diff --git a/tzpfms.pdf b/tzpfms.pdf index 30ede75..7c7f941 100644 Binary files a/tzpfms.pdf and b/tzpfms.pdf differ diff --git a/tzpfms.ps b/tzpfms.ps index 98bfd7e..668d4b0 100644 --- a/tzpfms.ps +++ b/tzpfms.ps @@ -1,6 +1,6 @@ %!PS-Adobe-3.0 %%Creator: groff version 1.22.4 -%%CreationDate: Thu Nov 25 15:34:51 2021 +%%CreationDate: Sun Nov 28 00:41:42 2021 %%DocumentNeededResources: font Times-Roman %%+ font Times-Bold %%+ font Courier-Bold @@ -9,7 +9,7 @@ %%+ font Symbol %%+ font Times-Italic %%DocumentSuppliedResources: procset grops 1.22 4 -%%Pages: 13 +%%Pages: 14 %%PageOrder: Ascend %%DocumentMedia: Default 595 842 0 () () %%Orientation: Portrait @@ -306,8 +306,8 @@ E F3(back-end)2.5 E F0(.)A F2103.666 474 Q F0 (tarta-zoot/home TPM2)102 654 R 6(unavailable yes)36 F($)102 678 Q F2 1.666(zfs-tpm-list \255ra)6 F F3(tarta-zoot)6 E F4 72(NAME BACK-END)102 690 R 18(KEYSTATUS COHERENT)12 F 36(tarta-zoot TPM1.X)102 702 R 18 -(available yes)24 F F0(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 -G(mber 25, 2021).15 E(1)189.295 E 0 Cg EP +(available yes)24 F F0(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 +G(mber 28, 2021).15 E(1)189.295 E 0 Cg EP %%Page: 2 2 %%BeginPageSetup BP @@ -329,8 +329,8 @@ E(ers)-.1 E F3(REPOR)72 300 Q 1.666(TING B)-.4 F(UGS)-.1 E (https://todo.sr)102 312 Q(.ht/~nabijaczleweli/tzpfms)-1 E F1 (~nabijaczleweli/tzpfms@lists.sr.ht)102 330 Q F0 2.5(,a)C(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F3(https://lists.sr)2.5 E -(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No) -138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(2)189.295 E 0 Cg EP +(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No) +138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(2)189.295 E 0 Cg EP %%Page: 3 3 %%BeginPageSetup BP @@ -342,10 +342,11 @@ BP 108 Q F0 2.5<8a63>2.5 G(hange ZFS dataset k)-2.5 E .3 -.15(ey t)-.1 H 2.5(oo).15 G(ne stored on the TPM)-2.5 E F1(SYNOPSIS)72 132 Q F2 (zfs-tpm1x-change-key)102 144 Q F0([)3.333 E F22.499 E/F3 10 -/Courier-Oblique@0 SF(backup-file)6 E F0(]).833 E F3(dataset)2.5 E F1 -(DESCRIPTION)72 168 Q F0 4.76 -.8(To n)102 180 T 3.16(ormalise the).8 F -F3(dataset)5.66 E F0(,)A F2(zfs-tpm1x-change-key)5.66 E F0 3.16 -(will open its encryption root in its stead.)5.66 F F2 +/Courier-Oblique@0 SF(backup-file)6 E F0 3.333(][).833 G F2-.834 E +F3(PCR)6 E F0([)A F2(,)A F3(PCR)A F0 1.666(]...)C(])-.833 E F3(dataset) +2.5 E F1(DESCRIPTION)72 168 Q F0 4.76 -.8(To n)102 180 T 3.16 +(ormalise the).8 F F3(dataset)5.66 E F0(,)A F2(zfs-tpm1x-change-key)5.66 +E F0 3.16(will open its encryption root in its stead.)5.66 F F2 (zfs-tpm1x-change-key)102 192 Q F0(will)3.264 E/F4 10/Times-Italic@0 SF (ne)3.264 E(ver)-.15 E F0 .764(create or destro)3.264 F 3.264(ye)-.1 G .764(ncryption roots; use)-3.264 F/F5 10/Courier@0 SF(zfs-change-key) @@ -377,11 +378,11 @@ F F1(TPM1.X)4.731 E F0(-back-ended)A F2(tzpfms)4.731 E F0 3.897 (zfs-tpm1x-clear-key)2.5 E F0 -.834(\(8\) \) .)B F5(tzpfms.key)102 396 Q F0 .334(is a colon-separated pair of he)2.834 F .333 (xadecimal-string \(i.e. "4F7730" for "Ow0"\) blobs; the \214rst one) --.15 F .676(represents the RSA k)102 408 R .976 -.15(ey p)-.1 H .676 -(rotecting the blob, and it is protected with either the passw).15 F -.676(ord, if pro)-.1 F .677(vided, or the)-.15 F .236(SHA1 constant)102 -420 R F5(CE4CF677875B5EB8993591D5A9AF1ED24A3A8736)2.736 E F0 2.736(;t)C -.236(he second represents the sealed)-2.736 F 11.923 +-.15 F .362(represents the RSA k)102 408 R .662 -.15(ey p)-.1 H .362(ro\ +tecting the blob, and it is protected with either the passphrase, if pr\ +o).15 F .363(vided, or the)-.15 F .236(SHA1 constant)102 420 R F5 +(CE4CF677875B5EB8993591D5A9AF1ED24A3A8736)2.736 E F0 2.736(;t)C .236 +(he second represents the sealed)-2.736 F 11.923 (object containing the wrapping k)102 432 R -.15(ey)-.1 G 14.424(,a)-.5 G 11.924(nd is protected with the SHA1 constant)-14.424 F F5 (B9EE715DBE4B243FAA81EA04306E063710383E35)102 444 Q F0 7.438(.T)C 2.438 @@ -398,86 +399,102 @@ G .117(rror occurred, best ef)-2.617 F .117 (ention into the standard error stream.)-.15 E 3.911<418c>102 516 S 1.411(nal v)-3.911 F 1.411(eri\214cation should be made by running)-.15 F F2 3.077(zfs-tpm1x-load-key \255n)3.911 F F3(dataset)7.411 E F0 6.411 -(.I)C 3.911(ft)-6.411 G 1.412(hat com-)-3.911 F 2.176 -(mand succeeds, all is well, b)102 528 R 2.175 -(ut otherwise the dataset can be manually rolled back to a passw)-.2 F -2.175(ord with)-.1 F F2(zfs-tpm1x-clear-key)102 540 Q F3(dataset)12.878 -E F0 1.666(\(o)11.044 G 7.678 -.4(r, i)-1.666 H 9.378(ft).4 G 6.878 -(hat f)-9.378 F 6.878(ails to w)-.1 F(ork,)-.1 E F2 6.879 -(zfs change-key)9.378 F14.545 E F5(keyformat=passphrase)102 552 Q -F3(dataset)6 E F0 -3.332 1.666(\), a)1.666 H(nd you are hereby ask) --1.666 E(ed to report a b)-.1 E(ug, please.)-.2 E F2 -(zfs-tpm1x-clear-key)102 570 Q F3(dataset)6 E F0 -(can be used to clear the properties and go back to using a passw)2.5 E -(ord.)-.1 E F1(OPTIONS)72 594 Q F2103.666 606 Q F3(backup-file)6 E -F0(Sa)191 618 Q .806 -.15(ve a b)-.2 H .506(ack-up of the k).15 F .805 --.15(ey t)-.1 H(o).15 E F3(backup-file)3.005 E F0 3.005(,w)C .505 -(hich must not e)-3.005 F .505(xist beforehand.)-.15 F(This)5.505 E -(back-up)191 630 Q F4(must)3.181 E F0 .681(be stored securely)3.181 F -3.181(,o)-.65 G -.25(ff)-3.181 G 3.181(-site. In).25 F .682 -(case of a catastrophic e)3.181 F -.15(ve)-.25 G .682(nt, the k).15 F -.982 -.15(ey c)-.1 H(an).15 E(be loaded by running)191 642 Q F2 -(zfs load-key)221 654 Q F3(dataset)6 E F5(<)6 E F3(backup-file)6 E F1 -(ENVIR)72 678 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 E F0(tzpfms 0.1-23) -72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(3)189.295 E 0 -Cg EP +(.I)C 3.911(ft)-6.411 G 1.412(hat com-)-3.911 F 1.843 +(mand succeeds, all is well, b)102 528 R 1.843(ut otherwise the dataset\ + can be manually rolled back to a passphrase with)-.2 F F2 +(zfs-tpm1x-clear-key)102 540 Q F3(dataset)12.878 E F0 1.666(\(o)11.044 G +7.678 -.4(r, i)-1.666 H 9.378(ft).4 G 6.878(hat f)-9.378 F 6.878 +(ails to w)-.1 F(ork,)-.1 E F2 6.879(zfs change-key)9.378 F14.545 +E F5(keyformat=passphrase)102 552 Q F3(dataset)6 E F0 -3.332 1.666 +(\), a)1.666 H(nd you are hereby ask)-1.666 E(ed to report a b)-.1 E +(ug, please.)-.2 E F2(zfs-tpm1x-clear-key)102 570 Q F3(dataset)9.23 E F0 +3.23(can be used to clear the properties and go back to using a)5.73 F +(passphrase.)102 582 Q F1(OPTIONS)72 606 Q F2103.666 618 Q F3 +(backup-file)6 E F0(Sa)191 630 Q .805 -.15(ve a b)-.2 H .505 +(ack-up of the k).15 F .805 -.15(ey t)-.1 H(o).15 E F3(backup-file)3.005 +E F0 3.005(,w)C .506(hich must not e)-3.005 F .506(xist beforehand.)-.15 +F(This)5.506 E(back-up)191 642 Q F4(must)3.182 E F0 .682 +(be stored securely)3.182 F 3.182(,o)-.65 G -.25(ff)-3.182 G 3.182 +(-site. In).25 F .681(case of a catastrophic e)3.181 F -.15(ve)-.25 G +.681(nt, the k).15 F .981 -.15(ey c)-.1 H(an).15 E(be loaded by running) +191 654 Q F2(zfs load-key)221 666 Q F3(dataset)6 E F5(<)6 E F3 +(backup-file)6 E F0(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G +(mber 28, 2021).15 E(3)189.295 E 0 Cg EP %%Page: 4 4 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF -.834(ZFS-TPM1X-CHANGE-KEY \(8\))72 48 R (System Manager')46.109 E 2.5(sM)-.55 G 41.109 -(anual ZFS-TPM1X-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier@0 SF -(TZPFMS_PASSPHRASE_HELPER)102 96 Q F0 .466(By def)143 108 R .466(ault, \ -passphrases are prompted for and read in on the standard output and inp\ -ut streams.)-.1 F(If)5.465 E F1(TZPFMS_PASSPHRASE_HELPER)143 120 Q F0 -.516(is set and nonempty)3.016 F 3.016(,i)-.65 G 3.016(tw)-3.016 G .517 -(ill be run via)-3.016 F F1(/bin/)3.017 E/F2 10/Courier-Bold@0 SF 2.183 -(sh \255c)B F0 .517(to pro-)3.017 F(vide each passphrase, instead.)143 -132 Q .189(The standard output stream of the helper is tied to an anon) -143 150 R .188(ymous \214le and used in its entirety as the)-.15 F -(passphrase, e)143 162 Q(xcept for a trailing ne)-.15 E(w-line, if an) --.25 E 3.8 -.65(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F1($1)155 -174 Q F0(Pre-formatted noun phrase with all the information belo)172 174 -Q 1.3 -.65(w, f)-.25 H(or use as a prompt).65 E F1($2)155 186 Q F0 -(Either the dataset name or the element of the TPM hierarch)172 186 Q -2.5(yb)-.05 G(eing prompted for)-2.5 E F1($3)155 198 Q F0("ne)172 198 Q +(anual ZFS-TPM1X-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier-Bold@0 SF +103.666 96 Q/F2 10/Courier-Oblique@0 SF(PCR)6 E F0([)A F1(,)A F2 +(PCR)A F0 1.666(]...)C .42(Bind the k)191 96 R .72 -.15(ey t)-.1 H 2.92 +(os).15 G .421(pace- or comma-separated)-2.92 F F2(PCR)2.921 E F0 2.921 +(s\212i)C 2.921(ft)-2.921 G(he)-2.921 E 2.921(yc)-.15 G .421 +(hange, the wrapping k)-2.921 F -.15(ey)-.1 G .807 +(will not be able to be unsealed.)191 108 R .807 +(The minimum amount of PCRs for a PC TPM is)5.807 F/F3 10/Times-Bold@0 +SF(24)3.307 E F0 1.666(\(n)192.666 120 S(umbered)-1.666 E F3(0)2.5 E F0 +(..)A F3(23)A F0 -.832 1.666(\). F)1.666 H +(or most, this is also the maximum.)-1.816 E F3(ENVIR)72 144 Q 1.666 +(ONMENT V)-.3 F(ARIABLES)-1.35 E/F4 10/Courier@0 SF +(TZPFMS_PASSPHRASE_HELPER)102 156 Q F0 .465(By def)143 168 R .466(ault,\ + passphrases are prompted for and read in on the standard output and in\ +put streams.)