Add TPM 1.2 support

[oldium]

This patch series adds TPM 1.2 support and fixes few other things (I can split this into multiple Pull Requests if you wish):

• Added missing shutdown SystemD dependencies when using DefaultDependencies=no.
• When Dracut without SystemD is used, benefit cryptsetup unlocking workflow to let it handle the crypttab and other options. This uses pipe to unlock with password similarly like the initramfs-tools image does. See commit message for more details.
• Added full support for TPM 1.2.

Status:

• [✅ Done] Clevis encrypt, decrypt, bind support
• [✅ Done] initramfs-tools support
• [✅ Done] Systemd support
• [✅ Done] Manual page for clevis-encrypt-tpm1
• [✅ Done] Tests for tpm1 pin
• [✅ Done] Dracut support

Example usage:

• Boot and unlock with TPM1.2:
  clevis luks bind -d /dev/<device> tpm1 '{"pcr_ids":"0,4,7"}'
• Encrypt and decrypt:
  echo test | clevis encrypt tpm1 '{"pcr_ids":"0,4,7"}' | clevis decrypt

Tested:

• Tested with initramfs-tools, used both TPM 1.2 and null pins with "fail":true to test success and failed unlocking
• Tested with Dracut with SystemD. Tested both success and failed cases
• Tested with Dracut without SystemD (module was disabled). Tested both success and failed cases
• Tested with Dracut without SystemD (module was disabled), with programmatically changed detection that null pin is a network pin. Tested that with rd.neednet the unlocking happens after network gets online.

Fixes: #84, #456

[oldium]

Work is done, pre-built packages for Debian 12 and amd64 arch are available here https://github.com/oldium/clevis/releases/tag/v20_tpm1

[oldium]

The CentOS test build image needs some love, the mirrorlist.centos.org site does not exist any more it seems.

[oldium]

Rebased to latest master to fix the build.

[aadnehovda]

Would this play nicely together with #467? Anything missing? Great for proxmox ZFS root on older TPM 1.2 only hardware.

[oldium]

Would this play nicely together with #467? Anything missing? Great for proxmox ZFS root on older TPM 1.2 only hardware.

Hard to say without looking more into the ZFS support. I see some code duplication in the ZFS initramfs hook, it installs basically the same binaries as the regular clevis hook. It misses TPM1.2 completely (for obvious reasons).

From the brief look I was not able to tell how exactly the ZFS unlocking works, but if it uses the same clevis functionality to decrypt the password, it should (in theory) work.

Side note: I have rebased my patches and changed them according to code-review input plus few fixes more (also for easier packaging of the new file pin in Debian). I will send an update within a week or two after testing it.

[oldium]

Possibly there will be some startup changes necessary to line-up with the ZFS support, because the clevis initramfs local-top script just starts the tcsd (TPM1.2 daemon) only in case the tpm1 pin is detected by get_pid_device_pins function (again, I do not know how the ZFS integration works). For dracut startup I can imagine missing optional startup dependency on tcsd.

Anyway, nothing impossible to do.

[oldium]

Added several fixup! commits ready to be rebased after code review (with git rebase --autosquash). It is ready to be read one-by-one, the commits are small and self-explanatory.

On top of the code-review fixes, I added the following:

• Few additional safety checks and local variable declarations.
• Fixed usage of uninitialized variable in tpm2/tpm1 test code (the test did not test what it should test for a looooooong time...).
• Fixed new template and file pins to allow installation under Debian. Debian installs all Dracut scripts and uses check() function to determine if the pin is actually installed on the system.

On top of that, I created a new tpm1u8 version and published GPG signed packages in the public repository – see the Release Notes.

[sarroutbi]

LGTM. Thanks for your PR. @sergio-correia : A double opinion is welcome here

[oldium]

Just a kind reminder: Please do not merge without auto-squashing first (git rebase --autosquash), I would be sad to have the commit history in this state 😁. I would like to do it when the reviews are finished.

[akostadinov]

Who needs to approve this PR for merge?

[sarroutbi]

Who needs to approve this PR for merge?

Changes LGTM. Waiting for @sergio-correia to check if anything else is required (it seems all suggested nits were resolved)