feat: tpm2 based disk encryption

Support disk encryption using tpm2 and pre-calculated signed PCR values. Fixes: #7266 Signed-off-by: Noel Georgi <git@frezbo.dev>
2025-11-02 05:28:09 +00:00 · 2023-07-12 02:30:08 +05:30
parent 06369e8195
commit 79365d9bac
29 changed files with 1144 additions and 38 deletions
--- a/internal/pkg/encryption/encryption.go
+++ b/internal/pkg/encryption/encryption.go
@@ -392,7 +392,8 @@ func (h *Handler) readToken(path string, id int) (token.Token, error) {
 		return nil, err
 	}

-	if token.Type == keys.TokenTypeKMS {
+	switch token.Type {
+	case keys.TokenTypeKMS:
 		kmsData := &keys.KMSToken{}

 		if err = json.Unmarshal(token.UserData, &kmsData); err != nil {
@@ -403,7 +404,18 @@ func (h *Handler) readToken(path string, id int) (token.Token, error) {
 			Type:     token.Type,
 			UserData: kmsData,
 		}, nil
-	}
+	case keys.TokenTypeTPM:
+		tpmData := &keys.TPMToken{}

-	return &token, nil
+		if err = json.Unmarshal(token.UserData, &tpmData); err != nil {
+			return nil, err
+		}
+
+		return &luks.Token[*keys.TPMToken]{
+			Type:     token.Type,
+			UserData: tpmData,
+		}, nil
+	default:
+		return nil, fmt.Errorf("unknown token type %s", token.Type)
+	}
 }