Enable TPM2 on SUSE diskless for apikey

Rather than remote sealed copy, store it in the TPM2 Will convert genesis and EL diskless for this to be the new preferred mechanism.
2024-11-22 01:22:00 +00:00 · 2021-06-23 17:01:27 -04:00 · 2021-06-23 17:01:27 -04:00 · b30fabd55d
commit b30fabd55d
parent b8c9e9c535
2 changed files with 22 additions and 11 deletions
--- a/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
+++ b/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
@ -65,28 +65,39 @@ fi
 needseal=1
 oldumask=$(umask)
 umask 0077
+for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
+    unsealeddata=$(tpm2_unseal -Q -c $hdl)
+    if [[ $unsealeddata == "CONFLUENT_APIKEY:"* ]]; then
+        confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
+    fi
+done
+needseal=0
 while [ -z "$confluent_apikey" ]; do
    /opt/confluent/bin/clortho $nodename $confluent_mgr > /etc/confluent/confluent.apikey
    if grep ^SEALED: /etc/confluent/confluent.apikey > /dev/null; then
-	needseal=0
-        sed -e s/^SEALED:// /etc/confluent/confluent.apikey | clevis-decrypt-tpm2 > /etc/confluent/confluent.apikey.decrypt
-        mv /etc/confluent/confluent.apikey.decrypt /etc/confluent/confluent.apikey
+        # we don't support remote sealed api keys
+        echo > /etc/confluent/confluent.apikey
    fi
    confluent_apikey=$(cat /etc/confluent/confluent.apikey)
    if [ -z "$confluent_apikey" ]; then
-        echo "Unable to acquire node api key, no TPM2 sealed nor fresh token available, retrying..."
+        echo "Unable to acquire node api key, set deployment.apiarmed=once on node '$nodename', retrying..."
        sleep 10
    fi
+    needseal=1
 done
 if [[ $confluent_mgr == *:* ]]; then
    confluent_mgr="[$confluent_mgr]"
 fi
-#if [ $needseal == 1 ]; then
-#    sealed=$(echo $confluent_apikey | clevis-encrypt-tpm2 {})
-#    if [ ! -z "$sealed" ]; then
-#        curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" -d $sealed https://$confluent_mgr/confluent-api/self/saveapikey
-#    fi
-#fi
+if [ $needseal == 1 ]; then
+    tmpdir=$(mktemp -d)
+    cd $tmpdir
+    tpm2_createprimary -G ecc -Q --key-context=prim.ctx
+    (echo -n "CONFLUENT_APIKEY:";cat /etc/confluent/confluent.apikey) | tpm2_create -Q --public=data.pub --private=data.priv -i - -C prim.ctx
+    tpm2_load -Q --parent-context=prim.ctx --public=data.pub --private=data.priv --name=confluent.apikey --key-context=data.ctx
+    tpm2_evictcontrol -Q -c data.ctx
+    cd -
+    rm -rf $tmpdir
+fi
 curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" https://$confluent_mgr/confluent-api/self/deploycfg > /etc/confluent/confluent.deploycfg
 umask $oldumask
 autoconfigmethod=$(grep ipv4_method /etc/confluent/confluent.deploycfg |awk '{print $2}')
--- a/imgutil/suse15/dracut/install
+++ b/imgutil/suse15/dracut/install
@ -1,6 +1,6 @@
 dracut_install /usr/bin/mktemp
 dracut_install /usr/lib64/libtss2-tcti-device.so.*
-dracut_install /usr/bin/tpm2_create /usr/bin/tpm2_pcrread /usr/bin/tpm2_createpolicy /usr/bin/tpm2_createprimary /usr/bin/tpm2_load /usr/bin/tpm2_unseal
+dracut_install /usr/bin/tpm2_create /usr/bin/tpm2_pcrread /usr/bin/tpm2_createpolicy /usr/bin/tpm2_createprimary /usr/bin/tpm2_load /usr/bin/tpm2_unseal /usr/bin/tpm2_getcap /usr/bin/tpm2_evictcontrol
 dracut_install curl openssl tar cpio gzip lsmod ethtool xz lsmod ethtool
 dracut_install modprobe touch echo cut wc bash uniq grep ip hostname
 dracut_install awk egrep dirname expr sort