From 41bcb9308743f021f9635b35100e63106588cab9 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 29 Aug 2024 12:54:40 +0200
Subject: [PATCH 1/3] cryptenroll: don't return slot 0 when we have no policy to search for
If the policy hash is empty we shouldn't return "0" from search_policy_hash(), because that is understood as slot index 0, but that's unlikely to match the policy. Hence, return -ENOENT instead, indicating that we can't find a matching slot.
---
 src/cryptenroll/cryptenroll-tpm2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 583259d853e..b3d851953bf 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -26,7 +26,7 @@ static int search_policy_hash(
 assert(iovec_is_valid(hash));
 if (!iovec_is_set(hash))
- return 0;
+ return -ENOENT;
 for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
 _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
From 43b93a8a264769acbd7be3046c2726d3b5db141c Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 28 Aug 2024 16:52:43 +0200
Subject: [PATCH 2/3] crypenroll: make slot wiping on pin change a bit more explicit
---
 src/cryptenroll/cryptenroll-tpm2.c | 2 +-
 src/cryptenroll/cryptenroll.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index b3d851953bf..db83ddc6e55 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -443,7 +443,7 @@ int enroll_tpm2(struct crypt_device *cd,
 slot_to_wipe = r;
 } else {
 log_info("This PCR set is already enrolled, executing no operation.");
- *ret_slot_to_wipe = slot_to_wipe;
+ *ret_slot_to_wipe = -1;
 return r; /* return existing keyslot, so that wiping won't kill it */
 }
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index df67a5636c5..ad98acb7624 100644
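Review bot: The early return in search_policy_hash() (src/cryptenroll/cryptenroll-tpm2.c) relies on an unwritten contract, namely that any non-negative result is taken as a keyslot index by the caller. A comment on the guard would make that explicit, e.g. `/* No policy hash to compare against: report "not found", never slot 0 */`. The call sites are outside this hunk; they presumably treat -ENOENT as "nothing enrolled yet" rather than as a failure, which is worth confirming since the wipe decision depends on it. The function body continues past the end of the hunk.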
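Review bot: In the already-enrolled branch of enroll_tpm2() (src/cryptenroll/cryptenroll-tpm2.c) the trailing comment on `return r;` explains only half of the behaviour, because the wipe is actually prevented by the `-1` stored in `*ret_slot_to_wipe`. Suggest a comment on that line, `/* -1 = nothing to wipe; the existing slot is returned untouched */`, so the sentinel's meaning is visible where it is set. The caller shown in cryptenroll.c tests `slot_to_wipe >= 0`, which is consistent with that reading. The function starts and ends outside the hunk.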
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -885,6 +885,8 @@ static int run(int argc, char *argv[]) { slot = enroll_tpm2(cd, &vk, arg_tpm2_device, arg_tpm2_seal_key_handle, arg_tpm2_device_key, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, arg_tpm2_public_key, arg_tpm2_load_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin, arg_tpm2_pcrlock, &slot_to_wipe); if (slot >= 0 && slot_to_wipe >= 0) { + assert(slot != slot_to_wipe); + /* Updating PIN on an existing enrollment */ r = wipe_slots( cd,
From 379e088f6f34c63eb72fba78f70bd7168cc547b2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 29 Aug 2024 17:07:46 +0200
Subject: [PATCH 3/3] test: when refusing to run slow tests, mention how to run them
Let's be helpful and provide an actionable hint.
---
 src/test/test-tpm2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c
index 3b5a375c883..2be104d8534 100644
--- a/src/test/test-tpm2.c
+++ b/src/test/test-tpm2.c
@@ -1179,7 +1179,7 @@ static int check_calculate_seal(Tpm2Context *c) {
 int r;
 if (detect_virtualization() == VIRTUALIZATION_NONE && !slow_tests_enabled()) {
- log_notice("Skipping slow calculate seal TPM2 tests. Physical system detected, and slow tests disabled.");
+ log_notice("Skipping slow calculate seal TPM2 tests. Physical system detected, and slow tests disabled. (To enable, run again with $SYSTEMD_SLOW_TESTS=1.)");
 return 0;
 }
@@ -1257,7 +1257,7 @@ static void check_seal_unseal(Tpm2Context *c) {
 assert(c);
 if (detect_virtualization() == VIRTUALIZATION_NONE && !slow_tests_enabled()) {
- log_notice("Skipping slow seal/unseal TPM2 tests. Physical system detected, and slow tests disabled.");
+ log_notice("Skipping slow seal/unseal TPM2 tests. Physical system detected, and slow tests disabled. (To enable, run again with $SYSTEMD_SLOW_TESTS=1.)");
 return;
 }
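Review bot: The new `assert(slot != slot_to_wipe);` in run() (src/cryptenroll/cryptenroll.c) is the only guard in view against wiping the key slot that was just enrolled, and an assertion is only as strong as the build configuration; if assert() is compiled out or weakened in release builds, the check disappears exactly where it matters. For a destructive operation a runtime check that fails cleanly would be more robust, e.g. `if (slot == slot_to_wipe) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing to wipe the key slot that was just enrolled.");`, with the assert kept as documentation if desired. run() starts and ends outside the hunk, so the error path should follow whatever cleanup convention the rest of the function uses.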