
tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED

It's not just Esys_Unseal that may fail due to PCR changes during the
session, but also Esys_PolicyPCR. Perform a retry in that case as well.

Fixes #35490
This commit is contained in:
Fabian Vogt 2024-12-16 19:08:13 +01:00 committed by Lennart Poettering
parent 9aee971185
commit e61032bf47


@ -4015,6 +4015,9 @@ int tpm2_policy_pcr(
ESYS_TR_NONE, ESYS_TR_NONE,
NULL, NULL,
pcr_selection); pcr_selection);
if (rc == TPM2_RC_PCR_CHANGED)
return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
"Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
if (rc != TSS2_RC_SUCCESS) if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc)); "Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
@ -5810,6 +5813,11 @@ int tpm2_unseal(Tpm2Context *c,
!!pin, !!pin,
(shard == 1 || !iovec_is_set(pubkey)) ? pcrlock_policy : NULL, (shard == 1 || !iovec_is_set(pubkey)) ? pcrlock_policy : NULL,
&policy_digest); &policy_digest);
if (r == -EUCLEAN && i > 0) {
log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
retry = true;
break;
}
if (r < 0) if (r < 0)
return r; return r;