
Merge pull request #34189 from poettering/cryptenroll-slot-fix

cryptenroll: don't return slot 0 when we have no policy to search for
Yu Watanabe 2024-08-31 04:26:02 +09:00 committed by GitHub
commit 7571cb42a8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 6 additions and 4 deletions


@ -26,7 +26,7 @@ static int search_policy_hash(
assert(iovec_is_valid(hash)); assert(iovec_is_valid(hash));
if (!iovec_is_set(hash)) if (!iovec_is_set(hash))
return 0; return -ENOENT;
for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) { for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL; _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
@ -443,7 +443,7 @@ int enroll_tpm2(struct crypt_device *cd,
slot_to_wipe = r; slot_to_wipe = r;
} else { } else {
log_info("This PCR set is already enrolled, executing no operation."); log_info("This PCR set is already enrolled, executing no operation.");
*ret_slot_to_wipe = slot_to_wipe; *ret_slot_to_wipe = -1;
return r; /* return existing keyslot, so that wiping won't kill it */ return r; /* return existing keyslot, so that wiping won't kill it */
} }
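Review bot: The new `*ret_slot_to_wipe = -1;` turns -1 into a sentinel meaning "nothing to wipe", but neither this branch nor the existing comment on the following line says so, and the caller in cryptenroll.c depends on its `slot_to_wipe >= 0` test to honour it. A comment on the assignment would make the contract explicit: `*ret_slot_to_wipe = -1; /* nothing to wipe: the existing enrollment is reused, not replaced */`. The first hunk has the same gap: search_policy_hash() now returns -ENOENT for an unset hash, so callers that previously saw 0 (indistinguishable from keyslot 0) must handle the error, and a short comment such as `/* No policy hash to look for: report "not found" instead of a bogus slot 0 */` would record why. Both enclosing functions start and end outside these hunks.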


@ -885,6 +885,8 @@ static int run(int argc, char *argv[]) {
slot = enroll_tpm2(cd, &vk, arg_tpm2_device, arg_tpm2_seal_key_handle, arg_tpm2_device_key, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, arg_tpm2_public_key, arg_tpm2_load_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin, arg_tpm2_pcrlock, &slot_to_wipe); slot = enroll_tpm2(cd, &vk, arg_tpm2_device, arg_tpm2_seal_key_handle, arg_tpm2_device_key, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, arg_tpm2_public_key, arg_tpm2_load_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin, arg_tpm2_pcrlock, &slot_to_wipe);
if (slot >= 0 && slot_to_wipe >= 0) { if (slot >= 0 && slot_to_wipe >= 0) {
assert(slot != slot_to_wipe);
/* Updating PIN on an existing enrollment */ /* Updating PIN on an existing enrollment */
r = wipe_slots( r = wipe_slots(
cd, cd,
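Review bot: The added `assert(slot != slot_to_wipe);` guards against wiping the keyslot that was just enrolled, but an assert is compiled out when NDEBUG is defined, so in such a build a violated invariant would fall through into wipe_slots() and remove the fresh TPM2 enrollment rather than fail. Since the consequence is losing the new unlock path, a runtime check that aborts the operation is the safer form here: `if (slot == slot_to_wipe) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing to wipe freshly enrolled slot %i.", slot);`. The run() function continues outside the hunk, and the diffstat's 6 additions against the 5 added lines visible on this page suggest one added line (possibly blank) is not shown.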


@ -1179,7 +1179,7 @@ static int check_calculate_seal(Tpm2Context *c) {
int r; int r;
if (detect_virtualization() == VIRTUALIZATION_NONE && !slow_tests_enabled()) { if (detect_virtualization() == VIRTUALIZATION_NONE && !slow_tests_enabled()) {
log_notice("Skipping slow calculate seal TPM2 tests. Physical system detected, and slow tests disabled."); log_notice("Skipping slow calculate seal TPM2 tests. Physical system detected, and slow tests disabled. (To enable, run again with $SYSTEMD_SLOW_TESTS=1.)");
return 0; return 0;
} }
@ -1257,7 +1257,7 @@ static void check_seal_unseal(Tpm2Context *c) {
assert(c); assert(c);
if (detect_virtualization() == VIRTUALIZATION_NONE && !slow_tests_enabled()) { if (detect_virtualization() == VIRTUALIZATION_NONE && !slow_tests_enabled()) {
log_notice("Skipping slow seal/unseal TPM2 tests. Physical system detected, and slow tests disabled."); log_notice("Skipping slow seal/unseal TPM2 tests. Physical system detected, and slow tests disabled. (To enable, run again with $SYSTEMD_SLOW_TESTS=1.)");
return; return;
} }