  1. RHEL
  2. RHEL-68417

No argument validation when passing TPM2 json


    • clevis-pin-tpm2-0.5.1-3.el9
    • No
    • Low
    • rhel-security-special-projects
    • ssg_security
    • 26
    • 1
    • False
    • False
    • None
    • Yes
    • Red Hat Enterprise Linux
    • None
    • Requested
    • None
    • Bug Fix
    • Cause: clevis-pin-tpm2 did not validate JSON field names when encrypting with TPM2, silently ignoring typos and invalid fields (e.g., "pcrs_ids" instead of "pcr_ids").

      Consequence: Users could inadvertently create LUKS bindings with incorrect TPM2 configurations due to typos. This could lead to unlock failures when TPM state changes, potentially making systems unbootable.

      Fix: Added JSON schema validation to reject unknown fields in TPM2 configuration during encryption.

      Result: Invalid field names in TPM2 JSON configuration are now properly rejected with clear error messages, preventing silent misconfigurations that could cause unlock failures.
    • Proposed
    • None

      What were you trying to do that didn't work?

      It appears that there is no argument validation when passing arguments to TPM2, e.g.:

      # echo "HELLO" | clevis encrypt tpm2 '{"pcrs_ids":"7"}'
      ... some result ...
      

      Here above "pcrs_ids" was used instead of "pcr_ids".
      This may be problematic when binding LUKS devices against TPM2, because the binding will occur but sooner or later, on TPM content change, it's very probable that unlocking won't occur anymore.

      What is the impact of this issue to you?

      Potential issues in the future

      Please provide the package NVR for which the bug is seen:

      clevis-15-15.el8
      clevis-20-200.el9

      How reproducible is this bug?:

      Always, see above

              scorreia@redhat.com Sergio Correia
              rhn-support-rmetrich Renaud Métrich
              Sergio Correia Sergio Correia
              Adam Prikryl Adam Prikryl
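
A pre-flight check of the kind the fix describes, as an added example (not code from clevis or clevis-pin-tpm2): it rejects unknown and duplicate top-level fields in a TPM2 config before the JSON is passed to `clevis encrypt tpm2`. The accepted field list is an assumption taken from the clevis-encrypt-tpm2 man page, and `validate_tpm2_config` is a hypothetical helper name.

```python
import difflib
import json

# Assumption: field names documented in the clevis-encrypt-tpm2 man page;
# the schema enforced by the actual fix may differ.
KNOWN_FIELDS = ("hash", "key", "pcr_bank", "pcr_ids", "pcr_digest")


class _Pairs(list):
    """A decoded JSON object kept as (key, value) pairs so duplicates survive."""


def validate_tpm2_config(text):
    """Return a list of problems; an empty list means no field-name issues."""
    try:
        parsed = json.loads(text, object_pairs_hook=_Pairs)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(parsed, _Pairs):
        return ["config must be a JSON object"]

    problems, seen = [], set()
    for key, _value in parsed:
        # A plain dict would silently keep only the last duplicate.
        if key in seen:
            problems.append(f"duplicate field '{key}'")
        seen.add(key)
        if key not in KNOWN_FIELDS:
            # Suggest the closest known name so a typo is obvious to the user.
            hint = difflib.get_close_matches(key, KNOWN_FIELDS, n=1)
            suffix = f" (did you mean '{hint[0]}'?)" if hint else ""
            problems.append(f"unknown field '{key}'{suffix}")
    return problems


if __name__ == "__main__":
    # Constructed sample configs; the first is the typo from the report.
    for sample in ('{"pcrs_ids":"7"}',
                   '{"pcr_bank":"sha256","pcr_ids":"7"}',
                   '{"pcr_ids":"7","pcr_ids":"0"}'):
        issues = validate_tpm2_config(sample)
        print(sample, "->", issues or "ok")
```

Run it as a gate in provisioning scripts and refuse to bind when the returned list is non-empty.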