Manpage update by job 637278

наб autouploader 2021-11-28 00:41:42 +00:00
parent ec58fed379
commit 0ac29cb0e2
16 changed files with 552 additions and 329 deletions

Binary file not shown.

tzpfms.ps

@ -1,6 +1,6 @@
%!PS-Adobe-3.0
%%Creator: groff version 1.22.4
%%CreationDate: Thu Nov 25 15:34:51 2021
%%CreationDate: Sun Nov 28 00:41:42 2021
%%DocumentNeededResources: font Times-Roman
%%+ font Times-Bold
%%+ font Courier-Bold
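Review bot: the only change in this hunk is the `%%CreationDate` comment (`Thu Nov 25 15:34:51 2021` → `Sun Nov 28 00:41:42 2021`), i.e. the wall-clock time of the regeneration rather than a content change; if the rendered PostScript is meant to be tracked in the repository, consider pinning the build time (groff 1.22.4 honours `SOURCE_DATE_EPOCH`) so that an unchanged manual regenerates byte-identically and only real edits show up in a diff.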
@ -9,7 +9,7 @@
%%+ font Symbol
%%+ font Times-Italic
%%DocumentSuppliedResources: procset grops 1.22 4
%%Pages: 13
%%Pages: 14
%%PageOrder: Ascend
%%DocumentMedia: Default 595 842 0 () ()
%%Orientation: Portrait
@ -306,8 +306,8 @@ E F3(back-end)2.5 E F0(.)A F2<ad6c>103.666 474 Q F0
(tarta-zoot/home TPM2)102 654 R 6(unavailable yes)36 F($)102 678 Q F2
1.666(zfs-tpm-list \255ra)6 F F3(tarta-zoot)6 E F4 72(NAME BACK-END)102
690 R 18(KEYSTATUS COHERENT)12 F 36(tarta-zoot TPM1.X)102 702 R 18
(available yes)24 F F0(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15
G(mber 25, 2021).15 E(1)189.295 E 0 Cg EP
(available yes)24 F F0(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15
G(mber 28, 2021).15 E(1)189.295 E 0 Cg EP
%%Page: 2 2
%%BeginPageSetup
BP
@ -329,8 +329,8 @@ E(ers)-.1 E F3(REPOR)72 300 Q 1.666(TING B)-.4 F(UGS)-.1 E
(https://todo.sr)102 312 Q(.ht/~nabijaczleweli/tzpfms)-1 E F1
(~nabijaczleweli/tzpfms@lists.sr.ht)102 330 Q F0 2.5(,a)C(rchi)-2.5 E
-.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F3(https://lists.sr)2.5 E
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(2)189.295 E 0 Cg EP
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(2)189.295 E 0 Cg EP
%%Page: 3 3
%%BeginPageSetup
BP
@ -342,10 +342,11 @@ BP
108 Q F0 2.5<8a63>2.5 G(hange ZFS dataset k)-2.5 E .3 -.15(ey t)-.1 H
2.5(oo).15 G(ne stored on the TPM)-2.5 E F1(SYNOPSIS)72 132 Q F2
(zfs-tpm1x-change-key)102 144 Q F0([)3.333 E F2<ad62>2.499 E/F3 10
/Courier-Oblique@0 SF(backup-file)6 E F0(]).833 E F3(dataset)2.5 E F1
(DESCRIPTION)72 168 Q F0 4.76 -.8(To n)102 180 T 3.16(ormalise the).8 F
F3(dataset)5.66 E F0(,)A F2(zfs-tpm1x-change-key)5.66 E F0 3.16
(will open its encryption root in its stead.)5.66 F F2
/Courier-Oblique@0 SF(backup-file)6 E F0 3.333(][).833 G F2<ad50>-.834 E
F3(PCR)6 E F0([)A F2(,)A F3(PCR)A F0 1.666(]...)C(])-.833 E F3(dataset)
2.5 E F1(DESCRIPTION)72 168 Q F0 4.76 -.8(To n)102 180 T 3.16
(ormalise the).8 F F3(dataset)5.66 E F0(,)A F2(zfs-tpm1x-change-key)5.66
E F0 3.16(will open its encryption root in its stead.)5.66 F F2
(zfs-tpm1x-change-key)102 192 Q F0(will)3.264 E/F4 10/Times-Italic@0 SF
(ne)3.264 E(ver)-.15 E F0 .764(create or destro)3.264 F 3.264(ye)-.1 G
.764(ncryption roots; use)-3.264 F/F5 10/Courier@0 SF(zfs-change-key)
@ -377,11 +378,11 @@ F F1(TPM1.X)4.731 E F0(-back-ended)A F2(tzpfms)4.731 E F0 3.897
(zfs-tpm1x-clear-key)2.5 E F0 -.834(\(8\) \) .)B F5(tzpfms.key)102 396 Q
F0 .334(is a colon-separated pair of he)2.834 F .333
(xadecimal-string \(i.e. "4F7730" for "Ow0"\) blobs; the \214rst one)
-.15 F .676(represents the RSA k)102 408 R .976 -.15(ey p)-.1 H .676
(rotecting the blob, and it is protected with either the passw).15 F
.676(ord, if pro)-.1 F .677(vided, or the)-.15 F .236(SHA1 constant)102
420 R F5(CE4CF677875B5EB8993591D5A9AF1ED24A3A8736)2.736 E F0 2.736(;t)C
.236(he second represents the sealed)-2.736 F 11.923
-.15 F .362(represents the RSA k)102 408 R .662 -.15(ey p)-.1 H .362(ro\
tecting the blob, and it is protected with either the passphrase, if pr\
o).15 F .363(vided, or the)-.15 F .236(SHA1 constant)102 420 R F5
(CE4CF677875B5EB8993591D5A9AF1ED24A3A8736)2.736 E F0 2.736(;t)C .236
(he second represents the sealed)-2.736 F 11.923
(object containing the wrapping k)102 432 R -.15(ey)-.1 G 14.424(,a)-.5
G 11.924(nd is protected with the SHA1 constant)-14.424 F F5
(B9EE715DBE4B243FAA81EA04306E063710383E35)102 444 Q F0 7.438(.T)C 2.438
@ -398,86 +399,102 @@ G .117(rror occurred, best ef)-2.617 F .117
(ention into the standard error stream.)-.15 E 3.911<418c>102 516 S
1.411(nal v)-3.911 F 1.411(eri\214cation should be made by running)-.15
F F2 3.077(zfs-tpm1x-load-key \255n)3.911 F F3(dataset)7.411 E F0 6.411
(.I)C 3.911(ft)-6.411 G 1.412(hat com-)-3.911 F 2.176
(mand succeeds, all is well, b)102 528 R 2.175
(ut otherwise the dataset can be manually rolled back to a passw)-.2 F
2.175(ord with)-.1 F F2(zfs-tpm1x-clear-key)102 540 Q F3(dataset)12.878
E F0 1.666(\(o)11.044 G 7.678 -.4(r, i)-1.666 H 9.378(ft).4 G 6.878
(hat f)-9.378 F 6.878(ails to w)-.1 F(ork,)-.1 E F2 6.879
(zfs change-key)9.378 F<ad6f>14.545 E F5(keyformat=passphrase)102 552 Q
F3(dataset)6 E F0 -3.332 1.666(\), a)1.666 H(nd you are hereby ask)
-1.666 E(ed to report a b)-.1 E(ug, please.)-.2 E F2
(zfs-tpm1x-clear-key)102 570 Q F3(dataset)6 E F0
(can be used to clear the properties and go back to using a passw)2.5 E
(ord.)-.1 E F1(OPTIONS)72 594 Q F2<ad62>103.666 606 Q F3(backup-file)6 E
F0(Sa)191 618 Q .806 -.15(ve a b)-.2 H .506(ack-up of the k).15 F .805
-.15(ey t)-.1 H(o).15 E F3(backup-file)3.005 E F0 3.005(,w)C .505
(hich must not e)-3.005 F .505(xist beforehand.)-.15 F(This)5.505 E
(back-up)191 630 Q F4(must)3.181 E F0 .681(be stored securely)3.181 F
3.181(,o)-.65 G -.25(ff)-3.181 G 3.181(-site. In).25 F .682
(case of a catastrophic e)3.181 F -.15(ve)-.25 G .682(nt, the k).15 F
.982 -.15(ey c)-.1 H(an).15 E(be loaded by running)191 642 Q F2
(zfs load-key)221 654 Q F3(dataset)6 E F5(<)6 E F3(backup-file)6 E F1
(ENVIR)72 678 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 E F0(tzpfms 0.1-23)
72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(3)189.295 E 0
Cg EP
(.I)C 3.911(ft)-6.411 G 1.412(hat com-)-3.911 F 1.843
(mand succeeds, all is well, b)102 528 R 1.843(ut otherwise the dataset\
can be manually rolled back to a passphrase with)-.2 F F2
(zfs-tpm1x-clear-key)102 540 Q F3(dataset)12.878 E F0 1.666(\(o)11.044 G
7.678 -.4(r, i)-1.666 H 9.378(ft).4 G 6.878(hat f)-9.378 F 6.878
(ails to w)-.1 F(ork,)-.1 E F2 6.879(zfs change-key)9.378 F<ad6f>14.545
E F5(keyformat=passphrase)102 552 Q F3(dataset)6 E F0 -3.332 1.666
(\), a)1.666 H(nd you are hereby ask)-1.666 E(ed to report a b)-.1 E
(ug, please.)-.2 E F2(zfs-tpm1x-clear-key)102 570 Q F3(dataset)9.23 E F0
3.23(can be used to clear the properties and go back to using a)5.73 F
(passphrase.)102 582 Q F1(OPTIONS)72 606 Q F2<ad62>103.666 618 Q F3
(backup-file)6 E F0(Sa)191 630 Q .805 -.15(ve a b)-.2 H .505
(ack-up of the k).15 F .805 -.15(ey t)-.1 H(o).15 E F3(backup-file)3.005
E F0 3.005(,w)C .506(hich must not e)-3.005 F .506(xist beforehand.)-.15
F(This)5.506 E(back-up)191 642 Q F4(must)3.182 E F0 .682
(be stored securely)3.182 F 3.182(,o)-.65 G -.25(ff)-3.182 G 3.182
(-site. In).25 F .681(case of a catastrophic e)3.181 F -.15(ve)-.25 G
.681(nt, the k).15 F .981 -.15(ey c)-.1 H(an).15 E(be loaded by running)
191 654 Q F2(zfs load-key)221 666 Q F3(dataset)6 E F5(<)6 E F3
(backup-file)6 E F0(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G
(mber 28, 2021).15 E(3)189.295 E 0 Cg EP
%%Page: 4 4
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF -.834(ZFS-TPM1X-CHANGE-KEY \(8\))72 48 R
(System Manager')46.109 E 2.5(sM)-.55 G 41.109
(anual ZFS-TPM1X-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier@0 SF
(TZPFMS_PASSPHRASE_HELPER)102 96 Q F0 .466(By def)143 108 R .466(ault, \
passphrases are prompted for and read in on the standard output and inp\
ut streams.)-.1 F(If)5.465 E F1(TZPFMS_PASSPHRASE_HELPER)143 120 Q F0
.516(is set and nonempty)3.016 F 3.016(,i)-.65 G 3.016(tw)-3.016 G .517
(ill be run via)-3.016 F F1(/bin/)3.017 E/F2 10/Courier-Bold@0 SF 2.183
(sh \255c)B F0 .517(to pro-)3.017 F(vide each passphrase, instead.)143
132 Q .189(The standard output stream of the helper is tied to an anon)
143 150 R .188(ymous \214le and used in its entirety as the)-.15 F
(passphrase, e)143 162 Q(xcept for a trailing ne)-.15 E(w-line, if an)
-.25 E 3.8 -.65(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F1($1)155
174 Q F0(Pre-formatted noun phrase with all the information belo)172 174
Q 1.3 -.65(w, f)-.25 H(or use as a prompt).65 E F1($2)155 186 Q F0
(Either the dataset name or the element of the TPM hierarch)172 186 Q
2.5(yb)-.05 G(eing prompted for)-2.5 E F1($3)155 198 Q F0("ne)172 198 Q
(anual ZFS-TPM1X-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier-Bold@0 SF
<ad50>103.666 96 Q/F2 10/Courier-Oblique@0 SF(PCR)6 E F0([)A F1(,)A F2
(PCR)A F0 1.666(]...)C .42(Bind the k)191 96 R .72 -.15(ey t)-.1 H 2.92
(os).15 G .421(pace- or comma-separated)-2.92 F F2(PCR)2.921 E F0 2.921
(s\212i)C 2.921(ft)-2.921 G(he)-2.921 E 2.921(yc)-.15 G .421
(hange, the wrapping k)-2.921 F -.15(ey)-.1 G .807
(will not be able to be unsealed.)191 108 R .807
(The minimum amount of PCRs for a PC TPM is)5.807 F/F3 10/Times-Bold@0
SF(24)3.307 E F0 1.666(\(n)192.666 120 S(umbered)-1.666 E F3(0)2.5 E F0
(..)A F3(23)A F0 -.832 1.666(\). F)1.666 H
(or most, this is also the maximum.)-1.816 E F3(ENVIR)72 144 Q 1.666
(ONMENT V)-.3 F(ARIABLES)-1.35 E/F4 10/Courier@0 SF
(TZPFMS_PASSPHRASE_HELPER)102 156 Q F0 .465(By def)143 168 R .466(ault,\
passphrases are prompted for and read in on the standard output and in\
put streams.)-.1 F(If)5.466 E F4(TZPFMS_PASSPHRASE_HELPER)143 180 Q F0
.517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G .516
(ill be run via)-3.017 F F4(/bin/)3.016 E F1 2.182(sh \255c)B F0 .516
(to pro-)3.016 F(vide each passphrase, instead.)143 192 Q .188
(The standard output stream of the helper is tied to an anon)143 210 R
.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e)
143 222 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65
(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F4($1)155 234 Q F0
(Pre-formatted noun phrase with all the information belo)172 234 Q 1.3
-.65(w, f)-.25 H(or use as a prompt).65 E F4($2)155 246 Q F0
(Either the dataset name or the element of the TPM hierarch)172 246 Q
2.5(yb)-.05 G(eing prompted for)-2.5 E F4($3)155 258 Q F0("ne)172 258 Q
(w" if this is for a ne)-.25 E 2.5(wp)-.25 G(assphrase, otherwise blank)
-2.5 E F1($4)155 210 Q F0("ag)172 210 Q(ain" if it')-.05 E 2.5(st)-.55 G
-2.5 E F4($4)155 270 Q F0("ag)172 270 Q(ain" if it')-.05 E 2.5(st)-.55 G
(he second prompt for that passphrase, otherwise blank)-2.5 E .181
(If the helper doesn')143 228 R 2.681(te)-.18 G 1.847(xist \()-2.831 F
.181(the shell e)1.666 F .181(xits with)-.15 F/F3 10/Times-Bold@0 SF
(127)2.681 E F0 -3.151 1.666(\), a d)1.666 H .181
(iagnostic is issued and the normal prompt)-1.666 F(is used as f)143 240
Q 2.5(all-back. If)-.1 F(it f)2.5 E(ails for an)-.1 E 2.5(yo)-.15 G
(ther reason, the prompting is aborted.)-2.5 E F3 1.666
(TPM1.X back-end con\214guration)72 264 R .625(TPM selection)84 276 R F0
(The)102 288 Q F2(tzpfms)2.768 E F0 .267(suite connects to a local)2.767
F F1(tcsd)2.767 E F0 .267(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E
F1(localhost:30003)2.767 E F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)
-2.767 E 2.767(ault. Use)-.1 F .267(the en-)2.767 F(vironment v)102 300
Q(ariable)-.25 E F1(TZPFMS_TPM1X)2.5 E F0
(to specify a remote TCS hostname.)2.5 E .391(The T)102 318 R(rouSerS)
-.35 E F1(tcsd)2.891 E F0 .391(\(8\) daemon will try)B F1(/dev/tpm0)
2.892 E F0 2.892(,t)C(hen)-2.892 E F1(/udev/tpm0)2.892 E F0 2.892(,t)C
(hen)-2.892 E F1(/dev/tpm)2.892 E F0 2.892(;b)C 2.892(yo)-2.892 G(ccup)
-2.892 E(ying)-.1 E(one of the earlier ones with, for e)102 330 Q
(If the helper doesn')143 288 R 2.681(te)-.18 G 1.847(xist \()-2.831 F
.181(the shell e)1.666 F .181(xits with)-.15 F F3(127)2.681 E F0 -3.151
1.666(\), a d)1.666 H .181(iagnostic is issued and the normal prompt)
-1.666 F(is used as f)143 300 Q 2.5(all-back. If)-.1 F(it f)2.5 E
(ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.)
-2.5 E F3 1.666(TPM1.X back-end con\214guration)72 324 R .625
(TPM selection)84 336 R F0(The)102 348 Q F1(tzpfms)2.767 E F0 .267
(suite connects to a local)2.767 F F4(tcsd)2.767 E F0 .267
(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E F4(localhost:30003)2.767 E
F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)-2.767 E 2.767(ault. Use)-.1 F
.268(the en-)2.767 F(vironment v)102 360 Q(ariable)-.25 E F4
(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .392
(The T)102 378 R(rouSerS)-.35 E F4(tcsd)2.892 E F0 .392
(\(8\) daemon will try)B F4(/dev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E
F4(/udev/tpm0)2.892 E F0 2.891(,t)C(hen)-2.891 E F4(/dev/tpm)2.891 E F0
2.891(;b)C 2.891(yo)-2.891 G(ccup)-2.891 E(ying)-.1 E
(one of the earlier ones with, for e)102 390 Q
(xample, shell redirection, a later one can be selected.)-.15 E F3 .625
(See also)84 354 R F0(The T)102 366 Q(rouSerS project page at)-.35 E F3
(See also)84 414 R F0(The T)102 426 Q(rouSerS project page at)-.35 E F3
(https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18
E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102
384 R 7.608(xa)-.15 G(t)-7.608 E F3(https://trustedcomputinggr)7.608 E
E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102
444 R 7.609(xa)-.15 G(t)-7.609 E F3(https://trustedcomputinggr)7.609 E
(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E
(speci\214cation)102 396 Q F0(.)A F3 1.666(SPECIAL THANKS)72 420 R F0
1.6 -.8(To a)102 432 T(ll who support further de).8 E -.15(ve)-.25 G
(lopment, in particular:).15 E F3<83>122 444 Q F0(ThePhD)2.5 E F3<83>122
456 Q F0(Embark Studios)2.5 E F3<83>122 468 Q F0(Jasper Bekk)2.5 E(ers)
-.1 E F3(REPOR)72 492 Q 1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102
504 Q(.ht/~nabijaczleweli/tzpfms)-1 E F1
(~nabijaczleweli/tzpfms@lists.sr.ht)102 522 Q F0 2.5(,a)C(rchi)-2.5 E
(speci\214cation)102 456 Q F0(.)A F3 1.666(SPECIAL THANKS)72 480 R F0
1.6 -.8(To a)102 492 T(ll who support further de).8 E -.15(ve)-.25 G
(lopment, in particular:).15 E F3<83>122 504 Q F0(ThePhD)2.5 E F3<83>122
516 Q F0(Embark Studios)2.5 E F3<83>122 528 Q F0(Jasper Bekk)2.5 E(ers)
-.1 E F3(REPOR)72 552 Q 1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102
564 Q(.ht/~nabijaczleweli/tzpfms)-1 E F4
(~nabijaczleweli/tzpfms@lists.sr.ht)102 582 Q F0 2.5(,a)C(rchi)-2.5 E
-.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F3(https://lists.sr)2.5 E
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(4)189.295 E 0 Cg EP
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A F3 1.666(SEE ALSO)72 606 R F0
(PCR allocations:)102 618 Q F3(https://wiki.ar)2.5 E(chlinux.or)-.18 E
(g/title/T)-.1 E(rusted_Platf)-.74 E(orm_Module#Accessing_PCR_r)-.25 E
(egisters)-.18 E F0(and)102 630 Q F3(https://trustedcomputinggr)2.5 E
(oup.or)-.18 E(g/wp-content/uploads/PC-)-.1 E(ClientSpeci\214c_Platf)102
642 Q(orm_Pr)-.25 E(o\214le_f)-.18 E(or_TPM_2p0_Systems_v51.pdf)-.25 E
F0 2.5(,S)C(ection 2.3.4 "PCR Usage", T)-2.5 E(able 1.)-.8 E
(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E
(4)189.295 E 0 Cg EP
%%Page: 5 5
%%BeginPageSetup
BP
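Review bot: the new `-P PCR[,PCR]...` option text in this hunk says that if the bound PCRs change "the wrapping key will not be able to be unsealed", but it does not point at the recovery path; the `-b backup-file` text a few lines up already states that the back-up "must be stored securely, off-site" and is loaded with `zfs load-key dataset < backup-file`, so `-P` should cross-reference `-b`, since PCR values change on firmware and boot-chain updates and that is exactly when a user will be reading this paragraph. Minor: the added SEE ALSO section on this TPM1.X page cites the TPM 2.0 PC Client Platform Profile (`.../PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf`, "Section 2.3.4 PCR Usage"); a short clause saying why that document is the reference for a TPM 1.2 PCR list would avoid confusion.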
@ -492,31 +509,31 @@ BP
(zfs-tpm1x-clear-key)102 144 Q/F3 10/Courier-Oblique@0 SF(dataset)2.5 E
F1(DESCRIPTION)72 168 Q F0(After v)102 180 Q(erifying)-.15 E F3(dataset)
2.5 E F0 -.1(wa)2.5 G 2.5(se).1 G(ncrypted with)-2.5 E F2(tzpfms)2.5 E
F0(back)2.5 E(end)-.1 E F1(TPM1.X)2.5 E F0(:)A 6.984
F0(back)2.5 E(end)-.1 E F1(TPM1.X)2.5 E F0(:)A 6.985
(1. performs the equi)122 192 R -.25(va)-.25 G 6.984(lent of).25 F F2
6.984(zfs change-key)9.484 F<ad6f>14.65 E/F4 10/Courier@0 SF
(keylocation=prompt)12.985 E F2<ad6f>14.651 E F4(keyformat=passphrase)
127 204 Q F3(dataset)6 E F0(,)A(2. remo)122 216 Q -.15(ve)-.15 G 2.5(st)
.15 G(he)-2.5 E F4(xyz.nabijaczleweli:tzpfms.)2.5 E F0({)A F4(backend)A
F0(,)A F4(key)6 E F0 2.5(}p)C(roperties from)-2.5 E F3(dataset)2.5 E F0
(.)A(See)102 234 Q F4(zfs-tpm1x-change-key)2.5 E F0
(keylocation=prompt)12.984 E F2<ad6f>14.65 E F4(keyformat=passphrase)127
204 Q F3(dataset)6 E F0(,)A(2. remo)122 216 Q -.15(ve)-.15 G 2.5(st).15
G(he)-2.5 E F4(xyz.nabijaczleweli:tzpfms.)2.5 E F0({)A F4(backend)A F0
(,)A F4(key)6 E F0 2.5(}p)C(roperties from)-2.5 E F3(dataset)2.5 E F0(.)
A(See)102 234 Q F4(zfs-tpm1x-change-key)2.5 E F0
(\(8\) for a detailed description.)A F1 1.666
(TPM1.X back-end con\214guration)72 258 R .625(TPM selection)84 270 R F0
(The)102 282 Q F2(tzpfms)2.768 E F0 .267(suite connects to a local)2.767
(The)102 282 Q F2(tzpfms)2.767 E F0 .267(suite connects to a local)2.767
F F4(tcsd)2.767 E F0 .267(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E
F4(localhost:30003)2.767 E F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)
-2.767 E 2.767(ault. Use)-.1 F .267(the en-)2.767 F(vironment v)102 294
-2.767 E 2.767(ault. Use)-.1 F .268(the en-)2.767 F(vironment v)102 294
Q(ariable)-.25 E F4(TZPFMS_TPM1X)2.5 E F0
(to specify a remote TCS hostname.)2.5 E .391(The T)102 312 R(rouSerS)
-.35 E F4(tcsd)2.891 E F0 .391(\(8\) daemon will try)B F4(/dev/tpm0)
2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/udev/tpm0)2.892 E F0 2.892(,t)C
(hen)-2.892 E F4(/dev/tpm)2.892 E F0 2.892(;b)C 2.892(yo)-2.892 G(ccup)
-2.892 E(ying)-.1 E(one of the earlier ones with, for e)102 324 Q
(to specify a remote TCS hostname.)2.5 E .392(The T)102 312 R(rouSerS)
-.35 E F4(tcsd)2.892 E F0 .392(\(8\) daemon will try)B F4(/dev/tpm0)
2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/udev/tpm0)2.892 E F0 2.891(,t)C
(hen)-2.891 E F4(/dev/tpm)2.891 E F0 2.891(;b)C 2.891(yo)-2.891 G(ccup)
-2.891 E(ying)-.1 E(one of the earlier ones with, for e)102 324 Q
(xample, shell redirection, a later one can be selected.)-.15 E F1 .625
(See also)84 348 R F0(The T)102 360 Q(rouSerS project page at)-.35 E F1
(https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18
E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102
378 R 7.608(xa)-.15 G(t)-7.608 E F1(https://trustedcomputinggr)7.608 E
E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102
378 R 7.609(xa)-.15 G(t)-7.609 E F1(https://trustedcomputinggr)7.609 E
(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E
(speci\214cation)102 390 Q F0(.)A F1 1.666(SPECIAL THANKS)72 414 R F0
1.6 -.8(To a)102 426 T(ll who support further de).8 E -.15(ve)-.25 G
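Review bot: every changed line in this hunk is a groff spacing constant (`6.984` → `6.985`, `2.768` → `2.767`, `.391` → `.392`, `7.608` → `7.609`) and the rendered text is identical, which suggests the two renders came from slightly different toolchain builds or font metrics; this churn hides the substantive edits elsewhere in the patch. If the PostScript must stay in the tree, rendering it in a fixed environment (same groff build and fonts, pinned timestamp) keeps unchanged pages byte-identical, so that a diff of this file shows only real documentation changes.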
@ -526,8 +543,8 @@ E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102
498 Q(.ht/~nabijaczleweli/tzpfms)-1 E F4
(~nabijaczleweli/tzpfms@lists.sr.ht)102 516 Q F0 2.5(,a)C(rchi)-2.5 E
-.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)2.5 E
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(5)189.295 E 0 Cg EP
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(5)189.295 E 0 Cg EP
%%Page: 6 6
%%BeginPageSetup
BP
@ -539,31 +556,31 @@ BP
(oad TPM1.X-encrypted ZFS dataset k)-2.5 E -.15(ey)-.1 G F1(SYNOPSIS)72
132 Q F2(zfs-tpm1x-load-key)102 144 Q F0([)3.333 E F2<ad6e>2.499 E F0(])
.833 E/F3 10/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 168 Q
F0 1.155(After v)102 180 R(erifying)-.15 E F3(dataset)3.655 E F0 -.1(wa)
3.655 G 3.655(se).1 G 1.155(ncrypted with)-3.655 F F2(tzpfms)3.655 E F0
(back)3.655 E(end)-.1 E F1(TPM1.X)3.655 E F0 1.156(will unseal the k)
3.655 F 1.456 -.15(ey a)-.1 H 1.156(nd load it).15 F(into)102 192 Q F3
(dataset)2.5 E F0(.)A .694
F0 1.156(After v)102 180 R(erifying)-.15 E F3(dataset)3.656 E F0 -.1(wa)
3.656 G 3.656(se).1 G 1.156(ncrypted with)-3.656 F F2(tzpfms)3.655 E F0
(back)3.655 E(end)-.1 E F1(TPM1.X)3.655 E F0 1.155(will unseal the k)
3.655 F 1.455 -.15(ey a)-.1 H 1.155(nd load it).15 F(into)102 192 Q F3
(dataset)2.5 E F0(.)A .693
(The user is \214rst prompted for the SRK passphrase, set when taking o)
102 210 R .693(wnership, if not "well-kno)-.25 F .693(wn" \(all ze-)-.25
102 210 R .694(wnership, if not "well-kno)-.25 F .694(wn" \(all ze-)-.25
F(roes\); then for the additional passphrase, set when creating the k)
102 222 Q -.15(ey)-.1 G 2.5(,i)-.5 G 2.5(fo)-2.5 G(ne w)-2.5 E(as set.)
-.1 E(See)102 240 Q/F4 10/Courier@0 SF(zfs-tpm1x-change-key)2.5 E F0
(\(8\) for a detailed description.)A F1(OPTIONS)72 264 Q F2<ad6e>103.666
276 Q F0 .178(Do a no-op/dry run, can be used e)119 288 R -.15(ve)-.25 G
2.678(ni).15 G 2.679(ft)-2.678 G .179(he k)-2.679 F .479 -.15(ey i)-.1 H
2.679(sa).15 G .179(lready loaded.)-2.679 F(Equi)5.179 E -.25(va)-.25 G
.179(lent to).25 F F2 .179(zfs load-key)2.679 F F0 -.55('s)C F2<ad6e>
4.895 E F0(option.)119 300 Q F1(ENVIR)72 324 Q 1.666(ONMENT V)-.3 F
(ARIABLES)-1.35 E F4(TZPFMS_PASSPHRASE_HELPER)102 336 Q F0 .466(By def)
276 Q F0 .179(Do a no-op/dry run, can be used e)119 288 R -.15(ve)-.25 G
2.679(ni).15 G 2.679(ft)-2.679 G .179(he k)-2.679 F .478 -.15(ey i)-.1 H
2.678(sa).15 G .178(lready loaded.)-2.678 F(Equi)5.178 E -.25(va)-.25 G
.178(lent to).25 F F2 .178(zfs load-key)2.678 F F0 -.55('s)C F2<ad6e>
4.894 E F0(option.)119 300 Q F1(ENVIR)72 324 Q 1.666(ONMENT V)-.3 F
(ARIABLES)-1.35 E F4(TZPFMS_PASSPHRASE_HELPER)102 336 Q F0 .465(By def)
143 348 R .466(ault, passphrases are prompted for and read in on the st\
andard output and input streams.)-.1 F(If)5.465 E F4
(TZPFMS_PASSPHRASE_HELPER)143 360 Q F0 .516(is set and nonempty)3.016 F
3.016(,i)-.65 G 3.016(tw)-3.016 G .517(ill be run via)-3.016 F F4(/bin/)
3.017 E F2 2.183(sh \255c)B F0 .517(to pro-)3.017 F
(vide each passphrase, instead.)143 372 Q .189
andard output and input streams.)-.1 F(If)5.466 E F4
(TZPFMS_PASSPHRASE_HELPER)143 360 Q F0 .517(is set and nonempty)3.017 F
3.017(,i)-.65 G 3.017(tw)-3.017 G .516(ill be run via)-3.017 F F4(/bin/)
3.016 E F2 2.182(sh \255c)B F0 .516(to pro-)3.016 F
(vide each passphrase, instead.)143 372 Q .188
(The standard output stream of the helper is tied to an anon)143 390 R
.188(ymous \214le and used in its entirety as the)-.15 F(passphrase, e)
.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e)
143 402 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65
(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F4($1)155 414 Q F0
(Pre-formatted noun phrase with all the information belo)172 414 Q 1.3
@ -579,27 +596,27 @@ andard output and input streams.)-.1 F(If)5.465 E F4
-1.666 F(is used as f)143 480 Q 2.5(all-back. If)-.1 F(it f)2.5 E
(ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.)
-2.5 E F1 1.666(TPM1.X back-end con\214guration)72 504 R .625
(TPM selection)84 516 R F0(The)102 528 Q F2(tzpfms)2.768 E F0 .267
(TPM selection)84 516 R F0(The)102 528 Q F2(tzpfms)2.767 E F0 .267
(suite connects to a local)2.767 F F4(tcsd)2.767 E F0 .267
(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E F4(localhost:30003)2.767 E
F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)-2.767 E 2.767(ault. Use)-.1 F
.267(the en-)2.767 F(vironment v)102 540 Q(ariable)-.25 E F4
(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .391
(The T)102 558 R(rouSerS)-.35 E F4(tcsd)2.891 E F0 .391
.268(the en-)2.767 F(vironment v)102 540 Q(ariable)-.25 E F4
(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .392
(The T)102 558 R(rouSerS)-.35 E F4(tcsd)2.892 E F0 .392
(\(8\) daemon will try)B F4(/dev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E
F4(/udev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/dev/tpm)2.892 E F0
2.892(;b)C 2.892(yo)-2.892 G(ccup)-2.892 E(ying)-.1 E
F4(/udev/tpm0)2.892 E F0 2.891(,t)C(hen)-2.891 E F4(/dev/tpm)2.891 E F0
2.891(;b)C 2.891(yo)-2.891 G(ccup)-2.891 E(ying)-.1 E
(one of the earlier ones with, for e)102 570 Q
(xample, shell redirection, a later one can be selected.)-.15 E F1 .625
(See also)84 594 R F0(The T)102 606 Q(rouSerS project page at)-.35 E F1
(https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18
E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102
624 R 7.608(xa)-.15 G(t)-7.608 E F1(https://trustedcomputinggr)7.608 E
E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102
624 R 7.609(xa)-.15 G(t)-7.609 E F1(https://trustedcomputinggr)7.609 E
(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E
(speci\214cation)102 636 Q F0(.)A F1 1.666(SPECIAL THANKS)72 660 R F0
1.6 -.8(To a)102 672 T(ll who support further de).8 E -.15(ve)-.25 G
(lopment, in particular:).15 E(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15
(ve)-.15 G(mber 25, 2021).15 E(6)189.295 E 0 Cg EP
(lopment, in particular:).15 E(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15
(ve)-.15 G(mber 28, 2021).15 E(6)189.295 E 0 Cg EP
%%Page: 7 7
%%BeginPageSetup
BP
@ -612,8 +629,8 @@ BP
-.1 E(https://todo.sr)102 156 Q(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10
/Courier@0 SF(~nabijaczleweli/tzpfms@lists.sr.ht)102 174 Q F0 2.5(,a)C
(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)
2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(7)189.295 E 0 Cg EP
2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(7)189.295 E 0 Cg EP
%%Page: 8 8
%%BeginPageSetup
BP
@ -625,154 +642,207 @@ BP
108 Q F0 2.5<8a63>2.5 G(hange ZFS dataset k)-2.5 E .3 -.15(ey t)-.1 H
2.5(oo).15 G(ne stored on the TPM)-2.5 E F1(SYNOPSIS)72 132 Q F2
(zfs-tpm2-change-key)102 144 Q F0([)3.333 E F2<ad62>2.499 E/F3 10
/Courier-Oblique@0 SF(backup-file)6 E F0(]).833 E F3(dataset)2.5 E F1
(DESCRIPTION)72 168 Q F0 6.93 -.8(To n)102 180 T(ormalise).8 E F3
(dataset)7.831 E F0(,)A F2(zfs-tpm2-change-key)7.831 E F0 5.331
/Courier-Oblique@0 SF(backup-file)6 E F0 2.5(][).833 G F2<ad50>-.834 E
F3(algorithm)222 156 Q F2(:)A F3(PCR)A F0([)A F2(,)A F3(PCR)A F0 1.666
(]...)C([)-1.666 E F2(+)A F3(algorithm)A F2(:)A F3(PCR)A F0([)A F2(,)A
F3(PCR)A F0 1.666(]...)C -2.499 1.666(]... [)-1.666 H F2<ad41>.833 E F0
(]]).833 E F3(dataset)222 168 Q F1(DESCRIPTION)72 192 Q F0 6.931 -.8
(To n)102 204 T(ormalise).8 E F3(dataset)7.831 E F0(,)A F2
(zfs-tpm2-change-key)7.831 E F0 5.331
(will open its encryption root in its stead.)7.831 F F2
(zfs-tpm2-change-key)102 192 Q F0(will)3.864 E/F4 10/Times-Italic@0 SF
(zfs-tpm2-change-key)102 216 Q F0(will)3.864 E/F4 10/Times-Italic@0 SF
(ne)3.864 E(ver)-.15 E F0 1.364(create or destro)3.864 F 3.864(ye)-.1 G
1.364(ncryption roots; use)-3.864 F/F5 10/Courier@0 SF(zfs-change-key)
3.864 E F0 1.364(\(8\) for)B(that.)102 204 Q
(First, a connection is made to the TPM, which)102 222 Q F4(must)2.5 E
F0(be TPM-2.0-compatible.)2.5 E(If)102 240 Q F3(dataset)3.42 E F0 -.1
3.864 E F0 1.364(\(8\) for)B(that.)102 228 Q
(First, a connection is made to the TPM, which)102 246 Q F4(must)2.5 E
F0(be TPM-2.0-compatible.)2.5 E(If)102 264 Q F3(dataset)3.42 E F0 -.1
(wa)3.42 G 3.42(sp).1 G(re)-3.42 E .92(viously encrypted with)-.25 F F2
(tzpfms)3.42 E F0 .92(and the)3.42 F F1(TPM2)3.42 E F0 .92(back-end w)
3.42 F .92(as used, the pre)-.1 F .92(vious k)-.25 F -.15(ey)-.1 G .382
(will be freed from the TPM.)102 252 R .382
(will be freed from the TPM.)102 276 R .382
(Otherwise, or in case of an error)5.382 F 2.882(,d)-.4 G .382
(ata required for manual interv)-2.882 F .382(ention will be)-.15 F
(printed to the standard error stream.)102 264 Q(Ne)102 282 Q .197
(ata required for manual interv)-2.882 F .383(ention will be)-.15 F
(printed to the standard error stream.)102 288 Q(Ne)102 306 Q .197
(xt, a ne)-.15 F 2.697(ww)-.25 G .197(rapping k)-2.697 F .497 -.15(ey i)
-.1 H 2.697(sg).15 G .197(enerated on the TPM, optionally back)-2.697 F
.197(ed up)-.1 F 1.666(\(s)4.363 G(ee)-1.666 E F1(OPTIONS)2.697 E F0
-3.135 1.666(\), a)1.666 H .197(nd sealed to a)-1.666 F .504
(persistent object on the TPM under the o)102 294 R .504(wner hierarch)
-.25 F .504(y; if there is a passphrase set on the o)-.05 F .503
(wner hierarch)-.25 F -.65(y,)-.05 G .04
(the user is prompted for it; the user is al)102 306 R -.1(wa)-.1 G .041
(persistent object on the TPM under the o)102 318 R .504(wner hierarch)
-.25 F .504(y; if there is a passphrase set on the o)-.05 F .504
(wner hierarch)-.25 F -.65(y,)-.05 G .041
(the user is prompted for it; the user is al)102 330 R -.1(wa)-.1 G .04
(ys prompted for an optional passphrase to protect the sealed object).1
F(with.)102 318 Q(The follo)102 336 Q(wing properties are set on)-.25 E
F3(dataset)2.5 E F0(:)A F1<83>122 348 Q F5
(xyz.nabijaczleweli:tzpfms.backend)7.5 E F0(=)A F1(TPM2)A<83>122 360 Q
F5(xyz.nabijaczleweli:tzpfms.key)7.5 E F0(=)A F3
(ID of persistent object)A F5(tzpfms.backend)102 378 Q F0 3.203
F(with.)102 342 Q(The follo)102 360 Q(wing properties are set on)-.25 E
F3(dataset)2.5 E F0(:)A F1<83>122 372 Q F5
(xyz.nabijaczleweli:tzpfms.backend)7.5 E F0(=)A F1(TPM2)A<83>122 384 Q
F5(xyz.nabijaczleweli:tzpfms.key)7.5 E F0(=)A F3(persistent-object-ID)A
F0([).833 E F2(;).833 E F3(algorithm)133 396 Q F2(:)A F3(PCR)A F0([)A F2
(,)A F3(PCR)A F0 1.666(]...)C([)-1.666 E F2(+)A F3(algorithm)A F2(:)A F3
(PCR)A F0([)A F2(,)A F3(PCR)A F0 1.666(]...)C 1.666(]...)-1.666 G(])
-.833 E F5(tzpfms.backend)102 414 Q F0 3.203
(identi\214es this dataset for w)5.703 F 3.203(ork with)-.1 F F1(TPM2)
5.703 E F0(-back-ended)A F2(tzpfms)5.703 E F0 4.868(tools \()5.702 F
(namely)1.666 E F5(zfs-tpm2-change-key)102 390 Q F0(\(8\),)A F5
(namely)1.666 E F5(zfs-tpm2-change-key)102 426 Q F0(\(8\),)A F5
(zfs-tpm2-load-key)2.5 E F0(\(8\), and)A F5(zfs-tpm2-clear-key)2.5 E F0
-.834(\(8\) \) .)B F5(tzpfms.key)102 408 Q F0 1.11(is an inte)3.61 F
1.111
(ger representing the sealed object; if needed, it can be passed to)-.15
F F2(tpm2_unseal)3.611 E<ad63>103.666 420 Q F5(${tzpfms.key})6.032 E F0
([)6.865 E F2<ad70>2.499 E F5(${password})6.032 E F0 2.532(]o).833 G
2.532(re)-2.532 G(qui)-2.532 E -.25(va)-.25 G .032(lent for back-up).25
F 1.666(\(s)4.198 G(ee)-1.666 E F1(OPTIONS)2.532 E F0 -.8 1.666(\). I)
1.666 H 2.532(fy)-1.666 G .032(ou ha)-2.532 F .331 -.15(ve a)-.2 H .434
(sealed k)102 432 R .734 -.15(ey y)-.1 H .434
(ou can access with that or equi).15 F -.25(va)-.25 G .435
(lent tool and set both of these properties, it will funxion seam-).25 F
(lessly)102 444 Q(.)-.65 E(Finally)102 462 Q 4.141(,t)-.65 G 1.641
-.834(\(8\) \) .)B F5(tzpfms.key)102 444 Q F0 .414(is an inte)2.914 F
.414(ger representing the sealed object, optionally follo)-.15 F .414
(wed by a semicolon and PCR list)-.25 F 1.298(as speci\214ed with)102
456 R F2<ad50>5.464 E F0 3.798(,n)C 1.298(ormalised to be)-3.798 F F2
(tpm-tools)3.797 E F0 1.297
(-toolchain-compatible; if needed, it can be passed to)B F2 11.056
(tpm2_unseal \255c)102 468 R F5(${tzpfms.key)15.39 E F2(%%)A F5(;)A/F6
10/Symbol SF(*)A F5(})A F0(with)11.89 E F2<ad70>13.556 E F0(")15.39 E F5
(str:${passphrase})A F0 11.891("o)C(r)-11.891 E F2<ad70>13.557 E F0(")
102 480 Q F5(pcr:${tzpfms.key)A F2(#)A F6(*)A F5(;})A F0 1.177
(", as the case may be, or equi)B -.25(va)-.25 G 1.177
(lent, for back-up).25 F 1.666(\(s)5.342 G(ee)-1.666 E F1(OPTIONS)3.676
E F0 .344 1.666(\). I)1.666 H 3.676(fy)-1.666 G(ou)-3.676 E(ha)102 492 Q
.633 -.15(ve a s)-.2 H .333(ealed k).15 F .633 -.15(ey y)-.1 H .333
(ou can access with that or equi).15 F -.25(va)-.25 G .334
(lent tool and set both of these properties, it will funxion).25 F
(seamlessly)102 504 Q(.)-.65 E(Finally)102 522 Q 4.141(,t)-.65 G 1.641
(he equi)-4.141 F -.25(va)-.25 G 1.641(lent of).25 F F2 1.641
(zfs change-key)4.141 F<ad6f>9.307 E F5(keylocation=prompt)7.641 E F2
<ad6f>9.307 E F5(keyformat=raw)7.64 E F3(dataset)102 474 Q F0 .336
<ad6f>9.307 E F5(keyformat=raw)7.64 E F3(dataset)102 534 Q F0 .336
(is performed with the ne)2.836 F 2.836(wk)-.25 G -.15(ey)-2.936 G 5.336
(.I)-.5 G 2.836(fa)-5.336 G 2.836(ne)-2.836 G .336
(rror occurred, best ef)-2.836 F .337
(fort is made to clean up the persistent)-.25 F
(object and properties, or to issue a note for manual interv)102 486 Q
(ention into the standard error stream.)-.15 E 2.92<418c>102 504 S .42
(object and properties, or to issue a note for manual interv)102 546 Q
(ention into the standard error stream.)-.15 E 2.92<418c>102 564 S .42
(nal v)-2.92 F .42(eri\214cation should be made by running)-.15 F F2
2.085(zfs-tpm2-load-key \255n)2.919 F F3(dataset)6.419 E F0 5.419(.I)C
2.919(ft)-5.419 G .419(hat command)-2.919 F 3.856
(succeeds, all is well, b)102 516 R 3.856
(ut otherwise the dataset can be manually rolled back to a passw)-.2 F
3.857(ord with)-.1 F F2(zfs-tpm2-clear-key)102 528 Q F3(dataset)13.479 E
F0 1.666(\(o)11.645 G 8.278 -.4(r, i)-1.666 H 9.978(ft).4 G 7.478(hat f)
-9.978 F 7.478(ails to w)-.1 F(ork,)-.1 E F2 7.478(zfs change-key)9.978
F<ad6f>15.144 E F5(keyformat=passphrase)102 540 Q F3(dataset)6 E F0
-3.332 1.666(\), a)1.666 H(nd you are hereby ask)-1.666 E
(ed to report a b)-.1 E(ug, please.)-.2 E F2(zfs-tpm2-clear-key)102 558
Q F3(dataset)6.423 E F0 .423
2.919(ft)-5.419 G .419(hat command)-2.919 F 3.503
(succeeds, all is well, b)102 576 R 3.503(ut otherwise the dataset can \
be manually rolled back to a passphrase with)-.2 F F2
(zfs-tpm2-clear-key)102 588 Q F3(dataset)13.479 E F0 1.666(\(o)11.645 G
8.278 -.4(r, i)-1.666 H 9.978(ft).4 G 7.478(hat f)-9.978 F 7.478
(ails to w)-.1 F(ork,)-.1 E F2 7.478(zfs change-key)9.978 F<ad6f>15.144
E F5(keyformat=passphrase)102 600 Q F3(dataset)6 E F0 -3.332 1.666
(\), a)1.666 H(nd you are hereby ask)-1.666 E(ed to report a b)-.1 E
(ug, please.)-.2 E F2(zfs-tpm2-clear-key)102 618 Q F3(dataset)6.423 E F0
.423
(can be used to free the TPM persistent object and go back to using a)
2.923 F(passw)102 570 Q(ord.)-.1 E F1(OPTIONS)72 594 Q F2<ad62>103.666
606 Q F3(backup-file)6 E F0(Sa)191 618 Q .806 -.15(ve a b)-.2 H .506
2.923 F(passphrase.)102 630 Q F1(OPTIONS)72 654 Q F2<ad62>103.666 666 Q
F3(backup-file)6 E F0(Sa)191 678 Q .806 -.15(ve a b)-.2 H .506
(ack-up of the k).15 F .805 -.15(ey t)-.1 H(o).15 E F3(backup-file)3.005
E F0 3.005(,w)C .505(hich must not e)-3.005 F .505(xist beforehand.)-.15
F(This)5.505 E(back-up)191 630 Q F4(must)3.181 E F0 .681
F(This)5.505 E(back-up)191 690 Q F4(must)3.181 E F0 .681
(be stored securely)3.181 F 3.181(,o)-.65 G -.25(ff)-3.181 G 3.181
(-site. In).25 F .682(case of a catastrophic e)3.181 F -.15(ve)-.25 G
.682(nt, the k).15 F .982 -.15(ey c)-.1 H(an).15 E(be loaded by running)
191 642 Q F2(zfs load-key)221 654 Q F3(dataset)6 E F5(<)6 E F3
(backup-file)6 E F1(ENVIR)72 678 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 E
F0(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15
E(8)189.295 E 0 Cg EP
191 702 Q(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G
(mber 28, 2021).15 E(8)189.295 E 0 Cg EP
%%Page: 9 9
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CHANGE-KEY \(8\))72 48 R
(System Manager')53.329 E 2.5(sM)-.55 G 48.329
(anual ZFS-TPM2-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier@0 SF
(TZPFMS_PASSPHRASE_HELPER)102 96 Q F0 .466(By def)143 108 R .466(ault, \
passphrases are prompted for and read in on the standard output and inp\
ut streams.)-.1 F(If)5.465 E F1(TZPFMS_PASSPHRASE_HELPER)143 120 Q F0
.516(is set and nonempty)3.016 F 3.016(,i)-.65 G 3.016(tw)-3.016 G .517
(ill be run via)-3.016 F F1(/bin/)3.017 E/F2 10/Courier-Bold@0 SF 2.183
(sh \255c)B F0 .517(to pro-)3.017 F(vide each passphrase, instead.)143
132 Q .189(The standard output stream of the helper is tied to an anon)
143 150 R .188(ymous \214le and used in its entirety as the)-.15 F
(passphrase, e)143 162 Q(xcept for a trailing ne)-.15 E(w-line, if an)
-.25 E 3.8 -.65(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F1($1)155
174 Q F0(Pre-formatted noun phrase with all the information belo)172 174
Q 1.3 -.65(w, f)-.25 H(or use as a prompt).65 E F1($2)155 186 Q F0
(Either the dataset name or the element of the TPM hierarch)172 186 Q
2.5(yb)-.05 G(eing prompted for)-2.5 E F1($3)155 198 Q F0("ne)172 198 Q
(anual ZFS-TPM2-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier-Bold@0 SF
(zfs load-key)221 96 Q/F2 10/Courier-Oblique@0 SF(dataset)6 E/F3 10
/Courier@0 SF(<)6 E F2(backup-file)6 E F1<ad50>103.666 114 Q F2
(algorithm)6 E F1(:)A F2(PCR)A F0([)A F1(,)A F2(PCR)A F0 1.666(]...)C([)
-1.666 E F1(+)A F2(algorithm)A F1(:)A F2(PCR)A F0([)A F1(,)A F2(PCR)A F0
1.666(]...)C 1.666(]...)-1.666 G .851(Bind the k)191 126 R 1.151 -.15
(ey t)-.1 H 3.351(os).15 G .851(pace- or comma-separated)-3.351 F F2
(PCR)3.351 E F0 3.351(sw)C .851(ithin their corresponding hashing)-3.351
F F2(algorithm)191 138 Q F0 4.119<8a69>4.119 G 4.119(ft)-4.119 G(he)
-4.119 E 4.119(yc)-.15 G 1.619(hange, the wrapping k)-4.119 F 1.919 -.15
(ey w)-.1 H 1.62(ill not be able to be unsealed.).15 F(There are)191 150
Q/F4 10/Times-Bold@0 SF(24)2.5 E F0(PCRs, numbered)2.5 E F4(0)2.5 E F0
(..)A F4(23)A F0(.)A F2(algorithm)191 168 Q F0 1.096(may be an)3.596 F
3.596(yo)-.15 G 3.596(fc)-3.596 G(ase-insensiti)-3.596 E 1.395 -.15
(ve ")-.25 H F4(sha1).15 E F0 1.095(", ")B F4(sha256)A F0 1.095(", ")B
F4(sha384)A F0 1.095(", ")B F4(sha512)A F0(",)A(")191 180 Q F4(sm3_256)A
F0 9.062(", ")B F4(sm3-256)A F0 9.062(", ")B F4(sha3_256)A F0 9.062
(", ")B F4(sha3-256)A F0 9.062(", ")B F4(sha3_384)A F0 9.062(", ")B F4
(sha3-384)A F0(",)A(")191 192 Q F4(sha3_512)A F0(", or ")A F4(sha3-512)A
F0(", and must be supported by the TPM.)A F1<ad41>103.666 210 Q F0 -.4
(Wi)191 210 S(th).4 E F1<ad50>6.798 E F0 5.132(,a)C 2.632
(lso prompt for a passphrase.)-5.132 F 2.632(This is skipped by def)
7.632 F 2.631(ault because the)-.1 F .833(passphrase is)191 222 R/F5 10
/Times-Italic@0 SF(OR)3.333 E F0 .833(ed with the PCR polic)B 3.334
(y\212t)-.15 G .834(he wrapping k)-3.334 F 1.134 -.15(ey c)-.1 H .834
(an be unsealed).15 F F5(either)3.334 E F0 .703
(passphraseless with the right PCRs)191 234 R F5(or)3.203 E F0 .703
(with the passphrase, and this is usually not the)3.203 F(intent.)191
246 Q F4(ENVIR)72 270 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 E F3
(TZPFMS_PASSPHRASE_HELPER)102 282 Q F0 .465(By def)143 294 R .466(ault,\
passphrases are prompted for and read in on the standard output and in\
put streams.)-.1 F(If)5.466 E F3(TZPFMS_PASSPHRASE_HELPER)143 306 Q F0
.517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G .516
(ill be run via)-3.017 F F3(/bin/)3.016 E F1 2.182(sh \255c)B F0 .516
(to pro-)3.016 F(vide each passphrase, instead.)143 318 Q .188
(The standard output stream of the helper is tied to an anon)143 336 R
.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e)
143 348 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65
(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F3($1)155 360 Q F0
(Pre-formatted noun phrase with all the information belo)172 360 Q 1.3
-.65(w, f)-.25 H(or use as a prompt).65 E F3($2)155 372 Q F0
(Either the dataset name or the element of the TPM hierarch)172 372 Q
2.5(yb)-.05 G(eing prompted for)-2.5 E F3($3)155 384 Q F0("ne)172 384 Q
(w" if this is for a ne)-.25 E 2.5(wp)-.25 G(assphrase, otherwise blank)
-2.5 E F1($4)155 210 Q F0("ag)172 210 Q(ain" if it')-.05 E 2.5(st)-.55 G
-2.5 E F3($4)155 396 Q F0("ag)172 396 Q(ain" if it')-.05 E 2.5(st)-.55 G
(he second prompt for that passphrase, otherwise blank)-2.5 E .181
(If the helper doesn')143 228 R 2.681(te)-.18 G 1.847(xist \()-2.831 F
.181(the shell e)1.666 F .181(xits with)-.15 F/F3 10/Times-Bold@0 SF
(127)2.681 E F0 -3.151 1.666(\), a d)1.666 H .181
(iagnostic is issued and the normal prompt)-1.666 F(is used as f)143 240
Q 2.5(all-back. If)-.1 F(it f)2.5 E(ails for an)-.1 E 2.5(yo)-.15 G
(ther reason, the prompting is aborted.)-2.5 E F3 1.666
(TPM2 back-end con\214guration)72 264 R(En)84 276 Q(vir)-.4 E .625
(onment v)-.18 F(ariables)-.1 E F1(TSS2_LOG)102 288 Q F0(An)155 288 Q
2.5(yo)-.15 G(f:)-2.5 E F3(NONE)2.5 E F0(,)A F3(ERR)2.5 E(OR)-.3 E F0(,)
A F3 -1.2(WA)2.5 G(RNING)1.2 E F0(,)A F3(INFO)2.5 E F0(,)A F3(DEB)2.5 E
(UG)-.1 E F0(,)A F3(TRA)2.5 E(CE)-.55 E F0 5(.D)C(ef)-5 E(ault:)-.1 E F3
-1.2(WA)2.5 G(RNING)1.2 E F0(.)A F3 .625(TPM selection)84 312 R F0 .517
(The library)102 324 R F2(libtss2-tcti-default.so)3.017 E F0 .517
(can be link)3.017 F .516(ed to an)-.1 F 3.016(yo)-.15 G 3.016(ft)-3.016
G(he)-3.016 E F1(libtss2-tcti-)3.016 E/F4 10/Symbol SF(*)A F1(.so)A F0
(libraries)3.016 E .575(to select the def)102 336 R .576
(ault, otherwise)-.1 F F1(/dev/tpmrm0)3.076 E F0 3.076(,t)C(hen)-3.076 E
F1(/dev/tpm0)3.076 E F0 3.076(,t)C(hen)-3.076 E F1(localhost:2321)3.076
E F0 .576(will be tried,)3.076 F(in order)102 348 Q 1.666(\(s)4.166 G
(ee)-1.666 E F1(ESYS_CONTEXT)2.5 E F0 -.834(\(3\) \) .)B F3 .625
(See also)84 372 R F0 3.488(The tpm2-tss git repository at)102 384 R F3
(If the helper doesn')143 414 R 2.681(te)-.18 G 1.847(xist \()-2.831 F
.181(the shell e)1.666 F .181(xits with)-.15 F F4(127)2.681 E F0 -3.151
1.666(\), a d)1.666 H .181(iagnostic is issued and the normal prompt)
-1.666 F(is used as f)143 426 Q 2.5(all-back. If)-.1 F(it f)2.5 E
(ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.)
-2.5 E F4 1.666(TPM2 back-end con\214guration)72 450 R(En)84 462 Q(vir)
-.4 E .625(onment v)-.18 F(ariables)-.1 E F3(TSS2_LOG)102 474 Q F0(An)
155 474 Q 2.5(yo)-.15 G(f:)-2.5 E F4(NONE)2.5 E F0(,)A F4(ERR)2.5 E(OR)
-.3 E F0(,)A F4 -1.2(WA)2.5 G(RNING)1.2 E F0(,)A F4(INFO)2.5 E F0(,)A F4
(DEB)2.5 E(UG)-.1 E F0(,)A F4(TRA)2.5 E(CE)-.55 E F0 5(.D)C(ef)-5 E
(ault:)-.1 E F4 -1.2(WA)2.5 G(RNING)1.2 E F0(.)A F4 .625(TPM selection)
84 498 R F0 .516(The library)102 510 R F1(libtss2-tcti-default.so)3.016
E F0 .516(can be link)3.016 F .516(ed to an)-.1 F 3.017(yo)-.15 G 3.017
(ft)-3.017 G(he)-3.017 E F3(libtss2-tcti-)3.017 E/F6 10/Symbol SF(*)A F3
(.so)A F0(libraries)3.017 E .576(to select the def)102 522 R .576
(ault, otherwise)-.1 F F3(/dev/tpmrm0)3.076 E F0 3.076(,t)C(hen)-3.076 E
F3(/dev/tpm0)3.076 E F0 3.076(,t)C(hen)-3.076 E F3(localhost:2321)3.076
E F0 .575(will be tried,)3.076 F(in order)102 534 Q 1.666(\(s)4.166 G
(ee)-1.666 E F3(ESYS_CONTEXT)2.5 E F0 -.834(\(3\) \) .)B F4 .625
(See also)84 558 R F0 3.487(The tpm2-tss git repository at)102 570 R F4
(https://github)5.988 E(.com/tpm2-softwar)-.4 E(e/tpm2-tss)-.18 E F0
3.487(and the documentation at)5.988 F F3(https://tpm2-tss.r)102 396 Q
(eadthedocs.io)-.18 E F0(.)A 3.092
(The TPM 2.0 speci\214cations, mainly at)102 414 R F3
(https://trustedcomputinggr)5.592 E(oup.or)-.18 E
(g/wp-content/uploads/TPM-)-.1 E(Re)102 426 Q(v-2.0-P)-.15 E(art-1-Ar)
-.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0(and related pages.)2.5 E F3
1.666(SPECIAL THANKS)72 450 R F0 1.6 -.8(To a)102 462 T
3.488(and the documentation at)5.988 F F4(https://tpm2-tss.r)102 582 Q
(eadthedocs.io)-.18 E F0(.)A 6.305
(The TPM 2.0 speci\214cations, mainly at)102 600 R F4
(https://trustedcomputinggr)8.805 E(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E
(ce/tpm-library-)-.18 E(speci\214cation/)102 612 Q F0(,)A F4
(https://trustedcomputinggr)116.04 E(oup.or)-.18 E
(g/wp-content/uploads/TPM-)-.1 E(Re)102 624 Q(v-2.0-P)-.15 E(art-1-Ar)
-.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0 2.5(,a)C(nd related pages.)
-2.5 E F4 1.666(SPECIAL THANKS)72 648 R F0 1.6 -.8(To a)102 660 T
(ll who support further de).8 E -.15(ve)-.25 G(lopment, in particular:)
.15 E F3<83>122 474 Q F0(ThePhD)2.5 E F3<83>122 486 Q F0(Embark Studios)
2.5 E F3<83>122 498 Q F0(Jasper Bekk)2.5 E(ers)-.1 E F3(REPOR)72 522 Q
1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102 534 Q
(.ht/~nabijaczleweli/tzpfms)-1 E F1(~nabijaczleweli/tzpfms@lists.sr.ht)
102 552 Q F0 2.5(,a)C(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E
F3(https://lists.sr)2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A F3
1.666(SEE ALSO)72 576 R F1(tpm2_unseal)102 588 Q F0(\(1\))A
(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E
(9)189.295 E 0 Cg EP
.15 E F4<83>122 672 Q F0(ThePhD)2.5 E(tzpfms 0.1-27)72 750 Q(No)138.745
E -.15(ve)-.15 G(mber 28, 2021).15 E(9)189.295 E 0 Cg EP
%%Page: 10 10
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CHANGE-KEY \(8\))72 48 R
(System Manager')53.329 E 2.5(sM)-.55 G 48.329
(anual ZFS-TPM2-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF
<83>122 96 Q F0(Embark Studios)2.5 E F1<83>122 108 Q F0(Jasper Bekk)2.5
E(ers)-.1 E F1(REPOR)72 132 Q 1.666(TING B)-.4 F(UGS)-.1 E
(https://todo.sr)102 144 Q(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10
/Courier@0 SF(~nabijaczleweli/tzpfms@lists.sr.ht)102 162 Q F0 2.5(,a)C
(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)
2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A F1 1.666(SEE ALSO)72 186 R
F2(tpm2_unseal)102 198 Q F0(\(1\))A(PCR allocations:)102 216 Q F1
(https://wiki.ar)2.5 E(chlinux.or)-.18 E(g/title/T)-.1 E(rusted_Platf)
-.74 E(orm_Module#Accessing_PCR_r)-.25 E(egisters)-.18 E F0(and)102 228
Q F1(https://trustedcomputinggr)2.5 E(oup.or)-.18 E
(g/wp-content/uploads/PC-)-.1 E(ClientSpeci\214c_Platf)102 240 Q(orm_Pr)
-.25 E(o\214le_f)-.18 E(or_TPM_2p0_Systems_v51.pdf)-.25 E F0 2.5(,S)C
(ection 2.3.4 "PCR Usage", T)-2.5 E(able 1.)-.8 E(tzpfms 0.1-27)72 750 Q
(No)138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(10)184.295 E 0 Cg EP
%%Page: 11 11
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CLEAR-KEY \(8\))72 48 R
(System Manager')62.209 E 2.5(sM)-.55 G 57.209(anual ZFS-TPM2-CLEAR-KEY)
-2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF -.2(NA)72 96 S(ME).2 E/F2 10
@ -832,30 +902,32 @@ E F0 .575(will be tried,)3.076 F(in order)102 534 Q 1.666(\(s)4.166 G
(See also)84 558 R F0 3.487(The tpm2-tss git repository at)102 570 R F1
(https://github)5.988 E(.com/tpm2-softwar)-.4 E(e/tpm2-tss)-.18 E F0
3.488(and the documentation at)5.988 F F1(https://tpm2-tss.r)102 582 Q
(eadthedocs.io)-.18 E F0(.)A 3.092
(eadthedocs.io)-.18 E F0(.)A 6.305
(The TPM 2.0 speci\214cations, mainly at)102 600 R F1
(https://trustedcomputinggr)5.591 E(oup.or)-.18 E
(g/wp-content/uploads/TPM-)-.1 E(Re)102 612 Q(v-2.0-P)-.15 E(art-1-Ar)
-.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0(and related pages.)2.5 E F1
1.666(SPECIAL THANKS)72 636 R F0 1.6 -.8(To a)102 648 T
(https://trustedcomputinggr)8.805 E(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E
(ce/tpm-library-)-.18 E(speci\214cation/)102 612 Q F0(,)A F1
(https://trustedcomputinggr)116.04 E(oup.or)-.18 E
(g/wp-content/uploads/TPM-)-.1 E(Re)102 624 Q(v-2.0-P)-.15 E(art-1-Ar)
-.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0 2.5(,a)C(nd related pages.)
-2.5 E F1 1.666(SPECIAL THANKS)72 648 R F0 1.6 -.8(To a)102 660 T
(ll who support further de).8 E -.15(ve)-.25 G(lopment, in particular:)
.15 E F1<83>122 660 Q F0(ThePhD)2.5 E F1<83>122 672 Q F0(Embark Studios)
2.5 E(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021)
.15 E(10)184.295 E 0 Cg EP
%%Page: 11 11
.15 E F1<83>122 672 Q F0(ThePhD)2.5 E(tzpfms 0.1-27)72 750 Q(No)138.745
E -.15(ve)-.15 G(mber 28, 2021).15 E(11)184.295 E 0 Cg EP
%%Page: 12 12
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CLEAR-KEY \(8\))72 48 R
(System Manager')62.209 E 2.5(sM)-.55 G 57.209(anual ZFS-TPM2-CLEAR-KEY)
-2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF<83>122 96 Q F0(Jasper Bekk)
2.5 E(ers)-.1 E F1(REPOR)72 120 Q 1.666(TING B)-.4 F(UGS)-.1 E
(https://todo.sr)102 132 Q(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10
/Courier@0 SF(~nabijaczleweli/tzpfms@lists.sr.ht)102 150 Q F0 2.5(,a)C
(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)
2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(11)184.295 E 0 Cg EP
%%Page: 12 12
-2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF<83>122 96 Q F0
(Embark Studios)2.5 E F1<83>122 108 Q F0(Jasper Bekk)2.5 E(ers)-.1 E F1
(REPOR)72 132 Q 1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102 144 Q
(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10/Courier@0 SF
(~nabijaczleweli/tzpfms@lists.sr.ht)102 162 Q F0 2.5(,a)C(rchi)-2.5 E
-.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)2.5 E
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(12)184.295 E 0 Cg EP
%%Page: 13 13
%%BeginPageSetup
BP
%%EndPageSetup
@ -874,20 +946,20 @@ F F3(dataset)102 192 Q F0(.)A(The user is prompted for the additional p\
assphrase, set when creating the k)102 210 Q -.15(ey)-.1 G 2.5(,i)-.5 G
2.5(fo)-2.5 G(ne w)-2.5 E(as set.)-.1 E(See)102 228 Q/F4 10/Courier@0 SF
(zfs-tpm2-change-key)2.5 E F0(\(8\) for a detailed description.)A F1
(OPTIONS)72 252 Q F2<ad6e>103.666 264 Q F0 .179
(Do a no-op/dry run, can be used e)119 276 R -.15(ve)-.25 G 2.679(ni).15
G 2.679(ft)-2.679 G .179(he k)-2.679 F .478 -.15(ey i)-.1 H 2.678(sa).15
G .178(lready loaded.)-2.678 F(Equi)5.178 E -.25(va)-.25 G .178(lent to)
.25 F F2 .178(zfs load-key)2.678 F F0 -.55('s)C F2<ad6e>4.894 E F0
(OPTIONS)72 252 Q F2<ad6e>103.666 264 Q F0 .178
(Do a no-op/dry run, can be used e)119 276 R -.15(ve)-.25 G 2.678(ni).15
G 2.679(ft)-2.678 G .179(he k)-2.679 F .479 -.15(ey i)-.1 H 2.679(sa).15
G .179(lready loaded.)-2.679 F(Equi)5.179 E -.25(va)-.25 G .179(lent to)
.25 F F2 .179(zfs load-key)2.679 F F0 -.55('s)C F2<ad6e>4.895 E F0
(option.)119 288 Q F1(ENVIR)72 312 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35
E F4(TZPFMS_PASSPHRASE_HELPER)102 324 Q F0 .465(By def)143 336 R .466(a\
E F4(TZPFMS_PASSPHRASE_HELPER)102 324 Q F0 .466(By def)143 336 R .466(a\
ult, passphrases are prompted for and read in on the standard output an\
d input streams.)-.1 F(If)5.466 E F4(TZPFMS_PASSPHRASE_HELPER)143 348 Q
F0 .517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G
.516(ill be run via)-3.017 F F4(/bin/)3.016 E F2 2.182(sh \255c)B F0
.516(to pro-)3.016 F(vide each passphrase, instead.)143 360 Q .188
d input streams.)-.1 F(If)5.465 E F4(TZPFMS_PASSPHRASE_HELPER)143 348 Q
F0 .516(is set and nonempty)3.016 F 3.016(,i)-.65 G 3.016(tw)-3.016 G
.517(ill be run via)-3.016 F F4(/bin/)3.017 E F2 2.183(sh \255c)B F0
.517(to pro-)3.017 F(vide each passphrase, instead.)143 360 Q .189
(The standard output stream of the helper is tied to an anon)143 378 R
.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e)
.188(ymous \214le and used in its entirety as the)-.15 F(passphrase, e)
143 390 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65
(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F4($1)155 402 Q F0
(Pre-formatted noun phrase with all the information belo)172 402 Q 1.3
@ -903,29 +975,29 @@ F0 .517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G
-1.666 F(is used as f)143 468 Q 2.5(all-back. If)-.1 F(it f)2.5 E
(ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.)
-2.5 E F1 1.666(TPM1.X back-end con\214guration)72 492 R .625
(TPM selection)84 504 R F0(The)102 516 Q F2(tzpfms)2.767 E F0 .267
(TPM selection)84 504 R F0(The)102 516 Q F2(tzpfms)2.768 E F0 .267
(suite connects to a local)2.767 F F4(tcsd)2.767 E F0 .267
(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E F4(localhost:30003)2.767 E
F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)-2.767 E 2.767(ault. Use)-.1 F
.268(the en-)2.767 F(vironment v)102 528 Q(ariable)-.25 E F4
(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .392
(The T)102 546 R(rouSerS)-.35 E F4(tcsd)2.892 E F0 .392
.267(the en-)2.767 F(vironment v)102 528 Q(ariable)-.25 E F4
(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .391
(The T)102 546 R(rouSerS)-.35 E F4(tcsd)2.891 E F0 .391
(\(8\) daemon will try)B F4(/dev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E
F4(/udev/tpm0)2.892 E F0 2.891(,t)C(hen)-2.891 E F4(/dev/tpm)2.891 E F0
2.891(;b)C 2.891(yo)-2.891 G(ccup)-2.891 E(ying)-.1 E
F4(/udev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/dev/tpm)2.892 E F0
2.892(;b)C 2.892(yo)-2.892 G(ccup)-2.892 E(ying)-.1 E
(one of the earlier ones with, for e)102 558 Q
(xample, shell redirection, a later one can be selected.)-.15 E F1 .625
(See also)84 582 R F0(The T)102 594 Q(rouSerS project page at)-.35 E F1
(https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18
E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102
612 R 7.609(xa)-.15 G(t)-7.609 E F1(https://trustedcomputinggr)7.609 E
E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102
612 R 7.608(xa)-.15 G(t)-7.608 E F1(https://trustedcomputinggr)7.608 E
(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E
(speci\214cation)102 624 Q F0(.)A F1 1.666(SPECIAL THANKS)72 648 R F0
1.6 -.8(To a)102 660 T(ll who support further de).8 E -.15(ve)-.25 G
(lopment, in particular:).15 E F1<83>122 672 Q F0(ThePhD)2.5 E
(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E
(12)184.295 E 0 Cg EP
%%Page: 13 13
(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E
(13)184.295 E 0 Cg EP
%%Page: 14 14
%%BeginPageSetup
BP
%%EndPageSetup
@ -937,8 +1009,8 @@ BP
(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10/Courier@0 SF
(~nabijaczleweli/tzpfms@lists.sr.ht)102 162 Q F0 2.5(,a)C(rchi)-2.5 E
-.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)2.5 E
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(13)184.295 E 0 Cg EP
(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No)
138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(14)184.295 E 0 Cg EP
%%Trailer
end
%%EOF
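Review bot: this hunk, like the other tzpfms.ps hunks above it, is regenerated groff output and cannot be reviewed line by line; the only checkable facts in it are the footers (`tzpfms 0.1-27`, `November 28, 2021`) and the renumbered pages 9 through 14, which do agree with the `.Os tzpfms 0.1-27` / `.Dd November 28, 2021` bumps in the mdoc sources further down. Consider regenerating the PostScript in its own commit, or not tracking it at all, so that the reviewable source changes (new `-P`/`-A` options, password to passphrase wording, SEE ALSO additions) are not buried under several hundred lines of typesetting noise.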

@ -1,9 +1,9 @@
.\" SPDX-License-Identifier: MIT
.
.Dd November 25, 2021
.Dd November 28, 2021
.ds doc-volume-operating-system
.Dt ZFS-TPM-LIST 8
.Os tzpfms 0.1-23
.Os tzpfms 0.1-27
.
.Sh NAME
.Nm zfs-tpm-list

@ -164,8 +164,8 @@ tarta-zoot/vm - available yes</div>
</div>
<table class="foot">
<tr>
<td class="foot-date">November 25, 2021</td>
<td class="foot-os">tzpfms 0.1-23</td>
<td class="foot-date">November 28, 2021</td>
<td class="foot-os">tzpfms 0.1-27</td>
</tr>
</table>
</body>

@ -1,9 +1,9 @@
.\" SPDX-License-Identifier: MIT
.
.Dd November 25, 2021
.Dd November 28, 2021
.ds doc-volume-operating-system
.Dt ZFS-TPM1X-CHANGE-KEY 8
.Os tzpfms 0.1-23
.Os tzpfms 0.1-27
.
.Sh NAME
.Nm zfs-tpm1x-change-key
@ -11,6 +11,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl b Ar backup-file
.Op Fl P Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns
.Ar dataset
.
.Sh DESCRIPTION
@ -63,7 +64,7 @@ tools
.Li tzpfms.key
is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs;
the first one represents the RSA key protecting the blob,
and it is protected with either the password, if provided, or the SHA1 constant
and it is protected with either the passphrase, if provided, or the SHA1 constant
.Li CE4CF677875B5EB8993591D5A9AF1ED24A3A8736 ;
the second represents the sealed object containing the wrapping key,
and is protected with the SHA1 constant
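Review bot: the password to passphrase change is consistent with the rest of the page, but the unchanged context line two above still reads `(i.e. "4F7730" for "Ow0")`; that is an example of the encoding, not a restatement, so `e.g.` is meant.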
@ -80,13 +81,13 @@ or to issue a note for manual intervention into the standard error stream.
A final verification should be made by running
.Nm zfs-tpm1x-load-key Fl n Ar dataset .
If that command succeeds, all is well,
but otherwise the dataset can be manually rolled back to a password with
but otherwise the dataset can be manually rolled back to a passphrase with
.Nm zfs-tpm1x-clear-key Ar dataset
.Pq or, if that fails to work, Nm zfs Cm change-key Fl o Li keyformat=passphrase Ar dataset ,
and you are hereby asked to report a bug, please.
.Pp
.Nm zfs-tpm1x-clear-key Ar dataset
can be used to clear the properties and go back to using a password.
can be used to clear the properties and go back to using a passphrase.
.
.Sh OPTIONS
.Bl -tag -compact -width "-b backup-file"
@ -99,6 +100,15 @@ This back-up
be stored securely, off-site.
In case of a catastrophic event, the key can be loaded by running
.Dl Nm zfs Cm load-key Ar dataset Li < Ar backup-file
.Pp
.
.It Fl P Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns
Bind the key to space- or comma-separated
.Ar PCR Ns s
\(em if they change, the wrapping key will not be able to be unsealed.
The minimum amount of PCRs for a PC TPM is
.Sy 24 Pq numbered Sy 0 Ns .. Ns Sy 23 .
For most, this is also the maximum.
.El
.
.\" SPDX-License-Identifier: MIT
@ -189,3 +199,11 @@ Jasper Bekkers
.Mt ~nabijaczleweli/tzpfms@lists.sr.ht ,
archived at
.Lk https:/\&/lists.sr.ht/~nabijaczleweli/tzpfms .
.
.Sh SEE ALSO
.\" Match this to zfs-tpm2-change-key.8:
PCR allocations:
.Lk https:/\&/wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
and
.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf ,
Section 2.3.4 "PCR Usage", Table 1.
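Review bot: the SEE ALSO added here cites the TPM 2.0 PC Client Platform Profile (`PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf`, Section 2.3.4) for PCR allocations, yet this is the TPM 1.X page. Either cite the TPM 1.2 PC Client specification's PCR usage table instead, or state explicitly that the 2.0 allocation is being used as the reference for 1.2 as well; the `.\" Match this to zfs-tpm2-change-key.8:` comment keeps the two files in sync but does not tell the reader that.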

@ -29,6 +29,8 @@
<tr>
<td><code class="Nm">zfs-tpm1x-change-key</code></td>
<td>[<code class="Fl">-b</code> <var class="Ar">backup-file</var>]
[<code class="Fl">-P</code>
<var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;]
<var class="Ar">dataset</var></td>
</tr>
</table>
@ -70,7 +72,7 @@
<p class="Pp"><code class="Li">tzpfms.key</code> is a colon-separated pair of
hexadecimal-string (i.e. &quot;4F7730&quot; for &quot;Ow0&quot;) blobs; the
first one represents the RSA key protecting the blob, and it is protected
with either the password, if provided, or the SHA1 constant
with either the passphrase, if provided, or the SHA1 constant
<code class="Li">CE4CF677875B5EB8993591D5A9AF1ED24A3A8736</code>; the second
represents the sealed object containing the wrapping key, and is protected
with the SHA1 constant
@ -87,7 +89,7 @@
<p class="Pp">A final verification should be made by running
<code class="Nm">zfs-tpm1x-load-key</code> <code class="Fl">-n</code>
<var class="Ar">dataset</var>. If that command succeeds, all is well, but
otherwise the dataset can be manually rolled back to a password with
otherwise the dataset can be manually rolled back to a passphrase with
<code class="Nm">zfs-tpm1x-clear-key</code> <var class="Ar">dataset</var>
(or, if that fails to work, <code class="Nm">zfs</code>
<code class="Cm">change-key</code> <code class="Fl">-o</code>
@ -95,7 +97,7 @@
and you are hereby asked to report a bug, please.</p>
<p class="Pp"><code class="Nm">zfs-tpm1x-clear-key</code>
<var class="Ar">dataset</var> can be used to clear the properties and go
back to using a password.</p>
back to using a passphrase.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="OPTIONS"><a class="permalink" href="#OPTIONS">OPTIONS</a></h1>
@ -110,7 +112,16 @@
<code class="Cm">load-key</code> <var class="Ar">dataset</var>
<code class="Li">&lt;</code>
<var class="Ar">backup-file</var></code></div>
<p class="Pp"></p>
</dd>
<dt id="P"><a class="permalink" href="#P"><code class="Fl">-P</code></a>
<var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;</dt>
<dd>Bind the key to space- or comma-separated <var class="Ar">PCR</var>s
&#x2014; if they change, the wrapping key will not be able to be unsealed.
The minimum amount of PCRs for a PC TPM is
<a class="permalink" href="#24"><b class="Sy" id="24">24</b></a> (numbered
<a class="permalink" href="#0"><b class="Sy" id="0">0</b></a>..<a class="permalink" href="#23"><b class="Sy" id="23">23</b></a>).
For most, this is also the maximum.</dd>
</dl>
</section>
<section class="Sh">
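Review bot: the `<p class="Pp"></p>` closing the `-b` entry is an empty paragraph produced by the `.Pp` inserted before `.It Fl P` in the mdoc source, and it renders as stray vertical space in the HTML. If the intent is only to separate the entries of the `-compact` list, dropping `-compact` from the `.Bl` line gives the same spacing without emitting empty elements.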
@ -193,11 +204,20 @@
archived at
<a class="Lk" href="https://lists.sr.ht/~nabijaczleweli/tzpfms">https://lists.sr.ht/~nabijaczleweli/tzpfms</a>.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp">PCR allocations:
<a class="Lk" href="https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers">https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers</a>
and
<a class="Lk" href="https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf">https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf</a>,
Section 2.3.4 &quot;PCR Usage&quot;, Table 1.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">November 25, 2021</td>
<td class="foot-os">tzpfms 0.1-23</td>
<td class="foot-date">November 28, 2021</td>
<td class="foot-os">tzpfms 0.1-27</td>
</tr>
</table>
</body>

@ -1,9 +1,9 @@
.\" SPDX-License-Identifier: MIT
.
.Dd November 25, 2021
.Dd November 28, 2021
.ds doc-volume-operating-system
.Dt ZFS-TPM1X-CLEAR-KEY 8
.Os tzpfms 0.1-23
.Os tzpfms 0.1-27
.
.Sh NAME
.Nm zfs-tpm1x-clear-key

@ -101,8 +101,8 @@
</div>
<table class="foot">
<tr>
<td class="foot-date">November 25, 2021</td>
<td class="foot-os">tzpfms 0.1-23</td>
<td class="foot-date">November 28, 2021</td>
<td class="foot-os">tzpfms 0.1-27</td>
</tr>
</table>
</body>

@ -1,9 +1,9 @@
.\" SPDX-License-Identifier: MIT
.
.Dd November 25, 2021
.Dd November 28, 2021
.ds doc-volume-operating-system
.Dt ZFS-TPM1X-LOAD-KEY 8
.Os tzpfms 0.1-23
.Os tzpfms 0.1-27
.
.Sh NAME
.Nm zfs-tpm1x-load-key

@ -137,8 +137,8 @@
</div>
<table class="foot">
<tr>
<td class="foot-date">November 25, 2021</td>
<td class="foot-os">tzpfms 0.1-23</td>
<td class="foot-date">November 28, 2021</td>
<td class="foot-os">tzpfms 0.1-27</td>
</tr>
</table>
</body>

@ -1,9 +1,9 @@
.\" SPDX-License-Identifier: MIT
.
.Dd November 25, 2021
.Dd November 28, 2021
.ds doc-volume-operating-system
.Dt ZFS-TPM2-CHANGE-KEY 8
.Os tzpfms 0.1-23
.Os tzpfms 0.1-27
.
.Sh NAME
.Nm zfs-tpm2-change-key
@ -11,6 +11,10 @@
.Sh SYNOPSIS
.Nm
.Op Fl b Ar backup-file
.Oo
.Fl P Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns Ns Oo Cm + Ns Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns Oc Ns
.Op Fl A
.Oc
.Ar dataset
.
.Sh DESCRIPTION
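Review bot: the SYNOPSIS nests `.Op Fl A` inside the `.Oo Fl P ... Oc` group, which matches the OPTIONS text ("With -P, also prompt for a passphrase") but leaves undocumented what `-A` without `-P` does; say whether it is rejected or silently ignored, since a user who passes `-A` alone expecting a passphrase prompt will otherwise not know which behaviour they got.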
@ -50,7 +54,7 @@ The following properties are set on
.It
.Li xyz.nabijaczleweli:tzpfms.backend Ns = Ns Sy TPM2
.It
.Li xyz.nabijaczleweli:tzpfms.key Ns = Ns Ar ID of persistent object
.Li xyz.nabijaczleweli:tzpfms.key Ns = Ns Ar persistent-object-ID Ns Op Cm ;\& Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns Ns Oo Cm + Ns Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns Oc Ns
.El
.Pp
.Li tzpfms.backend
@ -61,10 +65,17 @@ tools
.Pq namely Xr zfs-tpm2-change-key 8 , Xr zfs-tpm2-load-key 8 , and Xr zfs-tpm2-clear-key 8 .
.Pp
.Li tzpfms.key
is an integer representing the sealed object;
is an integer representing the sealed object, optionally followed by a semicolon and PCR list as specified with
.Fl P ,
normalised to be
.Nm tpm-tools Ns -toolchain-compatible ;
if needed, it can be passed to
.Nm tpm2_unseal Fl c Ev ${tzpfms.key} Op Fl p Ev ${password}
or equivalent for back-up
.Nm tpm2_unseal Fl c Ev ${tzpfms.key Ns Cm %% Ns Li ;* Ns Ev }\&
with
.Fl p Qq Li str:\& Ns Ev ${passphrase}
or
.Fl p Qq Li pcr:\& Ns Ev ${tzpfms.key Ns Cm # Ns Li *; Ns Ev }\& ,
as the case may be, or equivalent, for back-up
.Pq see Sx OPTIONS .
If you have a sealed key you can access with that or equivalent tool and set both of these properties, it will funxion seamlessly.
.Pp
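Review bot: "normalised to be tpm-tools-toolchain-compatible" names the wrong toolchain: `tpm-tools` is the TrouSerS TPM 1.2 suite, whereas the commands shown two lines later (`tpm2_unseal -c ... -p "str:..."` / `-p "pcr:..."`) belong to tpm2-tools, so this should read `tpm2-tools`. The `${tzpfms.key%%;*}` and `${tzpfms.key#*;}` expansions are also not literal shell, since a dot is not allowed in a parameter name; a short "(in shell notation)" aside, or writing them against a plain variable such as the one holding the property value, would stop readers from pasting them verbatim.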
@ -77,13 +88,13 @@ or to issue a note for manual intervention into the standard error stream.
A final verification should be made by running
.Nm zfs-tpm2-load-key Fl n Ar dataset .
If that command succeeds, all is well,
but otherwise the dataset can be manually rolled back to a password with
but otherwise the dataset can be manually rolled back to a passphrase with
.Nm zfs-tpm2-clear-key Ar dataset
.Pq or, if that fails to work, Nm zfs Cm change-key Fl o Li keyformat=passphrase Ar dataset ,
and you are hereby asked to report a bug, please.
.Pp
.Nm zfs-tpm2-clear-key Ar dataset
can be used to free the TPM persistent object and go back to using a password.
can be used to free the TPM persistent object and go back to using a passphrase.
.
.Sh OPTIONS
.Bl -tag -compact -width "-b backup-file"
@ -96,6 +107,48 @@ This back-up
be stored securely, off-site.
In case of a catastrophic event, the key can be loaded by running
.Dl Nm zfs Cm load-key Ar dataset Li < Ar backup-file
.Pp
.
.It Fl P Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns Ns Oo Cm + Ns Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns Oc Ns
Bind the key to space- or comma-separated
.Ar PCR Ns s
within their corresponding hashing
.Ar algorithm
\(em if they change, the wrapping key will not be able to be unsealed.
There are
.Sy 24
PCRs, numbered
.Sy 0 Ns .. Ns Sy 23 .
.Pp
.Ar algorithm
may be any of case-insensitive
.Qq Sy sha1 ,
.Qq Sy sha256 ,
.Qq Sy sha384 ,
.Qq Sy sha512 ,
.Qq Sy sm3_256 ,
.Qq Sy sm3-256 ,
.Qq Sy sha3_256 ,
.Qq Sy sha3-256 ,
.Qq Sy sha3_384 ,
.Qq Sy sha3-384 ,
.Qq Sy sha3_512 ,
or
.Qq Sy sha3-512 ,
and must be supported by the TPM.
.Pp
.
.It Fl A
With
.Fl P ,
also prompt for a passphrase.
This is skipped by default because the passphrase is
.Em OR Ns ed
with the PCR policy \(em the wrapping key can be unsealed
.Em either
passphraseless with the right PCRs
.Em or
with the passphrase, and this is usually not the intent.
.El
.
.\" SPDX-License-Identifier: MIT
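Review bot: the `.It Fl P` tag line carries a doubled `Ns Ns` between `Oc` and `Oo`, and the generated HTML shows an ellipsis after each closing `]` that this source line does not contain, so either the line is truncated in this view or the source and the rendered page are out of sync; please re-check it. The body says "space- or comma-separated PCRs" while the tag only documents `,` as a separator; a space-separated list only works if it is quoted into a single argument, so either drop "space-" or show the quoted form. The bare `.Pp` before each `.It` renders as an empty paragraph inside this `-compact` list (it appears as `<p class="Pp"></p>` in the HTML hunk); remove them if the extra vertical space is not intended. On `-A`: the OR semantics are stated clearly, but the entry does not say what happens when `-A` is given without `-P` (ignored, or an error), and it would help the reader to spell out the consequence of the OR for recovery: once the PCRs change, the `-A` passphrase or the `-b` backup file are the only ways back to the dataset key, and with neither the TPM will not release it.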
@ -168,7 +221,8 @@ and the documentation at
.Lk https:/\&/tpm2-tss.readthedocs.io .
.Pp
The TPM 2.0 specifications, mainly at
.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf
.Lk https:/\&/trustedcomputinggroup.org/resource/tpm-library-specification/ ,
.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf ,
and related pages.
.
.\" SPDX-License-Identifier: MIT
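Review bot: the bare `,` after each `.Lk` URL is passed as a macro argument, which mandoc treats as trailing punctuation, so it renders correctly (the HTML hunk below shows `</a>,`); but because neither `.Lk` has a display name, both links render as raw URLs and the reader cannot tell the general library-specification page from the version-pinned Part 1 Architecture PDF. Consider giving each `.Lk` a short second argument such as "TPM Library Specification" and "Part 1: Architecture, rev 01.38". The identical change is repeated in zfs-tpm2-clear-key.8 and in both HTML renderings later in this commit, and the four copies agree.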
@ -193,3 +247,10 @@ archived at
.
.Sh SEE ALSO
.Xr tpm2_unseal 1
.Pp
.\" Match this to zfs-tpm1x-change-key.8:
PCR allocations:
.Lk https:/\&/wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers
and
.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf ,
Section 2.3.4 "PCR Usage", Table 1.
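Review bot: the `.\" Match this to zfs-tpm1x-change-key.8:` comment points at a page that does not appear in the visible hunks of this commit, so please confirm the tpm1x page received the same "PCR allocations" block, otherwise the comment goes stale immediately. Both new references are useful for choosing PCRs for `-P`; note that the Platform Profile link is pinned to the v51 document and the Arch wiki link depends on the `#Accessing_PCR_registers` heading keeping its name, so they are more likely to rot than the library-specification page linked in the previous hunk.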

@ -29,7 +29,9 @@
<tr>
<td><code class="Nm">zfs-tpm2-change-key</code></td>
<td>[<code class="Fl">-b</code> <var class="Ar">backup-file</var>]
<var class="Ar">dataset</var></td>
[<code class="Fl">-P</code>
<var class="Ar">algorithm</var><code class="Cm">:</code><var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;[<code class="Cm">+</code><var class="Ar">algorithm</var><code class="Cm">:</code><var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;]&#x2026;
[<code class="Fl">-A</code>]] <var class="Ar">dataset</var></td>
</tr>
</table>
</section>
@ -59,8 +61,8 @@
<var class="Ar">dataset</var>:</p>
<ul class="Bl-bullet Bd-indent Bl-compact">
<li id="xyz.nabijaczleweli:tzpfms.backend"><a class="permalink" href="#xyz.nabijaczleweli:tzpfms.backend"><code class="Li">xyz.nabijaczleweli:tzpfms.backend</code></a>=<b class="Sy">TPM2</b></li>
<li id="xyz.nabijaczleweli:tzpfms.key"><a class="permalink" href="#xyz.nabijaczleweli:tzpfms.key"><code class="Li">xyz.nabijaczleweli:tzpfms.key</code></a>=<var class="Ar">ID
of persistent object</var></li>
<li id="xyz.nabijaczleweli:tzpfms.key"><a class="permalink" href="#xyz.nabijaczleweli:tzpfms.key"><code class="Li">xyz.nabijaczleweli:tzpfms.key</code></a>=<var class="Ar">persistent-object-ID</var>[<code class="Cm">;</code>
<var class="Ar">algorithm</var><code class="Cm">:</code><var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;[<code class="Cm">+</code><var class="Ar">algorithm</var><code class="Cm">:</code><var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;]&#x2026;]</li>
</ul>
<p class="Pp"><code class="Li">tzpfms.backend</code> identifies this dataset for
work with <b class="Sy">TPM2</b>-back-ended <code class="Nm">tzpfms</code>
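Review bot: in the rendered `tzpfms.key` line, `[<code class="Cm">;</code>` is followed by a line break before `<var class="Ar">algorithm</var>`, and a line break is a space in HTML, so the page displays `persistent-object-ID[; algorithm:PCR...]` while the stored property value presumably has no space after the semicolon; join the pieces with `Ns` in the mdoc source so the format reads exactly as stored. It may also be worth one clause noting that `;` is a shell metacharacter, so a value read back with `zfs get` into a shell variable must be quoted when expanded.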
@ -69,10 +71,16 @@
<a class="Xr" href="zfs-tpm2-load-key.8.html">zfs-tpm2-load-key(8)</a>, and
<a class="Xr" href="zfs-tpm2-clear-key.8.html">zfs-tpm2-clear-key(8)</a>).</p>
<p class="Pp"><code class="Li">tzpfms.key</code> is an integer representing the
sealed object; if needed, it can be passed to
<code class="Nm">tpm2_unseal</code> <code class="Fl">-c</code>
<code class="Ev">${tzpfms.key}</code> [<code class="Fl">-p</code>
<code class="Ev">${password}</code>] or equivalent for back-up (see
sealed object, optionally followed by a semicolon and PCR list as specified
with <code class="Fl">-P</code>, normalised to be
<code class="Nm">tpm-tools</code>-toolchain-compatible; if needed, it can be
passed to <code class="Nm">tpm2_unseal</code> <code class="Fl">-c</code>
<code class="Ev">${tzpfms.key</code><code class="Cm">%%</code><code class="Li">;*</code><code class="Ev">}</code>
with <code class="Fl">-p</code>
&quot;<code class="Li">str:</code><code class="Ev">${passphrase}</code>&quot;
or <code class="Fl">-p</code>
&quot;<code class="Li">pcr:</code><code class="Ev">${tzpfms.key</code><code class="Cm">#</code><code class="Li">*;</code><code class="Ev">}</code>&quot;,
as the case may be, or equivalent, for back-up (see
<a class="Sx" href="#OPTIONS">OPTIONS</a>). If you have a sealed key you can
access with that or equivalent tool and set both of these properties, it
will funxion seamlessly.</p>
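Review bot: `${tzpfms.key%%;*}` and `${tzpfms.key#*;}` are not valid shell expansions as written, because `.` cannot occur in a parameter name; they read as shorthand for "the part before the first `;`" and "the part after it", which the `%%;*` and `#*;` operators do express correctly on a variable that holds the property value. Either say so, or show the value being fetched first, e.g. with `zfs get -H -o value xyz.nabijaczleweli:tzpfms.key dataset`, so the reader does not try the line verbatim. The split itself is right: `-c` receives the persistent handle, and `-p "str:..."` versus `-p "pcr:..."` are the two tpm2-tools auth forms for the passphrase and PCR-policy paths, which is consistent with the OR semantics documented under `-A`.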
@ -86,7 +94,7 @@
<p class="Pp">A final verification should be made by running
<code class="Nm">zfs-tpm2-load-key</code> <code class="Fl">-n</code>
<var class="Ar">dataset</var>. If that command succeeds, all is well, but
otherwise the dataset can be manually rolled back to a password with
otherwise the dataset can be manually rolled back to a passphrase with
<code class="Nm">zfs-tpm2-clear-key</code> <var class="Ar">dataset</var>
(or, if that fails to work, <code class="Nm">zfs</code>
<code class="Cm">change-key</code> <code class="Fl">-o</code>
@ -94,7 +102,7 @@
and you are hereby asked to report a bug, please.</p>
<p class="Pp"><code class="Nm">zfs-tpm2-clear-key</code>
<var class="Ar">dataset</var> can be used to free the TPM persistent object
and go back to using a password.</p>
and go back to using a passphrase.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="OPTIONS"><a class="permalink" href="#OPTIONS">OPTIONS</a></h1>
@ -109,7 +117,43 @@
<code class="Cm">load-key</code> <var class="Ar">dataset</var>
<code class="Li">&lt;</code>
<var class="Ar">backup-file</var></code></div>
<p class="Pp"></p>
</dd>
<dt id="P"><a class="permalink" href="#P"><code class="Fl">-P</code></a>
<var class="Ar">algorithm</var><code class="Cm">:</code><var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;[<code class="Cm">+</code><var class="Ar">algorithm</var><code class="Cm">:</code><var class="Ar">PCR</var>[<code class="Cm">,</code><var class="Ar">PCR</var>]&#x2026;]&#x2026;</dt>
<dd>Bind the key to space- or comma-separated <var class="Ar">PCR</var>s
within their corresponding hashing <var class="Ar">algorithm</var>
&#x2014; if they change, the wrapping key will not be able to be unsealed.
There are <a class="permalink" href="#24"><b class="Sy" id="24">24</b></a>
PCRs, numbered
<a class="permalink" href="#0"><b class="Sy" id="0">0</b></a>..<a class="permalink" href="#23"><b class="Sy" id="23">23</b></a>.
<p class="Pp" id="sha1"><var class="Ar">algorithm</var> may be any of
case-insensitive
&quot;<a class="permalink" href="#sha1"><b class="Sy">sha1</b></a>&quot;,
&quot;<a class="permalink" href="#sha256"><b class="Sy" id="sha256">sha256</b></a>&quot;,
&quot;<a class="permalink" href="#sha384"><b class="Sy" id="sha384">sha384</b></a>&quot;,
&quot;<a class="permalink" href="#sha512"><b class="Sy" id="sha512">sha512</b></a>&quot;,
&quot;<a class="permalink" href="#sm3_256"><b class="Sy" id="sm3_256">sm3_256</b></a>&quot;,
&quot;<a class="permalink" href="#sm3-256"><b class="Sy" id="sm3-256">sm3-256</b></a>&quot;,
&quot;<a class="permalink" href="#sha3_256"><b class="Sy" id="sha3_256">sha3_256</b></a>&quot;,
&quot;<a class="permalink" href="#sha3-256"><b class="Sy" id="sha3-256">sha3-256</b></a>&quot;,
&quot;<a class="permalink" href="#sha3_384"><b class="Sy" id="sha3_384">sha3_384</b></a>&quot;,
&quot;<a class="permalink" href="#sha3-384"><b class="Sy" id="sha3-384">sha3-384</b></a>&quot;,
&quot;<a class="permalink" href="#sha3_512"><b class="Sy" id="sha3_512">sha3_512</b></a>&quot;,
or
&quot;<a class="permalink" href="#sha3-512"><b class="Sy" id="sha3-512">sha3-512</b></a>&quot;,
and must be supported by the TPM.</p>
<p class="Pp"></p>
</dd>
<dt id="A"><a class="permalink" href="#A"><code class="Fl">-A</code></a></dt>
<dd>With <code class="Fl">-P</code>, also prompt for a passphrase. This is
skipped by default because the passphrase is
<a class="permalink" href="#OR"><i class="Em" id="OR">OR</i></a>ed with
the PCR policy &#x2014; the wrapping key can be unsealed
<a class="permalink" href="#either"><i class="Em" id="either">either</i></a>
passphraseless with the right PCRs
<a class="permalink" href="#or"><i class="Em" id="or">or</i></a> with the
passphrase, and this is usually not the intent.</dd>
</dl>
</section>
<section class="Sh">
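Review bot: the `<p class="Pp"></p>` closing the `-b` and `-P` items is the empty paragraph produced by the `.Pp` that precedes each `.It` in the `-compact` list in the mdoc source, and it renders as stray vertical space; drop those `.Pp` lines in the source rather than in this generated file. mandoc has also turned `24`, `0`, `23`, `OR`, `either` and `or` into permalink anchors (`id="24"`, `id="0"`, `id="OR"` and so on) because they are marked with `.Sy`/`.Em`; if anchors on bare numbers and words are not wanted, leave those tokens unstyled in the source.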
@ -183,7 +227,8 @@
and the documentation at
<a class="Lk" href="https://tpm2-tss.readthedocs.io">https://tpm2-tss.readthedocs.io</a>.</p>
<p class="Pp">The TPM 2.0 specifications, mainly at
<a class="Lk" href="https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf</a>
<a class="Lk" href="https://trustedcomputinggroup.org/resource/tpm-library-specification/">https://trustedcomputinggroup.org/resource/tpm-library-specification/</a>,
<a class="Lk" href="https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf</a>,
and related pages.</p>
</section>
</section>
@ -209,12 +254,17 @@
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr" href="https://manpages.debian.org/bullseye/tpm2_unseal.1">tpm2_unseal(1)</a></p>
<p class="Pp">PCR allocations:
<a class="Lk" href="https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers">https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers</a>
and
<a class="Lk" href="https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf">https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf</a>,
Section 2.3.4 &quot;PCR Usage&quot;, Table 1.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">November 25, 2021</td>
<td class="foot-os">tzpfms 0.1-23</td>
<td class="foot-date">November 28, 2021</td>
<td class="foot-os">tzpfms 0.1-27</td>
</tr>
</table>
</body>

@ -1,9 +1,9 @@
.\" SPDX-License-Identifier: MIT
.
.Dd November 25, 2021
.Dd November 28, 2021
.ds doc-volume-operating-system
.Dt ZFS-TPM2-CLEAR-KEY 8
.Os tzpfms 0.1-23
.Os tzpfms 0.1-27
.
.Sh NAME
.Nm zfs-tpm2-clear-key
@ -107,7 +107,8 @@ and the documentation at
.Lk https:/\&/tpm2-tss.readthedocs.io .
.Pp
The TPM 2.0 specifications, mainly at
.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf
.Lk https:/\&/trustedcomputinggroup.org/resource/tpm-library-specification/ ,
.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf ,
and related pages.
.
.\" SPDX-License-Identifier: MIT

@ -126,7 +126,8 @@
and the documentation at
<a class="Lk" href="https://tpm2-tss.readthedocs.io">https://tpm2-tss.readthedocs.io</a>.</p>
<p class="Pp">The TPM 2.0 specifications, mainly at
<a class="Lk" href="https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf</a>
<a class="Lk" href="https://trustedcomputinggroup.org/resource/tpm-library-specification/">https://trustedcomputinggroup.org/resource/tpm-library-specification/</a>,
<a class="Lk" href="https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf">https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf</a>,
and related pages.</p>
</section>
</section>
@ -151,8 +152,8 @@
</div>
<table class="foot">
<tr>
<td class="foot-date">November 25, 2021</td>
<td class="foot-os">tzpfms 0.1-23</td>
<td class="foot-date">November 28, 2021</td>
<td class="foot-os">tzpfms 0.1-27</td>
</tr>
</table>
</body>

@ -1,9 +1,9 @@
.\" SPDX-License-Identifier: MIT
.
.Dd November 25, 2021
.Dd November 28, 2021
.ds doc-volume-operating-system
.Dt ZFS-TPM2-LOAD-KEY 8
.Os tzpfms 0.1-23
.Os tzpfms 0.1-27
.
.Sh NAME
.Nm zfs-tpm2-load-key

@ -136,8 +136,8 @@
</div>
<table class="foot">
<tr>
<td class="foot-date">November 25, 2021</td>
<td class="foot-os">tzpfms 0.1-23</td>
<td class="foot-date">November 28, 2021</td>
<td class="foot-os">tzpfms 0.1-27</td>
</tr>
</table>
</body>