Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-tpm2', '0.2.0'
Description
This module manages TPM 2.0 devices and the tpm2-tools software.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.
Setup
What tpm2 affects
The tpm2 module manages:
- tpm2-software packages and services (e.g., tpm2-tools, etc.)
- The tpm2 Facter fact
- TODO: Ownership of a TPM2 device's endorsement hierarchy
Beginning with tpm2
include 'tpm2'
Usage
To set the authentication passwords on the system:
Include the tpm2 module and set the following in Hiera:
Note: You must indicate the desired status of all three authentication settings. Each can be either 'set' or 'clear'.
tpm2::take_ownership: true
tpm2::ownership::owner: set
tpm2::ownership::lock: set
tpm2::ownership::endorsement: set
By default the passwords are generated automatically using passgen. If you want to set them to specific passwords, set them in Hiera using the following settings (a minimum password length of 14 characters is expected):
tpm2::ownership::owner_auth: 'MyOwnerPassword'
tpm2::ownership::lock_auth: 'MyLockPassword'
tpm2::ownership::endorse_auth: 'MyEndorsePassword'
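A pre-apply check for this Hiera data, added here as an example and not part of the simp-tpm2 module: it encodes the two rules stated above (all three statuses must be 'set' or 'clear' when ownership is taken, and any explicit password must be at least 14 characters) so a misconfiguration is caught before Puppet ever touches the TPM. The sample data and the minimal `key: value` parser are constructed for this example.

```python
TRI_STATE_KEYS = ("owner", "lock", "endorsement")
AUTH_KEYS = ("owner_auth", "lock_auth", "endorse_auth")
MIN_PASSWORD_LEN = 14

# Constructed sample data using the README's Hiera keys; lock_auth is deliberately too short.
SAMPLE_HIERA = """\
tpm2::take_ownership: true
tpm2::ownership::owner: set
tpm2::ownership::lock: set
tpm2::ownership::endorsement: clear
tpm2::ownership::owner_auth: 'MyOwnerPassword'
tpm2::ownership::lock_auth: 'short'
"""


def parse_flat_hiera(text):
    """Parse flat 'key: value' lines into a dict (not a full YAML parser)."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keys contain '::', so split on the first ': ' rather than the first ':'.
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]            # strip matching quotes
        elif value.lower() in ("true", "false"):
            value = value.lower() == "true"  # YAML boolean
        data[key.strip()] = value
    return data


def check_ownership(data):
    """Return a list of problems; an empty list means the data is consistent."""
    problems = []
    if data.get("tpm2::take_ownership") is not True:
        return problems  # the module will not touch the TPM, nothing to validate
    for name in TRI_STATE_KEYS:
        key = f"tpm2::ownership::{name}"
        status = data.get(key)
        if status not in ("set", "clear"):
            problems.append(f"{key} must be 'set' or 'clear', got {status!r}")
    for name in AUTH_KEYS:
        key = f"tpm2::ownership::{name}"
        if key in data and len(str(data[key])) < MIN_PASSWORD_LEN:
            problems.append(f"{key} is shorter than {MIN_PASSWORD_LEN} characters")
    return problems
```

Run `check_ownership(parse_flat_hiera(SAMPLE_HIERA))` to see the single complaint about lock_auth; a missing status key is reported the same way.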
Limitations
The tpm2_takeownership module cannot be used to change the current password. It would continually try to reset the password and would lock out the TPM. It should be used only to initialize or clear the TPM.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Reference
See REFERENCE.md for API documentation.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
TPM2 simulator
The acceptance tests spin up a tpm2-simulator. To our knowledge this has not been packaged for EL7, so a package has been provided as an RPM, currently hosted at https://github.com/op-ct/simp-tpm2-rpms/releases.
Environment variables
- BEAKER_download_pre_suite_rpms: When 'yes', downloads a tarball of RPMs to install before running the first Beaker suite
- BEAKER_tpm2_rpms_tarball_url
FIXME: Ensure the Acceptance tests section is correct and complete, including any module-specific instructions, and remove this message!
Please refer to the SIMP Beaker Helpers documentation for more information.
- Wed May 08 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.2.0
- Removed Puppet 4 support
- Added Puppet 6 support
- Added puppetlabs-stdlib 6 support
- Maintenance: removed OBE build/rpm_metadata/requires
- Mon Jan 07 2019 Liz Nemsick lnemsick-simp@gmail.com - 0.1.1
- Confine tpm2 fact on the presence of TPM 2 tools required for that fact evaluation
- Use simplib::passgen() in lieu of passgen(), a deprecated simplib Puppet 3 function.
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Wed Nov 21 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 0.1.0
- Added OEL support
- Mon Nov 05 2018 Liz Nemsick lnemsick-simp@gmail.com - 0.1.0
- Update to Hiera 5
- Mon Jul 30 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.1.0
- added take ownership
- Mon Jul 23 2018 Chris Tessmer chris.tessemr@onyxpoint.com - 0.1.0
- initial module
Dependencies
- simp/simplib (>= 3.5.0 < 4.0.0)
- puppetlabs/stdlib (>= 4.13.1 < 7.0.0)
tpm2 - Manage TPM2.0 devices
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
---
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.