -n "$authorized_policy" ]; then
- pcr-oracle ${opt_rsa_bits} \
+ pcr-oracle ${extra_opts} \
--authorized-policy "$authorized_policy" \
- --key-format tpm2.0 \
--input $secret \
--output $sealed_secret \
seal-secret
@@ -246,8 +263,9 @@ function tpm_authorize {
sealed_key_file="$2"
signed_key_file="$3"
- pcr-oracle \
- --key-format tpm2.0 \
+ local extra_opts=$(tpm_platform_parameters)
+
+ pcr-oracle ${extra_opts} \
--algorithm "$FDE_SEAL_PCR_BANK" \
--private-key "$private_key_file" \
--from eventlog \