tpm2-util: add TPM2_PCR_MASK_VALID() helper

2025-01-14 19:24:13 +03:00 · 2022-08-17 16:49:14 +02:00 · 2022-08-17 16:49:14 +02:00 · df6c3cbd02
commit df6c3cbd02
parent d8776eed9b
4 changed files with 9 additions and 5 deletions
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@ -147,7 +147,7 @@ int enroll_tpm2(struct crypt_device *cd,
        assert(cd);
        assert(volume_key);
        assert(volume_key_size > 0);
-        assert(pcr_mask < (1U << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+        assert(TPM2_PCR_MASK_VALID(pcr_mask));

        assert_se(node = crypt_get_device_name(cd));

--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@ -879,7 +879,7 @@ int decrypt_credential_and_warn(
 #if HAVE_TPM2
                struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);

-                if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX))
+                if (!TPM2_PCR_MASK_VALID(t->pcr_mask))
                        return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
                if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
                        return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@ -865,7 +865,7 @@ int tpm2_seal(
        assert(ret_pcr_hash_size);
        assert(ret_pcr_bank);

-        assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+        assert(TPM2_PCR_MASK_VALID(pcr_mask));

        /* So here's what we do here: we connect to the TPM2 chip. It persistently contains a "seed" key that
         * is randomized when the TPM2 is first initialized or reset and remains stable across boots. We
@ -1069,7 +1069,7 @@ int tpm2_unseal(
        assert(ret_secret);
        assert(ret_secret_size);

-        assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+        assert(TPM2_PCR_MASK_VALID(pcr_mask));

        r = dlopen_tpm2();
        if (r < 0)
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@ -56,7 +56,11 @@ int tpm2_parse_pcrs(const char *s, uint32_t *ret);

 int tpm2_make_luks2_json(int keyslot, uint32_t pcr_mask, uint16_t pcr_bank, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, TPM2Flags flags, JsonVariant **ret);

-#define TPM2_PCRS_MAX 24
+#define TPM2_PCRS_MAX 24U
+
+static inline bool TPM2_PCR_MASK_VALID(uint64_t pcr_mask) {
+        return pcr_mask < (UINT64_C(1) << TPM2_PCRS_MAX); /* Support 24 PCR banks */
+}

 /* Default to PCR 7 only */
 #define TPM2_PCR_MASK_DEFAULT (UINT32_C(1) << 7)