keylime · ansasaki · Apr 26, 2024 · Mar 27, 2024
diff --git a/keylime-agent.conf b/keylime-agent.conf
@@ -263,6 +263,9 @@ idevid_cert = "default"
 # Use this option to state the existing TPM ownerpassword.
 # This option should be set only when a password is set for the Endorsement
 # Hierarchy (e.g. via "tpm2_changeauth -c e").
+# In order to use a hex value for the password, use the prefix "hex:"
+# For example if tpm2_changeauth -c e "hex:00a1b2c3e4" has run, the config option
+# would be 'tpm_ownerpassword = "hex:00a1b2c3e4"'
 # If no password was set, keep the empty string "".
 #
 # To override tpm_ownerpassword, set KEYLIME_AGENT_TPM_OWNERPASSWORD environment

diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
@@ -295,7 +295,15 @@
     // ownership of TPM access, which will not be implemented here.
     let tpm_ownerpassword = &config.agent.tpm_ownerpassword;
     if !tpm_ownerpassword.is_empty() {
-        let auth = Auth::try_from(tpm_ownerpassword.as_bytes())?;
+        let auth = if let Some(hex_ownerpassword) =
+            tpm_ownerpassword.strip_prefix("hex:")
+        {
+            let decoded_ownerpassword =
+                hex::decode(hex_ownerpassword).map_err(Error::from)?;
+            Auth::try_from(decoded_ownerpassword)?
+        } else {
+            Auth::try_from(tpm_ownerpassword.as_bytes())?
+        };
         ctx.as_mut().tr_set_auth(Hierarchy::Endorsement.into(), auth)
             .map_err(|e| {
                 Error::Configuration(format!(