-.1 F(If)5.466 E F4(TZPFMS_PASSPHRASE_HELPER)143 180 Q F0 +.517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G .516 +(ill be run via)-3.017 F F4(/bin/)3.016 E F1 2.182(sh \255c)B F0 .516 +(to pro-)3.016 F(vide each passphrase, instead.)143 192 Q .188 +(The standard output stream of the helper is tied to an anon)143 210 R +.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e) +143 222 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65 +(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F4($1)155 234 Q F0 +(Pre-formatted noun phrase with all the information belo)172 234 Q 1.3 +-.65(w, f)-.25 H(or use as a prompt).65 E F4($2)155 246 Q F0 +(Either the dataset name or the element of the TPM hierarch)172 246 Q +2.5(yb)-.05 G(eing prompted for)-2.5 E F4($3)155 258 Q F0("ne)172 258 Q (w" if this is for a ne)-.25 E 2.5(wp)-.25 G(assphrase, otherwise blank) --2.5 E F1($4)155 210 Q F0("ag)172 210 Q(ain" if it')-.05 E 2.5(st)-.55 G +-2.5 E F4($4)155 270 Q F0("ag)172 270 Q(ain" if it')-.05 E 2.5(st)-.55 G (he second prompt for that passphrase, otherwise blank)-2.5 E .181 -(If the helper doesn')143 228 R 2.681(te)-.18 G 1.847(xist \()-2.831 F -.181(the shell e)1.666 F .181(xits with)-.15 F/F3 10/Times-Bold@0 SF -(127)2.681 E F0 -3.151 1.666(\), a d)1.666 H .181 -(iagnostic is issued and the normal prompt)-1.666 F(is used as f)143 240 -Q 2.5(all-back. If)-.1 F(it f)2.5 E(ails for an)-.1 E 2.5(yo)-.15 G -(ther reason, the prompting is aborted.)-2.5 E F3 1.666 -(TPM1.X back-end con\214guration)72 264 R .625(TPM selection)84 276 R F0 -(The)102 288 Q F2(tzpfms)2.768 E F0 .267(suite connects to a local)2.767 -F F1(tcsd)2.767 E F0 .267(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E -F1(localhost:30003)2.767 E F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef) --2.767 E 2.767(ault. Use)-.1 F .267(the en-)2.767 F(vironment v)102 300 -Q(ariable)-.25 E F1(TZPFMS_TPM1X)2.5 E F0 -(to specify a remote TCS hostname.)2.5 E .391(The T)102 318 R(rouSerS) --.35 E F1(tcsd)2.891 E F0 .391(\(8\) daemon will try)B F1(/dev/tpm0) -2.892 E F0 2.892(,t)C(hen)-2.892 E F1(/udev/tpm0)2.892 E F0 2.892(,t)C -(hen)-2.892 E F1(/dev/tpm)2.892 E F0 2.892(;b)C 2.892(yo)-2.892 G(ccup) --2.892 E(ying)-.1 E(one of the earlier ones with, for e)102 330 Q +(If the helper doesn')143 288 R 2.681(te)-.18 G 1.847(xist \()-2.831 F +.181(the shell e)1.666 F .181(xits with)-.15 F F3(127)2.681 E F0 -3.151 +1.666(\), a d)1.666 H .181(iagnostic is issued and the normal prompt) +-1.666 F(is used as f)143 300 Q 2.5(all-back. If)-.1 F(it f)2.5 E +(ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.) +-2.5 E F3 1.666(TPM1.X back-end con\214guration)72 324 R .625 +(TPM selection)84 336 R F0(The)102 348 Q F1(tzpfms)2.767 E F0 .267 +(suite connects to a local)2.767 F F4(tcsd)2.767 E F0 .267 +(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E F4(localhost:30003)2.767 E +F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)-2.767 E 2.767(ault. Use)-.1 F +.268(the en-)2.767 F(vironment v)102 360 Q(ariable)-.25 E F4 +(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .392 +(The T)102 378 R(rouSerS)-.35 E F4(tcsd)2.892 E F0 .392 +(\(8\) daemon will try)B F4(/dev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E +F4(/udev/tpm0)2.892 E F0 2.891(,t)C(hen)-2.891 E F4(/dev/tpm)2.891 E F0 +2.891(;b)C 2.891(yo)-2.891 G(ccup)-2.891 E(ying)-.1 E +(one of the earlier ones with, for e)102 390 Q (xample, shell redirection, a later one can be selected.)-.15 E F3 .625 -(See also)84 354 R F0(The T)102 366 Q(rouSerS project page at)-.35 E F3 +(See also)84 414 R F0(The T)102 426 Q(rouSerS project page at)-.35 E F3 (https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18 -E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102 -384 R 7.608(xa)-.15 G(t)-7.608 E F3(https://trustedcomputinggr)7.608 E +E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102 +444 R 7.609(xa)-.15 G(t)-7.609 E F3(https://trustedcomputinggr)7.609 E (oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E -(speci\214cation)102 396 Q F0(.)A F3 1.666(SPECIAL THANKS)72 420 R F0 -1.6 -.8(To a)102 432 T(ll who support further de).8 E -.15(ve)-.25 G -(lopment, in particular:).15 E F3<83>122 444 Q F0(ThePhD)2.5 E F3<83>122 -456 Q F0(Embark Studios)2.5 E F3<83>122 468 Q F0(Jasper Bekk)2.5 E(ers) --.1 E F3(REPOR)72 492 Q 1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102 -504 Q(.ht/~nabijaczleweli/tzpfms)-1 E F1 -(~nabijaczleweli/tzpfms@lists.sr.ht)102 522 Q F0 2.5(,a)C(rchi)-2.5 E +(speci\214cation)102 456 Q F0(.)A F3 1.666(SPECIAL THANKS)72 480 R F0 +1.6 -.8(To a)102 492 T(ll who support further de).8 E -.15(ve)-.25 G +(lopment, in particular:).15 E F3<83>122 504 Q F0(ThePhD)2.5 E F3<83>122 +516 Q F0(Embark Studios)2.5 E F3<83>122 528 Q F0(Jasper Bekk)2.5 E(ers) +-.1 E F3(REPOR)72 552 Q 1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102 +564 Q(.ht/~nabijaczleweli/tzpfms)-1 E F4 +(~nabijaczleweli/tzpfms@lists.sr.ht)102 582 Q F0 2.5(,a)C(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F3(https://lists.sr)2.5 E -(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No) -138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(4)189.295 E 0 Cg EP +(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A F3 1.666(SEE ALSO)72 606 R F0 +(PCR allocations:)102 618 Q F3(https://wiki.ar)2.5 E(chlinux.or)-.18 E +(g/title/T)-.1 E(rusted_Platf)-.74 E(orm_Module#Accessing_PCR_r)-.25 E +(egisters)-.18 E F0(and)102 630 Q F3(https://trustedcomputinggr)2.5 E +(oup.or)-.18 E(g/wp-content/uploads/PC-)-.1 E(ClientSpeci\214c_Platf)102 +642 Q(orm_Pr)-.25 E(o\214le_f)-.18 E(or_TPM_2p0_Systems_v51.pdf)-.25 E +F0 2.5(,S)C(ection 2.3.4 "PCR Usage", T)-2.5 E(able 1.)-.8 E +(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E +(4)189.295 E 0 Cg EP %%Page: 5 5 %%BeginPageSetup BP @@ -492,31 +509,31 @@ BP (zfs-tpm1x-clear-key)102 144 Q/F3 10/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 168 Q F0(After v)102 180 Q(erifying)-.15 E F3(dataset) 2.5 E F0 -.1(wa)2.5 G 2.5(se).1 G(ncrypted with)-2.5 E F2(tzpfms)2.5 E -F0(back)2.5 E(end)-.1 E F1(TPM1.X)2.5 E F0(:)A 6.984 +F0(back)2.5 E(end)-.1 E F1(TPM1.X)2.5 E F0(:)A 6.985 (1. performs the equi)122 192 R -.25(va)-.25 G 6.984(lent of).25 F F2 6.984(zfs change-key)9.484 F14.65 E/F4 10/Courier@0 SF -(keylocation=prompt)12.985 E F214.651 E F4(keyformat=passphrase) -127 204 Q F3(dataset)6 E F0(,)A(2. remo)122 216 Q -.15(ve)-.15 G 2.5(st) -.15 G(he)-2.5 E F4(xyz.nabijaczleweli:tzpfms.)2.5 E F0({)A F4(backend)A -F0(,)A F4(key)6 E F0 2.5(}p)C(roperties from)-2.5 E F3(dataset)2.5 E F0 -(.)A(See)102 234 Q F4(zfs-tpm1x-change-key)2.5 E F0 +(keylocation=prompt)12.984 E F214.65 E F4(keyformat=passphrase)127 +204 Q F3(dataset)6 E F0(,)A(2. remo)122 216 Q -.15(ve)-.15 G 2.5(st).15 +G(he)-2.5 E F4(xyz.nabijaczleweli:tzpfms.)2.5 E F0({)A F4(backend)A F0 +(,)A F4(key)6 E F0 2.5(}p)C(roperties from)-2.5 E F3(dataset)2.5 E F0(.) +A(See)102 234 Q F4(zfs-tpm1x-change-key)2.5 E F0 (\(8\) for a detailed description.)A F1 1.666 (TPM1.X back-end con\214guration)72 258 R .625(TPM selection)84 270 R F0 -(The)102 282 Q F2(tzpfms)2.768 E F0 .267(suite connects to a local)2.767 +(The)102 282 Q F2(tzpfms)2.767 E F0 .267(suite connects to a local)2.767 F F4(tcsd)2.767 E F0 .267(\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E F4(localhost:30003)2.767 E F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef) --2.767 E 2.767(ault. Use)-.1 F .267(the en-)2.767 F(vironment v)102 294 +-2.767 E 2.767(ault. Use)-.1 F .268(the en-)2.767 F(vironment v)102 294 Q(ariable)-.25 E F4(TZPFMS_TPM1X)2.5 E F0 -(to specify a remote TCS hostname.)2.5 E .391(The T)102 312 R(rouSerS) --.35 E F4(tcsd)2.891 E F0 .391(\(8\) daemon will try)B F4(/dev/tpm0) -2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/udev/tpm0)2.892 E F0 2.892(,t)C -(hen)-2.892 E F4(/dev/tpm)2.892 E F0 2.892(;b)C 2.892(yo)-2.892 G(ccup) --2.892 E(ying)-.1 E(one of the earlier ones with, for e)102 324 Q +(to specify a remote TCS hostname.)2.5 E .392(The T)102 312 R(rouSerS) +-.35 E F4(tcsd)2.892 E F0 .392(\(8\) daemon will try)B F4(/dev/tpm0) +2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/udev/tpm0)2.892 E F0 2.891(,t)C +(hen)-2.891 E F4(/dev/tpm)2.891 E F0 2.891(;b)C 2.891(yo)-2.891 G(ccup) +-2.891 E(ying)-.1 E(one of the earlier ones with, for e)102 324 Q (xample, shell redirection, a later one can be selected.)