Store LUKS passphrase in TPM NVRAM #3498

Draft
wants to merge 11 commits into
base: master

Commits on Nov 28, 2024

  1. v6.0.47

    flowzone-app[bot] authored and jakogut committed Nov 28, 2024
    bc3ab7b
  2. os-helpers-tpm2: add tpm_nvram_retrieve_passphrase

    Add function to tpm2 helpers to retrieve a passphrase stored in the
    TPM's nvram.
    
    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    d135b72
  3. cryptsetup-efi-tpm: retrieve passphrase from TPM

    Attempt to retrieve the LUKS passphrase from TPM nvram during boot.
    
    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    6e12845
  4. os-helpers-tpm2: add size param to hw_gen_passphrase

    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    92ddc37
  5. os-helpers-tpm2: add tpm_nvram_store_passphrase

    Add function to tpm2 helpers to store a LUKS passphrase in the TPM's
    NVRAM, protected by a policy.
    
    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    1c3773c
  6. os-helpers-tpm2: add generate_pcr_digests

    In several places currently, a PCR digest value binary is generated to
    create a PCR policy from, either to secure a secret using the TPM, or
    update an existing policy.
    
    Add a function to os-helpers-tpm2 to unify this.
    
    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    5d52b26
  7. balena-init-flasher-tpm: write LUKS passphrase to TPM nvram

    Change-type: minor
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    aca3ddd
  8. balena-init-flasher-tpm: use generate_pcr_digests

    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    0a8b8d1
  9. hostapp-update-hooks: use generate_pcr_digests

    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    33a2ea6
  10. hup: signed-update: store passphrase in TPM

    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    e6c8daf
  11. os-helpers-tpm2: lowercase vars in print_pcr_val_bin

    Rename vars in print_pcr_val_bin to prevent conflicts and accidental
    changes to globals.
    
    Change-type: patch
    Signed-off-by: Joseph Kogut <joseph@balena.io>
    jakogut committed Nov 28, 2024
    e96f042