[WIP] add TPM 2.0 token
This patch contains code based on !51 (closed) by Andreas Fuchs. The original MR added the TPM 2.0 token directly into cryptsetup which was not accepted. The intention is to keep in cryptsetup just the core functionality itself and keep separate tokens for functionality which may not be present on every device running cryptsetup (like TPM, smartcards, etc.).
This MR contains the original code, refactored to be usable with the token interface. Plus, I added code for listing the currently supported PCRs/banks combination, verification if the TPM supports currently chosen PCRs, generating a key using TPM, etc. It stores metadata in the tokens section of LUKS2 and uses libcryptsetup to build a separate binary (cryptsetup-tpm2) creating, activating and deleting TPM-enabled keyslots.
I am creating this MR to wip-tpm branch. In this branch, @mbroz added the to load tokens using dynamic libraries, such that the token can be from the main cryptsetup binaries (or targets which use libcryptsetup such as systemd). It is not sure if the dynamic loading feature will be merged upstream, its security implications still need to be discussed.
What still needs to be done on the TPM 2.0 token:
- fix build system: a new configure variable needs to be added to enable/disable TPM token building
- TPM identification
- we need to save TPM identifier in the metadata in case that, e.g. the disk is connected to a different PC where the original TPM is not present
- /dev/tpmX name is not enough if multiple TPMs are present because they can be relabeled
- the proper way is probably to save public EK when adding the TPM-enabled keyslot
- enable choosing an arbitrary interface to TPM (TCTI): specify raw device
path, use abrmd or simulator, etc.
- when using separate
cryptsetup-tpm2binary, this is just a matter of adding a new parameter but currently, there is no way to pass arguments to a token when loading it dynamically
- when using separate
- encrypting communication (session) with the TPM: TPM 2.0 allows encrypting
communication with the TPM to prevent MITM attacks
- we should probably create encrypting session any time we communicate with the TPM and use verify if the TPM EK matches the one saved when creating the token
- see https://pulsesecurity.co.nz/articles/TPM-sniffing
I appreciate any suggestions and comments on the current implementation and the above proposals.