From b6553329c03aec306351933843a5a3e0a5a7bfe2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 14 Apr 2022 14:46:40 +0200
Subject: creds-util: permit credentials encrypted/signed by fixed zero length keys as fallback for systems lacking TPM2

This is supposed to be useful when generating credentials for immutable initrd environments, where it is is relevant to support credentials even on systems lacking a TPM2 chip. With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a credential will be encrypted/signed with the TPM2 if it is available and recognized by the firmware. Otherwise it will be encrypted/signed with the fixed empty key, thus providing no confidentiality or authenticity. The idea is that distributions use this mode to generically create credentials that are as locked down as possible on the specific platform.
---
 src/creds/creds.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'src/creds')

diff --git a/src/creds/creds.c b/src/creds/creds.c
index 501eb2deb8..c5a1dc506c 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -560,7 +560,7 @@ static int verb_help(int argc, char **argv, void *userdata) {
 " --timestamp=TIME Include specified timestamp in encrypted credential\n"
 " --not-after=TIME Include specified invalidation time in encrypted\n"
 " credential\n"
- " --with-key=host|tpm2|host+tpm2|auto\n"
+ " --with-key=host|tpm2|host+tpm2|tpm2-absent|auto|auto-initrd\n"
 " Which keys to encrypt with\n"
 " -H Shortcut for --with-key=host\n"
 " -T Shortcut for --with-key=tpm2\n"
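Review bot: The new usage line advertises `tpm2-absent` and `auto-initrd`, but the only explanation that follows is still "Which keys to encrypt with", so a user reading `--help` has no way to learn what the commit message states plainly: `tpm2-absent` (and the `auto-initrd` fallback on machines without a TPM2) uses a fixed, public zero-length key and yields neither confidentiality nor authenticity. I would add one continuation line to the usage string right after the "Which keys to encrypt with" entry, e.g. `"                              (tpm2-absent and the auto-initrd fallback use a fixed null key: no protection)\n"`, so the trade-off is visible where the option is chosen. The verb_help string literal this hunk edits begins and ends outside the hunk.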
@@ -685,12 +685,16 @@ static int parse_argv(int argc, char *argv[]) {
 case ARG_WITH_KEY:
 if (isempty(optarg) || streq(optarg, "auto"))
 arg_with_key = _CRED_AUTO;
+ else if (streq(optarg, "auto-initrd"))
+ arg_with_key = _CRED_AUTO_INITRD;
 else if (streq(optarg, "host"))
 arg_with_key = CRED_AES256_GCM_BY_HOST;
 else if (streq(optarg, "tpm2"))
 arg_with_key = CRED_AES256_GCM_BY_TPM2_HMAC;
 else if (STR_IN_SET(optarg, "host+tpm2", "tpm2+host"))
 arg_with_key = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
+ else if (streq(optarg, "tpm2-absent"))
+ arg_with_key = CRED_AES256_GCM_BY_TPM2_ABSENT;
 else
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
 "Unknown key type: %s", optarg);
-- 
cgit v1.2.1
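Review bot: The new `tpm2-absent` branch accepts a mode that, per the commit message, encrypts with a fixed empty key and therefore protects nothing, yet it is selected as silently as the real TPM2 and host-key modes; an explicit opt-in to a no-protection key deserves a logged warning at the point of selection so it cannot be chosen by accident in a script. I would turn the branch into a braced block that emits `log_warning("Encrypting with the fixed null key: the credential will have no confidentiality or authenticity.");` before `arg_with_key = CRED_AES256_GCM_BY_TPM2_ABSENT;`. The `auto-initrd` path only sets `_CRED_AUTO_INITRD` here, so the TPM2-present/absent decision and any warning for that fallback presumably live in creds-util, outside this diff, and should get the same treatment there. A brief comment on the `tpm2-absent` branch, e.g. `/* Fixed null key: no confidentiality or authenticity, only for TPM2-less fallback */`, would also help the next reader. parse_argv continues outside the hunk.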