-.15 E F1 .625 (See also)84 348 R F0(The T)102 360 Q(rouSerS project page at)-.35 E F1 (https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18 -E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102 -378 R 7.608(xa)-.15 G(t)-7.608 E F1(https://trustedcomputinggr)7.608 E +E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102 +378 R 7.609(xa)-.15 G(t)-7.609 E F1(https://trustedcomputinggr)7.609 E (oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E (speci\214cation)102 390 Q F0(.)A F1 1.666(SPECIAL THANKS)72 414 R F0 1.6 -.8(To a)102 426 T(ll who support further de).8 E -.15(ve)-.25 G @@ -526,8 +543,8 @@ E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102 498 Q(.ht/~nabijaczleweli/tzpfms)-1 E F4 (~nabijaczleweli/tzpfms@lists.sr.ht)102 516 Q F0 2.5(,a)C(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)2.5 E -(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No) -138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(5)189.295 E 0 Cg EP +(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No) +138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(5)189.295 E 0 Cg EP %%Page: 6 6 %%BeginPageSetup BP @@ -539,31 +556,31 @@ BP (oad TPM1.X-encrypted ZFS dataset k)-2.5 E -.15(ey)-.1 G F1(SYNOPSIS)72 132 Q F2(zfs-tpm1x-load-key)102 144 Q F0([)3.333 E F22.499 E F0(]) .833 E/F3 10/Courier-Oblique@0 SF(dataset)2.5 E F1(DESCRIPTION)72 168 Q -F0 1.155(After v)102 180 R(erifying)-.15 E F3(dataset)3.655 E F0 -.1(wa) -3.655 G 3.655(se).1 G 1.155(ncrypted with)-3.655 F F2(tzpfms)3.655 E F0 -(back)3.655 E(end)-.1 E F1(TPM1.X)3.655 E F0 1.156(will unseal the k) -3.655 F 1.456 -.15(ey a)-.1 H 1.156(nd load it).15 F(into)102 192 Q F3 -(dataset)2.5 E F0(.)A .694 +F0 1.156(After v)102 180 R(erifying)-.15 E F3(dataset)3.656 E F0 -.1(wa) +3.656 G 3.656(se).1 G 1.156(ncrypted with)-3.656 F F2(tzpfms)3.655 E F0 +(back)3.655 E(end)-.1 E F1(TPM1.X)3.655 E F0 1.155(will unseal the k) +3.655 F 1.455 -.15(ey a)-.1 H 1.155(nd load it).15 F(into)102 192 Q F3 +(dataset)2.5 E F0(.)A .693 (The user is \214rst prompted for the SRK passphrase, set when taking o) -102 210 R .693(wnership, if not "well-kno)-.25 F .693(wn" \(all ze-)-.25 +102 210 R .694(wnership, if not "well-kno)-.25 F .694(wn" \(all ze-)-.25 F(roes\); then for the additional passphrase, set when creating the k) 102 222 Q -.15(ey)-.1 G 2.5(,i)-.5 G 2.5(fo)-2.5 G(ne w)-2.5 E(as set.) -.1 E(See)102 240 Q/F4 10/Courier@0 SF(zfs-tpm1x-change-key)2.5 E F0 (\(8\) for a detailed description.)A F1(OPTIONS)72 264 Q F2103.666 -276 Q F0 .178(Do a no-op/dry run, can be used e)119 288 R -.15(ve)-.25 G -2.678(ni).15 G 2.679(ft)-2.678 G .179(he k)-2.679 F .479 -.15(ey i)-.1 H -2.679(sa).15 G .179(lready loaded.)-2.679 F(Equi)5.179 E -.25(va)-.25 G -.179(lent to).25 F F2 .179(zfs load-key)2.679 F F0 -.55('s)C F2 -4.895 E F0(option.)119 300 Q F1(ENVIR)72 324 Q 1.666(ONMENT V)-.3 F -(ARIABLES)-1.35 E F4(TZPFMS_PASSPHRASE_HELPER)102 336 Q F0 .466(By def) +276 Q F0 .179(Do a no-op/dry run, can be used e)119 288 R -.15(ve)-.25 G +2.679(ni).15 G 2.679(ft)-2.679 G .179(he k)-2.679 F .478 -.15(ey i)-.1 H +2.678(sa).15 G .178(lready loaded.)-2.678 F(Equi)5.178 E -.25(va)-.25 G +.178(lent to).25 F F2 .178(zfs load-key)2.678 F F0 -.55('s)C F2 +4.894 E F0(option.)119 300 Q F1(ENVIR)72 324 Q 1.666(ONMENT V)-.3 F +(ARIABLES)-1.35 E F4(TZPFMS_PASSPHRASE_HELPER)102 336 Q F0 .465(By def) 143 348 R .466(ault, passphrases are prompted for and read in on the st\ -andard output and input streams.)-.1 F(If)5.465 E F4 -(TZPFMS_PASSPHRASE_HELPER)143 360 Q F0 .516(is set and nonempty)3.016 F -3.016(,i)-.65 G 3.016(tw)-3.016 G .517(ill be run via)-3.016 F F4(/bin/) -3.017 E F2 2.183(sh \255c)B F0 .517(to pro-)3.017 F -(vide each passphrase, instead.)143 372 Q .189 +andard output and input streams.)-.1 F(If)5.466 E F4 +(TZPFMS_PASSPHRASE_HELPER)143 360 Q F0 .517(is set and nonempty)3.017 F +3.017(,i)-.65 G 3.017(tw)-3.017 G .516(ill be run via)-3.017 F F4(/bin/) +3.016 E F2 2.182(sh \255c)B F0 .516(to pro-)3.016 F +(vide each passphrase, instead.)143 372 Q .188 (The standard output stream of the helper is tied to an anon)143 390 R -.188(ymous \214le and used in its entirety as the)-.15 F(passphrase, e) +.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e) 143 402 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65 (y. T)-.15 H(he ar).65 E(guments are:)-.18 E F4($1)155 414 Q F0 (Pre-formatted noun phrase with all the information belo)172 414 Q 1.3 @@ -579,27 +596,27 @@ andard output and input streams.)-.1 F(If)5.465 E F4 -1.666 F(is used as f)143 480 Q 2.5(all-back. If)-.1 F(it f)2.5 E (ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.) -2.5 E F1 1.666(TPM1.X back-end con\214guration)72 504 R .625 -(TPM selection)84 516 R F0(The)102 528 Q F2(tzpfms)2.768 E F0 .267 +(TPM selection)84 516 R F0(The)102 528 Q F2(tzpfms)2.767 E F0 .267 (suite connects to a local)2.767 F F4(tcsd)2.767 E F0 .267 (\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E F4(localhost:30003)2.767 E F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)-2.767 E 2.767(ault. Use)-.1 F -.267(the en-)2.767 F(vironment v)102 540 Q(ariable)-.25 E F4 -(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .391 -(The T)102 558 R(rouSerS)-.35 E F4(tcsd)2.891 E F0 .391 +.268(the en-)2.767 F(vironment v)102 540 Q(ariable)-.25 E F4 +(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .392 +(The T)102 558 R(rouSerS)-.35 E F4(tcsd)2.892 E F0 .392 (\(8\) daemon will try)B F4(/dev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E -F4(/udev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/dev/tpm)2.892 E F0 -2.892(;b)C 2.892(yo)-2.892 G(ccup)-2.892 E(ying)-.1 E +F4(/udev/tpm0)2.892 E F0 2.891(,t)C(hen)-2.891 E F4(/dev/tpm)2.891 E F0 +2.891(;b)C 2.891(yo)-2.891 G(ccup)-2.891 E(ying)-.1 E (one of the earlier ones with, for e)102 570 Q (xample, shell redirection, a later one can be selected.)-.15 E F1 .625 (See also)84 594 R F0(The T)102 606 Q(rouSerS project page at)-.35 E F1 (https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18 -E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102 -624 R 7.608(xa)-.15 G(t)-7.608 E F1(https://trustedcomputinggr)7.608 E +E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102 +624 R 7.609(xa)-.15 G(t)-7.609 E F1(https://trustedcomputinggr)7.609 E (oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E (speci\214cation)102 636 Q F0(.)A F1 1.666(SPECIAL THANKS)72 660 R F0 1.6 -.8(To a)102 672 T(ll who support further de).8 E -.15(ve)-.25 G -(lopment, in particular:).15 E(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15 -(ve)-.15 G(mber 25, 2021).15 E(6)189.295 E 0 Cg EP +(lopment, in particular:).15 E(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15 +(ve)-.15 G(mber 28, 2021).15 E(6)189.295 E 0 Cg EP %%Page: 7 7 %%BeginPageSetup BP @@ -612,8 +629,8 @@ BP -.1 E(https://todo.sr)102 156 Q(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10 /Courier@0 SF(~nabijaczleweli/tzpfms@lists.sr.ht)102 174 Q F0 2.5(,a)C (rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr) -2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No) -138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(7)189.295 E 0 Cg EP +2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No) +138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(7)189.295 E 0 Cg EP %%Page: 8 8 %%BeginPageSetup BP @@ -625,154 +642,207 @@ BP 108 Q F0 2.5<8a63>2.5 G(hange ZFS dataset k)-2.5 E .3 -.15(ey t)-.1 H 2.5(oo).15 G(ne stored on the TPM)-2.5 E F1(SYNOPSIS)72 132 Q F2 (zfs-tpm2-change-key)102 144 Q F0([)3.333 E F22.499 E/F3 10 -/Courier-Oblique@0 SF(backup-file)6 E F0(]).833 E F3(dataset)2.5 E F1 -(DESCRIPTION)72 168 Q F0 6.93 -.8(To n)102 180 T(ormalise).8 E F3 -(dataset)7.831 E F0(,)A F2(zfs-tpm2-change-key)7.831 E F0 5.331 +/Courier-Oblique@0 SF(backup-file)6 E F0 2.5(][).833 G F2-.834 E +F3(algorithm)222 156 Q F2(:)A F3(PCR)A F0([)A F2(,)A F3(PCR)A F0 1.666 +(]...)C([)-1.666 E F2(+)A F3(algorithm)A F2(:)A F3(PCR)A F0([)A F2(,)A +F3(PCR)A F0 1.666(]...)C -2.499 1.666(]... [)-1.666 H F2.833 E F0 +(]]).833 E F3(dataset)222 168 Q F1(DESCRIPTION)72 192 Q F0 6.931 -.8 +(To n)102 204 T(ormalise).8 E F3(dataset)7.831 E F0(,)A F2 +(zfs-tpm2-change-key)7.831 E F0 5.331 (will open its encryption root in its stead.)7.831 F F2 -(zfs-tpm2-change-key)102 192 Q F0(will)3.864 E/F4 10/Times-Italic@0 SF +(zfs-tpm2-change-key)102 216 Q F0(will)3.864 E/F4 10/Times-Italic@0 SF (ne)3.864 E(ver)-.15 E F0 1.364(create or destro)3.864 F 3.864(ye)-.1 G 1.364(ncryption roots; use)-3.864 F/F5 10/Courier@0 SF(zfs-change-key) -3.864 E F0 1.364(\(8\) for)B(that.)102 204 Q -(First, a connection is made to the TPM, which)102 222 Q F4(must)2.5 E -F0(be TPM-2.0-compatible.)2.5 E(If)102 240 Q F3(dataset)3.42 E F0 -.1 +3.864 E F0 1.364(\(8\) for)B(that.)102 228 Q +(First, a connection is made to the TPM, which)102 246 Q F4(must)2.5 E +F0(be TPM-2.0-compatible.)2.5 E(If)102 264 Q F3(dataset)3.42 E F0 -.1 (wa)3.42 G 3.42(sp).1 G(re)-3.42 E .92(viously encrypted with)-.25 F F2 (tzpfms)3.42 E F0 .92(and the)3.42 F F1(TPM2)3.42 E F0 .92(back-end w) 3.42 F .92(as used, the pre)-.1 F .92(vious k)-.25 F -.15(ey)-.1 G .382 -(will be freed from the TPM.)102 252 R .382 +(will be freed from the TPM.)102 276 R .382 (Otherwise, or in case of an error)5.382 F 2.882(,d)-.4 G .382 -(ata required for manual interv)-2.882 F .382(ention will be)-.15 F -(printed to the standard error stream.)102 264 Q(Ne)102 282 Q .197 +(ata required for manual interv)-2.882 F .383(ention will be)-.15 F +(printed to the standard error stream.)102 288 Q(Ne)102 306 Q .197 (xt, a ne)-.15 F 2.697(ww)-.25 G .197(rapping k)-2.697 F .497 -.15(ey i) -.1 H 2.697(sg).15 G .197(enerated on the TPM, optionally back)-2.697 F .197(ed up)-.1 F 1.666(\(s)4.363 G(ee)-1.666 E F1(OPTIONS)2.697 E F0 -3.135 1.666(\), a)1.666 H .197(nd sealed to a)-1.666 F .504 -(persistent object on the TPM under the o)102 294 R .504(wner hierarch) --.25 F .504(y; if there is a passphrase set on the o)-.05 F .503 -(wner hierarch)-.25 F -.65(y,)-.05 G .04 -(the user is prompted for it; the user is al)102 306 R -.1(wa)-.1 G .041 +(persistent object on the TPM under the o)102 318 R .504(wner hierarch) +-.25 F .504(y; if there is a passphrase set on the o)-.05 F .504 +(wner hierarch)-.25 F -.65(y,)-.05 G .041 +(the user is prompted for it; the user is al)102 330 R -.1(wa)-.1 G .04 (ys prompted for an optional passphrase to protect the sealed object).1 -F(with.)102 318 Q(The follo)102 336 Q(wing properties are set on)-.25 E -F3(dataset)2.5 E F0(:)A F1<83>122 348 Q F5 -(xyz.nabijaczleweli:tzpfms.backend)7.5 E F0(=)A F1(TPM2)A<83>122 360 Q -F5(xyz.nabijaczleweli:tzpfms.key)7.5 E F0(=)A F3 -(ID of persistent object)A F5(tzpfms.backend)102 378 Q F0 3.203 +F(with.)102 342 Q(The follo)102 360 Q(wing properties are set on)-.25 E +F3(dataset)2.5 E F0(:)A F1<83>122 372 Q F5 +(xyz.nabijaczleweli:tzpfms.backend)7.5 E F0(=)A F1(TPM2)A<83>122 384 Q +F5(xyz.nabijaczleweli:tzpfms.key)7.5 E F0(=)A F3(persistent-object-ID)A +F0([).833 E F2(;).833 E F3(algorithm)133 396 Q F2(:)A F3(PCR)A F0([)A F2 +(,)A F3(PCR)A F0 1.666(]...)C([)-1.666 E F2(+)A F3(algorithm)A F2(:)A F3 +(PCR)A F0([)A F2(,)A F3(PCR)A F0 1.666(]...)C 1.666(]...)