From b79a30632032341ad7e5a8f2df888cfec793848f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Old=C5=99ich=20Jedli=C4=8Dka?= Date: Tue, 2 Jul 2024 22:24:17 +0200 Subject: [PATCH] Mention TPM 1.2 support in README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Oldřich Jedlička --- README.md | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 1b2c9cf2..d541ffcc 100644 --- a/README.md +++ b/README.md @@ -62,20 +62,31 @@ advertisement is stored, or the JSON contents of the advertisement itself. When the advertisement is specified manually like this, Clevis presumes that the advertisement is trusted. -#### PIN: TPM2 +#### PIN: TPM1 and TPM2 -Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) -chip. The cryptographically-strong, random key used for encryption is encrypted -using the TPM2 chip, and is decrypted using TPM2 at the time of decryption to allow clevis to decrypt the secret stored in the JWE. +Clevis provides support to encrypt a key in a Trusted Platform Module 1.2 (TPM1) +and 2.0 (TPM2) chips. The cryptographically-strong, random key used for +encryption is encrypted using the TPM chip, and is decrypted using TPM at the +time of decryption to allow clevis to decrypt the secret stored in the JWE. -For example: +For example for TPM1 pin: + +```bash +$ echo hi | clevis encrypt tpm1 '{}' > hi.jwe +``` + +or TPM2 pin: ```bash $ echo hi | clevis encrypt tpm2 '{}' > hi.jwe ``` Clevis store the public and private keys of the encrypted key in the JWE object, -so those can be fetched on decryption to unseal the key encrypted using the TPM2. +so those can be fetched on decryption to unseal the key encrypted using the TPM +chip. + +Check manual pages for `clevis-encrypt-tpm1` and `clevis-encrypt-tpm2` tools for +more options, like binding to a particular PCR registry states and/or values. #### PIN: Shamir Secret Sharing
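Review bot: In the last added paragraph, "binding to a particular PCR registry states and/or values" reads wrong: PCRs are registers, not a registry, and "a particular ... states" mixes singular and plural, so something like "binding to particular PCR register values" would be clearer. The rewritten opening sentence has the same number mismatch in "in a Trusted Platform Module 1.2 (TPM1) and 2.0 (TPM2) chips"; "in Trusted Platform Module 1.2 (TPM1) or 2.0 (TPM2) chips" fixes it, and "For example for TPM1 pin:" wants a comma and an article ("For example, for the TPM1 pin:"). Since both examples pass '{}' and PCR binding is mentioned only as something to look up in the manual pages, consider adding one sentence here saying what the empty configuration does and does not bind the key to, so a reader copying the example knows what protection they are getting.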