REFERENCE.md
Reference

Table of Contents

Classes

  • tpm: Provides utilities for interacting with a TPM
  • tpm::ownership: Takes ownership of the TPM; the owner password must be generated with passgen for the facts to work post-ownership
  • tpm::pkcs11: Manages the PKCS #11 interface provided by opencryptoki and backed by the TPM
  • tpm::tboot: Manages Trusted Boot (tboot); works only with tboot 1.9.6 or later
  • tpm::tboot::grub: Controlled by tpm::tboot
  • tpm::tboot::grub::grub1: Controlled by tpm::tboot
  • tpm::tboot::grub::grub2: Controlled by tpm::tboot
  • tpm::tboot::lock_kernel: Controlled by tpm::tboot
  • tpm::tboot::policy: Controlled by tpm::tboot
  • tpm::tboot::sinit: Controlled by tpm::tboot

Resource types

  • tpm_ownership: A type to manage ownership of a TPM. owner_pass is required, while srk_pass is only necessary if you aren't using Trusted Boot or the PKCS#11 interface.
  • tpmtoken: This type will manage the PKCS #11 interface provided by opencryptoki, and backed by the TPM.

Classes

tpm

Provides utilities for interacting with a TPM

Parameters

The following parameters are available in the tpm class:

ima

Data type: Boolean

Toggles IMA on or off. NOTE: This parameter is deprecated and throws a warning if specified. IMA may remain on if the ima module is enabled elsewhere.

Default value: false

take_ownership

Data type: Boolean

Enable to allow Puppet to take ownership of the TPM.

Default value: false

tpm::ownership

The password must be generated with passgen in order for most of the facts to be functional post-ownership, as the tpm commands from tpm-tools require the owner password.

Parameters

The following parameters are available in the tpm::ownership class:

owned

Data type: Boolean

Whether or not the module should take ownership

Default value: true

owner_pass

Data type: Variant[Enum['well-known'],String[20]]

The TPM owner password

Default value: simplib::passgen( "${facts['fqdn']}_tpm0_owner_pass", { 'length' => 20 } )

srk_pass

Data type: Optional[String]

The TPM SRK password

  • Defaults to an empty String because according to the trousers documentation it needs to be null to be useful.

Default value: undef

advanced_facts

Data type: Boolean

Enable facts that require the owner password to function. The password will be on the client filesystem (in $vardir/simp) if enabled.

Default value: false

tpm::pkcs11

If the SO_PIN_LOCKED flag is set, you will have to reset the interface by deleting the /var/lib/opencryptoki/tpm/root/NVTOK.DAT file.

Parameters

The following parameters are available in the tpm::pkcs11 class:

so_pin

Data type: String

4-8 character password used for the Security Officer pin.

Default value: simplib::passgen( "${facts['fqdn']}_pkcs_so_pin", { 'length' => 8 } )

user_pin

Data type: String

4-8 character password used for the user pin.

Default value: simplib::passgen( "${facts['fqdn']}_pkcs_user_pin", { 'length' => 8 } )
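The profile class below is an added example and not part of the module's own code. It wires the tpm, tpm::ownership and tpm::pkcs11 classes together as the reference describes: the owner password comes from simplib::passgen so the tpm-tools backed facts keep working, srk_pass is left null because the PKCS#11 interface needs it that way, and the 4-8 character PIN requirement is checked before the token is initialised. The profile name and the assumption that tpm with take_ownership => true includes tpm::ownership (so the resource-like declaration must come first) are mine; the class and parameter names are from the reference above.

```puppet
# Added example, not part of pupmod-simp-tpm. 'profile::tpm_pkcs11' is an
# assumed local profile name.
class profile::tpm_pkcs11 (
  # Security Officer and user PINs; tpm::pkcs11 documents them as 4-8
  # characters, so they are validated below before being handed to the class.
  String $so_pin   = simplib::passgen("${facts['fqdn']}_pkcs_so_pin",   { 'length' => 8 }),
  String $user_pin = simplib::passgen("${facts['fqdn']}_pkcs_user_pin", { 'length' => 8 }),
) {
  # Owner password generated with simplib::passgen, as tpm::ownership requires
  # for the tpm-tools backed facts to function after ownership is taken.
  $owner_pass = simplib::passgen("${facts['fqdn']}_tpm0_owner_pass", { 'length' => 20 })

  # Reject PINs outside the 4-8 character range up front instead of letting
  # token initialisation fail part-way through.
  [$so_pin, $user_pin].each |String $pin| {
    unless $pin =~ /^.{4,8}$/ {
      fail('profile::tpm_pkcs11: PINs must be 4-8 characters long')
    }
  }

  # Declare ownership explicitly. srk_pass is left at its default (undef)
  # because the SRK password must be null for the PKCS#11 interface.
  # advanced_facts stays false so the owner password is never written to
  # $vardir/simp on the client.
  class { 'tpm::ownership':
    owned          => true,
    owner_pass     => $owner_pass,
    advanced_facts => false,
  }

  # Assumption: tpm with take_ownership => true includes tpm::ownership,
  # which is why the resource-like declaration above is evaluated first.
  class { 'tpm':
    take_ownership => true,
  }

  # Initialise the opencryptoki TPM token only once the TPM is owned.
  class { 'tpm::pkcs11':
    so_pin   => $so_pin,
    user_pin => $user_pin,
    require  => Class['tpm::ownership'],
  }
}
```

Leaving advanced_facts at false is the conservative choice: the richer facts are convenient, but enabling them places the owner password on the managed node's filesystem, readable by root.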

tpm::tboot

This version of tpm::tboot works only with tboot versions 1.9.6 or later. To use an earlier version of tboot, use pupmod-simp-tpm version 1.1.0.

Parameters

The following parameters are available in the tpm::tboot class:

purge_boot_entries

Data type: Boolean

Remove other, non-trusted boot entries from Grub

Default value: false

lock_kernel_packages

Data type: Boolean

Lock kernel-related packages in YUM, to avoid accidentally invalidating the launch policy

Default value: true

create_policy

Data type: Boolean

The verified launch policy and launch control policies will be updated using the scripts identified by parameter policy_script.

Default value: false

sinit_name

Data type: Optional[String]

Name of the SINIT policy file, usually ending in *.BIN

Default value: undef

sinit_source

Data type: Optional[String]

Puppet file resource source attribute for the SINIT binary

Example: The binary was manually copied over to /root/BIN, so this entry was set to file:///root/BIN

Default value: simplib::lookup('simp_options::rsync', { 'default_value' => undef })

tboot_version

Data type: Optional[String]

The version of tboot installed on the remote system

Default value: $facts['tboot_version']

kernel_packages_to_lock

Data type: Array[String]

List of kernel-related packages to lock

Default value:

[ 'kernel', 'kernel-bigmem', 'kernel-enterprise',
  'kernel-smp', 'kernel-debug', 'kernel-unsupported',
  'kernel-source', 'kernel-devel', 'kernel-PAE',
  'kernel-PAE-debug', 'kernel-modules', 'kernel-headers' ]

rsync_source

Data type: String

Rsync location for the SINIT binary

Default value: "tboot_${::environment}/"

rsync_server

Data type: Optional[String]

Rsync server to use for pulling the sinit images

Default value: simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1' })

rsync_timeout

Data type: Integer

Rsync timeout

Default value: simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 1 })

owner_password

Data type: String

The TPM owner password

Default value: simplib::passgen( "${facts['fqdn']}_tpm0_owner_pass", { 'length' => 20 } )

tboot_boot_options

Data type: Array[String]

Kernel parameters for the tboot kernel. min_ram=0x2000000 is required on systems with more than 4GB of memory.

@see the tboot documentation in /usr/share/simp/tboot-*/README

Default value: ['logging=serial,memory,vga','min_ram=0x2000000']

additional_boot_options

Data type: Array[String]

Regular Linux kernel parameters, specific to tboot sessions. intel_iommu=on is the default here to force the kernel to load VT-d.

Default value: ['intel_iommu=on']

policy_script

Data type: Stdlib::AbsolutePath

The script to generate the tboot policy. This should not be changed

Default value: '/root/txt/create_lcp_boot_policy.sh'

policy_script_source

Data type: String

Where to find the script. This should also not be changed

Default value: 'puppet:///modules/tpm/create_lcp_tboot_policy.sh'

update_script

Data type: Stdlib::AbsolutePath

The script to use for updating the tboot policy. This should not be changed.

Default value: '/root/txt/update_tboot_policy.sh'

update_script_source

Data type: String

Where to find the update script. This should not be changed.

Default value: 'puppet:///modules/tpm/update_tboot_policy.sh'

package_ensure

Data type: String

How to ensure the tboot package will be managed

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
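The profile class below is an added example, not code from the module. It declares tpm::tboot for a host whose SINIT binary was copied to /root/BIN by hand (the file:///root/BIN case mentioned for sinit_source), keeps the boot options the reference calls out, and fails the catalog early when the tboot_version fact reports a release older than 1.9.6, which this version of tpm::tboot does not support. The profile name and the SINIT file name are placeholders; the class and parameter names are from the reference above, and versioncmp is Puppet's built-in function.

```puppet
# Added example, not part of pupmod-simp-tpm. 'profile::trusted_boot' and
# the SINIT file name are assumed placeholders.
class profile::trusted_boot (
  # Name of the SINIT ACM file for this platform; replace with the real one.
  String  $sinit_name         = 'PLACEHOLDER_SINIT.BIN',
  # The reference's own case: binary copied to /root/BIN by hand, so the
  # source is a file:// URL instead of the rsync default.
  String  $sinit_source       = 'file:///root/BIN',
  # Removing non-trusted Grub entries is disruptive; opt in per host.
  Boolean $purge_boot_entries = false,
) {
  $tboot_version = $facts['tboot_version']

  # tpm::tboot only works with tboot 1.9.6 or later. Fail with a clear
  # message rather than producing a launch policy that will not verify.
  if $tboot_version =~ String and versioncmp($tboot_version, '1.9.6') < 0 {
    fail("profile::trusted_boot: tboot ${tboot_version} found; 1.9.6 or later is required (use pupmod-simp-tpm 1.1.0 for older tboot)")
  }

  # min_ram=0x2000000 is required on systems with more than 4GB of memory;
  # it is kept unconditionally, matching the module default, so a later
  # memory upgrade cannot silently break the trusted launch.
  $tboot_boot_options = ['logging=serial,memory,vga', 'min_ram=0x2000000']

  class { 'tpm::tboot':
    sinit_name              => $sinit_name,
    sinit_source            => $sinit_source,
    purge_boot_entries      => $purge_boot_entries,
    # Keep kernel packages pinned so a routine update cannot invalidate
    # the verified launch policy.
    lock_kernel_packages    => true,
    create_policy           => true,
    tboot_boot_options      => $tboot_boot_options,
    # Force the kernel to load VT-d, as the module default does.
    additional_boot_options => ['intel_iommu=on'],
  }
}
```

The version guard relies on the tboot_version fact being a string when tboot is installed; when the fact is absent the guard is skipped and tpm::tboot is left to install the package itself.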

tpm::tboot::grub

This class is controlled by tpm::tboot

tpm::tboot::grub::grub1

This class is controlled by tpm::tboot

tpm::tboot::grub::grub2

This class is controlled by tpm::tboot

tpm::tboot::lock_kernel

This class is controlled by tpm::tboot

tpm::tboot::policy

This class is controlled by tpm::tboot

tpm::tboot::sinit

This class is controlled by tpm::tboot

Resource types

tpm_ownership

A type to manage ownership of a TPM. owner_pass is required, while srk_pass is only necessary if you aren't using Trusted Boot or the PKCS#11 interface. The SRK (Storage Root Key) password must be null in order to use those features.

If you need to use a 'well-known' password, make the password equal to the string 'well-known'. The provider will then use the -z or -y option when taking ownership of the TPM with tpm_takeownership.

Example:

    include 'tpm'

    tpm_ownership { 'tpm0':
      owned      => true,
      owner_pass => 'badpass',
    }

Properties

The following properties are available in the tpm_ownership type.

owned

Valid values: true, false

Ownership status of the TPM

Parameters

The following parameters are available in the tpm_ownership type.

advanced_facts

Valid values: true, false, yes, no

Enabling the advanced facts will write your owner password to a file on the system, only readable by the root user. It will be used to query the TPM using trousers.

Default value: false

name

namevar

The name of the resource - usually tpm0, the default device.

Default value: tpm0

owner_pass

The owner password of the TPM

provider

The specific backend to use for this tpm_ownership resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

srk_pass

The Storage Root Key (SRK) password of the TPM

Default value: well-known

tpmtoken

This type will manage the PKCS #11 interface provided by opencryptoki, and backed by the TPM.

Example:

    include 'tpm'

    tpmtoken { 'tpmtok':
      ensure   => present,
      so_pin   => '87654321',
      user_pin => '87654321',
    }

Properties

The following properties are available in the tpmtoken type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the tpmtoken type.

label

The tag of the slot, to be used during initialization

provider

The specific backend to use for this tpmtoken resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

so_pin

Security Officer (SO) PIN for the interface

user_pin

User PIN for the interface