#pin #encryption #policy #tpm2

app clevis-pin-tpm2

Clevis TPM2 PIN with policy support

6 releases (breaking)

0.5.1 Dec 10, 2021
0.4.1 Oct 4, 2021
0.3.0 Apr 6, 2021
0.2.0 Dec 3, 2020
0.1.2 Aug 21, 2020

#309 in Cryptography

Download history 12/week @ 2022-07-25 19/week @ 2022-08-01 1/week @ 2022-08-15 6/week @ 2022-08-22 13/week @ 2022-09-05 6/week @ 2022-09-12 1/week @ 2022-09-26

88 downloads per month

MIT license

698 lines


Rewritten Clevis TPM2 PIN

This rewrite supports all previously encrypted values of the PCR-only clevis TPM2 PIN. Additionally, it supports Authorized Policies to delegate authorization of PCR values to an external party.

Creating policies

A reference implementation has been made available for creating policies as parsed by this pin. To use this, first create a policy (see instructions in the repository) and take the output signed policy and the public key JSON. These files need to be available when the PIN runs, so if the pin is used to encrypt the filesystem root, it will probably need to be in /boot. Then run: $binary encrypt '{"policy_pubkey_path": "/boot/policy_pubkey.json", "policy_ref": "", "policy_path": "/boot/policy.json"}' <somefile. This results in an encrypted blob. During the encryption, the policy pubkey needs to exist, the policy does not.

To decrypt this blob, the file specified in the policy_path during encrypt needs to contain a policy that matches the policy_ref with any steps that would match the current PCRs of the system. If that's the case, $binary decrypt <blob will return the contents of the original file back.


~257K SLoC