Comments (6)
@martinezjavier Can you take care of this?
from clevis.
@npmccallum sure thing, I'll take care of it.
@npmccallum I think that this should be solved at the package level. The tpm2 tools already have a udev rule that sets the owner of /dev/tpm[0-9]* to the tss user and group. So I think we should add usermod -a -G tss %{name} to the clevis specfile %pre section.
There are some things that I need to also fix on the tpm2 packages though, since the current udev rule only takes into account /dev/tpm[0-9]*, while we are using in Clevis the character device that exposes the resource manager /dev/tpmrm[0-9]*. And also the permission bits only allow the tss user and not members of the tss group to access the device. Finally, this udev rule is installed by the tpm2-abrmd (user-space daemon) instead of the tpm2-tss (the TPM2 library, which makes more sense).
Anyways, these are orthogonal issues so I'll change the clevis package and then go to fix the issues in the tpm2-* ones.
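The three conditions raised in the comment above (tss ownership set by the udev rule, group read/write bits on the node, tss membership for the service account) can be checked with a short shell audit. This is an added example, not part of the original thread or of the clevis or tpm2 packages; the function names and the sample listing are constructed, and the account name clevis is assumed from %{name}.

```shell
#!/bin/sh
# Added example (not from the clevis or tpm2 projects).
# Decide whether USER can open a TPM node, given its owner, group and octal
# mode. Prints one verdict: ok | wrong-group | no-group-rw | not-member
check_node() {
    owner=$1 group=$2 mode=$3 user=$4 user_groups=$5
    # The owning user only needs the owner read/write bits.
    if [ "$owner" = "$user" ] && [ $(( (0$mode >> 6) & 6 )) -eq 6 ]; then
        echo ok; return 0
    fi
    # Node not matched by the udev rule: its group is not tss.
    [ "$group" = tss ] || { echo wrong-group; return 1; }
    # Rule matched, but the mode bits give the group no read/write.
    [ $(( (0$mode >> 3) & 6 )) -eq 6 ] || { echo no-group-rw; return 1; }
    # Node is fine; the account itself lacks tss membership.
    case " $user_groups " in
        *" tss "*) echo ok; return 0 ;;
    esac
    echo not-member; return 1
}

# Read "path owner group mode" lines on stdin and report each node.
# Returns non-zero if any node is unusable for USER.
audit_listing() {
    user=$1 user_groups=$2 rc=0
    while read -r path owner group mode; do
        [ -n "$path" ] || continue
        verdict=$(check_node "$owner" "$group" "$mode" "$user" "$user_groups") || rc=1
        printf '%-14s %s\n' "$path" "$verdict"
    done
    return $rc
}

# Constructed listing in the format of: stat -c '%n %U %G %a' /dev/tpm*
# It mirrors the state described above; root:root on tpmrm0 is an assumption.
audit_listing clevis "clevis tss" <<'EOF' || echo "clevis cannot use every TPM node"
/dev/tpm0 tss tss 600
/dev/tpmrm0 root root 600
EOF
```

On a live system, pipe the output of the stat command named in the comment into audit_listing, with the second argument taken from `id -nG clevis`.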
I've proposed the following pull request to the Clevis package. I've found another problem, but I'll file it as a separate issue.
Okay, since we can fix this in the package, I'll close this bug.
@npmccallum yes, FYI I've already proposed a PR to the tpm2-abrmd project fixing the issues I mentioned with the current tpm udev rule:
I'll also update the Fedora tpm2-abrmd package to ship the udev rule with the fixes.