-1.666 G(]) +-.833 E F5(tzpfms.backend)102 414 Q F0 3.203 (identi\214es this dataset for w)5.703 F 3.203(ork with)-.1 F F1(TPM2) 5.703 E F0(-back-ended)A F2(tzpfms)5.703 E F0 4.868(tools \()5.702 F -(namely)1.666 E F5(zfs-tpm2-change-key)102 390 Q F0(\(8\),)A F5 +(namely)1.666 E F5(zfs-tpm2-change-key)102 426 Q F0(\(8\),)A F5 (zfs-tpm2-load-key)2.5 E F0(\(8\), and)A F5(zfs-tpm2-clear-key)2.5 E F0 --.834(\(8\) \) .)B F5(tzpfms.key)102 408 Q F0 1.11(is an inte)3.61 F -1.111 -(ger representing the sealed object; if needed, it can be passed to)-.15 -F F2(tpm2_unseal)3.611 E103.666 420 Q F5(${tzpfms.key})6.032 E F0 -([)6.865 E F22.499 E F5(${password})6.032 E F0 2.532(]o).833 G -2.532(re)-2.532 G(qui)-2.532 E -.25(va)-.25 G .032(lent for back-up).25 -F 1.666(\(s)4.198 G(ee)-1.666 E F1(OPTIONS)2.532 E F0 -.8 1.666(\). I) -1.666 H 2.532(fy)-1.666 G .032(ou ha)-2.532 F .331 -.15(ve a)-.2 H .434 -(sealed k)102 432 R .734 -.15(ey y)-.1 H .434 -(ou can access with that or equi).15 F -.25(va)-.25 G .435 -(lent tool and set both of these properties, it will funxion seam-).25 F -(lessly)102 444 Q(.)-.65 E(Finally)102 462 Q 4.141(,t)-.65 G 1.641 +-.834(\(8\) \) .)B F5(tzpfms.key)102 444 Q F0 .414(is an inte)2.914 F +.414(ger representing the sealed object, optionally follo)-.15 F .414 +(wed by a semicolon and PCR list)-.25 F 1.298(as speci\214ed with)102 +456 R F25.464 E F0 3.798(,n)C 1.298(ormalised to be)-3.798 F F2 +(tpm-tools)3.797 E F0 1.297 +(-toolchain-compatible; if needed, it can be passed to)B F2 11.056 +(tpm2_unseal \255c)102 468 R F5(${tzpfms.key)15.39 E F2(%%)A F5(;)A/F6 +10/Symbol SF(*)A F5(})A F0(with)11.89 E F213.556 E F0(")15.39 E F5 +(str:${passphrase})A F0 11.891("o)C(r)-11.891 E F213.557 E F0(") +102 480 Q F5(pcr:${tzpfms.key)A F2(#)A F6(*)A F5(;})A F0 1.177 +(", as the case may be, or equi)B -.25(va)-.25 G 1.177 +(lent, for back-up).25 F 1.666(\(s)5.342 G(ee)-1.666 E F1(OPTIONS)3.676 +E F0 .344 1.666(\). I)1.666 H 3.676(fy)-1.666 G(ou)-3.676 E(ha)102 492 Q +.633 -.15(ve a s)-.2 H .333(ealed k).15 F .633 -.15(ey y)-.1 H .333 +(ou can access with that or equi).15 F -.25(va)-.25 G .334 +(lent tool and set both of these properties, it will funxion).25 F +(seamlessly)102 504 Q(.)-.65 E(Finally)102 522 Q 4.141(,t)-.65 G 1.641 (he equi)-4.141 F -.25(va)-.25 G 1.641(lent of).25 F F2 1.641 (zfs change-key)4.141 F9.307 E F5(keylocation=prompt)7.641 E F2 -9.307 E F5(keyformat=raw)7.64 E F3(dataset)102 474 Q F0 .336 +9.307 E F5(keyformat=raw)7.64 E F3(dataset)102 534 Q F0 .336 (is performed with the ne)2.836 F 2.836(wk)-.25 G -.15(ey)-2.936 G 5.336 (.I)-.5 G 2.836(fa)-5.336 G 2.836(ne)-2.836 G .336 (rror occurred, best ef)-2.836 F .337 (fort is made to clean up the persistent)-.25 F -(object and properties, or to issue a note for manual interv)102 486 Q -(ention into the standard error stream.)-.15 E 2.92<418c>102 504 S .42 +(object and properties, or to issue a note for manual interv)102 546 Q +(ention into the standard error stream.)-.15 E 2.92<418c>102 564 S .42 (nal v)-2.92 F .42(eri\214cation should be made by running)-.15 F F2 2.085(zfs-tpm2-load-key \255n)2.919 F F3(dataset)6.419 E F0 5.419(.I)C -2.919(ft)-5.419 G .419(hat command)-2.919 F 3.856 -(succeeds, all is well, b)102 516 R 3.856 -(ut otherwise the dataset can be manually rolled back to a passw)-.2 F -3.857(ord with)-.1 F F2(zfs-tpm2-clear-key)102 528 Q F3(dataset)13.479 E -F0 1.666(\(o)11.645 G 8.278 -.4(r, i)-1.666 H 9.978(ft).4 G 7.478(hat f) --9.978 F 7.478(ails to w)-.1 F(ork,)-.1 E F2 7.478(zfs change-key)9.978 -F15.144 E F5(keyformat=passphrase)102 540 Q F3(dataset)6 E F0 --3.332 1.666(\), a)1.666 H(nd you are hereby ask)-1.666 E -(ed to report a b)-.1 E(ug, please.)-.2 E F2(zfs-tpm2-clear-key)102 558 -Q F3(dataset)6.423 E F0 .423 +2.919(ft)-5.419 G .419(hat command)-2.919 F 3.503 +(succeeds, all is well, b)102 576 R 3.503(ut otherwise the dataset can \ +be manually rolled back to a passphrase with)-.2 F F2 +(zfs-tpm2-clear-key)102 588 Q F3(dataset)13.479 E F0 1.666(\(o)11.645 G +8.278 -.4(r, i)-1.666 H 9.978(ft).4 G 7.478(hat f)-9.978 F 7.478 +(ails to w)-.1 F(ork,)-.1 E F2 7.478(zfs change-key)9.978 F15.144 +E F5(keyformat=passphrase)102 600 Q F3(dataset)6 E F0 -3.332 1.666 +(\), a)1.666 H(nd you are hereby ask)-1.666 E(ed to report a b)-.1 E +(ug, please.)-.2 E F2(zfs-tpm2-clear-key)102 618 Q F3(dataset)6.423 E F0 +.423 (can be used to free the TPM persistent object and go back to using a) -2.923 F(passw)102 570 Q(ord.)-.1 E F1(OPTIONS)72 594 Q F2103.666 -606 Q F3(backup-file)6 E F0(Sa)191 618 Q .806 -.15(ve a b)-.2 H .506 +2.923 F(passphrase.)102 630 Q F1(OPTIONS)72 654 Q F2103.666 666 Q +F3(backup-file)6 E F0(Sa)191 678 Q .806 -.15(ve a b)-.2 H .506 (ack-up of the k).15 F .805 -.15(ey t)-.1 H(o).15 E F3(backup-file)3.005 E F0 3.005(,w)C .505(hich must not e)-3.005 F .505(xist beforehand.)-.15 -F(This)5.505 E(back-up)191 630 Q F4(must)3.181 E F0 .681 +F(This)5.505 E(back-up)191 690 Q F4(must)3.181 E F0 .681 (be stored securely)3.181 F 3.181(,o)-.65 G -.25(ff)-3.181 G 3.181 (-site. In).25 F .682(case of a catastrophic e)3.181 F -.15(ve)-.25 G .682(nt, the k).15 F .982 -.15(ey c)-.1 H(an).15 E(be loaded by running) -191 642 Q F2(zfs load-key)221 654 Q F3(dataset)6 E F5(<)6 E F3 -(backup-file)6 E F1(ENVIR)72 678 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 E -F0(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15 -E(8)189.295 E 0 Cg EP +191 702 Q(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G +(mber 28, 2021).15 E(8)189.295 E 0 Cg EP %%Page: 9 9 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CHANGE-KEY \(8\))72 48 R (System Manager')53.329 E 2.5(sM)-.55 G 48.329 -(anual ZFS-TPM2-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier@0 SF -(TZPFMS_PASSPHRASE_HELPER)102 96 Q F0 .466(By def)143 108 R .466(ault, \ -passphrases are prompted for and read in on the standard output and inp\ -ut streams.)-.1 F(If)5.465 E F1(TZPFMS_PASSPHRASE_HELPER)143 120 Q F0 -.516(is set and nonempty)3.016 F 3.016(,i)-.65 G 3.016(tw)-3.016 G .517 -(ill be run via)-3.016 F F1(/bin/)3.017 E/F2 10/Courier-Bold@0 SF 2.183 -(sh \255c)B F0 .517(to pro-)3.017 F(vide each passphrase, instead.)143 -132 Q .189(The standard output stream of the helper is tied to an anon) -143 150 R .188(ymous \214le and used in its entirety as the)-.15 F -(passphrase, e)143 162 Q(xcept for a trailing ne)-.15 E(w-line, if an) --.25 E 3.8 -.65(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F1($1)155 -174 Q F0(Pre-formatted noun phrase with all the information belo)172 174 -Q 1.3 -.65(w, f)-.25 H(or use as a prompt).65 E F1($2)155 186 Q F0 -(Either the dataset name or the element of the TPM hierarch)172 186 Q -2.5(yb)-.05 G(eing prompted for)-2.5 E F1($3)155 198 Q F0("ne)172 198 Q +(anual ZFS-TPM2-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Courier-Bold@0 SF +(zfs load-key)221 96 Q/F2 10/Courier-Oblique@0 SF(dataset)6 E/F3 10 +/Courier@0 SF(<)6 E F2(backup-file)6 E F1103.666 114 Q F2 +(algorithm)6 E F1(:)A F2(PCR)A F0([)A F1(,)A F2(PCR)A F0 1.666(]...)C([) +-1.666 E F1(+)A F2(algorithm)A F1(:)A F2(PCR)A F0([)A F1(,)A F2(PCR)A F0 +1.666(]...)C 1.666(]...)-1.666 G .851(Bind the k)191 126 R 1.151 -.15 +(ey t)-.1 H 3.351(os).15 G .851(pace- or comma-separated)-3.351 F F2 +(PCR)3.351 E F0 3.351(sw)C .851(ithin their corresponding hashing)-3.351 +F F2(algorithm)191 138 Q F0 4.119<8a69>4.119 G 4.119(ft)-4.119 G(he) +-4.119 E 4.119(yc)-.15 G 1.619(hange, the wrapping k)-4.119 F 1.919 -.15 +(ey w)-.1 H 1.62(ill not be able to be unsealed.).15 F(There are)191 150 +Q/F4 10/Times-Bold@0 SF(24)2.5 E F0(PCRs, numbered)2.5 E F4(0)2.5 E F0 +(..)A F4(23)A F0(.)A F2(algorithm)191 168 Q F0 1.096(may be an)3.596 F +3.596(yo)-.15 G 3.596(fc)-3.596 G(ase-insensiti)-3.596 E 1.395 -.15 +(ve ")-.25 H F4(sha1).15 E F0 1.095(", ")B F4(sha256)A F0 1.095(", ")B +F4(sha384)A F0 1.095(", ")B F4(sha512)A F0(",)A(")191 180 Q F4(sm3_256)A +F0 9.062(", ")B F4(sm3-256)A F0 9.062(", ")B F4(sha3_256)A F0 9.062 +(", ")B F4(sha3-256)A F0 9.062(", ")B F4(sha3_384)A F0 9.062(", ")B F4 +(sha3-384)A F0(",)A(")191 192 Q F4(sha3_512)A F0(", or ")A F4(sha3-512)A +F0(", and must be supported by the TPM.)A F1103.666 210 Q F0 -.4 +(Wi)191 210 S(th).4 E F16.798 E F0 5.132(,a)C 2.632 +(lso prompt for a passphrase.)-5.132 F 2.632(This is skipped by def) +7.632 F 2.631(ault because the)-.1 F .833(passphrase is)191 222 R/F5 10 +/Times-Italic@0 SF(OR)3.333 E F0 .833(ed with the PCR polic)B 3.334 +(y\212t)-.15 G .834(he wrapping k)-3.334 F 1.134 -.15(ey c)-.1 H .834 +(an be unsealed).15 F F5(either)3.334 E F0 .703 +(passphraseless with the right PCRs)191 234 R F5(or)3.203 E F0 .703 +(with the passphrase, and this is usually not the)3.203 F(intent.)191 +246 Q F4(ENVIR)72 270 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 E F3 +(TZPFMS_PASSPHRASE_HELPER)102 282 Q F0 .465(By def)143 294 R .466(ault,\ + passphrases are prompted for and read in on the standard output and in\ +put streams.)