diff --git a/SOURCES/90-tpm2-import.rules b/SOURCES/90-tpm2-import.rules new file mode 100644 index 0000000..301dd21 --- /dev/null +++ b/SOURCES/90-tpm2-import.rules @@ -0,0 +1 @@ +SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/usr/sbin/tpm2-luks-import.sh /dev/$name" diff --git a/SOURCES/module-setup-cvm.sh b/SOURCES/module-setup-cvm.sh new file mode 100644 index 0000000..aa3d908 --- /dev/null +++ b/SOURCES/module-setup-cvm.sh @@ -0,0 +1,18 @@ +#!/usr/bin/bash +# SPDX-License-Identifier: GPL-2.0-or-later + +check() { + return 0 +} + +depends() { + echo tpm2-tss + return 0 +} + +install() { + inst_multiple -o \ + cryptsetup cut mktemp base64 uname hexdump \ + tpm2_flushcontext tpm2_import tpm2_load tpm2_unseal tpm2_create tpm2_createprimary \ + /usr/sbin/tpm2-luks-import.sh /lib/udev/rules.d/90-tpm2-import.rules +} diff --git a/SOURCES/module-setup.sh b/SOURCES/module-setup-udev.sh similarity index 100% rename from SOURCES/module-setup.sh rename to SOURCES/module-setup-udev.sh diff --git a/SOURCES/tpm2-luks-import.sh b/SOURCES/tpm2-luks-import.sh new file mode 100755 index 0000000..dc1ff0f --- /dev/null +++ b/SOURCES/tpm2-luks-import.sh @@ -0,0 +1,74 @@ +#! /bin/bash -e +# +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This script goes through all 'tpm2-import' tokens and converts them +# to 'systemd-tpm2' ones. +# + +getval () { + grep ^\"$2\" $1 | cut -f 2 -d ':' | sed 's/\"//g' +} + +if [[ ! -b "$1" ]]; then + echo "Device $1 does not exist!" 1>&2 + exit 1 +fi + +/usr/sbin/cryptsetup luksDump "$1" | sed -n '/^Tokens:/,/^Digests:/p' | grep ' tpm2-import' | cut -d ':' -f 1 | while read tokenid; do + echo "Importing token $tokenid from $1" + token=`mktemp` + /usr/sbin/cryptsetup token export --token-id "$tokenid" "$1" | sed -e 's/[{}]/''/g' -e 's/\[//g' -e 's/\]//g' -e 's/,\"/\n"/g' > "$token" + tempdir=`mktemp -d` + pushd "$tempdir" > /dev/null + # Save token data to inidividual files to process them with tpm2-tools + getval "$token" "parent_pub" | base64 -d > parent.pub + getval "$token" "parent_prv" | base64 -d > parent.prv + getval "$token" "parent_seed" | base64 -d > parent.seed + getval "$token" "seal_pub" | base64 -d > seal.pub + getval "$token" "seal_prv" | base64 -d > seal.prv + getval "$token" "pcrpolicy_dat" | base64 -d > pcrpolicy.dat + if [ ! -z `getval "$token" "unique_dat"` ]; then + getval "$token" "unique_dat" | base64 -d > unique.dat + fi + echo "Unsealing volume key" + # Import sealed object + tpm2_flushcontext -t + if [ ! -f "unique.dat" ]; then + tpm2_createprimary -Q -C o -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -g sha256 -G rsa -c primary.ctx + else + tpm2_createprimary -Q -C o -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda' -g sha256 -G rsa -u unique.dat -c primary.ctx + fi + tpm2_flushcontext -t + tpm2_import -Q -C primary.ctx -u parent.pub -i parent.prv -r parent_imported.prv -s parent.seed + tpm2_flushcontext -t + tpm2_load -Q -C primary.ctx -u parent.pub -r parent_imported.prv -c parent.ctx + tpm2_flushcontext -t + tpm2_load -Q -C parent.ctx -u seal.pub -r seal.prv -c seal.ctx + tpm2_flushcontext -t + tpm2_unseal -Q -c seal.ctx -p pcr:`getval "$token" tpm2-pcr-bank`:`getval "$token" tpm2-pcrs` > volume_key + tpm2_flushcontext -t + echo "Sealing new volume key" + # Create a new sealed object under primary ECC key + tpm2_createprimary -Q -C o -g sha256 -G ecc:null:aes128cfb -c primary_ecc.ctx + tpm2_flushcontext -t + tpm2_create -Q -u seal_local.pub -r seal_local.prv -C primary_ecc.ctx -L pcrpolicy.dat -i volume_key + # Create a new systemd-tpm2 compatible token + echo "Adding new LUKS token to $1" + echo '{"type":"systemd-tpm2","keyslots":["'`getval "$token" keyslots`'"], + "tpm2-blob":"'`cat seal_local.prv seal_local.pub | base64 -w0`'", + "tpm2-pcrs":['`getval "$token" tpm2-pcrs`'], + "tpm2-pcr-bank":"'`getval "$token" tpm2-pcr-bank`'", + "tpm2-primary-alg":"ecc", + "tpm2-policy-hash":"'`hexdump -ve '1/1 "%.2x"' pcrpolicy.dat`'", + "tpm2-pin": false, + "kversion": "'`uname -r`'"}' | /usr/sbin/cryptsetup token import "$1" + # Remove tpm2-import token now + echo "Removing