mirror of
https://github.com/systemd/systemd
synced 2024-10-07 00:30:59 +00:00
creds: rename "tpm2-absent" encryption to "null" encryption
This is what it is after all: encryption with a NULL key. This is more descriptive, but also relevant since we want to use this kind of credentials in a different context soon: for carrying pcrlock data into a UKI. In that case we don#t want encryption, since the pcrlock data is intended to help unlocking secrets, hence should not be a secret itself. This only changes the code labels and the way this is labelled in the output. We retain compat with the old name.
This commit is contained in:
parent
01ae684782
commit
6d78dc2827
|
@ -310,7 +310,7 @@
|
|||
|
||||
<listitem><para>When specified with the <command>encrypt</command> command controls the
|
||||
encryption/signature key to use. Takes one of <literal>host</literal>, <literal>tpm2</literal>,
|
||||
<literal>host+tpm2</literal>, <literal>tpm2-absent</literal>, <literal>auto</literal>,
|
||||
<literal>host+tpm2</literal>, <literal>null</literal>, <literal>auto</literal>,
|
||||
<literal>auto-initrd</literal>. See above for details on the three key types. If set to
|
||||
<literal>auto</literal> (which is the default) the TPM2 key is used if a TPM2 device is found and not
|
||||
running in a container. The host key is used if <filename>/var/lib/systemd/</filename> is on
|
||||
|
@ -318,13 +318,13 @@
|
|||
chip and the OS installation, and both need to be available to decrypt the credential again. If
|
||||
<literal>auto</literal> is selected but neither TPM2 is available (or running in container) nor
|
||||
<filename>/var/lib/systemd/</filename> is on persistent media, encryption will fail. If set to
|
||||
<literal>tpm2-absent</literal> a fixed zero length key is used (thus, in this mode no confidentiality
|
||||
<literal>null</literal> a fixed zero length key is used (thus, in this mode no confidentiality
|
||||
nor authenticity are provided!). This logic is useful to cover for systems that lack a TPM2 chip but
|
||||
where credentials shall be generated. Note that decryption of such credentials is refused on systems
|
||||
that have a TPM2 chip and where UEFI SecureBoot is enabled (this is done so that such a locked down
|
||||
system cannot be tricked into loading a credential generated this way that lacks authentication
|
||||
information). If set to <literal>auto-initrd</literal> a TPM2 key is used if a TPM2 is found. If not
|
||||
a fixed zero length key is used, equivalent to <literal>tpm2-absent</literal> mode. This option is
|
||||
a fixed zero length key is used, equivalent to <literal>null</literal> mode. This option is
|
||||
particularly useful to generate credentials files that are encrypted/authenticated against TPM2 where
|
||||
available but still work on systems lacking support for this.</para>
|
||||
|
||||
|
|
|
@ -843,8 +843,8 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
arg_with_key = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
|
||||
else if (STR_IN_SET(optarg, "host+tpm2-with-public-key", "tpm2-with-public-key+host"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK;
|
||||
else if (streq(optarg, "tpm2-absent"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_TPM2_ABSENT;
|
||||
else if (STR_IN_SET(optarg, "null", "tpm2-absent"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_NULL;
|
||||
else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown key type: %s", optarg);
|
||||
|
||||
|
|
|
@ -760,7 +760,7 @@ int encrypt_credential_and_warn(
|
|||
CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
|
||||
CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
|
||||
CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
|
||||
CRED_AES256_GCM_BY_TPM2_ABSENT))
|
||||