-.1 F(If)5.466 E F3(TZPFMS_PASSPHRASE_HELPER)143 306 Q F0 +.517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G .516 +(ill be run via)-3.017 F F3(/bin/)3.016 E F1 2.182(sh \255c)B F0 .516 +(to pro-)3.016 F(vide each passphrase, instead.)143 318 Q .188 +(The standard output stream of the helper is tied to an anon)143 336 R +.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e) +143 348 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65 +(y. T)-.15 H(he ar).65 E(guments are:)-.18 E F3($1)155 360 Q F0 +(Pre-formatted noun phrase with all the information belo)172 360 Q 1.3 +-.65(w, f)-.25 H(or use as a prompt).65 E F3($2)155 372 Q F0 +(Either the dataset name or the element of the TPM hierarch)172 372 Q +2.5(yb)-.05 G(eing prompted for)-2.5 E F3($3)155 384 Q F0("ne)172 384 Q (w" if this is for a ne)-.25 E 2.5(wp)-.25 G(assphrase, otherwise blank) --2.5 E F1($4)155 210 Q F0("ag)172 210 Q(ain" if it')-.05 E 2.5(st)-.55 G +-2.5 E F3($4)155 396 Q F0("ag)172 396 Q(ain" if it')-.05 E 2.5(st)-.55 G (he second prompt for that passphrase, otherwise blank)-2.5 E .181 -(If the helper doesn')143 228 R 2.681(te)-.18 G 1.847(xist \()-2.831 F -.181(the shell e)1.666 F .181(xits with)-.15 F/F3 10/Times-Bold@0 SF -(127)2.681 E F0 -3.151 1.666(\), a d)1.666 H .181 -(iagnostic is issued and the normal prompt)-1.666 F(is used as f)143 240 -Q 2.5(all-back. If)-.1 F(it f)2.5 E(ails for an)-.1 E 2.5(yo)-.15 G -(ther reason, the prompting is aborted.)-2.5 E F3 1.666 -(TPM2 back-end con\214guration)72 264 R(En)84 276 Q(vir)-.4 E .625 -(onment v)-.18 F(ariables)-.1 E F1(TSS2_LOG)102 288 Q F0(An)155 288 Q -2.5(yo)-.15 G(f:)-2.5 E F3(NONE)2.5 E F0(,)A F3(ERR)2.5 E(OR)-.3 E F0(,) -A F3 -1.2(WA)2.5 G(RNING)1.2 E F0(,)A F3(INFO)2.5 E F0(,)A F3(DEB)2.5 E -(UG)-.1 E F0(,)A F3(TRA)2.5 E(CE)-.55 E F0 5(.D)C(ef)-5 E(ault:)-.1 E F3 --1.2(WA)2.5 G(RNING)1.2 E F0(.)A F3 .625(TPM selection)84 312 R F0 .517 -(The library)102 324 R F2(libtss2-tcti-default.so)3.017 E F0 .517 -(can be link)3.017 F .516(ed to an)-.1 F 3.016(yo)-.15 G 3.016(ft)-3.016 -G(he)-3.016 E F1(libtss2-tcti-)3.016 E/F4 10/Symbol SF(*)A F1(.so)A F0 -(libraries)3.016 E .575(to select the def)102 336 R .576 -(ault, otherwise)-.1 F F1(/dev/tpmrm0)3.076 E F0 3.076(,t)C(hen)-3.076 E -F1(/dev/tpm0)3.076 E F0 3.076(,t)C(hen)-3.076 E F1(localhost:2321)3.076 -E F0 .576(will be tried,)3.076 F(in order)102 348 Q 1.666(\(s)4.166 G -(ee)-1.666 E F1(ESYS_CONTEXT)2.5 E F0 -.834(\(3\) \) .)B F3 .625 -(See also)84 372 R F0 3.488(The tpm2-tss git repository at)102 384 R F3 +(If the helper doesn')143 414 R 2.681(te)-.18 G 1.847(xist \()-2.831 F +.181(the shell e)1.666 F .181(xits with)-.15 F F4(127)2.681 E F0 -3.151 +1.666(\), a d)1.666 H .181(iagnostic is issued and the normal prompt) +-1.666 F(is used as f)143 426 Q 2.5(all-back. If)-.1 F(it f)2.5 E +(ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.) +-2.5 E F4 1.666(TPM2 back-end con\214guration)72 450 R(En)84 462 Q(vir) +-.4 E .625(onment v)-.18 F(ariables)-.1 E F3(TSS2_LOG)102 474 Q F0(An) +155 474 Q 2.5(yo)-.15 G(f:)-2.5 E F4(NONE)2.5 E F0(,)A F4(ERR)2.5 E(OR) +-.3 E F0(,)A F4 -1.2(WA)2.5 G(RNING)1.2 E F0(,)A F4(INFO)2.5 E F0(,)A F4 +(DEB)2.5 E(UG)-.1 E F0(,)A F4(TRA)2.5 E(CE)-.55 E F0 5(.D)C(ef)-5 E +(ault:)-.1 E F4 -1.2(WA)2.5 G(RNING)1.2 E F0(.)A F4 .625(TPM selection) +84 498 R F0 .516(The library)102 510 R F1(libtss2-tcti-default.so)3.016 +E F0 .516(can be link)3.016 F .516(ed to an)-.1 F 3.017(yo)-.15 G 3.017 +(ft)-3.017 G(he)-3.017 E F3(libtss2-tcti-)3.017 E/F6 10/Symbol SF(*)A F3 +(.so)A F0(libraries)3.017 E .576(to select the def)102 522 R .576 +(ault, otherwise)-.1 F F3(/dev/tpmrm0)3.076 E F0 3.076(,t)C(hen)-3.076 E +F3(/dev/tpm0)3.076 E F0 3.076(,t)C(hen)-3.076 E F3(localhost:2321)3.076 +E F0 .575(will be tried,)3.076 F(in order)102 534 Q 1.666(\(s)4.166 G +(ee)-1.666 E F3(ESYS_CONTEXT)2.5 E F0 -.834(\(3\) \) .)B F4 .625 +(See also)84 558 R F0 3.487(The tpm2-tss git repository at)102 570 R F4 (https://github)5.988 E(.com/tpm2-softwar)-.4 E(e/tpm2-tss)-.18 E F0 -3.487(and the documentation at)5.988 F F3(https://tpm2-tss.r)102 396 Q -(eadthedocs.io)-.18 E F0(.)A 3.092 -(The TPM 2.0 speci\214cations, mainly at)102 414 R F3 -(https://trustedcomputinggr)5.592 E(oup.or)-.18 E -(g/wp-content/uploads/TPM-)-.1 E(Re)102 426 Q(v-2.0-P)-.15 E(art-1-Ar) --.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0(and related pages.)2.5 E F3 -1.666(SPECIAL THANKS)72 450 R F0 1.6 -.8(To a)102 462 T +3.488(and the documentation at)5.988 F F4(https://tpm2-tss.r)102 582 Q +(eadthedocs.io)-.18 E F0(.)A 6.305 +(The TPM 2.0 speci\214cations, mainly at)102 600 R F4 +(https://trustedcomputinggr)8.805 E(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E +(ce/tpm-library-)-.18 E(speci\214cation/)102 612 Q F0(,)A F4 +(https://trustedcomputinggr)116.04 E(oup.or)-.18 E +(g/wp-content/uploads/TPM-)-.1 E(Re)102 624 Q(v-2.0-P)-.15 E(art-1-Ar) +-.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0 2.5(,a)C(nd related pages.) +-2.5 E F4 1.666(SPECIAL THANKS)72 648 R F0 1.6 -.8(To a)102 660 T (ll who support further de).8 E -.15(ve)-.25 G(lopment, in particular:) -.15 E F3<83>122 474 Q F0(ThePhD)2.5 E F3<83>122 486 Q F0(Embark Studios) -2.5 E F3<83>122 498 Q F0(Jasper Bekk)2.5 E(ers)-.1 E F3(REPOR)72 522 Q -1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102 534 Q -(.ht/~nabijaczleweli/tzpfms)-1 E F1(~nabijaczleweli/tzpfms@lists.sr.ht) -102 552 Q F0 2.5(,a)C(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E -F3(https://lists.sr)2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A F3 -1.666(SEE ALSO)72 576 R F1(tpm2_unseal)102 588 Q F0(\(1\))A -(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E -(9)189.295 E 0 Cg EP +.15 E F4<83>122 672 Q F0(ThePhD)2.5 E(tzpfms 0.1-27)72 750 Q(No)138.745 +E -.15(ve)-.15 G(mber 28, 2021).15 E(9)189.295 E 0 Cg EP %%Page: 10 10 %%BeginPageSetup BP %%EndPageSetup +/F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CHANGE-KEY \(8\))72 48 R +(System Manager')53.329 E 2.5(sM)-.55 G 48.329 +(anual ZFS-TPM2-CHANGE-KEY)-2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF +<83>122 96 Q F0(Embark Studios)2.5 E F1<83>122 108 Q F0(Jasper Bekk)2.5 +E(ers)-.1 E F1(REPOR)72 132 Q 1.666(TING B)-.4 F(UGS)-.1 E +(https://todo.sr)102 144 Q(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10 +/Courier@0 SF(~nabijaczleweli/tzpfms@lists.sr.ht)102 162 Q F0 2.5(,a)C +(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr) +2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A F1 1.666(SEE ALSO)72 186 R +F2(tpm2_unseal)102 198 Q F0(\(1\))A(PCR allocations:)102 216 Q F1 +(https://wiki.ar)2.5 E(chlinux.or)-.18 E(g/title/T)-.1 E(rusted_Platf) +-.74 E(orm_Module#Accessing_PCR_r)-.25 E(egisters)-.18 E F0(and)102 228 +Q F1(https://trustedcomputinggr)2.5 E(oup.or)-.18 E +(g/wp-content/uploads/PC-)-.1 E(ClientSpeci\214c_Platf)102 240 Q(orm_Pr) +-.25 E(o\214le_f)-.18 E(or_TPM_2p0_Systems_v51.pdf)-.25 E F0 2.5(,S)C +(ection 2.3.4 "PCR Usage", T)-2.5 E(able 1.)-.8 E(tzpfms 0.1-27)72 750 Q +(No)138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(10)184.295 E 0 Cg EP +%%Page: 11 11 +%%BeginPageSetup +BP +%%EndPageSetup /F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CLEAR-KEY \(8\))72 48 R (System Manager')62.209 E 2.5(sM)-.55 G 57.209(anual ZFS-TPM2-CLEAR-KEY) -2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF -.2(NA)72 96 S(ME).2 E/F2 10 @@ -832,30 +902,32 @@ E F0 .575(will be tried,)3.076 F(in order)102 534 Q 1.666(\(s)4.166 G (See also)84 558 R F0 3.487(The tpm2-tss git repository at)102 570 R F1 (https://github)5.988 E(.com/tpm2-softwar)-.4 E(e/tpm2-tss)-.18 E F0 3.488(and the documentation at)5.988 F F1(https://tpm2-tss.r)102 582 Q -(eadthedocs.io)-.18 E F0(.)A 3.092 +(eadthedocs.io)-.18 E F0(.)A 6.305 (The TPM 2.0 speci\214cations, mainly at)102 600 R F1 -(https://trustedcomputinggr)5.591 E(oup.or)-.18 E -(g/wp-content/uploads/TPM-)-.1 E(Re)102 612 Q(v-2.0-P)-.15 E(art-1-Ar) --.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0(and related pages.)2.5 E F1 -1.666(SPECIAL THANKS)72 636 R F0 1.6 -.8(To a)102 648 T +(https://trustedcomputinggr)8.805 E(oup.or)-.18 E(g/r)-.1 E(esour)-.18 E +(ce/tpm-library-)-.18 E(speci\214cation/)102 612 Q F0(,)A F1 +(https://trustedcomputinggr)116.04 E(oup.or)-.18 E +(g/wp-content/uploads/TPM-)-.1 E(Re)102 624 Q(v-2.0-P)-.15 E(art-1-Ar) +-.1 E(chitectur)-.18 E(e-01.38.pdf)-.18 E F0 2.5(,a)C(nd related pages.) +-2.5 E F1 1.666(SPECIAL THANKS)72 648 R F0 1.6 -.8(To a)102 660 T (ll who support further de).8 E -.15(ve)-.25 G(lopment, in particular:) -.15 E F1<83>122 660 Q F0(ThePhD)2.5 E F1<83>122 672 Q F0(Embark Studios) -2.5 E(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021) -.15 E(10)184.295 E 0 Cg EP -%%Page: 11 11 +.15 E F1<83>122 672 Q F0(ThePhD)2.5 E(tzpfms 0.1-27)72 750 Q(No)138.745 +E -.15(ve)-.15 G(mber 28, 2021).15 E(11)184.295 E 0 Cg EP +%%Page: 12 12 %%BeginPageSetup BP %%EndPageSetup /F0 10/Times-Roman@0 SF -.834(ZFS-TPM2-CLEAR-KEY \(8\))72 48 R (System Manager')62.209 E 2.5(sM)-.55 G 57.209(anual ZFS-TPM2-CLEAR-KEY) --2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF<83>122 96 Q F0(Jasper Bekk) -2.5 E(ers)-.1 E F1(REPOR)72 120 Q 1.666(TING B)-.4 F(UGS)-.1 E -(https://todo.sr)102 132 Q(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10 -/Courier@0 SF(~nabijaczleweli/tzpfms@lists.sr.ht)102 150 Q F0 2.5(,a)C -(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr) -2.5 E(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No) -138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(11)184.295 E 0 Cg EP -%%Page: 12 12 +-2.5 F(\(8\))1.666 E/F1 10/Times-Bold@0 SF<83>122 96 Q F0 +(Embark Studios)2.5 E F1<83>122 108 Q F0(Jasper Bekk)2.5 E(ers)-.1 E F1 +(REPOR)72 132 Q 1.666(TING B)-.4 F(UGS)-.1 E(https://todo.sr)102 144 Q +(.ht/~nabijaczleweli/tzpfms)-1 E/F2 10/Courier@0 SF +(~nabijaczleweli/tzpfms@lists.sr.ht)102 162 Q F0 2.5(,a)C(rchi)-2.5 E +-.