From b30fabd55d5091273bcff972209dfcd5c660dd2b Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 23 Jun 2021 17:01:27 -0400
Subject: [PATCH] Enable TPM2 on SUSE diskless for apikey

Rather than remote sealed copy, store it in the TPM2
Will convert genesis and EL diskless for this to be the new preferred mechanism.
---
 .../hooks/cmdline/10-confluentdiskless.sh | 31 +++++++++++++------
 imgutil/suse15/dracut/install | 2 +-
 2 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh b/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
index 85549139..d8a464af 100644
--- a/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
+++ b/confluent_osdeploy/suse15-diskless/initramfs/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
@@ -65,28 +65,39 @@ fi
 needseal=1
 oldumask=$(umask)
 umask 0077
+for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
+ unsealeddata=$(tpm2_unseal -Q -c $hdl)
+ if [[ $unsealeddata == "CONFLUENT_APIKEY:"* ]]; then
+ confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
+ fi
+done
+needseal=0
 while [ -z "$confluent_apikey" ]; do
 /opt/confluent/bin/clortho $nodename $confluent_mgr > /etc/confluent/confluent.apikey
 if grep ^SEALED: /etc/confluent/confluent.apikey > /dev/null; then
- needseal=0
- sed -e s/^SEALED:// /etc/confluent/confluent.apikey | clevis-decrypt-tpm2 > /etc/confluent/confluent.apikey.decrypt
- mv /etc/confluent/confluent.apikey.decrypt /etc/confluent/confluent.apikey
+ # we don't support remote sealed api keys
+ echo > /etc/confluent/confluent.apikey
 fi
 confluent_apikey=$(cat /etc/confluent/confluent.apikey)
 if [ -z "$confluent_apikey" ]; then
- echo "Unable to acquire node api key, no TPM2 sealed nor fresh token available, retrying..."
+ echo "Unable to acquire node api key, set deployment.apiarmed=once on node '$nodename', retrying..."
 sleep 10
 fi
+ needseal=1
 done
 if [[ $confluent_mgr == *:* ]]; then
 confluent_mgr="[$confluent_mgr]"
 fi
-#if [ $needseal == 1 ]; then
-# sealed=$(echo $confluent_apikey | clevis-encrypt-tpm2 {})
-# if [ ! 
-z "$sealed" ]; then
-# curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" -d $sealed https://$confluent_mgr/confluent-api/self/saveapikey
-# fi
-#fi
+if [ $needseal == 1 ]; then
+ tmpdir=$(mktemp -d)
+ cd $tmpdir
+ tpm2_createprimary -G ecc -Q --key-context=prim.ctx
+ (echo -n "CONFLUENT_APIKEY:";cat /etc/confluent/confluent.apikey) | tpm2_create -Q --public=data.pub --private=data.priv -i - -C prim.ctx
+ tpm2_load -Q --parent-context=prim.ctx --public=data.pub --private=data.priv --name=confluent.apikey --key-context=data.ctx
+ tpm2_evictcontrol -Q -c data.ctx
+ cd -
+ rm -rf $tmpdir
+fi
 curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $confluent_apikey" https://$confluent_mgr/confluent-api/self/deploycfg > /etc/confluent/confluent.deploycfg
 umask $oldumask
 autoconfigmethod=$(grep ipv4_method /etc/confluent/confluent.deploycfg |awk '{print $2}')
diff --git a/imgutil/suse15/dracut/install b/imgutil/suse15/dracut/install
index d6136148..daefcf41 100644
--- a/imgutil/suse15/dracut/install
+++ b/imgutil/suse15/dracut/install
@@ -1,6 +1,6 @@
 dracut_install /usr/bin/mktemp
 dracut_install /usr/lib64/libtss2-tcti-device.so.*
-dracut_install /usr/bin/tpm2_create /usr/bin/tpm2_pcrread /usr/bin/tpm2_createpolicy /usr/bin/tpm2_createprimary /usr/bin/tpm2_load /usr/bin/tpm2_unseal
+dracut_install /usr/bin/tpm2_create /usr/bin/tpm2_pcrread /usr/bin/tpm2_createpolicy /usr/bin/tpm2_createprimary /usr/bin/tpm2_load /usr/bin/tpm2_unseal /usr/bin/tpm2_getcap /usr/bin/tpm2_evictcontrol
 dracut_install curl openssl tar cpio gzip lsmod ethtool xz lsmod ethtool
 dracut_install modprobe touch echo cut wc bash uniq grep ip hostname
 dracut_install awk egrep dirname expr sort
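Review bot: A re-seal never evicts the previous CONFLUENT_APIKEY object, so every key rotation that sets `needseal=1` adds one more persistent handle, and the scan loop at the top of the hunk then keeps whichever matching handle enumerates last, which can be the stale key; because `while [ -z "$confluent_apikey" ]` only runs when nothing was found, a node holding a stale sealed key has no path back to fetching a fresh one. `tpm2_evictcontrol -Q -c data.ctx` is also unchecked, so once the TPM's persistent slots are used up the seal fails silently and the script continues as if the key had been stored. Remember the handle that matched in the scan loop, evict it before persisting the new object, and report a failed evictcontrol, as below (tpm2_evictcontrol removes the object when `-c` is already a persistent handle; worth confirming against the tpm2-tools version in the image). The new sealed object carries no auth value and no PCR policy, which matches the `clevis-encrypt-tpm2 {}` it replaces but means any process that can reach the TPM on the node can unseal the API key; a comment such as `# sealed without auth/PCR policy: anything with TPM access on this node can unseal it` would record that choice. The script continues outside the hunk on both sides, so whether a later step reads /etc/confluent/confluent.apikey (which the TPM path never writes) cannot be checked here.
```shell
apikeyhdl=
for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
    unsealeddata=$(tpm2_unseal -Q -c "$hdl")
    if [[ $unsealeddata == "CONFLUENT_APIKEY:"* ]]; then
        confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
        apikeyhdl=$hdl   # remember the slot so a re-seal replaces it instead of adding another
    fi
done
# … unchanged: apikey fetch loop, confluent_mgr bracketing …
if [ $needseal == 1 ]; then
    # … unchanged: mktemp, tpm2_createprimary, tpm2_create, tpm2_load …
    if [ -n "$apikeyhdl" ]; then
        tpm2_evictcontrol -Q -c "$apikeyhdl"   # drop the stale sealed key before persisting the new one
    fi
    tpm2_evictcontrol -Q -c data.ctx || echo "Failed to persist the api key in the TPM2" >&2
    # … unchanged: cd -, rm -rf $tmpdir …
fi
```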