4 files changed, 127 insertions, 15 deletions

diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 49e095946..e70b4f0d9 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -136,10 +136,10 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
     if 'connection_status' in rule_conf and rule_conf['connection_status']:
         status = rule_conf['connection_status']
         if status['nat'] == 'destination':
-            nat_status = '{dnat}'
+            nat_status = 'dnat'
             output.append(f'ct status {nat_status}')
         if status['nat'] == 'source':
-            nat_status = '{snat}'
+            nat_status = 'snat'
             output.append(f'ct status {nat_status}')
 
     if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
diff --git a/python/vyos/kea.py b/python/vyos/kea.py
index 2328d0b00..89ae7ca81 100644
--- a/python/vyos/kea.py
+++ b/python/vyos/kea.py
@@ -56,6 +56,8 @@ kea6_options = {
     'captive_portal': 'v6-captive-portal'
 }
 
+kea_ctrl_socket = '/run/kea/dhcp{inet}-ctrl-socket'
+
 def kea_parse_options(config):
     options = []
 
@@ -294,7 +296,9 @@ def kea6_parse_subnet(subnet, config):
 
     return out
 
-def _ctrl_socket_command(path, command, args=None):
+def _ctrl_socket_command(inet, command, args=None):
+    path = kea_ctrl_socket.format(inet=inet)
+
     if not os.path.exists(path):
         return None
 
@@ -319,19 +323,25 @@ def _ctrl_socket_command(path, command, args=None):
         return json.loads(result.decode('utf-8'))
 
 def kea_get_leases(inet):
-    ctrl_socket = f'/run/kea/dhcp{inet}-ctrl-socket'
-
-    leases = _ctrl_socket_command(ctrl_socket, f'lease{inet}-get-all')
+    leases = _ctrl_socket_command(inet, f'lease{inet}-get-all')
 
     if not leases or 'result' not in leases or leases['result'] != 0:
         return []
 
     return leases['arguments']['leases']
 
-def kea_get_active_config(inet):
-    ctrl_socket = f'/run/kea/dhcp{inet}-ctrl-socket'
+def kea_delete_lease(inet, ip_address):
+    args = {'ip-address': ip_address}
 
-    config = _ctrl_socket_command(ctrl_socket, 'config-get')
+    result = _ctrl_socket_command(inet, f'lease{inet}-del', args)
+
+    if result and 'result' in result:
+        return result['result'] == 0
+
+    return False
+
+def kea_get_active_config(inet):
+    config = _ctrl_socket_command(inet, 'config-get')
 
     if not config or 'result' not in config or config['result'] != 0:
         return None
diff --git a/python/vyos/remote.py b/python/vyos/remote.py
index 129e65772..d87fd24f6 100644
--- a/python/vyos/remote.py
+++ b/python/vyos/remote.py
@@ -43,6 +43,7 @@ from vyos.utils.io import print_error
 from vyos.utils.misc import begin
 from vyos.utils.process import cmd, rc_cmd
 from vyos.version import get_version
+from vyos.base import Warning
 
 CHUNK_SIZE = 8192
 
@@ -54,13 +55,16 @@ class InteractivePolicy(MissingHostKeyPolicy):
     def missing_host_key(self, client, hostname, key):
         print_error(f"Host '{hostname}' not found in known hosts.")
         print_error('Fingerprint: ' + key.get_fingerprint().hex())
-        if sys.stdin.isatty() and ask_yes_no('Do you wish to continue?'):
-            if client._host_keys_filename\
-               and ask_yes_no('Do you wish to permanently add this host/key pair to known hosts?'):
-                client._host_keys.add(hostname, key.get_name(), key)
-                client.save_host_keys(client._host_keys_filename)
-        else:
+        if not sys.stdin.isatty():
+            return
+        if not ask_yes_no('Do you wish to continue?'):
             raise SSHException(f"Cannot connect to unknown host '{hostname}'.")
+        if client._host_keys_filename is None:
+            Warning('no \'known_hosts\' file; create to store keys permanently')
+            return
+        if ask_yes_no('Do you wish to permanently add this host/key pair to known_hosts file?'):
+            client._host_keys.add(hostname, key.get_name(), key)
+            client.save_host_keys(client._host_keys_filename)
 
