Compare commits


9 Commits

наб
0b6378d820
Need ra.ws.co.ls for groff 1.23 2025-05-03 00:17:09 +02:00
наб
fd16dbbcd3
Force signed char since we have =-1 (fixes FTBFS on char=uchar) 2025-03-09 18:56:42 +01:00
наб
82b5118fcb
dracut: replace removed-from-dracut-ng inst_library with inst_libdir_file in TPM1
Equivalent calling convention, produces identical initrd

Fixes: https://todo.sr.ht/~nabijaczleweli/tzpfms/3
2025-03-09 04:15:15 +01:00
наб
2335a22bc7
dracut: use standard require_binaries error message in check() 2025-03-09 03:51:48 +01:00
наб
588cce3882
dracut: install TPM2 TCTIs with inst_libdir_file instead of removed-from-dracut-ng inst_library
We can't pull in 91tpm2-tss if installing TPM2 backend
instead of installing the TCTIs manually because it's
  require_binaries tpm2

Initrds produced are identical.

References: https://todo.sr.ht/~nabijaczleweli/tzpfms/3
2025-03-09 03:46:46 +01:00
наб
2764c6e0d3
format 2025-02-16 16:55:39 +01:00
наб
44f9b25314
srhtcdn.githack.com -> ra.ws.co.ls
Fixes: https://todo.sr.ht/~nabijaczleweli/tzpfms/2
2025-02-13 00:00:44 +01:00
наб
d6a2d4683d
mlockall() before calling the TPM 2024-05-31 17:58:42 +02:00
наб
dcf545a6f6
Don't destroy fzifdso manuals on CI 2024-03-29 13:31:38 +01:00
9 changed files with 17 additions and 14 deletions


@ -32,10 +32,10 @@ tasks:
CC=clang CXX=clang++ make CC=clang CXX=clang++ make
find out/ -maxdepth 1 -type f -exec readelf -d {} + | tee /dev/stderr | grep Shared | LC_ALL=C sort -u find out/ -maxdepth 1 -type f -exec readelf -d {} + | tee /dev/stderr | grep Shared | LC_ALL=C sort -u
- manpages: | - manpages: |
sudo sh -c 'curl https://git.sr.ht/~nabijaczleweli/groff-1.23-unfucking/blob/trunk/mdoc.local >> /etc/groff/mdoc.local' sudo sh -c 'curl https://ra.ws.co.ls/~nabijaczleweli/groff-1.23-unfucking/blob/trunk/mdoc.local >> /etc/groff/mdoc.local'
git -C tzpfms/ worktree add ../tzpfms-man man git -C tzpfms/ worktree add ../tzpfms-man man
cd tzpfms-man cd tzpfms-man
git ls-tree -z --name-only HEAD | xargs -0 rm -r git ls-tree -z --name-only HEAD | grep -z tpm | xargs -0 rm -r
cp -pr ../tzpfms/out/man/* . cp -pr ../tzpfms/out/man/* .
sed -e 's/…/.../g' $(ls *.[12345678] | awk -F. '{print $2 "\t" $1}' | sort | awk -F'\t' '{print $2 "." $1}') | groff -K utf8 -tpe -mdoc -Tps -dpaper=a4 -P-pa4 > tzpfms.ps sed -e 's/…/.../g' $(ls *.[12345678] | awk -F. '{print $2 "\t" $1}' | sort | awk -F'\t' '{print $2 "." $1}') | groff -K utf8 -tpe -mdoc -Tps -dpaper=a4 -P-pa4 > tzpfms.ps
ps2pdf -sPAPERSIZE=a4 tzpfms.ps tzpfms.pdf ps2pdf -sPAPERSIZE=a4 tzpfms.ps tzpfms.pdf
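Review bot: The curl call in the manpages step (new side of the `sudo sh -c 'curl https://ra.ws.co.ls/...'` line) has no `-f`, so an HTTP error from the new host appends the error body to /etc/groff/mdoc.local and the step still succeeds, which would make a broken mirror switch hard to notice; `curl -fsS https://ra.ws.co.ls/~nabijaczleweli/groff-1.23-unfucking/blob/trunk/mdoc.local >> /etc/groff/mdoc.local` fails the job instead. The file is also fetched from the moving `trunk` ref rather than a fixed revision, so the rendered manuals are not reproducible across runs; pinning the ref is worth considering since the output is published. The `tasks:` mapping this hunk belongs to starts outside the hunk.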


@ -3,7 +3,7 @@ TPM-based encryption keys for ZFS datasets.
See also [fzifdso](//git.sr.ht/~nabijaczleweli/fzifdso) for FIDO2/WebAuthn-based (YubiKey, Somu, &c.) keys. See also [fzifdso](//git.sr.ht/~nabijaczleweli/fzifdso) for FIDO2/WebAuthn-based (YubiKey, Somu, &c.) keys.
## [Manpages](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/zfs-tpm-list.8.html) ([PDF](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/tzpfms.pdf)) ## [Manpages](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/zfs-tpm-list.8.html) ([PDF](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/tzpfms.pdf))
### Why? ### Why?
@ -41,7 +41,7 @@ As an example, for a sensible default value of `exec systemd-ask-password --id="
### Installation ### Installation
Copy the `out/zfs-tpm*` binaries corresponding to the back-ends you want to `/sbin`, Copy the `out/zfs-tpm*` binaries corresponding to the back-ends you want to `/sbin`,
continue as the [manual](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/zfs-tpm2-change-key.8.html) [page](//srhtcdn.githack.com/~nabijaczleweli/tzpfms/blob/man/zfs-tpm1x-change-key.8.html) instructs. continue as the [manual](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/zfs-tpm2-change-key.8.html) [page](//ra.ws.co.ls/~nabijaczleweli/tzpfms/blob/man/zfs-tpm1x-change-key.8.html) instructs.
For initrd support, copy the content of either `out/dracut/` or `out/initramfs-tools/` over `/`; For initrd support, copy the content of either `out/dracut/` or `out/initramfs-tools/` over `/`;
these need `zfs-tpm-list` but will work with any combination of back-end `*-load-key` binaries these need `zfs-tpm-list` but will work with any combination of back-end `*-load-key` binaries


@ -25,20 +25,19 @@ _get_backend() {
_install_tpm2() { _install_tpm2() {
inst_binary zfs-tpm2-load-key inst_binary zfs-tpm2-load-key
# shellcheck disable=SC2046 inst_libdir_file 'libtss2-tcti*.so*'
inst_library $(find /usr/lib -name 'libtss2-tcti*.so*') # TODO: there's got to be a better way™!
command -v tpm2_dictionarylockout > /dev/null && inst_binary tpm2_dictionarylockout command -v tpm2_dictionarylockout > /dev/null && inst_binary tpm2_dictionarylockout
} }
_install_tpm1x() { _install_tpm1x() {
inst_binary zfs-tpm1x-load-key inst_binary zfs-tpm1x-load-key
INSTALL_TPM1X{inst_binary tcsd; inst_binary ip; inst_binary ss, initdir, inst_simple, inst_simple, inst_simple, inst_library} INSTALL_TPM1X{inst_binary tcsd; inst_binary ip; inst_binary ss, initdir, inst_simple, inst_simple, inst_simple, inst_libdir_file}
command -v tpm_resetdalock > /dev/null && inst_binary tpm_resetdalock command -v tpm_resetdalock > /dev/null && inst_binary tpm_resetdalock
} }
check() { check() {
command -v zfs-tpm-list > /dev/null || return 1 require_binaries zfs-tpm-list || return
# shellcheck disable=SC2154 # shellcheck disable=SC2154
if [ -n "$hostonly" ]; then if [ -n "$hostonly" ]; then
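Review bot: `inst_libdir_file 'libtss2-tcti*.so*'` in _install_tpm2() has its result ignored, so if no TCTI library matches (tpm2-tss in an unusual libdir, or not installed) zfs-tpm2-load-key lands in the initrd with no transport and the failure only shows at boot; if inst_libdir_file reports a no-match as non-zero (not confirmed against dracut-ng here), `inst_libdir_file 'libtss2-tcti*.so*' || dwarn "tzpfms: no TPM2 TCTI libraries found"` would surface it at build time. The `# TODO: there's got to be a better way™!` comment now sits below the call it refers to; moving it above the inst_libdir_file line keeps it attached. The same substitution in _install_tpm1x() goes through the INSTALL_TPM1X expansion, where the inst_libdir_file result is presumably equally unchecked.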


@ -12,7 +12,7 @@
#define TZPFMS_BACKEND_MAX_LEN 16 #define TZPFMS_BACKEND_MAX_LEN 16
enum class key_loadedness : char { enum class key_loadedness : signed char {
none = -1, none = -1,
unloaded = 0, unloaded = 0,
loaded = 1, loaded = 1,
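Review bot: The change to `signed char` on the key_loadedness declaration carries no explanation in the header, and only the commit message records that plain `char` is unsigned on some ABIs, which makes `none = -1` fail to compile there. A one-line comment on the declaration, `// signed char: none is -1, and plain char is unsigned on some ABIs`, keeps the reason next to the code so a later cleanup does not revert it. The enum body continues past the end of the hunk.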


@ -8,6 +8,5 @@
int main(int argc, char ** argv) { int main(int argc, char ** argv) {
return do_clear_main( return do_clear_main(argc, argv, THIS_BACKEND, [](auto, auto) { return 0; }, [] { return 0; });
argc, argv, THIS_BACKEND, [](auto, auto) { return 0; }, [] { return 0; });
} }


@ -133,7 +133,7 @@ static int get_key_material_raw(const char * whom, bool again, bool newkey, uint
if(from_tty) { if(from_tty) {
// Handle SIGINT and ignore SIGSTP. // Handle SIGINT and ignore SIGSTP.
// This is necessary to restore the state of the terminal. // This is necessary to restore the state of the terminal.
struct sigaction act {}; struct sigaction act{};
sigemptyset(&act.sa_mask); sigemptyset(&act.sa_mask);
caught_interrupt = 0; caught_interrupt = 0;


@ -64,8 +64,7 @@ static int do_bare_main(
} }
template <class G, class M, class V = int (*)()> template <class G, class M, class V = int (*)()>
static int do_main( static int do_main(int argc, char ** argv, const char * getoptions, const char * usage, G && getoptfn, M && main, V && validate = [] { return 0; }) {
int argc, char ** argv, const char * getoptions, const char * usage, G && getoptfn, M && main, V && validate = [] { return 0; }) {
return do_bare_main( return do_bare_main(
// as-in argument in a usage string // as-in argument in a usage string
argc, argv, getoptions, usage, gettext_noop("dataset"), getoptfn, argc, argv, getoptions, usage, gettext_noop("dataset"), getoptfn,


@ -9,6 +9,7 @@
#include "main.hpp" #include "main.hpp"
#include <stdlib.h> #include <stdlib.h>
#include <sys/mman.h>
#include <tss/platform.h> #include <tss/platform.h>
#include <tss/tspi.h> #include <tss/tspi.h>
@ -29,6 +30,8 @@ static const constexpr uint8_t parent_key_secret[TPM_SHA1_160_HASH_LEN]{0xCE, 0x
template <class F> template <class F>
int with_tpm1x_session(F && func) { int with_tpm1x_session(F && func) {
mlockall(MCL_CURRENT | MCL_FUTURE);
TSS_HCONTEXT ctx{}; // All memory lives as long as this does TSS_HCONTEXT ctx{}; // All memory lives as long as this does
TRY_TPM1X("create TPM context", Tspi_Context_Create(&ctx)); TRY_TPM1X("create TPM context", Tspi_Context_Create(&ctx));
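Review bot: The new `mlockall(MCL_CURRENT | MCL_FUTURE);` at the top of with_tpm1x_session() discards its return value, so when locking fails — RLIMIT_MEMLOCK exhausted, or CAP_IPC_LOCK missing for an unprivileged caller — the key material handled in the session can still be paged to swap and nothing records that the protection is off; the same unchecked call is added to with_tpm2_session() in tpm2.hpp. At minimum report it, e.g. `if(mlockall(MCL_CURRENT | MCL_FUTURE) == -1) perror("mlockall");` (or whichever warning path the file already uses), and decide whether the load-key paths should treat it as fatal. MCL_FUTURE also makes every later mapping count against the lock limit, so a large allocation inside the TSS library can fail with ENOMEM after this point; a short comment on the line noting that trade-off would help the next reader. with_tpm1x_session()'s body continues outside the hunk.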


@ -6,6 +6,7 @@
#include "common.hpp" #include "common.hpp"
#include <sys/mman.h>
#include <tss2/tss2_common.h> #include <tss2/tss2_common.h>
#include <tss2/tss2_esys.h> #include <tss2/tss2_esys.h>
#include <tss2/tss2_rc.h> #include <tss2/tss2_rc.h>
@ -20,6 +21,8 @@ static const constexpr TPMT_SYM_DEF tpm2_session_key{.algorithm = TPM2_ALG_AES,
template <class F> template <class F>
int with_tpm2_session(F && func) { int with_tpm2_session(F && func) {
mlockall(MCL_CURRENT | MCL_FUTURE);
// https://trustedcomputinggroup.org/wp-content/uploads/TSS_ESAPI_v1p00_r05_pubrev.pdf // https://trustedcomputinggroup.org/wp-content/uploads/TSS_ESAPI_v1p00_r05_pubrev.pdf
// mainly "3.4. The ESAPI Session" and "3.5. ESAPI Use Model" // mainly "3.4. The ESAPI Session" and "3.5. ESAPI Use Model"
// https://tpm2-tss.readthedocs.io/en/latest/group___e_s_y_s___c_o_n_t_e_x_t.html // https://tpm2-tss.readthedocs.io/en/latest/group___e_s_y_s___c_o_n_t_e_x_t.html