CRED_AES256_GCM_BY_NULL))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid key type: " SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(with_key));
|
||||
|
||||
if (name && !credential_name_valid(name))
|
||||
|
@ -911,14 +911,14 @@ int encrypt_credential_and_warn(
|
|||
else if (host_key)
|
||||
id = CRED_AES256_GCM_BY_HOST;
|
||||
else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
|
||||
id = CRED_AES256_GCM_BY_TPM2_ABSENT;
|
||||
id = CRED_AES256_GCM_BY_NULL;
|
||||
else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
||||
"TPM2 not available and host key located on temporary file system, no encryption key available.");
|
||||
} else
|
||||
id = with_key;
|
||||
|
||||
if (sd_id128_equal(id, CRED_AES256_GCM_BY_TPM2_ABSENT))
|
||||
if (sd_id128_equal(id, CRED_AES256_GCM_BY_NULL))
|
||||
log_warning("Using a null key for encryption and signing. Confidentiality or authenticity will not be provided.");
|
||||
|
||||
/* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
|
||||
|
@ -1092,7 +1092,7 @@ int decrypt_credential_and_warn(
|
|||
struct encrypted_credential_header *h;
|
||||
struct metadata_credential_header *m;
|
||||
uint8_t md[SHA256_DIGEST_LENGTH];
|
||||
bool with_tpm2, with_host_key, is_tpm2_absent, with_tpm2_pk;
|
||||
bool with_tpm2, with_tpm2_pk, with_host_key, with_null;
|
||||
const EVP_CIPHER *cc;
|
||||
int r, added;
|
||||
|
||||
|
@ -1109,9 +1109,9 @@ int decrypt_credential_and_warn(
|
|||
with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
|
||||
with_tpm2_pk = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
|
||||
with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC) || with_tpm2_pk;
|
||||
is_tpm2_absent = sd_id128_equal(h->id, CRED_AES256_GCM_BY_TPM2_ABSENT);
|
||||
with_null = sd_id128_equal(h->id, CRED_AES256_GCM_BY_NULL);
|
||||
|
||||
if (!with_host_key && !with_tpm2 && !is_tpm2_absent)
|
||||
if (!with_host_key && !with_tpm2 && !with_null)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m");
|
||||
|
||||
if (with_tpm2_pk) {
|
||||
|
@ -1120,7 +1120,7 @@ int decrypt_credential_and_warn(
|
|||
return log_error_errno(r, "Failed to load pcr signature: %m");
|
||||
}
|
||||
|
||||
if (is_tpm2_absent) {
|
||||
if (with_null) {
|
||||
/* So this is a credential encrypted with a zero length key. We support this to cover for the
|
||||
* case where neither a host key not a TPM2 are available (specifically: initrd environments
|
||||
* where the host key is not yet accessible and no TPM2 chip exists at all), to minimize
|
||||
|
@ -1257,7 +1257,7 @@ int decrypt_credential_and_warn(
|
|||
return log_error_errno(r, "Failed to determine local credential key: %m");
|
||||
}
|
||||
|
||||
if (is_tpm2_absent)
|
||||
if (with_null)
|
||||
log_warning("Warning: using a null key for decryption and authentication. Confidentiality or authenticity are not provided.");
|
||||
|
||||
sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
|
||||
|
|
|
@ -67,7 +67,7 @@ int get_credential_user_password(const char *username, char **ret_password, bool
|
|||
#define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC SD_ID128_MAKE(93,a8,94,09,48,74,44,90,90,ca,f2,fc,93,ca,b5,53)
|
||||
#define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK \
|
||||
SD_ID128_MAKE(af,49,50,a8,49,13,4e,b1,a7,38,46,30,4f,f3,0c,05)
|
||||
#define CRED_AES256_GCM_BY_TPM2_ABSENT SD_ID128_MAKE(05,84,69,da,f6,f5,43,24,80,05,49,da,0f,8e,a2,fb)
|
||||
#define CRED_AES256_GCM_BY_NULL SD_ID128_MAKE(05,84,69,da,f6,f5,43,24,80,05,49,da,0f,8e,a2,fb)
|
||||
|
||||
/* Two special IDs to pick a general automatic mode (i.e. tpm2+host if TPM2 exists, only host otherwise) or
|
||||
* an initrd-specific automatic mode (i.e. tpm2 if firmware can do it, otherwise fixed zero-length key, and
|
||||
|
|
Loading…
Reference in a new issue