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)2.5 E +(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No) +138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(12)184.295 E 0 Cg EP +%%Page: 13 13 %%BeginPageSetup BP %%EndPageSetup @@ -874,20 +946,20 @@ F F3(dataset)102 192 Q F0(.)A(The user is prompted for the additional p\ assphrase, set when creating the k)102 210 Q -.15(ey)-.1 G 2.5(,i)-.5 G 2.5(fo)-2.5 G(ne w)-2.5 E(as set.)-.1 E(See)102 228 Q/F4 10/Courier@0 SF (zfs-tpm2-change-key)2.5 E F0(\(8\) for a detailed description.)A F1 -(OPTIONS)72 252 Q F2103.666 264 Q F0 .179 -(Do a no-op/dry run, can be used e)119 276 R -.15(ve)-.25 G 2.679(ni).15 -G 2.679(ft)-2.679 G .179(he k)-2.679 F .478 -.15(ey i)-.1 H 2.678(sa).15 -G .178(lready loaded.)-2.678 F(Equi)5.178 E -.25(va)-.25 G .178(lent to) -.25 F F2 .178(zfs load-key)2.678 F F0 -.55('s)C F24.894 E F0 +(OPTIONS)72 252 Q F2103.666 264 Q F0 .178 +(Do a no-op/dry run, can be used e)119 276 R -.15(ve)-.25 G 2.678(ni).15 +G 2.679(ft)-2.678 G .179(he k)-2.679 F .479 -.15(ey i)-.1 H 2.679(sa).15 +G .179(lready loaded.)-2.679 F(Equi)5.179 E -.25(va)-.25 G .179(lent to) +.25 F F2 .179(zfs load-key)2.679 F F0 -.55('s)C F24.895 E F0 (option.)119 288 Q F1(ENVIR)72 312 Q 1.666(ONMENT V)-.3 F(ARIABLES)-1.35 -E F4(TZPFMS_PASSPHRASE_HELPER)102 324 Q F0 .465(By def)143 336 R .466(a\ +E F4(TZPFMS_PASSPHRASE_HELPER)102 324 Q F0 .466(By def)143 336 R .466(a\ ult, passphrases are prompted for and read in on the standard output an\ -d input streams.)-.1 F(If)5.466 E F4(TZPFMS_PASSPHRASE_HELPER)143 348 Q -F0 .517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G -.516(ill be run via)-3.017 F F4(/bin/)3.016 E F2 2.182(sh \255c)B F0 -.516(to pro-)3.016 F(vide each passphrase, instead.)143 360 Q .188 +d input streams.)-.1 F(If)5.465 E F4(TZPFMS_PASSPHRASE_HELPER)143 348 Q +F0 .516(is set and nonempty)3.016 F 3.016(,i)-.65 G 3.016(tw)-3.016 G +.517(ill be run via)-3.016 F F4(/bin/)3.017 E F2 2.183(sh \255c)B F0 +.517(to pro-)3.017 F(vide each passphrase, instead.)143 360 Q .189 (The standard output stream of the helper is tied to an anon)143 378 R -.189(ymous \214le and used in its entirety as the)-.15 F(passphrase, e) +.188(ymous \214le and used in its entirety as the)-.15 F(passphrase, e) 143 390 Q(xcept for a trailing ne)-.15 E(w-line, if an)-.25 E 3.8 -.65 (y. T)-.15 H(he ar).65 E(guments are:)-.18 E F4($1)155 402 Q F0 (Pre-formatted noun phrase with all the information belo)172 402 Q 1.3 @@ -903,29 +975,29 @@ F0 .517(is set and nonempty)3.017 F 3.017(,i)-.65 G 3.017(tw)-3.017 G -1.666 F(is used as f)143 468 Q 2.5(all-back. If)-.1 F(it f)2.5 E (ails for an)-.1 E 2.5(yo)-.15 G(ther reason, the prompting is aborted.) -2.5 E F1 1.666(TPM1.X back-end con\214guration)72 492 R .625 -(TPM selection)84 504 R F0(The)102 516 Q F2(tzpfms)2.767 E F0 .267 +(TPM selection)84 504 R F0(The)102 516 Q F2(tzpfms)2.768 E F0 .267 (suite connects to a local)2.767 F F4(tcsd)2.767 E F0 .267 (\(8\) process)B 1.666(\(a)4.433 G(t)-1.666 E F4(localhost:30003)2.767 E F0 4.433(\)b)1.666 G 2.767(yd)-4.433 G(ef)-2.767 E 2.767(ault. Use)-.1 F -.268(the en-)2.767 F(vironment v)102 528 Q(ariable)-.25 E F4 -(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .392 -(The T)102 546 R(rouSerS)-.35 E F4(tcsd)2.892 E F0 .392 +.267(the en-)2.767 F(vironment v)102 528 Q(ariable)-.25 E F4 +(TZPFMS_TPM1X)2.5 E F0(to specify a remote TCS hostname.)2.5 E .391 +(The T)102 546 R(rouSerS)-.35 E F4(tcsd)2.891 E F0 .391 (\(8\) daemon will try)B F4(/dev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E -F4(/udev/tpm0)2.892 E F0 2.891(,t)C(hen)-2.891 E F4(/dev/tpm)2.891 E F0 -2.891(;b)C 2.891(yo)-2.891 G(ccup)-2.891 E(ying)-.1 E +F4(/udev/tpm0)2.892 E F0 2.892(,t)C(hen)-2.892 E F4(/dev/tpm)2.892 E F0 +2.892(;b)C 2.892(yo)-2.892 G(ccup)-2.892 E(ying)-.1 E (one of the earlier ones with, for e)102 558 Q (xample, shell redirection, a later one can be selected.)-.15 E F1 .625 (See also)84 582 R F0(The T)102 594 Q(rouSerS project page at)-.35 E F1 (https://sour)2.5 E(cef)-.18 E(or)-.25 E(ge.net/pr)-.1 E(ojects/tr)-.18 -E(ousers)-.18 E F0(.)A 5.108(The TPM 1.2 main speci\214cation inde)102 -612 R 7.609(xa)-.15 G(t)-7.609 E F1(https://trustedcomputinggr)7.609 E +E(ousers)-.18 E F0(.)A 5.109(The TPM 1.2 main speci\214cation inde)102 +612 R 7.608(xa)-.15 G(t)-7.608 E F1(https://trustedcomputinggr)7.608 E (oup.or)-.18 E(g/r)-.1 E(esour)-.18 E(ce/tpm-main-)-.18 E (speci\214cation)102 624 Q F0(.)A F1 1.666(SPECIAL THANKS)72 648 R F0 1.6 -.8(To a)102 660 T(ll who support further de).8 E -.15(ve)-.25 G (lopment, in particular:).15 E F1<83>122 672 Q F0(ThePhD)2.5 E -(tzpfms 0.1-23)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E -(12)184.295 E 0 Cg EP -%%Page: 13 13 +(tzpfms 0.1-27)72 750 Q(No)138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E +(13)184.295 E 0 Cg EP +%%Page: 14 14 %%BeginPageSetup BP %%EndPageSetup @@ -937,8 +1009,8 @@ BP (.ht/~nabijaczleweli/tzpfms)-1 E/F2 10/Courier@0 SF (~nabijaczleweli/tzpfms@lists.sr.ht)102 162 Q F0 2.5(,a)C(rchi)-2.5 E -.15(ve)-.25 G 2.5(da).15 G(t)-2.5 E F1(https://lists.sr)2.5 E -(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-23)72 750 Q(No) -138.745 E -.15(ve)-.15 G(mber 25, 2021).15 E(13)184.295 E 0 Cg EP +(.ht/~nabijaczleweli/tzpfms)-1 E F0(.)A(tzpfms 0.1-27)72 750 Q(No) +138.745 E -.15(ve)-.15 G(mber 28, 2021).15 E(14)184.295 E 0 Cg EP %%Trailer end %%EOF diff --git a/zfs-tpm-list.8 b/zfs-tpm-list.8 index da8657a..fc64368 100644 --- a/zfs-tpm-list.8 +++ b/zfs-tpm-list.8 @@ -1,9 +1,9 @@ .\" SPDX-License-Identifier: MIT . -.Dd November 25, 2021 +.Dd November 28, 2021 .ds doc-volume-operating-system .Dt ZFS-TPM-LIST 8 -.Os tzpfms 0.1-23 +.Os tzpfms 0.1-27 . .Sh NAME .Nm zfs-tpm-list diff --git a/zfs-tpm-list.8.html b/zfs-tpm-list.8.html index 0077fbf..1aa3fd2 100644 --- a/zfs-tpm-list.8.html +++ b/zfs-tpm-list.8.html @@ -164,8 +164,8 @@ tarta-zoot/vm - available yes - - + +
November 25, 2021tzpfms 0.1-23November 28, 2021tzpfms 0.1-27
diff --git a/zfs-tpm1x-change-key.8 b/zfs-tpm1x-change-key.8 index 0063c77..ca8ddac 100644 --- a/zfs-tpm1x-change-key.8 +++ b/zfs-tpm1x-change-key.8 @@ -1,9 +1,9 @@ .\" SPDX-License-Identifier: MIT . -.Dd November 25, 2021 +.Dd November 28, 2021 .ds doc-volume-operating-system .Dt ZFS-TPM1X-CHANGE-KEY 8 -.Os tzpfms 0.1-23 +.Os tzpfms 0.1-27 . .Sh NAME .Nm zfs-tpm1x-change-key @@ -11,6 +11,7 @@ .Sh SYNOPSIS .Nm .Op Fl b Ar backup-file +.Op Fl P Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … .Ar dataset . .Sh DESCRIPTION @@ -63,7 +64,7 @@ tools .Li tzpfms.key is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs; the first one represents the RSA key protecting the blob, -and it is protected with either the password, if provided, or the SHA1 constant +and it is protected with either the passphrase, if provided, or the SHA1 constant .Li CE4CF677875B5EB8993591D5A9AF1ED24A3A8736 ; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant @@ -80,13 +81,13 @@ or to issue a note for manual intervention into the standard error stream. A final verification should be made by running .Nm zfs-tpm1x-load-key Fl n Ar dataset . If that command succeeds, all is well, -but otherwise the dataset can be manually rolled back to a password with +but otherwise the dataset can be manually rolled back to a passphrase with .Nm zfs-tpm1x-clear-key Ar dataset .Pq or, if that fails to work, Nm zfs Cm change-key Fl o Li keyformat=passphrase Ar dataset , and you are hereby asked to report a bug, please. .Pp .Nm zfs-tpm1x-clear-key Ar dataset -can be used to clear the properties and go back to using a password. +can be used to clear the properties and go back to using a passphrase. . .Sh OPTIONS .Bl -tag -compact -width "-b backup-file" @@ -99,6 +100,15 @@ This back-up be stored securely, off-site. In case of a catastrophic event, the key can be loaded by running .Dl Nm zfs Cm load-key Ar dataset Li < Ar backup-file +.Pp +. +.It Fl P Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … +Bind the key to space- or comma-separated +.Ar PCR Ns s +\(em if they change, the wrapping key will not be able to be unsealed. +The minimum amount of PCRs for a PC TPM is +.Sy 24 Pq numbered Sy 0 Ns .. Ns Sy 23 . +For most, this is also the maximum. .El . .\" SPDX-License-Identifier: MIT @@ -189,3 +199,11 @@ Jasper Bekkers .Mt ~nabijaczleweli/tzpfms@lists.sr.ht , archived at .Lk https:/\&/lists.sr.ht/~nabijaczleweli/tzpfms . +. +.Sh SEE ALSO +.\" Match this to zfs-tpm2-change-key.8: +PCR allocations: +.Lk https:/\&/wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers +and +.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf , +Section 2.3.4 "PCR Usage", Table 1. diff --git a/zfs-tpm1x-change-key.8.html b/zfs-tpm1x-change-key.8.html index f915e04..59efb4e 100644 --- a/zfs-tpm1x-change-key.8.html +++ b/zfs-tpm1x-change-key.8.html @@ -29,6 +29,8 @@ zfs-tpm1x-change-key [-b backup-file] + [-P + PCR[,PCR]…] dataset @@ -70,7 +72,7 @@

