enable hex values to be used for tpm_ownerpassword

Signed-off-by: Isaac-Matthews <[email protected]>

Author: Isaac-Matthews

keylime-agent.conf

@@ -263,6 +263,9 @@ idevid_cert = "default"
 # Use this option to state the existing TPM ownerpassword.
 # This option should be set only when a password is set for the Endorsement
 # Hierarchy (e.g. via "tpm2_changeauth -c e").
+# In order to use a hex value for the password, use the prefix "hex:"
+# For example if tpm2_changeauth -c e "hex:00a1b2c3e4" has run, the config option
+# would be 'tpm_ownerpassword = "hex:00a1b2c3e4"'
 # If no password was set, keep the empty string "".
 #
 # To override tpm_ownerpassword, set KEYLIME_AGENT_TPM_OWNERPASSWORD environment

keylime-agent/src/main.rs

@@ -295,7 +295,15 @@ async fn main() -> Result<()> {
     // ownership of TPM access, which will not be implemented here.
     let tpm_ownerpassword = &config.agent.tpm_ownerpassword;
     if !tpm_ownerpassword.is_empty() {
-        let auth = Auth::try_from(tpm_ownerpassword.as_bytes())?;
+        let auth = if let Some(hex_ownerpassword) =
+            tpm_ownerpassword.strip_prefix("hex:")
+        {
+            let decoded_ownerpassword =
+                hex::decode(hex_ownerpassword).map_err(Error::from)?;
+            Auth::try_from(decoded_ownerpassword)?
+        } else {
+            Auth::try_from(tpm_ownerpassword.as_bytes())?
+        };
         ctx.as_mut().tr_set_auth(Hierarchy::Endorsement.into(), auth)
             .map_err(|e| {
                 Error::Configuration(format!(