From aca54b3b093c408845a97b1ed261a287c5966c83 Mon Sep 17 00:00:00 2001
From: Isaac-Matthews
Date: Wed, 27 Mar 2024 11:52:37 -0500
Subject: [PATCH] enable hex values to be used for tpm_ownerpassword

Signed-off-by: Isaac-Matthews
---
 keylime-agent.conf | 3 +++
 keylime-agent/src/main.rs | 10 +++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/keylime-agent.conf b/keylime-agent.conf
index 4045bca9..4fc38649 100644
--- a/keylime-agent.conf
+++ b/keylime-agent.conf
@@ -263,6 +263,9 @@ idevid_cert = "default"
 # Use this option to state the existing TPM ownerpassword.
 # This option should be set only when a password is set for the Endorsement
 # Hierarchy (e.g. via "tpm2_changeauth -c e").
+# In order to use a hex value for the password, use the prefix "hex:"
+# For example if tpm2_changeauth -c e "hex:00a1b2c3e4" has run, the config option
+# would be 'tpm_ownerpassword = "hex:00a1b2c3e4"'
 # If no password was set, keep the empty string "".
 #
 # To override tpm_ownerpassword, set KEYLIME_AGENT_TPM_OWNERPASSWORD environment
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
index 1305d11e..f0713f9b 100644
--- a/keylime-agent/src/main.rs
+++ b/keylime-agent/src/main.rs
@@ -295,7 +295,15 @@ async fn main() -> Result<()> {
 // ownership of TPM access, which will not be implemented here.
 let tpm_ownerpassword = &config.agent.tpm_ownerpassword;
 if !tpm_ownerpassword.is_empty() {
- let auth = Auth::try_from(tpm_ownerpassword.as_bytes())?;
+ let auth = if let Some(hex_ownerpassword) =
+ tpm_ownerpassword.strip_prefix("hex:")
+ {
+ let decoded_ownerpassword =
+ hex::decode(hex_ownerpassword).map_err(Error::from)?;
+ Auth::try_from(decoded_ownerpassword)?
+ } else {
+ Auth::try_from(tpm_ownerpassword.as_bytes())?
+ };
 ctx.as_mut().tr_set_auth(Hierarchy::Endorsement.into(), auth)
 .map_err(|e| {
 Error::Configuration(format!(
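Review bot: A malformed hex password surfaces as a bare hex decode error, because `hex::decode(hex_ownerpassword).map_err(Error::from)?` only converts the error type (which `?` already does on its own if `Result<()>` here is `Result<(), Error>`, making the `map_err` redundant), whereas the `tr_set_auth` failure a few lines below is wrapped in `Error::Configuration` with a message that names the option. For consistency I would make the decode failure a configuration error as well, e.g. `let decoded_ownerpassword = hex::decode(hex_ownerpassword).map_err(|_| Error::Configuration("tpm_ownerpassword has the \"hex:\" prefix but is not valid hex".into()))?;`, deliberately dropping the underlying error because, as far as I recall, the hex crate's invalid-character variant renders the offending character and that text can end up in agent logs. Two edge cases deserve a line in the config comment: a value of exactly `"hex:"` now passes the `is_empty()` guard and sets an empty auth instead of leaving the hierarchy auth untouched, and a literal password that itself begins with `hex:` can no longer be expressed. `main` continues outside the hunk on both sides.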