| Message ID | 20240524163509.2372441-1-Quirin.Gylstorff@siemens.com |
|---|---|
| State | Superseded |
| Series | [isar-cip-core] encrypt_partition.clevis: clevis > v19 support multiple tpm2 device |
On 24.05.24 18:18, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This allows us to select a tpm2 device which supports
> all requirements.

This is not yet an accurate subject and description. You are fixing a code path in clevis which exists for systemd, and that code path has the task to open a specific tpm device according to the interface between the generic part and the clevis/systemd scripts. Is that right?

Jan

>
> Reported-by: Gokhan Cetin <gokhan.cetin@siemens.com>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  .../files/encrypt_partition.clevis.script | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > index ddb3eab..a7a5009 100644 > --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.clevis.script > @@ -13,8 +13,8 @@ > open_tpm2_partition() { > partition_device="$1" > crypt_mount_name="$2" > - #tpm_device="$3" > - if ! /usr/bin/clevis luks unlock -n "$crypt_mount_name" \ > + tpm_device="$3" > + if ! TPM2TOOLS_TCTI=$tpm_device usr/bin/clevis luks unlock -n "$crypt_mount_name" \ > -d "$partition_device"; then > panic "Can't decrypt '$partition_device' !" > fi
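Review bot: the new unlock line in open_tpm2_partition loses the leading slash of the clevis path: `+ if ! TPM2TOOLS_TCTI=$tpm_device usr/bin/clevis luks unlock -n "$crypt_mount_name" \` replaces `/usr/bin/clevis` with the relative path `usr/bin/clevis`, which only resolves when the initramfs hook happens to run with `/` as its working directory and otherwise makes every unlock fall into `panic "Can't decrypt ..."`. Restore `/usr/bin/clevis`. It would also help to state, in the commit message or a comment next to `tpm_device="$3"`, what the third argument is expected to carry: TPM2TOOLS_TCTI takes a TCTI specification (for example `device:/dev/tpmrm0`), so if the caller passes a bare device node the loader prefix has to be added here or by the caller.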
> @@ -23,11 +23,11 @@ open_tpm2_partition() { > enroll_tpm2_token() { > partition_device="$1" > passphrase="$2" > - #tpm_device="$3" > + tpm_device="$3" > tpm_key_algorithm="$4" > pcr_bank_hash_type="$5" > if [ -x /usr/bin/clevis ]; then > - clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" > + TPM2TOOLS_TCTI=$tpm_device clevis luks bind -d "$partition_device" tpm2 '{"key":"'"$tpm_key_algorithm"'", "pcr_bank":"'"$pcr_bank_hash_type"'","pcr_ids":"7"}' < "$passphrase" > else > panic "clevis not available cannot enroll tpm2 key!" > fi
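Review bot: enroll_tpm2_token hands `$tpm_device` straight to `TPM2TOOLS_TCTI=$tpm_device clevis luks bind ...` without checking it, and the only guard in this function is `if [ -x /usr/bin/clevis ]`. If a caller leaves the third argument empty, clevis and the tpm2-tools it invokes receive an empty TPM2TOOLS_TCTI rather than no variable at all, and whether that falls back to the default loader is then up to tpm2-tools. Panic early when `$tpm_device` is empty, in the same style as the existing `panic "clevis not available cannot enroll tpm2 key!"`, or export the variable only when it is set; the same guard belongs in open_tpm2_partition so that enrolment and unlock are bound to the same device.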