tzpfms.key is a colon-separated pair of hexadecimal-string (i.e. "4F7730" for "Ow0") blobs; the first one represents the RSA key protecting the blob, and it is protected - with either the password, if provided, or the SHA1 constant + with either the passphrase, if provided, or the SHA1 constant CE4CF677875B5EB8993591D5A9AF1ED24A3A8736; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant @@ -87,7 +89,7 @@

A final verification should be made by running zfs-tpm1x-load-key -n dataset. If that command succeeds, all is well, but - otherwise the dataset can be manually rolled back to a password with + otherwise the dataset can be manually rolled back to a passphrase with zfs-tpm1x-clear-key dataset (or, if that fails to work, zfs change-key -o @@ -95,7 +97,7 @@ and you are hereby asked to report a bug, please.

zfs-tpm1x-clear-key dataset can be used to clear the properties and go - back to using a password.

+ back to using a passphrase.

@@ -110,7 +112,16 @@ load-key dataset < backup-file +

+
+ PCR[,PCR]…
+
Bind the key to space- or comma-separated PCRs + — if they change, the wrapping key will not be able to be unsealed. + The minimum amount of PCRs for a PC TPM is + (numbered + ..). + For most, this is also the maximum.
@@ -193,11 +204,20 @@ archived at https://lists.sr.ht/~nabijaczleweli/tzpfms.

+
+

+

PCR allocations: + https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers + and + https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf, + Section 2.3.4 "PCR Usage", Table 1.

