author: Lennart Poettering <lennart@poettering.net> 2022-04-14 14:46:40 +0200
committer: Lennart Poettering <lennart@poettering.net> 2022-04-20 17:49:17 +0200
commit: b6553329c03aec306351933843a5a3e0a5a7bfe2 (patch)
tree: c090de0a4d986a3e354be2f8f53948cd3edf02d5 /man/systemd-creds.xml
parent: 571d829ee49147c588e53a1f107c29fd23968581 (diff)
creds-util: permit credentials encrypted/signed by fixed zero length keys as fallback for systems lacking TPM2
This is supposed to be useful when generating credentials for immutable initrd environments, where it is relevant to support credentials even on systems lacking a TPM2 chip. With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a credential will be encrypted/signed with the TPM2 if it is available and recognized by the firmware. Otherwise it will be encrypted/signed with the fixed empty key, thus providing no confidentiality or authenticity. The idea is that distributions use this mode to generically create credentials that are as locked down as possible on the specific platform.
Diffstat (limited to 'man/systemd-creds.xml')
-rw-r--r-- man/systemd-creds.xml | 31
1 files changed, 20 insertions, 11 deletions
diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml
index d3c0295d64..5fa6067ed1 100644
--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
@@ -263,23 +263,32 @@
<term><option>-H</option></term>
<term><option>-T</option></term>
- <listitem><para>When specified with the <command>encrypt</command> command controls the encryption
- key to use. Takes one of <literal>host</literal>, <literal>tpm2</literal>,
- <literal>host+tpm2</literal> or <literal>auto</literal>. See above for details on the three key
- types. If set to <literal>auto</literal> (which is the default) the TPM2 key is used if a TPM2 device
- is found and not running in a container. The host key is used if
- <filename>/var/lib/systemd/</filename> is on persistent media. This means on typical systems the
- encryption is by default bound to both the TPM2 chip and the OS installation, and both need to be
- available to decrypt the credential again. If <literal>auto</literal> is selected but neither TPM2 is
- available (or running in container) nor <filename>/var/lib/systemd/</filename> is on persistent
- media, encryption will fail.</para>
+ <listitem><para>When specified with the <command>encrypt</command> command controls the
+ encryption/signature key to use. Takes one of <literal>host</literal>, <literal>tpm2</literal>,
+ <literal>host+tpm2</literal>, <literal>tpm2-absent</literal>, <literal>auto</literal>,
+ <literal>auto-initrd</literal>. See above for details on the three key types. If set to
+ <literal>auto</literal> (which is the default) the TPM2 key is used if a TPM2 device is found and not
+ running in a container. The host key is used if <filename>/var/lib/systemd/</filename> is on
+ persistent media. This means on typical systems the encryption is by default bound to both the TPM2
+ chip and the OS installation, and both need to be available to decrypt the credential again. If
+ <literal>auto</literal> is selected but neither TPM2 is available (or running in container) nor
+ <filename>/var/lib/systemd/</filename> is on persistent media, encryption will fail. If set to
+ <literal>tpm2-absent</literal> a fixed zero length key is used (thus, in this mode no confidentiality
+ nor authenticity are provided!). This logic is useful to cover for systems that lack a TPM2 chip but
+ where credentials shall be generated. Note that decryption of such credentials is refused on systems
+ that have a TPM2 chip and where UEFI SecureBoot is enabled (this is done so that such a locked down
+ system cannot be tricked into loading a credential generated this way that lacks authentication
+ information). If set to <literal>auto-initrd</literal> a TPM2 key is used if a TPM2 is found. If not
+ a fixed zero length key is used, equivalent to <literal>tpm2-absent</literal> mode. This option is
+ particularly useful to generate credentials files that are encrypted/authenticated against TPM2 where
+ available but still work on systems lacking support for this.</para>
<para>The <option>-H</option> switch is a shortcut for <option>--with-key=host</option>. Similar,
<option>-T</option> is a shortcut for <option>--with-key=tpm2</option>.</para>
<para>When encrypting credentials that shall be used in the initial RAM disk (initrd) where
<filename>/var/lib/systemd/</filename> is typically not available make sure to use
- <option>--with-key=tpm2</option> mode, to disable binding against the host secret.</para>
+ <option>--with-key=auto-initrd</option> mode, to disable binding against the host secret.</para>
<para>This switch has no effect on the <command>decrypt</command> command, as information on which
key to use for decryption is included in the encrypted credential already.</para></listitem>
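Review bot: the rewritten paragraph still says "See above for details on the three key types" although it now enumerates six <literal>--with-key</literal> values, including the two null-key modes <literal>tpm2-absent</literal> and <literal>auto-initrd</literal>; update that sentence so the reader is pointed at where the zero-length-key semantics are described. In the same lines, the list "<literal>host</literal>, <literal>tpm2</literal>, <literal>host+tpm2</literal>, <literal>tpm2-absent</literal>, <literal>auto</literal>, <literal>auto-initrd</literal>" needs an "or" before the last item, and "If not a fixed zero length key is used" needs a comma after "If not". Since <literal>auto-initrd</literal> silently falls back to a key that provides neither confidentiality nor authenticity when the encrypting machine has no TPM2, and the only safeguard described is the decrypt-time refusal on TPM2 + SecureBoot systems, it would help to state here that a credential produced this way on a TPM2-less host carries no protection at all and should be treated as plaintext when deciding where it may be shipped.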