 class SourceAdapter(HTTPAdapter):
     """
diff --git a/python/vyos/tpm.py b/python/vyos/tpm.py
new file mode 100644
index 000000000..f120e10c4
--- /dev/null
+++ b/python/vyos/tpm.py
@@ -0,0 +1,98 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import tempfile
+
+from vyos.util import rc_cmd
+
+default_pcrs = ['0','2','4','7']
+tpm_handle = 0x81000000
+
+def init_tpm(clear=False):
+    """
+    Initialize TPM
+    """
+    code, output = rc_cmd('tpm2_startup' + (' -c' if clear else ''))
+    if code != 0:
+        raise Exception('init_tpm: Failed to initialize TPM')
+
+def clear_tpm_key():
+    """
+    Clear existing key on TPM
+    """
+    code, output = rc_cmd(f'tpm2_evictcontrol -C o -c {tpm_handle}')
+    if code != 0:
+        raise Exception('clear_tpm_key: Failed to clear TPM key')
+
+def read_tpm_key(index=0, pcrs=default_pcrs):
+    """
+    Read existing key on TPM
+    """
+    with tempfile.TemporaryDirectory() as tpm_dir:
+        pcr_str = ",".join(pcrs)
+
+        tpm_key_file = os.path.join(tpm_dir, 'tpm_key.key')
+        code, output = rc_cmd(f'tpm2_unseal -c {tpm_handle + index} -p pcr:sha256:{pcr_str} -o {tpm_key_file}')
+        if code != 0:
+            raise Exception('read_tpm_key: Failed to read key from TPM')
+
+        with open(tpm_key_file, 'rb') as f:
+            tpm_key = f.read()
+
+        return tpm_key
+
+def write_tpm_key(key, index=0, pcrs=default_pcrs):
+    """
+    Saves key to TPM
+    """
+    with tempfile.TemporaryDirectory() as tpm_dir:
+        pcr_str = ",".join(pcrs)
+
+        policy_file = os.path.join(tpm_dir, 'policy.digest')
+        code, output = rc_cmd(f'tpm2_createpolicy --policy-pcr -l sha256:{pcr_str} -L {policy_file}')
+        if code != 0:
+            raise Exception('write_tpm_key: Failed to create policy digest')
+
+        primary_context_file = os.path.join(tpm_dir, 'primary.ctx')
+        code, output = rc_cmd(f'tpm2_createprimary -C e -g sha256 -G rsa -c {primary_context_file}')
+        if code != 0:
+            raise Exception('write_tpm_key: Failed to create primary key')
+
+        key_file = os.path.join(tpm_dir, 'crypt.key')
+        with open(key_file, 'wb') as f:
+            f.write(key)
+
+        public_obj = os.path.join(tpm_dir, 'obj.pub')
+        private_obj = os.path.join(tpm_dir, 'obj.key')
+        code, output = rc_cmd(
+            f'tpm2_create -g sha256 \
+            -u {public_obj} -r {private_obj} \
+            -C {primary_context_file} -L {policy_file} -i {key_file}')
+
+        if code != 0:
+            raise Exception('write_tpm_key: Failed to create object')
+
+        load_context_file = os.path.join(tpm_dir, 'load.ctx')
+        code, output = rc_cmd(f'tpm2_load -C {primary_context_file} -u {public_obj} -r {private_obj} -c {load_context_file}')
+
+        if code != 0:
+            raise Exception('write_tpm_key: Failed to load object')
+
+        code, output = rc_cmd(f'tpm2_evictcontrol -c {load_context_file} -C o {tpm_handle + index}')
+
+        if code != 0:
+            raise Exception('write_tpm_key: Failed to write object to TPM')