authorLennart Poettering <lennart@poettering.net>2022-04-14 14:46:40 +0200
committerLennart Poettering <lennart@poettering.net>2022-04-20 17:49:17 +0200
commitb6553329c03aec306351933843a5a3e0a5a7bfe2 (patch)
treec090de0a4d986a3e354be2f8f53948cd3edf02d5 /src/creds
parent571d829ee49147c588e53a1f107c29fd23968581 (diff)
creds-util: permit credentials encrypted/signed by fixed zero length keys as fallback for systems lacking TPM2
This is supposed to be useful when generating credentials for immutable initrd environments, where it is relevant to support credentials even on systems lacking a TPM2 chip. With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a credential will be encrypted/signed with the TPM2 if it is available and recognized by the firmware. Otherwise it will be encrypted/signed with the fixed empty key, thus providing no confidentiality or authenticity. The idea is that distributions use this mode to generically create credentials that are as locked down as possible on the specific platform.
Diffstat (limited to 'src/creds')
-rw-r--r--src/creds/creds.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/creds/creds.c b/src/creds/creds.c
index 501eb2deb8..c5a1dc506c 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -560,7 +560,7 @@ static int verb_help(int argc, char **argv, void *userdata) {
" --timestamp=TIME Include specified timestamp in encrypted credential\n"
" --not-after=TIME Include specified invalidation time in encrypted\n"
" credential\n"
- " --with-key=host|tpm2|host+tpm2|auto\n"
+ " --with-key=host|tpm2|host+tpm2|tpm2-absent|auto|auto-initrd\n"
" Which keys to encrypt with\n"
" -H Shortcut for --with-key=host\n"
" -T Shortcut for --with-key=tpm2\n"
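Review bot: The new `--with-key=` help line advertises `tpm2-absent` and `auto-initrd` alongside the real key choices, but nothing in the help tells the user that `tpm2-absent` (and `auto-initrd` on a machine without a TPM2) uses a fixed empty key, which the commit message itself says provides no confidentiality or authenticity. Someone reading `--help` alone will reasonably take `tpm2-absent` for a protected mode. Consider a second continuation line under "Which keys to encrypt with", e.g. `" (tpm2-absent/auto-initrd without TPM2: fixed key, no confidentiality)\n"`, aligned with the existing continuation lines. The same caveat would belong on the `--with-key` entry in the man page, which this commit does not touch.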
@@ -685,12 +685,16 @@ static int parse_argv(int argc, char *argv[]) {
case ARG_WITH_KEY:
if (isempty(optarg) || streq(optarg, "auto"))
arg_with_key = _CRED_AUTO;
+ else if (streq(optarg, "auto-initrd"))
+ arg_with_key = _CRED_AUTO_INITRD;
else if (streq(optarg, "host"))
arg_with_key = CRED_AES256_GCM_BY_HOST;
else if (streq(optarg, "tpm2"))
arg_with_key = CRED_AES256_GCM_BY_TPM2_HMAC;
else if (STR_IN_SET(optarg, "host+tpm2", "tpm2+host"))
arg_with_key = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
+ else if (streq(optarg, "tpm2-absent"))
+ arg_with_key = CRED_AES256_GCM_BY_TPM2_ABSENT;
else
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown key type: %s", optarg);