From 84bcb16fb9b87533d938e7247f471bc604205aa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Old=C5=99ich=20Jedli=C4=8Dka?= Date: Tue, 2 Jul 2024 22:24:17 +0200 Subject: [PATCH] Mention TPM 1.2 support in README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oldřich Jedlička --- README.md | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 4e1784f7..1a13f46c 100644 --- a/README.md +++ b/README.md @@ -62,20 +62,40 @@ advertisement is stored, or the JSON contents of the advertisement itself. When the advertisement is specified manually like this, Clevis presumes that the advertisement is trusted. -#### PIN: TPM2 +#### PIN: TPM1 and TPM2 -Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) -chip. The cryptographically-strong, random key used for encryption is encrypted -using the TPM2 chip, and is decrypted using TPM2 at the time of decryption to allow clevis to decrypt the secret stored in the JWE. +Clevis provides support to encrypt a key in a Trusted Platform Module 1.2 (TPM1) +and 2.0 (TPM2) chips. The cryptographically-strong, random key used for +encryption is encrypted using the TPM chip, and is decrypted using TPM at the +time of decryption to allow clevis to decrypt the secret stored in the JWE. -For example: +For example for TPM1 pin: + +```bash +$ echo hi | clevis encrypt tpm1 '{}' > hi.jwe +``` + +or TPM2 pin: ```bash $ echo hi | clevis encrypt tpm2 '{}' > hi.jwe ``` Clevis store the public and private keys of the encrypted key in the JWE object, -so those can be fetched on decryption to unseal the key encrypted using the TPM2. +so those can be fetched on decryption to unseal the key encrypted using the TPM +chip. + +Check manual pages for `clevis-encrypt-tpm1` and `clevis-encrypt-tpm2` tools for +more options, like binding to a particular PCR registry states and/or values. + +##### TPM1 PIN Limitations + +To prevent asking for the password during unlocking, encryption and decryption +expects that the well-known storage root key (SRK) has been configured when +gaining the TPM 1.2 chip ownership. This means that either the +`tpm_takeownership --srk-well-known` command has been used during setup or +`tpm_changeownerauth --srk --well-known` has been called to change it. Please +note that the _well-known key_ is not equivalent to an empty key. #### PIN: PKCS#11 @@ -455,7 +475,7 @@ $ sudo dnf install clevis clevis-dracut clevis-udisks2 ## Manual compilation As remarked in the previous section, **it is suggested not to install Clevis directly**. -However, in case no Clevis packages exist for your Linux distribution, the steps to +However, in case no Clevis packages exist for your Linux distribution, the steps to manually compile and install Clevis are next ones: * Download latest version of the binaries (not that the latest version could change): @@ -465,7 +485,7 @@ $ wget https://github.com/latchset/clevis/releases/download/v19/clevis-19.tar.xz * Untar the binaries file: ```bash -$ tar Jxvf clevis-19.tar.xz +$ tar Jxvf clevis-19.tar.xz ``` * Create build directory and change path to it: