clevis TPM2 prviatekey

README.md

@@ -93,6 +93,27 @@ wireguard first. Then restrict to the wireguard network once it is working:
 DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
 ```
 
+
+## Clevis-TPM2
+
+`wireguard-initramfs` can be combined with clevis-tpm2 to enable the protection
+of the wireguard private key. This protection does only make sense, if the owner
+is capable of using a TPM correctly.
+This information needs to be undestood!
+- https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
+
+You need to adapt for wg-quick usage:
+`PostUp = wg set %i private-key <(sh -c "clevis decrypt tpm2 < /etc/wireguard/privatekey.jwe")`
+
+The PreSharedKey is not secured in this way!
+### Requirements
+
+1. a working TPM2
+2. [clevis-tpm2](https://github.com/latchset/clevis) installed and firm to use
+2. [clevis-initramfs](https://github.com/latchset/clevis) installed and firm to use
+3. a jwe encoded wireguard private key
+
+
 ## Legacy compatibility (Migration)
 
 If you are a user using a previous release, such as the one dated

configs/initramfs

@@ -57,4 +57,4 @@ DATETIME_URL=google.com
 PERSISTENT=
 
 # Enable debug logging (will expose key material)? Any value enables.
-DEBUG=
+DEBUG=

initramfs/hooks

@@ -52,7 +52,10 @@ WG_INTERFACE_ADDRESSES=$(echo -n "$(echo "${WG_INTERFACE_SECTION}" | grep -i add
 WG_INTERFACE_MTU=$(echo "${WG_INTERFACE_SECTION}" | grep -i mtu | sed 's/mtu[ ]*=[ ]*//I')
 WG_INTERFACE_FW_MARK=$(echo "${WG_INTERFACE_SECTION}" | grep -i fwmark | sed 's/fwmark[ ]*=[ ]*//I')
 WG_INTERFACE_LISTEN_PORT=$(echo "${WG_INTERFACE_SECTION}" | grep -i listenport | sed 's/listenport[ ]*=[ ]*//I')
-WG_INTERFACE_KEY=$(echo "${WG_INTERFACE_SECTION}" | grep -i privatekey | sed 's/privatekey[ ]*=[ ]*//I')
+
+if [ ! -s "/etc/wireguard/privatekey.jwe" ]; then
+  WG_INTERFACE_KEY=$(echo "${WG_INTERFACE_SECTION}" | grep -i privatekey | sed 's/privatekey[ ]*=[ ]*//I')
+fi
 
 INTERFACE_ADDR_IPV4=''
 INTERFACE_ADDR_IPV6=''
@@ -100,8 +103,20 @@ if [ -n "${ENABLE_QUICK}" ]; then
   copy_exec /usr/bin/bash
   copy_exec /usr/bin/wg-quick /sbin
 else
-  # wg base adapter config.
-  cat > "${DESTDIR}${ADAPTER}" <<EOL
+  if [ -s "/etc/wireguard/privatekey.jwe" ]; then
+    echo "copy jwe privatekey"
+    cp "/etc/wireguard/privatekey.jwe" "${DESTDIR}/etc/wireguard/privatekey.jwe"
+    # wg base adapter config.
+    cat > "${DESTDIR}${ADAPTER}" <<EOL
+[Interface]
+ListenPort = ${WG_INTERFACE_LISTEN_PORT:-0}
+FwMark = ${WG_INTERFACE_FW_MARK:-0}
+
+[Peer]
+${WG_PEER_SECTIONS}
+EOL
+  else
+    cat > "${DESTDIR}${ADAPTER}" <<EOL
 [Interface]
 PrivateKey = ${WG_INTERFACE_KEY}
 ListenPort = ${WG_INTERFACE_LISTEN_PORT:-0}
@@ -110,8 +125,8 @@ FwMark = ${WG_INTERFACE_FW_MARK:-0}
 [Peer]
 ${WG_PEER_SECTIONS}
 EOL
+  fi
 fi
-
 # initramfs config with required primitives to turn-up interfaces.
 cat > "${DESTDIR}/etc/wireguard/initramfs" <<EOL
 ADAPTER="${ADAPTER}"

initramfs/init-premount

@@ -168,7 +168,12 @@ if [ -n "${ENABLE_QUICK}" ]; then
   wg-quick up "${ADAPTER}"
 else
   ip link add dev "${INTERFACE}" type wireguard
-  wg setconf "${INTERFACE}" "${ADAPTER}"
+  if [ -e "/etc/wireguard/privatekey.jwe" ]; then
+    log_success_msg "Found jwe keyfile"
+    clevis decrypt tpm2 < /etc/wireguard/privatekey.jwe > /etc/wireguard/privatekey
+    wg set "${INTERFACE}" private-key /etc/wireguard/privatekey
+  fi
+  wg addconf "${INTERFACE}" "${ADAPTER}"
 
   # Interface must be up before adding routes.
   if [ -n "${INTERFACE_MTU}" ]; then