If there is a TPM device available to the machine, you should see /dev/tpm0 and /dev/tpmrm0. If you do not see a TPM device, try starting the tpm2-abrmd service:
$ sudo systemctl start tpm2-abrmd.service
$ sudo systemctl enable tpm2-abrmd.service
You may notice the permissions of the character device are assigned to root. I noticed this after installing the required packages for the first time. Use udevadm to reset the permissions appropriately, or reboot the machine.
$ ls -l /dev/tpm*
crw-------. 1 root root 10, 224 Mar 15 14:58 /dev/tpm0
crw-------. 1 root root 254, 65536 Mar 15 14:58 /dev/tpmrm0
$ sudo udevadm trigger
$ ls -l /dev/tpm*
crw-rw----. 1 tss root 10, 224 Mar 15 14:58 /dev/tpm0
crw-rw----. 1 tss tss 254, 65536 Mar 15 14:58 /dev/tpmrm0
Test Clevis encryption and decryption with TPM device
Let's ensure we can properly communicate with the TPM device. Use tpm2_pcrlist to display all possible PCR values. In my case I have a sha1 and sha256 bank.
$ tpm2_pcrlist -s
Supported Bank/Algorithm: sha1(0x0004) sha256(0x000b)
$ tpm2_pcrlist
sha1 :
0 : 0000000000000000000000000000000000000000
1 : 0000000000000000000000000000000000000000
2 : 0000000000000000000000000000000000000000
3 : 0000000000000000000000000000000000000000
4 : 0000000000000000000000000000000000000000
5 : 0000000000000000000000000000000000000000
6 : 0000000000000000000000000000000000000000
7 : 0000000000000000000000000000000000000000
8 : 0000000000000000000000000000000000000000
9 : 0000000000000000000000000000000000000000
10 : 0000000000000000000000000000000000000000
11 : 0000000000000000000000000000000000000000
12 : 0000000000000000000000000000000000000000
13 : 0000000000000000000000000000000000000000
14 : 0000000000000000000000000000000000000000
15 : 0000000000000000000000000000000000000000
16 : 0000000000000000000000000000000000000000
17 : ffffffffffffffffffffffffffffffffffffffff
18 : ffffffffffffffffffffffffffffffffffffffff
19 : ffffffffffffffffffffffffffffffffffffffff
20 : ffffffffffffffffffffffffffffffffffffffff
21 : ffffffffffffffffffffffffffffffffffffffff
22 : ffffffffffffffffffffffffffffffffffffffff
23 : 0000000000000000000000000000000000000000
sha256 :
0 : 0000000000000000000000000000000000000000000000000000000...
1 : 0000000000000000000000000000000000000000000000000000000...
2 : 0000000000000000000000000000000000000000000000000000000...
3 : 0000000000000000000000000000000000000000000000000000000...
4 : 0000000000000000000000000000000000000000000000000000000...
5 : 0000000000000000000000000000000000000000000000000000000...
6 : 0000000000000000000000000000000000000000000000000000000...
7 : 0000000000000000000000000000000000000000000000000000000...
8 : 0000000000000000000000000000000000000000000000000000000...
9 : 0000000000000000000000000000000000000000000000000000000...
10 : 0000000000000000000000000000000000000000000000000000000...
11 : 0000000000000000000000000000000000000000000000000000000...
12 : 0000000000000000000000000000000000000000000000000000000...
13 : 0000000000000000000000000000000000000000000000000000000...
14 : 0000000000000000000000000000000000000000000000000000000...
15 : 0000000000000000000000000000000000000000000000000000000...
16 : 0000000000000000000000000000000000000000000000000000000...
17 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
18 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
19 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
20 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
21 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
22 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
23 : 0000000000000000000000000000000000000000000000000000000...
To bind a Clevis encryption client to a TPM device, use the clevis encrypt tpm2 sub-command:
$ echo "Hello World." > PLAINTEXT
$ clevis encrypt tpm2 '{}' < PLAINTEXT > JWE
$ cat JWE && echo
eyJhb...gI59Q
I've chosen to seal the data against PCR indexes 7 and 11 of the sha256 bank:
$ echo "Hello World." > PLAINTEXT
$ sudo clevis encrypt tpm2 '{ "pcr_bank":"sha256", "pcr_ids": "7,11" }' < PLAINTEXT > JWE
$ cat JWE && echo
eyJhb...XZ3ug
If the machine has a TPM 2.0 device, PCR index 7 support is required. PCR indexes 7 and 11 are tied to Secure Boot and are used for integrity validation. Other combinations may be used when PCR index 7 is not available: PCR 0, 2, 4, and 11.
To decrypt the data, provide the ciphertext (JWE):
$ sudo clevis decrypt tpm2 < JWE
Hello World.
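Before relying on a JWE for unattended unlock, it is worth confirming that it was actually sealed to the PCR policy you intended, since a JWE produced with '{}' carries no PCR policy and can be unsealed in any boot state. The following added example (not part of the original post, and not Clevis code) parses the Clevis protected header; it assumes the JWE compact serialization and the "clevis" -> "tpm2" header layout with "pcr_bank" and "pcr_ids" keys, and the sample JWEs it builds are constructed with placeholder ciphertext, not real output of clevis encrypt.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def clevis_tpm2_policy(jwe: str) -> dict:
    """Return the tpm2 pin configuration stored in a Clevis JWE header.
    Raises ValueError if the token is not a 5-part JWE or not a tpm2 pin."""
    parts = jwe.strip().split(".")
    if len(parts) != 5:
        raise ValueError("expected JWE compact serialization with 5 parts")
    header = json.loads(_b64url_decode(parts[0]))
    clevis = header.get("clevis", {})
    if clevis.get("pin") != "tpm2":
        raise ValueError(f"not a tpm2 pin: {clevis.get('pin')!r}")
    return clevis["tpm2"]


def check_pcr_binding(jwe: str, want_bank="sha256", want_ids=("7", "11")) -> bool:
    """True only if the JWE is sealed to exactly the expected PCR bank and
    PCR indexes; a JWE encrypted with '{}' (no PCR policy) yields False."""
    cfg = clevis_tpm2_policy(jwe)
    ids = {i.strip() for i in cfg.get("pcr_ids", "").split(",") if i.strip()}
    return cfg.get("pcr_bank") == want_bank and ids == set(want_ids)


def make_sample_jwe(tpm2_cfg: dict) -> str:
    """Build a constructed JWE with the assumed Clevis header layout.
    The encrypted-key part is empty for alg 'dir'; iv/ciphertext/tag are
    placeholders, so this token cannot be decrypted by clevis."""
    header = {"alg": "dir", "enc": "A256GCM",
              "clevis": {"pin": "tpm2", "tpm2": tpm2_cfg}}
    return ".".join([_b64url(json.dumps(header).encode()), "",
                     _b64url(b"iv-placeholder"), _b64url(b"ct-placeholder"),
                     _b64url(b"tag-placeholder")])


# Constructed samples: one sealed to PCR 7,11 of the sha256 bank, one with no policy
SEALED_JWE = make_sample_jwe({"hash": "sha256", "key": "ecc",
                              "pcr_bank": "sha256", "pcr_ids": "7,11"})
UNSEALED_JWE = make_sample_jwe({"hash": "sha256", "key": "ecc"})
```

Run check_pcr_binding on the JWE written by clevis encrypt tpm2 (or on the token clevis luks bind stores in the LUKS header) to confirm the policy before enabling automatic unlock.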
Configure Manual Enrollment of Root Volumes
To automatically unlock an existing LUKS-encrypted volume, install the clevis-luks subpackage and bind the volume to the TPM device using the clevis luks bind command:
$ sudo yum install clevis-luks
$ sudo clevis luks bind -d /dev/devnode tpm2 \
'{ "pcr_bank":"sha256", "pcr_ids": "7,11" }'
Note: replace devnode with the appropriate block device.