Store LUKS passphrase in TPM NVRAM #3498

Draft
wants to merge 11 commits into
base: master

@jakogut jakogut commented Aug 23, 2024


Contributor checklist

Reviewer Guidelines

  • When submitting a review, please pick:
    • 'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
    • 'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
    • 'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)

github-actions bot commented Aug 23, 2024

Website deployed to CF Pages, 👀 preview link https://90ae82ad.balena-os.pages.dev

@jakogut jakogut force-pushed the jakogut/luks-passphrase-nvram branch from 5b17e35 to 19336fa Compare September 30, 2024 16:21
flowzone-app bot and others added 11 commits November 27, 2024 16:54
Add function to tpm2 helpers to retrieve a passphrase stored in the
TPM's nvram.

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

Attempt to retrieve the LUKS passphrase from TPM nvram during boot.

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

Add function to tpm2 helpers to store a LUKS passphrase in the TPM's
NVRAM, protected by a policy.

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

In several places currently, a PCR digest value binary is generated to
create a PCR policy from, either to secure a secret using the TPM, or
update an existing policy.

Add a function to os-helpers-tpm2 to unify this.

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

Change-type: minor
Signed-off-by: Joseph Kogut <joseph@balena.io>

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

Rename vars in print_pcr_val_bin to prevent conflicts and accidental
changes to globals.

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
@jakogut jakogut force-pushed the jakogut/luks-passphrase-nvram branch from 9b5e487 to e96f042 Compare November 28, 2024 01:25
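
The commits above describe building a PCR policy from a binary of PCR values and using it to protect a secret in NVRAM. As an added illustration (not code from this pull request or from balenaOS), the sketch below computes the policy digest that a single TPM2_PolicyPCR step produces for the SHA-256 bank, following the TPM 2.0 definition, and shows that it changes when a measured component changes. The PCR indices, the measurements and all function names are constructed for the example.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B         # TPM_ALG_ID of the SHA-256 PCR bank
TPM_CC_POLICY_PCR = 0x0000017F  # command code of TPM2_PolicyPCR


def pcr_selection(indices, bank=TPM_ALG_SHA256, size_of_select=3):
    """Marshal a one-bank TPML_PCR_SELECTION (PCR n -> byte n // 8, bit n % 8)."""
    bitmap = bytearray(size_of_select)
    for n in indices:
        if not 0 <= n < size_of_select * 8:
            raise ValueError(f"PCR index {n} out of range")
        bitmap[n // 8] |= 1 << (n % 8)
    return struct.pack(">IHB", 1, bank, size_of_select) + bytes(bitmap)


def pcr_values_blob(pcrs):
    """Concatenate the selected PCR values in ascending index order."""
    for n, value in pcrs.items():
        if len(value) != hashlib.sha256().digest_size:
            raise ValueError(f"PCR {n} is not a SHA-256 value")
    return b"".join(pcrs[n] for n in sorted(pcrs))


def policy_pcr_digest(pcrs):
    """policyDigest after one TPM2_PolicyPCR in a fresh SHA-256 policy session."""
    digest_tpm = hashlib.sha256(pcr_values_blob(pcrs)).digest()
    start = bytes(32)  # a new policy session starts from an all-zero digest
    return hashlib.sha256(
        start
        + struct.pack(">I", TPM_CC_POLICY_PCR)
        + pcr_selection(pcrs.keys())
        + digest_tpm
    ).digest()


def extend(pcr, data):
    """PCR extend: new = SHA-256(old || SHA-256(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


# Constructed sample state: PCRs 0, 2, 3 and 7 after made-up measurements.
SAMPLE_PCRS = {n: extend(bytes(32), f"stage-{n}".encode()) for n in (0, 2, 3, 7)}

if __name__ == "__main__":
    print("policy at provisioning:", policy_pcr_digest(SAMPLE_PCRS).hex())
    changed = dict(SAMPLE_PCRS)
    changed[7] = extend(changed[7], b"unexpected boot component")
    print("policy after change   :", policy_pcr_digest(changed).hex())
```

An NVRAM index defined with the first digest as its authorization policy can only be read while the selected PCRs reproduce it, which is why a policy update has to be computed from the expected post-update PCR values.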