REFERENCE.md

File metadata and controls

277 lines (151 loc) · 5.51 KB

Reference

Table of Contents

Classes

  • tpm2: Provides utilities for interacting with a TPM2 device
  • tpm2::install: Install tpm2 packages
  • tpm2::ownership: Provides the ability to set or clear the authentication passwords for the TPM
  • tpm2::service: A private class to ensure that the TABRM service is running

Resource types

  • tpm2_ownership: A type to manage ownership of a TPM 2.0. Use this to set the passwords on a TPM to prevent unauthorized access. It cannot change the passwords.

Data types

  • Tpm2::Ownership: Valid ownership options for TPM2

Classes

tpm2

Provides utilities for interacting with a TPM2 device

Parameters

The following parameters are available in the tpm2 class.

package_ensure

Data type: String[1]

The default ensure parameter for packages.

Default value: simplib::lookup('simp_options::package_ensure', {'default_value' => 'installed'})

packages

Data type: Hash[String[1], Hash[String[1],String[1]]]

A Hash of packages needed for tpm2-tools. The Hash format is:

<package_name>:
  ensure: <ensure_value>

Default value: simplib::lookup('tpm2::packages')

take_ownership

Data type: Boolean

Enable to allow Puppet to take ownership of the TPM

Default value: false

tabrm_service

Data type: String[1]

Systemd name of the abrmd-service

Default value: 'tpm2-abrmd'

tabrm_options

Data type: Optional[Array[String[1]]]

An unvalidated list of options to pass to $tabrm_service at start time

Default value: undef

tpm2::install

Install tpm2 packages

tpm2::ownership

At this time you can clear a set password but cannot change it to another value.

To use this module, set tpm2::take_ownership to true in Hiera and set the class parameters in Hiera to override the defaults.

The passwords default to values generated automatically with simplib::passgen. If you want to set them to specific passwords, set them in Hiera using the following keys (each expects a minimum password length of 14 characters):

tpm2::ownership::owner_auth: 'MyOwnerPassword'
tpm2::ownership::lockout_auth: 'MyLockPassword'
tpm2::ownership::endorsement_auth: 'MyEndorsePassword'

Examples

In Hiera set the following:

tpm2::take_ownership: true
tpm2::ownership::owner: set
tpm2::ownership::lockout: clear
tpm2::ownership::endorsement: set
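The constraints the reference states for these Hiera keys (owner/lockout/endorsement must be 'set' or 'clear', each *_auth value is a String[14], and in_hex means the passwords are hex strings) can be checked before a Puppet run ever reaches the TPM. The following check is an added example, not part of the tpm2 module; it assumes the Hiera YAML has already been loaded into a Python dict (for instance with PyYAML), and the hex check for in_hex is an assumption about what the provider expects.

```python
import re

# Added example, not module code. Validates Hiera data for tpm2::ownership
# against the constraints stated in the reference.
AUTH_KINDS = ("owner", "lockout", "endorsement")
MIN_LEN = 14  # the *_auth parameters are declared as String[14]
HEX_RE = re.compile(r"[0-9a-fA-F]+")  # assumption: in_hex passwords are plain hex digits


def check_tpm2_hiera(data: dict) -> list:
    """Return a list of problems found in the Hiera data (empty means OK)."""
    problems = []
    if data.get("tpm2::take_ownership") is not True:
        problems.append("tpm2::take_ownership is not true; tpm2::ownership will not be applied")
    in_hex = data.get("tpm2::ownership::in_hex", False)
    if not isinstance(in_hex, bool):
        problems.append("tpm2::ownership::in_hex must be a Boolean")
        in_hex = False
    for kind in AUTH_KINDS:
        state_key = "tpm2::ownership::%s" % kind
        state = data.get(state_key, "clear")  # class default is 'clear'
        if state not in ("set", "clear"):
            problems.append("%s must be 'set' or 'clear', got %r" % (state_key, state))
        auth_key = "tpm2::ownership::%s_auth" % kind
        if auth_key not in data:
            continue  # simplib::passgen supplies the default password
        auth = data[auth_key]
        if not isinstance(auth, str) or len(auth) < MIN_LEN:
            problems.append("%s must be a string of at least %d characters" % (auth_key, MIN_LEN))
            continue
        if in_hex and not HEX_RE.fullmatch(auth):
            problems.append("%s is not valid hex but in_hex is true" % auth_key)
    return problems


# Constructed sample Hiera data (not from the page) carrying two defects:
# an invalid Enum value and a password shorter than 14 characters.
SAMPLE = {
    "tpm2::take_ownership": True,
    "tpm2::ownership::owner": "set",
    "tpm2::ownership::lockout": "clear",
    "tpm2::ownership::endorsement": "enabled",
    "tpm2::ownership::owner_auth": "MyOwnerPassword!!",
    "tpm2::ownership::lockout_auth": "short",
}

if __name__ == "__main__":
    for problem in check_tpm2_hiera(SAMPLE):
        print("hiera:", problem)
```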

Parameters

The following parameters are available in the tpm2::ownership class.

owner

Data type: Enum['set','clear']

The desired state of the owner authentication.

Default value: 'clear'

endorsement

Data type: Enum['set','clear']

The desired state of the endorsement authentication.

Default value: 'clear'

lockout

Data type: Enum['set','clear']

The desired state of the lockout authentication.

Default value: 'clear'

owner_auth

Data type: String[14]

The password for owner authentication.

Default value: simplib::passgen("${facts['fqdn']}_tpm_owner_auth", {'length'=> 24})

lockout_auth

Data type: String[14]

The password for lockout authentication.

Default value: simplib::passgen("${facts['fqdn']}_tpm_lock_auth", {'length'=> 24})

endorsement_auth

Data type: String[14]

The password for endorsement authentication.

Default value: simplib::passgen("${facts['fqdn']}_tpm_endorse_auth", {'length'=> 24})

in_hex

Data type: Boolean

Whether or not the passwords are in Hex.

Default value: false

tpm2::service

A private class to ensure that the TABRM service is running

Resource types

tpm2_ownership

A type to manage ownership of a TPM 2.0.

Use this to set the passwords on a TPM to prevent unauthorized access.

It cannot change the passwords.

Example:

include 'tpm2'

tpm2_ownership { 'tpm2':
  owner            => set,
  lockout          => set,
  endorsement      => set,
  owner_auth       => 'badpass',
  lockout_auth     => 'badpass',
  endorsement_auth => 'badpass',
}

Properties

The following properties are available in the tpm2_ownership type.

endorsement

Valid values: clear, set

Setting for endorsement authorization

lockout

Valid values: clear, set

Setting for lockout authorization

owner

Valid values: clear, set

Setting for owner authorization

Parameters

The following parameters are available in the tpm2_ownership type.

endorsement_auth

The endorse password of the TPM

Default value: ''

in_hex

Valid values: true, false, yes, no

Whether or not the passwords are in hex

Default value: false

local

Valid values: true, false, yes, no

Whether to save the passwords on the local system

Default value: false

lockout_auth

The lock out password of the TPM

Default value: ''

name

namevar

A static name assigned to this type. You can only declare this type of resource once in your node scope

Default value: tpm2

owner_auth

The owner password of the TPM

Default value: ''

provider

The specific backend to use for this tpm2_ownership resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

Data types

Tpm2::Ownership

Valid ownership options for TPM2

Alias of Enum['set', 'clear']