|
| 1 | +CLEVIS-ENCRYPT-TPM1(1) |
| 2 | +====================== |
| 3 | +:doctype: manpage |
| 4 | + |
| 5 | + |
| 6 | +== NAME |
| 7 | + |
| 8 | +clevis-encrypt-tpm1 - Encrypts using a TPM 1.2 chip binding policy |
| 9 | + |
| 10 | +== SYNOPSIS |
| 11 | + |
| 12 | +*clevis encrypt tpm1* CONFIG < PT > JWE |
| 13 | + |
| 14 | +== OVERVIEW |
| 15 | + |
| 16 | +The *clevis encrypt tpm1* command encrypts using a Trusted Platform |
| 17 | +Module{nbsp}1.2 (TPM{nbsp}1.2) chip. It might work with Trusted Platform |
| 18 | +Module{nbsp}1.1 too, but it is untested. The tpm1 pin does not support Trusted |
| 19 | +Platform Module{nbsp}2.0 and higher, please use the tpm2 pin instead. |
| 20 | + |
| 21 | +The only argument is the JSON configuration object. |
| 22 | + |
| 23 | +When using the tpm1 pin, we create a new, cryptographically-strong, random key. |
| 24 | +This key is encrypted using the TPM{nbsp}1.2 chip. Then at decryption time, the |
| 25 | +key is decrypted again using the TPM{nbsp}1.2 chip. |
| 26 | + |
| 27 | + $ clevis encrypt tpm1 '{}' < PT > JWE |
| 28 | + |
| 29 | +To decrypt the data, simply provide the ciphertext (JWE): |
| 30 | + |
| 31 | + $ clevis decrypt < JWE > PT |
| 32 | + |
| 33 | +Note that like other pins no configuration is used for decryption, this is due |
| 34 | +to clevis storing the sealed encryption key in the JWE so clevis can fetch that |
| 35 | +key from there and unseal it by using the TPM{nbsp}1.2 chip. |
| 36 | + |
| 37 | +The pin also supports sealing data to a Platform Configuration Registers (PCR) |
| 38 | +state. That way the data can only be unsealed if the PCRs hash values match |
| 39 | +the values used when sealing. |
| 40 | + |
| 41 | +For example, to seal the data to the PCR with indexes 0, 4 and 7, use: |
| 42 | + |
| 43 | + $ clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' < PT > JWE |
| 44 | + |
| 45 | +The BIOS, boot loader, Grub and Linux kernel incrementally add hashes of the |
| 46 | +various system states to the registers. The added hashes represent state of |
| 47 | +different components such as the BIOS (PCR{nbsp}0 and{nbsp}1), option ROMs |
| 48 | +(PCR{nbsp}2 and{nbsp}3), boot loader (PCR{nbsp}4), EFI Secure Boot state |
| 49 | +(PCR{nbsp}0 and{nbsp}7), etc. The requirement for exact matching of values |
| 50 | +ensures that the TPM{nbsp}1.2 chip unseals the data only when the system state |
| 51 | +measured by the selected registers has not changed. |
| 52 | + |
| 53 | +Although the usage of Platform Configuration Registers is standardized, the BIOS |
| 54 | +implementation might differ slightly, so always test how the particular register |
| 55 | +value changes when the system is updated, most notably when the Grub boot |
| 56 | +loaded or Linux kernel is updated. The PCR values can be checked with: |
| 57 | + |
| 58 | + $ cat /sys/class/tpm/tpm0/pcrs |
| 59 | + |
| 60 | +== Threat model |
| 61 | + |
| 62 | +The Clevis security model relies in the fact that an attacker will not be able |
| 63 | +to access both the encrypted data and the decryption key. |
| 64 | + |
| 65 | +For most Clevis pins, the decryption key is not locally stored, so the |
| 66 | +decryption policy is only satisfied if the decryption key can be remotely |
| 67 | +accessed. It could for example be stored in a remote server or in a hardware |
| 68 | +authentication device that has to be plugged into the machine. |
| 69 | + |
| 70 | +The tpm1 pin is different in this regard, since a key is wrapped by |
| 71 | +a{nbsp}TPM{nbsp}1.2 chip that is always present in the machine. This does not |
| 72 | +mean that there are not use cases for this pin, but it is important to |
| 73 | +understand the fact that an attacker that has access to both the encrypted data |
| 74 | +and the local TPM{nbsp}1.2 chip will be able to decrypt the data. |
| 75 | + |
| 76 | +The use of specific Platform Configuration Registers along with Secure Boot |
| 77 | +limits the attack surface because an attacker must reproduce the exact register |
| 78 | +values that are present during sealing before the TPM{nbsp}1.2 chip will allow |
| 79 | +the encryption key to be unsealed. Careful selection of registers ensures that |
| 80 | +any change to the boot process will prevent the TPM{nbsp}1.2 from unsealing the |
| 81 | +encryption key. |
| 82 | + |
| 83 | +== CONFIG |
| 84 | + |
| 85 | +This command uses the following configuration properties: |
| 86 | + |
| 87 | +* *pcr_ids* (string) : |
| 88 | + Comma separated list of PCR used for policy. If not present, no policy is used |
| 89 | + |
| 90 | +== SEE ALSO |
| 91 | + |
| 92 | +link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)], |
| 93 | +link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] |
0 commit comments