now-unneeded token $tokenid from $1" + /usr/sbin/cryptsetup token remove --token-id "$tokenid" "$1" + echo "Importing token $tokenid from $1 finished successfully" + popd > /dev/null + # Cleanup + rm -rf "$tempdir" + rm -f "$token" +done diff --git a/SPECS/WALinuxAgent.spec b/SPECS/WALinuxAgent.spec index 6ec1f9c..b296881 100644 --- a/SPECS/WALinuxAgent.spec +++ b/SPECS/WALinuxAgent.spec @@ -1,15 +1,19 @@ %global with_legacy 0 -%global dracut_modname 97walinuxagent +%global dracut_modname_udev 97walinuxagent +%global dracut_modname_cvm 97walinuxagentcvm Name: WALinuxAgent Version: 2.7.0.6 -Release: 6%{?dist}.1 +Release: 9%{?dist} Summary: The Microsoft Azure Linux Agent License: ASL 2.0 URL: https://github.com/Azure/%{name} Source0: https://github.com/Azure/%{name}/archive/v%{version}.tar.gz -Source1: module-setup.sh +Source1: module-setup-udev.sh +Source2: module-setup-cvm.sh +Source3: 90-tpm2-import.rules +Source4: tpm2-luks-import.sh # Python3.9 fixes Patch0001: 0001-Initial-redhat-build-configuation.patch @@ -66,6 +70,14 @@ Summary: Udev rules for Microsoft Azure %description udev Udev rules specific to Microsoft Azure Virtual Machines. +%package cvm +Summary: Microsoft Azure CVM specific tools +Requires: tpm2-tools +Requires: cryptsetup + +%description cvm +Scripts and udev rules specific to Microsoft Azure Confidential Virtual Machines. + %prep %setup -q %autopatch -p1 @@ -95,7 +107,15 @@ rm -f %{buildroot}%{_sbindir}/waagent2.0 mv %{buildroot}%{_sysconfdir}/logrotate.d/waagent.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name} -install -m0755 -D -t %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname}/ %{SOURCE1} +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev} +cp %{SOURCE1} %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}/module-setup.sh +chmod 0755 %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}/module-setup.sh + +mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm} +cp %{SOURCE2} %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}/module-setup.sh +chmod 0755 %{buildroot}%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}/module-setup.sh +install -m0644 -D -t %{buildroot}%{_udevrulesdir}/ %{SOURCE3} +install -m0755 -D -t %{buildroot}%{_sbindir} %{SOURCE4} %post %systemd_post waagent.service @@ -122,8 +142,16 @@ rm -rf %{_unitdir}/waagent.service.d/ %{python3_sitelib}/*.egg-info %files udev -%{_udevrulesdir}/*.rules -%{_prefix}/lib/dracut/modules.d/%{dracut_modname}/*.sh +%{_udevrulesdir}/66-azure-storage.rules +%{_udevrulesdir}/99-azure-product-uuid.rules +%dir %{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev} +%{_prefix}/lib/dracut/modules.d/%{dracut_modname_udev}/*.sh + +%files cvm +%{_sbindir}/tpm2-luks-import.sh +%{_udevrulesdir}/90-tpm2-import.rules +%dir %{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm} +%{_prefix}/lib/dracut/modules.d/%{dracut_modname_cvm}/*.sh %if 0%{?with_legacy} %files legacy @@ -134,10 +162,20 @@ rm -rf %{_unitdir}/waagent.service.d/ * Wed Mar 15 2023 MSVSphere Packaging Team - 2.7.0.6-6 - Rebuilt for MSVSphere 9.1. -* Tue Feb 14 2023 Miroslav Rezanina - 2.7.0.6-6.el9_1.1 -- wla-redhat-Explicitly-list-udev-rule-requirements-in-the.patch [bz#2168913] -- Resolves: bz#2168913 - (/dev/disk/azure/ is created as symlink to sr0 or sda and not as a directory[Azure] [rhel-9.1.0.z]) +* Wed Feb 08 2023 Miroslav Rezanina - 2.7.0.6-9 +- wla-redhat-Adjust-tpm2_createprimary-key-attributes-to-m.patch [bz#2167322] +- Resolves: bz#2167322 + (Adjust TPM primary key creation parameters to match Azure) + +* Mon Feb 06 2023 Miroslav Rezanina - 2.7.0.6-8 +- wla-redhat-Explicitly-list-udev-rule-requirements-in-the.patch [bz#2165042] +- Resolves: bz#2165042 + ([9.0.z] /dev/disk/azure/ is created as symlink to sr0 or sda and not as a directory[Azure]) + +* Mon Jan 23 2023 Miroslav Rezanina - 2.7.0.6-7 +- wla-redhat-Azure-CVM-specific-udev-rules.patch [bz#2162668] +- Resolves: bz#2162668 + (Add support for importing remotely sealed TPM2 objects) * Mon Aug 29 2022 Miroslav Rezanina - 2.7.0.6-6 - wla-redhat-Remove-files-inside-WALA-services-directory.patch [bz#2114768]