tpm2-util: allocate pcrlock NV indexes from our newly assigned range

2025-03-21 02:50:18 +03:00 · 2024-07-04 15:59:12 +02:00 · 2024-07-04 15:59:12 +02:00 · 8fd917a74d
commit 8fd917a74d
parent 6cda26f3d6
2 changed files with 17 additions and 9 deletions
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@ -5797,9 +5797,9 @@ int tpm2_unseal(Tpm2Context *c,
        return 0;
 }

-static TPM2_HANDLE generate_random_nv_index(void) {
-        return TPM2_NV_INDEX_UNASSIGNED_FIRST +
-                (TPM2_HANDLE) random_u64_range(TPM2_NV_INDEX_UNASSIGNED_LAST - TPM2_NV_INDEX_UNASSIGNED_FIRST + 1);
+static TPM2_HANDLE generate_random_pcrlock_nv_index(void) {
+        return TPM2_NV_INDEX_PCRLOCK_FIRST +
+                (TPM2_HANDLE) random_u64_range(TPM2_NV_INDEX_PCRLOCK_LAST - TPM2_NV_INDEX_PCRLOCK_FIRST + 1);
 }

 int tpm2_define_policy_nv_index(
@ -5833,7 +5833,7 @@ int tpm2_define_policy_nv_index(
                if (requested_nv_index != 0)
                        nv_index = requested_nv_index;
                else
-                        nv_index = generate_random_nv_index();
+                        nv_index = generate_random_pcrlock_nv_index();

                TPM2B_NV_PUBLIC public_info = {
                        .size = sizeof_field(TPM2B_NV_PUBLIC, nvPublic),
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@ -485,13 +485,21 @@ enum {
 int tpm2_pcr_index_from_string(const char *s) _pure_;
 const char* tpm2_pcr_index_to_string(int pcr) _const_;

-/* The first and last NV index handle that is not registered to any company, as per TCG's "Registry of
+
+/* The first and last NV index handle that is assigned to the systemd project as per TCG's "Registry of
 * Reserved TPM 2.0 Handles and Localities", section 2.2.2. */
-#define TPM2_NV_INDEX_UNASSIGNED_FIRST UINT32_C(0x01800000)
-#define TPM2_NV_INDEX_UNASSIGNED_LAST  UINT32_C(0x01BFFFFF)
+#define TPM2_NV_INDEX_SYSTEMD_FIRST UINT32_C(0x01800400)
+#define TPM2_NV_INDEX_SYSTEMD_LAST  UINT32_C(0x018005FF)

 #if HAVE_TPM2
 /* Verify that the above is indeed a subset of the general NV Index range */
-assert_cc(TPM2_NV_INDEX_UNASSIGNED_FIRST >= TPM2_NV_INDEX_FIRST);
-assert_cc(TPM2_NV_INDEX_UNASSIGNED_LAST <= TPM2_NV_INDEX_LAST);
+assert_cc(TPM2_NV_INDEX_SYSTEMD_FIRST >= TPM2_NV_INDEX_FIRST);
+assert_cc(TPM2_NV_INDEX_SYSTEMD_LAST  <= TPM2_NV_INDEX_LAST);
 #endif
+
+/* A subrange we use to store pcrlock policies in */
+#define TPM2_NV_INDEX_PCRLOCK_FIRST UINT32_C(0x01800400)
+#define TPM2_NV_INDEX_PCRLOCK_LAST  UINT32_C(0x0180041F)
+
+assert_cc(TPM2_NV_INDEX_PCRLOCK_FIRST >= TPM2_NV_INDEX_SYSTEMD_FIRST);
+assert_cc(TPM2_NV_INDEX_PCRLOCK_LAST  <= TPM2_NV_INDEX_SYSTEMD_LAST);