Handle TPM2 + passphrase #198

Open
codicodi opened this issue Dec 6, 2022 · 5 comments

@codicodi
Contributor

codicodi commented Dec 6, 2022

A while ago systemd got support for TPM2 + passphrase setup:
systemd/systemd#22563

It would be nice if booster supported unlocking such volumes as well

anatol added a commit that referenced this issue Dec 12, 2022
Counterpart implementation of
systemd/systemd#22563

Implements #198
@anatol
Owner

anatol commented Dec 14, 2022

I added booster boilerplate to handle PIN. Now I need to use the pincode to unseal the value.

I am looking for help from someone who understands the tpm2-tss API and can translate the systemd's change into go-tpm equivalent. See booster's tpm2Unseal() function and its new parameter password that is sha256 hashed content on PIN.

anatol added the "help wanted" (Extra attention is needed) label Dec 14, 2022
anatol added a commit that referenced this issue Dec 14, 2022
Counterpart implementation of
systemd/systemd#22563

Implements #198
anatol removed the "help wanted" (Extra attention is needed) label Dec 14, 2022
@anatol
Owner

anatol commented Dec 14, 2022

Alright, I think I figured out the logic. I improved the booster code and the test shows it is able to unlock a drive locked with systemd's tpm+pin.

Please pull the changes from wip branch and test it with your setup.

@codicodi
Contributor Author

Thanks for looking into this.
Unlocking does indeed work, but the whole procedure appears a bit messy.
First, booster asks for a passphrase which I guess refers to a recovery key also enrolled on this drive. I entered it incorrectly and booster asked for a PIN next. I entered the PIN (correctly) and booster once again showed the passphrase prompt, but the system booted after a short while anyway without me entering anything.

Interestingly, the log complains about no TPM devices being found just before obtaining the password for the tpm2 token.

booster.log

@anatol
Owner

anatol commented Dec 16, 2022

Booster tries to unlock all possible LUKS slots in parallel. Such an algorithm would work well if slots are non-interactive (non-PIN tpm, clevis, ...). The first valid slot unlocks the partition, and the other slots' processors get canceled.

In your case, you have 2 interactive slots that require some sort of pin/password. So the prompts you see are interleaved.

My guess is you expected to see only 1 interactive slot processed at a time. But which one should be processed/prompted first? And why?

@codicodi
Contributor Author

A TPM2 PIN is supposed to be safe, yet convenient (lowish entropy; easy to type). If a user went to the trouble of enrolling it, it's probably the preferable way of unlocking.
Regular passphrases (including the recovery key) could be tried next. Correct me if I'm wrong, but I think the order no longer matters since booster can just keep asking until the given passphrase matches one of the slots.
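
The slot-racing design anatol describes, and the ordering codicodi proposes, sketched as an added Go example (not booster's own code): non-interactive slots are raced with context cancellation, and only if none succeeds are interactive slots prompted one at a time, in the caller's order (here TPM2+PIN before the recovery passphrase). The Slot type, unlockVolume and the sample slots are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"sync"
)
// Slot is one LUKS keyslot unlock strategy; interactive ones prompt the user.
type Slot struct {
	Name        string
	Interactive bool
	Unlock      func(ctx context.Context) (bool, error)
}
// unlockVolume races the non-interactive slots (first success cancels the rest),
// then tries interactive slots one at a time in caller order, so prompts never interleave.
func unlockVolume(ctx context.Context, slots []Slot) (string, error) {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	winners := make(chan string, len(slots)) // buffered: no sender blocks
	var wg sync.WaitGroup
	var interactive []Slot
	for _, s := range slots {
		if s.Interactive {
			interactive = append(interactive, s)
			continue
		}
		wg.Add(1)
		go func(s Slot) {
			defer wg.Done()
			if ok, err := s.Unlock(ctx); err == nil && ok {
				winners <- s.Name
				cancel() // stop the remaining non-interactive attempts
			}
		}(s)
	}
	wg.Wait()
	close(winners)
	if name, ok := <-winners; ok {
		return name, nil
	}
	for _, s := range interactive { // e.g. TPM2+PIN before the recovery passphrase
		if ok, err := s.Unlock(ctx); err == nil && ok {
			return s.Name, nil
		}
	}
	return "", errors.New("no slot unlocked the volume")
}
func main() { // constructed demo: one failing non-interactive slot, one PIN slot
	pin := Slot{Name: "tpm2-pin", Interactive: true, Unlock: func(context.Context) (bool, error) { return true, nil }}
	_, _ = unlockVolume(context.Background(), []Slot{{Name: "clevis", Unlock: func(context.Context) (bool, error) { return false, nil }}, pin})
}
```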

anatol added a commit that referenced this issue Dec 22, 2022
Counterpart implementation of
systemd/systemd#22563

Implements #198
anatol added a commit that referenced this issue Dec 24, 2022
Counterpart implementation of
systemd/systemd#22563

Implements #198
anatol added a commit that referenced this issue Feb 28, 2023
Counterpart implementation of
systemd/systemd#22563

Implements #198