Merge pull request #32993 from poettering/cryptenroll-no-pcr
cryptenroll: make sure enrolling signed PCR policy without literal PCR policy works correctly
commit
c09f7e5a82
4
TODO
4
TODO
@ -130,6 +130,10 @@ Deprecations and removals:
|
||||
|
||||
Features:
|
||||
|
||||
* rework tpm2_parse_pcr_argument_to_mask() to refuse literal hash value
|
||||
specifications. They are currently parsed but ignored. We should refuse them
|
||||
however, to not confuse people.
|
||||
|
||||
* use name_to_handle_at() with AT_HANDLE_FID instead of .st_ino (inode
|
||||
number) for identifying inodes, for example in copy.c when finding hard
|
||||
links, or loop-util.c for tracking backing files, and other places.
|
||||
|
@ -371,8 +371,10 @@ int enroll_tpm2(struct crypt_device *cd,
|
||||
|
||||
uint16_t hash_pcr_bank = 0;
|
||||
uint32_t hash_pcr_mask = 0;
|
||||
|
||||
if (n_hash_pcr_values > 0) {
|
||||
size_t hash_count;
|
||||
|
||||
r = tpm2_pcr_values_hash_count(hash_pcr_values, n_hash_pcr_values, &hash_count);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Could not get hash count: %m");
|
||||
@ -380,10 +382,21 @@ int enroll_tpm2(struct crypt_device *cd,
|
||||
if (hash_count > 1)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Multiple PCR banks selected.");
|
||||
|
||||
/* If we use a literal PCR value policy, derive the bank to use from the algorithm specified on the hash values */
|
||||
hash_pcr_bank = hash_pcr_values[0].hash;
|
||||
r = tpm2_pcr_values_to_mask(hash_pcr_values, n_hash_pcr_values, hash_pcr_bank, &hash_pcr_mask);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Could not get hash mask: %m");
|
||||
} else if (pubkey_pcr_mask != 0) {
|
||||
|
||||
/* If no literal PCR value policy is used, then let's determine the mask to use automatically
|
||||
* from the measurements of the TPM. */
|
||||
r = tpm2_get_best_pcr_bank(
|
||||
tpm2_context,
|
||||
pubkey_pcr_mask,
|
||||
&hash_pcr_bank);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to determine best PCR bank: %m");
|
||||
}
|
||||
|
||||
TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
|
||||
|
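Review bot: The comment opening the new `} else if (pubkey_pcr_mask != 0) {` branch says the code will "determine the mask to use automatically", but the branch only fills `hash_pcr_bank` through `tpm2_get_best_pcr_bank(tpm2_context, pubkey_pcr_mask, &hash_pcr_bank)`; `hash_pcr_mask` keeps its initial 0 on this path. Suggest rewording it to match the code: `/* If no literal PCR value policy is used but a signed PCR policy is, pick the PCR bank from the TPM's measurements of the PCRs in pubkey_pcr_mask; hash_pcr_mask stays 0 here. */`. When neither a literal nor a signed PCR policy is requested, both `hash_pcr_bank` and `hash_pcr_mask` remain 0 and are presumably handed on to tpm2_make_luks2_json(), whose hunk on this page now gates the "tpm2-pcr-bank" key on `pcr_bank != 0`; a one-line comment on the `uint16_t hash_pcr_bank = 0;` declaration in the first hunk stating that 0 means "no bank selected" would make that convention explicit. enroll_tpm2() starts and ends outside these hunks.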
@ -7391,11 +7391,11 @@ int tpm2_make_luks2_json(
|
||||
JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))),
|
||||
JSON_BUILD_PAIR("tpm2-blob", JSON_BUILD_IOVEC_BASE64(blob)),
|
||||
JSON_BUILD_PAIR("tpm2-pcrs", JSON_BUILD_VARIANT(hmj)),
|
||||
JSON_BUILD_PAIR_CONDITION(!!tpm2_hash_alg_to_string(pcr_bank), "tpm2-pcr-bank", JSON_BUILD_STRING(tpm2_hash_alg_to_string(pcr_bank))),
|
||||
JSON_BUILD_PAIR_CONDITION(!!tpm2_asym_alg_to_string(primary_alg), "tpm2-primary-alg", JSON_BUILD_STRING(tpm2_asym_alg_to_string(primary_alg))),
|
||||
JSON_BUILD_PAIR_CONDITION(pcr_bank != 0 && tpm2_hash_alg_to_string(pcr_bank), "tpm2-pcr-bank", JSON_BUILD_STRING(tpm2_hash_alg_to_string(pcr_bank))),
|
||||
JSON_BUILD_PAIR_CONDITION(primary_alg != 0 && tpm2_asym_alg_to_string(primary_alg), "tpm2-primary-alg", JSON_BUILD_STRING(tpm2_asym_alg_to_string(primary_alg))),
|
||||
JSON_BUILD_PAIR("tpm2-policy-hash", JSON_BUILD_IOVEC_HEX(policy_hash)),
|
||||
JSON_BUILD_PAIR("tpm2-pin", JSON_BUILD_BOOLEAN(flags & TPM2_FLAGS_USE_PIN)),
|
||||
JSON_BUILD_PAIR("tpm2_pcrlock", JSON_BUILD_BOOLEAN(flags & TPM2_FLAGS_USE_PCRLOCK)),
|
||||
JSON_BUILD_PAIR_CONDITION(FLAGS_SET(flags, TPM2_FLAGS_USE_PIN), "tpm2-pin", JSON_BUILD_BOOLEAN(true)),
|
||||
JSON_BUILD_PAIR_CONDITION(FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK), "tpm2_pcrlock", JSON_BUILD_BOOLEAN(true)),
|
||||
JSON_BUILD_PAIR_CONDITION(pubkey_pcr_mask != 0, "tpm2_pubkey_pcrs", JSON_BUILD_VARIANT(pkmj)),
|
||||
JSON_BUILD_PAIR_CONDITION(iovec_is_set(pubkey), "tpm2_pubkey", JSON_BUILD_IOVEC_BASE64(pubkey)),
|
||||
JSON_BUILD_PAIR_CONDITION(iovec_is_set(salt), "tpm2_salt", JSON_BUILD_IOVEC_BASE64(salt)),
|
||||
|
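Review bot: The new `JSON_BUILD_PAIR_CONDITION(FLAGS_SET(flags, TPM2_FLAGS_USE_PIN), ...)` and `..._USE_PCRLOCK ...` lines stop emitting `"tpm2-pin": false` and `"tpm2_pcrlock": false`, so tokens written by this version differ from earlier ones in which keys are present rather than in their values; the hunk does not show whether the reader treats an absent key as false, so that should be confirmed on the parsing side and stated here, e.g. `/* Boolean flags are only written when set; readers must treat an absent key as false. */` above the first of the two lines. The `pcr_bank != 0 &&` and `primary_alg != 0 &&` guards likewise keep "tpm2-pcr-bank" and "tpm2-primary-alg" out of the token when enrollment left them at 0, which matches the `hash_pcr_bank = 0` default in the enroll_tpm2() hunk and is worth a short comment for the same reason. tpm2_make_luks2_json() starts and ends outside the hunk.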