+
- - + +
November 25, 2021tzpfms 0.1-23November 28, 2021tzpfms 0.1-27
diff --git a/zfs-tpm1x-clear-key.8 b/zfs-tpm1x-clear-key.8 index 30b7649..fb5ade0 100644 --- a/zfs-tpm1x-clear-key.8 +++ b/zfs-tpm1x-clear-key.8 @@ -1,9 +1,9 @@ .\" SPDX-License-Identifier: MIT . -.Dd November 25, 2021 +.Dd November 28, 2021 .ds doc-volume-operating-system .Dt ZFS-TPM1X-CLEAR-KEY 8 -.Os tzpfms 0.1-23 +.Os tzpfms 0.1-27 . .Sh NAME .Nm zfs-tpm1x-clear-key diff --git a/zfs-tpm1x-clear-key.8.html b/zfs-tpm1x-clear-key.8.html index 558a6fc..d55f2c4 100644 --- a/zfs-tpm1x-clear-key.8.html +++ b/zfs-tpm1x-clear-key.8.html @@ -101,8 +101,8 @@ - - + +
November 25, 2021tzpfms 0.1-23November 28, 2021tzpfms 0.1-27
diff --git a/zfs-tpm1x-load-key.8 b/zfs-tpm1x-load-key.8 index da056d0..4c4e3fb 100644 --- a/zfs-tpm1x-load-key.8 +++ b/zfs-tpm1x-load-key.8 @@ -1,9 +1,9 @@ .\" SPDX-License-Identifier: MIT . -.Dd November 25, 2021 +.Dd November 28, 2021 .ds doc-volume-operating-system .Dt ZFS-TPM1X-LOAD-KEY 8 -.Os tzpfms 0.1-23 +.Os tzpfms 0.1-27 . .Sh NAME .Nm zfs-tpm1x-load-key diff --git a/zfs-tpm1x-load-key.8.html b/zfs-tpm1x-load-key.8.html index 4ef80e6..c2e5a8d 100644 --- a/zfs-tpm1x-load-key.8.html +++ b/zfs-tpm1x-load-key.8.html @@ -137,8 +137,8 @@ - - + +
November 25, 2021tzpfms 0.1-23November 28, 2021tzpfms 0.1-27
diff --git a/zfs-tpm2-change-key.8 b/zfs-tpm2-change-key.8 index 5689723..d9b1e29 100644 --- a/zfs-tpm2-change-key.8 +++ b/zfs-tpm2-change-key.8 @@ -1,9 +1,9 @@ .\" SPDX-License-Identifier: MIT . -.Dd November 25, 2021 +.Dd November 28, 2021 .ds doc-volume-operating-system .Dt ZFS-TPM2-CHANGE-KEY 8 -.Os tzpfms 0.1-23 +.Os tzpfms 0.1-27 . .Sh NAME .Nm zfs-tpm2-change-key @@ -11,6 +11,10 @@ .Sh SYNOPSIS .Nm .Op Fl b Ar backup-file +.Oo +.Fl P Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … Ns Oo Cm + Ns Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … Oc Ns … +.Op Fl A +.Oc .Ar dataset . .Sh DESCRIPTION @@ -50,7 +54,7 @@ The following properties are set on .It .Li xyz.nabijaczleweli:tzpfms.backend Ns = Ns Sy TPM2 .It -.Li xyz.nabijaczleweli:tzpfms.key Ns = Ns Ar ID of persistent object +.Li xyz.nabijaczleweli:tzpfms.key Ns = Ns Ar persistent-object-ID Ns Op Cm ;\& Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … Ns Oo Cm + Ns Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … Oc Ns … .El .Pp .Li tzpfms.backend @@ -61,10 +65,17 @@ tools .Pq namely Xr zfs-tpm2-change-key 8 , Xr zfs-tpm2-load-key 8 , and Xr zfs-tpm2-clear-key 8 . .Pp .Li tzpfms.key -is an integer representing the sealed object; +is an integer representing the sealed object, optionally followed by a semicolon and PCR list as specified with +.Fl P , +normalised to be +.Nm tpm-tools Ns -toolchain-compatible ; if needed, it can be passed to -.Nm tpm2_unseal Fl c Ev ${tzpfms.key} Op Fl p Ev ${password} -or equivalent for back-up +.Nm tpm2_unseal Fl c Ev ${tzpfms.key Ns Cm %% Ns Li ;* Ns Ev }\& +with +.Fl p Qq Li str:\& Ns Ev ${passphrase} +or +.Fl p Qq Li pcr:\& Ns Ev ${tzpfms.key Ns Cm # Ns Li *; Ns Ev }\& , +as the case may be, or equivalent, for back-up .Pq see Sx OPTIONS . If you have a sealed key you can access with that or equivalent tool and set both of these properties, it will funxion seamlessly. .Pp @@ -77,13 +88,13 @@ or to issue a note for manual intervention into the standard error stream. A final verification should be made by running .Nm zfs-tpm2-load-key Fl n Ar dataset . If that command succeeds, all is well, -but otherwise the dataset can be manually rolled back to a password with +but otherwise the dataset can be manually rolled back to a passphrase with .Nm zfs-tpm2-clear-key Ar dataset .Pq or, if that fails to work, Nm zfs Cm change-key Fl o Li keyformat=passphrase Ar dataset , and you are hereby asked to report a bug, please. .Pp .Nm zfs-tpm2-clear-key Ar dataset -can be used to free the TPM persistent object and go back to using a password. +can be used to free the TPM persistent object and go back to using a passphrase. . .Sh OPTIONS .Bl -tag -compact -width "-b backup-file" @@ -96,6 +107,48 @@ This back-up be stored securely, off-site. In case of a catastrophic event, the key can be loaded by running .Dl Nm zfs Cm load-key Ar dataset Li < Ar backup-file +.Pp +. +.It Fl P Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … Ns Oo Cm + Ns Ar algorithm Ns Cm \&: Ns Ar PCR Ns Oo Ns Cm \&, Ns Ar PCR Oc Ns … Oc Ns … +Bind the key to space- or comma-separated +.Ar PCR Ns s +within their corresponding hashing +.Ar algorithm +\(em if they change, the wrapping key will not be able to be unsealed. +There are +.Sy 24 +PCRs, numbered +.Sy 0 Ns .. Ns Sy 23 . +.Pp +.Ar algorithm +may be any of case-insensitive +.Qq Sy sha1 , +.Qq Sy sha256 , +.Qq Sy sha384 , +.Qq Sy sha512 , +.Qq Sy sm3_256 , +.Qq Sy sm3-256 , +.Qq Sy sha3_256 , +.Qq Sy sha3-256 , +.Qq Sy sha3_384 , +.Qq Sy sha3-384 , +.Qq Sy sha3_512 , +or +.Qq Sy sha3-512 , +and must be supported by the TPM. +.Pp +. +.It Fl A +With +.Fl P , +also prompt for a passphrase. +This is skipped by default because the passphrase is +.Em OR Ns ed +with the PCR policy \(em the wrapping key can be unsealed +.Em either +passphraseless with the right PCRs +.Em or +with the passphrase, and this is usually not the intent. .El . .\" SPDX-License-Identifier: MIT @@ -168,7 +221,8 @@ and the documentation at .Lk https:/\&/tpm2-tss.readthedocs.io . .Pp The TPM 2.0 specifications, mainly at -.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf +.Lk https:/\&/trustedcomputinggroup.org/resource/tpm-library-specification/ , +.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf , and related pages. . .\" SPDX-License-Identifier: MIT @@ -193,3 +247,10 @@ archived at . .Sh SEE ALSO .Xr tpm2_unseal 1 +.Pp +.\" Match this to zfs-tpm1x-change-key.8: +PCR allocations: +.Lk https:/\&/wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers +and +.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf , +Section 2.3.4 "PCR Usage", Table 1. diff --git a/zfs-tpm2-change-key.8.html b/zfs-tpm2-change-key.8.html index 86913b9..c2413f3 100644 --- a/zfs-tpm2-change-key.8.html +++ b/zfs-tpm2-change-key.8.html @@ -29,7 +29,9 @@ zfs-tpm2-change-key [-b backup-file] - dataset + [-P + algorithm:PCR[,PCR]…[+algorithm:PCR[,PCR]…]… + [-A]] dataset @@ -59,8 +61,8 @@ dataset:

tzpfms.backend identifies this dataset for work with TPM2-back-ended tzpfms @@ -69,10 +71,16 @@ zfs-tpm2-load-key(8), and zfs-tpm2-clear-key(8)).

tzpfms.key is an integer representing the - sealed object; if needed, it can be passed to - tpm2_unseal -c - ${tzpfms.key} [-p - ${password}] or equivalent for back-up (see + sealed object, optionally followed by a semicolon and PCR list as specified + with -P, normalised to be + tpm-tools-toolchain-compatible; if needed, it can be + passed to tpm2_unseal -c + ${tzpfms.key%%;*} + with -p + "str:${passphrase}" + or -p + "pcr:${tzpfms.key#*;}", + as the case may be, or equivalent, for back-up (see OPTIONS). If you have a sealed key you can access with that or equivalent tool and set both of these properties, it will funxion seamlessly.

@@ -86,7 +94,7 @@

A final verification should be made by running zfs-tpm2-load-key -n dataset. If that command succeeds, all is well, but - otherwise the dataset can be manually rolled back to a password with + otherwise the dataset can be manually rolled back to a passphrase with zfs-tpm2-clear-key dataset (or, if that fails to work, zfs change-key -o @@ -94,7 +102,7 @@ and you are hereby asked to report a bug, please.

zfs-tpm2-clear-key dataset can be used to free the TPM persistent object - and go back to using a password.

+ and go back to using a passphrase.

@@ -109,7 +117,43 @@ load-key dataset < backup-file +

+
+ algorithm:PCR[,PCR]…[+algorithm:PCR[,PCR]…]…
+
Bind the key to space- or comma-separated PCRs + within their corresponding hashing algorithm + — if they change, the wrapping key will not be able to be unsealed. + There are + PCRs, numbered + ... +

algorithm may be any of + case-insensitive + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + or + "", + and must be supported by the TPM.

+

+
+
+
With -P, also prompt for a passphrase. This is + skipped by default because the passphrase is + ed with + the PCR policy — the wrapping key can be unsealed + + passphraseless with the right PCRs + with the + passphrase, and this is usually not the intent.
@@ -183,7 +227,8 @@ and the documentation at https://tpm2-tss.readthedocs.io.

The TPM 2.0 specifications, mainly at - https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf + https://trustedcomputinggroup.org/resource/tpm-library-specification/, + https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf, and related pages.

@@ -209,12 +254,17 @@

tpm2_unseal(1)

+

PCR allocations: + https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers + and + https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf, + Section 2.3.4 "PCR Usage", Table 1.

- - + +
November 25, 2021tzpfms 0.1-23November 28, 2021tzpfms 0.1-27
diff --git a/zfs-tpm2-clear-key.8 b/zfs-tpm2-clear-key.8 index 2907962..0e7abae 100644 --- a/zfs-tpm2-clear-key.8 +++ b/zfs-tpm2-clear-key.8 @@ -1,9 +1,9 @@ .\" SPDX-License-Identifier: MIT . -.Dd November 25, 2021 +.Dd November 28, 2021 .ds doc-volume-operating-system .Dt ZFS-TPM2-CLEAR-KEY 8 -.Os tzpfms 0.1-23 +.Os tzpfms 0.1-27 . .Sh NAME .Nm zfs-tpm2-clear-key @@ -107,7 +107,8 @@ and the documentation at .Lk https:/\&/tpm2-tss.readthedocs.io . .Pp The TPM 2.0 specifications, mainly at -.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf +.Lk https:/\&/trustedcomputinggroup.org/resource/tpm-library-specification/ , +.Lk https:/\&/trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf , and related pages. . .\" SPDX-License-Identifier: MIT diff --git a/zfs-tpm2-clear-key.8.html b/zfs-tpm2-clear-key.8.html index 30d1ea1..fce0edb 100644 --- a/zfs-tpm2-clear-key.8.html +++ b/zfs-tpm2-clear-key.8.html @@ -126,7 +126,8 @@ and the documentation at https://tpm2-tss.readthedocs.io.

The TPM 2.0 specifications, mainly at - https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf + https://trustedcomputinggroup.org/resource/tpm-library-specification/, + https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf, and related pages.

@@ -151,8 +152,8 @@ - - + +
November 25, 2021tzpfms 0.1-23November 28, 2021tzpfms 0.1-27
diff --git a/zfs-tpm2-load-key.8 b/zfs-tpm2-load-key.8 index d3241f7..7c55ed1 100644 --- a/zfs-tpm2-load-key.8 +++ b/zfs-tpm2-load-key.8 @@ -1,9 +1,9 @@ .\" SPDX-License-Identifier: MIT . -.Dd November 25, 2021 +.Dd November 28, 2021 .ds doc-volume-operating-system .Dt ZFS-TPM2-LOAD-KEY 8 -.Os tzpfms 0.1-23 +.Os tzpfms 0.1-27 . .Sh NAME .Nm zfs-tpm2-load-key diff --git a/zfs-tpm2-load-key.8.html b/zfs-tpm2-load-key.8.html index f6502a6..a8b7f06 100644 --- a/zfs-tpm2-load-key.8.html +++ b/zfs-tpm2-load-key.8.html @@ -136,8 +136,8 @@ - - + +
November 25, 2021tzpfms 0.1-23November 28, 2021tzpfms 0.1-27