From f4f5b3a9de29874bcb2345196eb47ec90d02b67d Mon Sep 17 00:00:00 2001
From: Dan Streetman
Date: Fri, 17 Feb 2023 12:59:18 -0500
Subject: [PATCH] tpm2: add tpm2_get_legacy_template() and tpm2_get_srk_template()
Add functions to get either the 'legacy' or standard SRK template, for RSA or ECC. The 'legacy' templates are those used with earlier code, where a transient key was created to use for tpm sealing; the standard SRK is the persistent shared key as defined in TCG guidance docs. This also replaces tpm2_get_primary_template() with the new functions; that function's use of flags is confusing and unnecessary.
---
src/shared/tpm2-util.c | 297 +++++++++++++++++++++++++++--------------
src/shared/tpm2-util.h | 9 --
src/test/test-tpm2.c | 90 -------------
3 files changed, 199 insertions(+), 197 deletions(-)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 9094195ea63..9694a36d8f8 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -257,6 +257,25 @@ int tpm2_supports_alg(Tpm2Context *c, TPM2_ALG_ID alg) {
 return tpm2_get_capability_alg(c, alg, NULL);
 }
 
+/* Returns 1 if the TPM supports the ECC curve, 0 if not, or < 0 for any error. */
+static int tpm2_supports_ecc_curve(Tpm2Context *c, TPM2_ECC_CURVE curve) {
+ TPMU_CAPABILITIES capability;
+ int r;
+
+ /* The spec explicitly states the TPM2_ECC_CURVE should be cast to uint32_t. */
+ r = tpm2_get_capability(c, TPM2_CAP_ECC_CURVES, (uint32_t) curve, 1, &capability);
+ if (r < 0)
+ return r;
+
+ TPML_ECC_CURVE eccCurves = capability.eccCurves;
+ if (eccCurves.count == 0 || eccCurves.eccCurves[0] != curve) {
+ log_debug("TPM does not support ECC curve 0x%02" PRIx16 ".", curve);
+ return 0;
+ }
+
+ return 1;
+}
+
 /* Query the TPM for populated handles.
 *
 * This provides an array of handle indexes populated in the TPM, starting at the requested handle. The array will
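Review bot: `TPML_ECC_CURVE eccCurves = capability.eccCurves;` copies the whole curve list out of the union by value only to read `count` and `eccCurves[0]`; reading through the union directly, `if (capability.eccCurves.count == 0 || capability.eccCurves.eccCurves[0] != curve) {`, avoids the copy and the local that is named after its own field. The `[0]` test is correct only if the capability query returns curves in ascending order starting at the requested property, which is what the TPM spec describes but nothing here states; a comment such as `/* GetCapability returns curves >= the requested one in ascending order, so a supported curve is always first. */` would record that assumption. The log format `0x%02" PRIx16` also prints only two digits for a 16-bit curve id; `0x%04" PRIx16` shows the full value.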
@@ -358,6 +377,13 @@ bool tpm2_test_parms(Tpm2Context *c, TPMI_ALG_PUBLIC alg, const TPMU_PUBLIC_PARM
 return rc == TSS2_RC_SUCCESS;
 }
 
+static inline bool tpm2_supports_tpmt_public(Tpm2Context *c, const TPMT_PUBLIC *public) {
+ assert(c);
+ assert(public);
+
+ return tpm2_test_parms(c, public->type, &public->parameters);
+}
+
 static inline bool tpm2_supports_tpmt_sym_def_object(Tpm2Context *c, const TPMT_SYM_DEF_OBJECT *parameters) {
 assert(c);
 assert(parameters);
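Review bot: tpm2_supports_tpmt_public() forwards only `public->type` and `public->parameters` to tpm2_test_parms(), so the template's nameAlg, objectAttributes and authPolicy are not validated, and tpm2_test_parms() (per the context lines above) folds every non-success TSS2_RC, including a transport failure, into false. The callers added in the hunk at @@ -753 report a false result as "TPM does not support SRK template L-1/L-2", which is stronger than what is actually checked. A comment on the wrapper would make the contract explicit: `/* Tests only the key type and algorithm parameters; nameAlg and objectAttributes are not checked, and any TSS error reads as "unsupported". */`.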
@@ -753,102 +779,168 @@ static int tpm2_read_public(
 return 0;
 }
 
-const TPM2B_PUBLIC *tpm2_get_primary_template(Tpm2SRKTemplateFlags flags) {
-
- /*
- * Set up array so flags can be used directly as an input.
- *
- * Templates for SRK come from the spec:
- * - https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
- *
- * However, note their is some lore here. On Linux, the SRK has it's unique field set to size 0 and
- * on Windows the SRK has their unique data set to keyLen in bytes of zeros.
- */
- assert(flags >= 0);
- assert(flags <= _TPM2_SRK_TEMPLATE_MAX);
-
- static const TPM2B_PUBLIC templ[_TPM2_SRK_TEMPLATE_MAX + 1] = {
- /* index 0 RSA old */
- [0] = {
- .publicArea = {
- .type = TPM2_ALG_RSA,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH,
- .parameters.rsaDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .keyBits = 2048,
- },
- },
- },
- [TPM2_SRK_TEMPLATE_ECC] = {
- .publicArea = {
- .type = TPM2_ALG_ECC,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH,
- .parameters.eccDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .curveID = TPM2_ECC_NIST_P256,
- .kdf.scheme = TPM2_ALG_NULL,
- },
- },
- },
- [TPM2_SRK_TEMPLATE_NEW_STYLE] = {
- .publicArea = {
- .type = TPM2_ALG_RSA,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_USERWITHAUTH|TPMA_OBJECT_NODA,
- .parameters.rsaDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .keyBits = 2048,
- },
- },
- },
- [TPM2_SRK_TEMPLATE_NEW_STYLE|TPM2_SRK_TEMPLATE_ECC] = {
- .publicArea = {
- .type = TPM2_ALG_ECC,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_USERWITHAUTH|TPMA_OBJECT_NODA,
- .parameters.eccDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .curveID = TPM2_ECC_NIST_P256,
- .kdf.scheme = TPM2_ALG_NULL,
+/* Get one of the legacy primary key templates.
+ *
+ * The legacy templates should only be used for older sealed data that did not use the SRK. Instead of a
+ * persistent SRK, a transient key was created to seal the data and then flushed; and the exact same template
+ * must be used to recreate the same transient key to unseal the data. The alg parameter must be TPM2_ALG_RSA
+ * or TPM2_ALG_ECC. This does not check if the alg is actually supported on this TPM. */
+static int tpm2_get_legacy_template(TPMI_ALG_PUBLIC alg, TPMT_PUBLIC *ret_template) {
+ /* Do not modify. */
+ static const TPMT_PUBLIC legacy_ecc = {
+ .type = TPM2_ALG_ECC,
+ .nameAlg = TPM2_ALG_SHA256,
+ .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH,
+ .parameters.eccDetail = {
+ .symmetric = {
+ .algorithm = TPM2_ALG_AES,
+ .keyBits.aes = 128,
+ .mode.aes = TPM2_ALG_CFB,
 },
+ .scheme.scheme = TPM2_ALG_NULL,
+ .curveID = TPM2_ECC_NIST_P256,
+ .kdf.scheme = TPM2_ALG_NULL,
 },
 };
- return &templ[flags];
+ /* Do not modify. */
+ static const TPMT_PUBLIC legacy_rsa = {
+ .type = TPM2_ALG_RSA,
+ .nameAlg = TPM2_ALG_SHA256,
+ .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH,
+ .parameters.rsaDetail = {
+ .symmetric = {
+ .algorithm = TPM2_ALG_AES,
+ .keyBits.aes = 128,
+ .mode.aes = TPM2_ALG_CFB,
+ },
+ .scheme.scheme = TPM2_ALG_NULL,
+ .keyBits = 2048,
+ },
+ };
+
+ assert(ret_template);
+
+ if (alg == TPM2_ALG_ECC)
+ *ret_template = legacy_ecc;
+ else if (alg == TPM2_ALG_RSA)
+ *ret_template = legacy_rsa;
+ else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "Unsupported legacy SRK alg: 0x%x", alg);
+
+ return 0;
 }
-/*
- * Why and what is an SRK?
- * TL;DR provides a working space for those without owner auth. The user enrolling
- * the disk may not have access to the TPMs owner hierarchy auth, so they need a
- * working space. This working space is at the defined address of 0x81000001.
- * Details can be found here:
- * - https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
- */
-#define SRK_HANDLE UINT32_C(0x81000001)
+/* Get a Storage Root Key (SRK) template.
+ *
+ * The SRK template values are recommended by the "TCG TPM v2.0 Provisioning Guidance" document in section
+ * 7.5.1 "Storage Primary Key (SRK) Templates", referencing "TCG EK Credential Profile for TPM Family 2.0".
+ * The EK Credential Profile version 2.0 provides only a single template each for RSA and ECC, while later EK
+ * Credential Profile versions provide more templates, and keep the original templates as "L-1" (for RSA) and
+ * "L-2" (for ECC).
+ *
+ * https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance
+ * https://trustedcomputinggroup.org/resource/http-trustedcomputinggroup-org-wp-content-uploads-tcg-ek-credential-profile
+ *
+ * These templates are only needed to create a new persistent SRK (or a new transient key that is
+ * SRK-compatible). Preferably, the TPM should contain a shared SRK located at the reserved shared SRK handle
+ * (see TPM2_SRK_HANDLE and tpm2_get_srk() below).
+ *
+ * The alg must be TPM2_ALG_RSA or TPM2_ALG_ECC. Returns error if the requested template is not supported on
+ * this TPM. */
+static int tpm2_get_srk_template(Tpm2Context *c, TPMI_ALG_PUBLIC alg, TPMT_PUBLIC *ret_template) {
+ /* The attributes are the same between ECC and RSA templates. This has the changes specified in the
+ * Provisioning Guidance document, specifically:
+ * TPMA_OBJECT_USERWITHAUTH is added.
+ * TPMA_OBJECT_ADMINWITHPOLICY is removed.
+ * TPMA_OBJECT_NODA is added. */
+ TPMA_OBJECT srk_attributes =
+ TPMA_OBJECT_DECRYPT |
+ TPMA_OBJECT_FIXEDPARENT |
+ TPMA_OBJECT_FIXEDTPM |
+ TPMA_OBJECT_NODA |
+ TPMA_OBJECT_RESTRICTED |
+ TPMA_OBJECT_SENSITIVEDATAORIGIN |
+ TPMA_OBJECT_USERWITHAUTH;
+
+ /* The symmetric configuration is the same between ECC and RSA templates. */
+ TPMT_SYM_DEF_OBJECT srk_symmetric = {
+ .algorithm = TPM2_ALG_AES,
+ .keyBits.aes = 128,
+ .mode.aes = TPM2_ALG_CFB,
+ };
+
+ /* Both templates have an empty authPolicy as specified by the Provisioning Guidance document. */
+
+ /* From the EK Credential Profile template "L-2". */
+ TPMT_PUBLIC srk_ecc = {
+ .type = TPM2_ALG_ECC,
+ .nameAlg = TPM2_ALG_SHA256,
+ .objectAttributes = srk_attributes,
+ .parameters.eccDetail = {
+ .symmetric = srk_symmetric,
+ .scheme.scheme = TPM2_ALG_NULL,
+ .curveID = TPM2_ECC_NIST_P256,
+ .kdf.scheme = TPM2_ALG_NULL,
+ },
+ };
+
+ /* From the EK Credential Profile template "L-1". */
+ TPMT_PUBLIC srk_rsa = {
+ .type = TPM2_ALG_RSA,
+ .nameAlg = TPM2_ALG_SHA256,
+ .objectAttributes = srk_attributes,
+ .parameters.rsaDetail = {
+ .symmetric = srk_symmetric,
+ .scheme.scheme = TPM2_ALG_NULL,
+ .keyBits = 2048,
+ },
+ };
+
+ assert(c);
+ assert(ret_template);
+
+ if (alg == TPM2_ALG_ECC) {
+ if (!tpm2_supports_alg(c, TPM2_ALG_ECC))
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "TPM does not support ECC.");
+
+ if (!tpm2_supports_ecc_curve(c, srk_ecc.parameters.eccDetail.curveID))
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "TPM does not support ECC-NIST-P256 curve.");
+
+ if (!tpm2_supports_tpmt_public(c, &srk_ecc))
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "TPM does not support SRK ECC template L-2.");
+
+ *ret_template = srk_ecc;
+ return 0;
+ }
+
+ if (alg == TPM2_ALG_RSA) {
+ if (!tpm2_supports_alg(c, TPM2_ALG_RSA))
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "TPM does not support RSA.");
+
+ if (!tpm2_supports_tpmt_public(c, &srk_rsa))
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "TPM does not support SRK RSA template L-1.");
+
+ *ret_template = srk_rsa;
+ return 0;
+ }
+
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unsupported SRK alg: 0x%x.", alg);
+}
+
+/* The SRK handle is defined in the Provisioning Guidance document (see above) in the table "Reserved Handles
+ * for TPM Provisioning Fundamental Elements". The SRK is useful because it is "shared", meaning it has no
+ * authValue nor authPolicy set, and thus may be used by anyone on the system to generate derived keys or
+ * seal secrets. This is useful if the TPM has an auth (password) set for the 'owner hierarchy', which would
+ * prevent users from generating primary transient keys, unless they knew the owner hierarchy auth. See
+ * the Provisioning Guidance document for more details. */
+#define TPM2_SRK_HANDLE UINT32_C(0x81000001)
 /*
 * Retrieves the SRK handle if present. Returns 0 if SRK not present, 1 if present
@@ -867,7 +959,7 @@ static int tpm2_get_srk(
 assert(c);
 _cleanup_(tpm2_handle_freep) Tpm2Handle *handle = NULL;
- r = tpm2_esys_handle_from_tpm_handle(c, session, SRK_HANDLE, &handle);
+ r = tpm2_esys_handle_from_tpm_handle(c, session, TPM2_SRK_HANDLE, &handle);
 if (r < 0)
 return r;
 if (r == 0) { /* SRK not found */
@@ -903,8 +995,7 @@ static int tpm2_make_primary(
 static const TPM2B_SENSITIVE_CREATE primary_sensitive = {};
 static const TPML_PCR_SELECTION creation_pcr = {};
- const TPM2B_PUBLIC *primary_template = NULL;
- Tpm2SRKTemplateFlags base_flags = use_srk_model ? TPM2_SRK_TEMPLATE_NEW_STYLE : 0;
+ TPM2B_PUBLIC primary_template = { .size = sizeof(TPMT_PUBLIC), };
 _cleanup_(release_lock_file) LockFile srk_lock = LOCK_FILE_INIT;
 TSS2_RC rc;
 usec_t ts;
@@ -959,7 +1050,12 @@ static int tpm2_make_primary(
 return r;
 if (IN_SET(alg, 0, TPM2_ALG_ECC)) {
- primary_template = tpm2_get_primary_template(base_flags | TPM2_SRK_TEMPLATE_ECC);
+ if (use_srk_model)
+ r = tpm2_get_srk_template(c, TPM2_ALG_ECC, &primary_template.publicArea);
+ else
+ r = tpm2_get_legacy_template(TPM2_ALG_ECC, &primary_template.publicArea);
+ if (r < 0)
+ return r;
 rc = sym_Esys_CreatePrimary(
 c->esys_context,
@@ -968,7 +1064,7 @@ static int tpm2_make_primary(
 ESYS_TR_NONE,
 ESYS_TR_NONE,
 &primary_sensitive,
- primary_template,
+ &primary_template,
 NULL,
 &creation_pcr,
 &primary->esys_handle,
@@ -990,7 +1086,12 @@ static int tpm2_make_primary(
 }
 if (IN_SET(alg, 0, TPM2_ALG_RSA)) {
- primary_template = tpm2_get_primary_template(base_flags);
+ if (use_srk_model)
+ r = tpm2_get_srk_template(c, TPM2_ALG_RSA, &primary_template.publicArea);
+ else
+ r = tpm2_get_legacy_template(TPM2_ALG_RSA, &primary_template.publicArea);
+ if (r < 0)
+ return r;
 rc = sym_Esys_CreatePrimary(
 c->esys_context,
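Review bot: In tpm2_get_srk_template() the support checks negate int results: tpm2_supports_ecc_curve() is documented in the hunk at @@ -257 to return < 0 on error, and tpm2_supports_alg() forwards tpm2_get_capability_alg(), which presumably follows the same convention, so `if (!tpm2_supports_alg(c, TPM2_ALG_ECC))` and `if (!tpm2_supports_ecc_curve(...))` treat a failed capability query (negative r) as "supported" and hand back a template the TPM never confirmed, while only a clean 0 reaches the ENOTRECOVERABLE message. Split the result into an error path and an unsupported path as in the fence below; the RSA branch needs the same treatment for its tpm2_supports_alg() call. Separately, the commit deletes the test in test-tpm2.c that pinned the template bytes and makes the new getters static so it cannot simply be re-added; since unsealing older data depends on legacy_ecc and legacy_rsa staying byte-identical, consider exporting the legacy getter (or the templates) so a pinning test can be kept. The `"Unsupported legacy SRK alg: 0x%x"` message is also missing the trailing period its SRK counterpart has.
```c
static int tpm2_get_srk_template(Tpm2Context *c, TPMI_ALG_PUBLIC alg, TPMT_PUBLIC *ret_template) {
        /* … unchanged: srk_attributes, srk_symmetric, srk_ecc and srk_rsa initializers … */
        int r;

        assert(c);
        assert(ret_template);

        if (alg == TPM2_ALG_ECC) {
                /* A negative result is a query failure, not "unsupported"; propagate it unchanged. */
                r = tpm2_supports_alg(c, TPM2_ALG_ECC);
                if (r < 0)
                        return r;
                if (r == 0)
                        return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
                                               "TPM does not support ECC.");

                r = tpm2_supports_ecc_curve(c, srk_ecc.parameters.eccDetail.curveID);
                if (r < 0)
                        return r;
                if (r == 0)
                        return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
                                               "TPM does not support ECC-NIST-P256 curve.");

                /* … unchanged: tpm2_supports_tpmt_public() check and return of srk_ecc … */
        }

        /* … unchanged: RSA branch, with the same r < 0 / r == 0 split around tpm2_supports_alg() … */
```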
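Review bot: `TPM2B_PUBLIC primary_template = { .size = sizeof(TPMT_PUBLIC), };` stores the in-memory struct size in a TPM2B size field, whereas a TPM2B `size` conventionally holds the marshalled byte length of the payload, and the two differ. If Esys ignores `size` on an input TPM2B_PUBLIC (I believe it marshals publicArea itself, but confirm against the TSS), the value is harmless and a comment should say so, for example `/* .size is not consulted by Esys for inputs; the publicArea is marshalled by the TSS. */`; if it is consulted, the value is wrong. tpm2_make_primary() starts and ends outside this hunk.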
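Review bot: The added `if (r < 0) return r;` in the ECC branch aborts tpm2_make_primary() whenever tpm2_get_srk_template() reports ENOTRECOVERABLE, including when alg is 0 and ECC was only the first candidate; the `IN_SET(alg, 0, TPM2_ALG_RSA)` branch in the hunk at @@ -990 indicates RSA is meant to be tried next, and the old tpm2_get_primary_template() could not fail here, so the fallback previously hinged only on CreatePrimary's result, which lies outside the hunk. If that fallback exists as the code shape implies, a TPM without ECC now fails outright in SRK mode instead of persisting an RSA SRK. Return r only when ECC was explicitly requested (`alg == TPM2_ALG_ECC`); otherwise log at debug level and skip the CreatePrimary call so control reaches the RSA branch. The same early return in the RSA branch at @@ -990 is fine, since RSA is the last candidate; tpm2_make_primary() starts and ends outside this hunk.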
@@ -999,7 +1100,7 @@ static int tpm2_make_primary(
 ESYS_TR_NONE,
 ESYS_TR_NONE,
 &primary_sensitive,
- primary_template,
+ &primary_template,
 NULL,
 &creation_pcr,
 &primary->esys_handle,
@@ -1024,7 +1125,7 @@ static int tpm2_make_primary(
 if (use_srk_model) {
 rc = sym_Esys_EvictControl(c->esys_context, ESYS_TR_RH_OWNER, primary->esys_handle,
- ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, SRK_HANDLE, &primary->esys_handle);
+ ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, TPM2_SRK_HANDLE, &primary->esys_handle);
 if (rc != TSS2_RC_SUCCESS)
 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
 "Failed to persist SRK within TPM: %s", sym_Tss2_RC_Decode(rc));
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 015514e4bf9..5fa64563796 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -13,13 +13,6 @@ typedef enum TPM2Flags {
 TPM2_FLAGS_USE_PIN = 1 << 0,
 } TPM2Flags;
 
-
-typedef enum Tpm2SRKTemplateFlags {
- TPM2_SRK_TEMPLATE_ECC = 1 << 0,
- TPM2_SRK_TEMPLATE_NEW_STYLE = 1 << 1,
- _TPM2_SRK_TEMPLATE_MAX = TPM2_SRK_TEMPLATE_NEW_STYLE|TPM2_SRK_TEMPLATE_ECC,
-} Tpm2SRKTemplateFlags;
-
 /* As per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf a
 * TPM2 on a Client PC must have at least 24 PCRs. This hardcodes our expectation of 24. */
 #define TPM2_PCRS_MAX 24U
@@ -119,8 +112,6 @@ char *tpm2_tpml_pcr_selection_to_string(const TPML_PCR_SELECTION *l);
 size_t tpm2_tpml_pcr_selection_weight(const TPML_PCR_SELECTION *l);
 #define tpm2_tpml_pcr_selection_is_empty(l) (tpm2_tpml_pcr_selection_weight(l) == 0)
 
-const TPM2B_PUBLIC *tpm2_get_primary_template(Tpm2SRKTemplateFlags flags);
-
 #else /* HAVE_TPM2 */
 typedef struct {} Tpm2Context;
 typedef struct {} Tpm2Handle;
diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c
index e60de5e29ed..f014c8f27e1 100644
--- a/src/test/test-tpm2.c
+++ b/src/test/test-tpm2.c
@@ -458,96 +458,6 @@ TEST(tpml_pcr_selection_add_sub) {
 expected2, expected2_count);
 }
 
-/* this test includes TPM2 specific data structures */
-TEST(tpm2_get_primary_template) {
-
- /*
- * Verify that if someone changes the template code, they know they're breaking things.
- * Templates MUST be changed in a backwards compatible way.
- *
- */
- static const TPM2B_PUBLIC templ[] = {
- /* index 0 RSA old */
- [0] = {
- .publicArea = {
- .type = TPM2_ALG_RSA,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH,
- .parameters.rsaDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .keyBits = 2048,
- },
- },
- },
- /* Index 1 ECC old */
- [TPM2_SRK_TEMPLATE_ECC] = {
- .publicArea = {
- .type = TPM2_ALG_ECC,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_USERWITHAUTH,
- .parameters.eccDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .curveID = TPM2_ECC_NIST_P256,
- .kdf.scheme = TPM2_ALG_NULL,
- },
- },
- },
- /* index 2 RSA SRK */
- [TPM2_SRK_TEMPLATE_NEW_STYLE] = {
- .publicArea = {
- .type = TPM2_ALG_RSA,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_USERWITHAUTH|TPMA_OBJECT_NODA,
- .parameters.rsaDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .keyBits = 2048,
- },
- },
- },
- /* Index 3 ECC SRK */
- [TPM2_SRK_TEMPLATE_NEW_STYLE | TPM2_SRK_TEMPLATE_ECC] = {
- .publicArea = {
- .type = TPM2_ALG_ECC,
- .nameAlg = TPM2_ALG_SHA256,
- .objectAttributes = TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT|TPMA_OBJECT_SENSITIVEDATAORIGIN|TPMA_OBJECT_RESTRICTED|TPMA_OBJECT_DECRYPT|TPMA_OBJECT_USERWITHAUTH|TPMA_OBJECT_NODA,
- .parameters.eccDetail = {
- .symmetric = {
- .algorithm = TPM2_ALG_AES,
- .keyBits.aes = 128,
- .mode.aes = TPM2_ALG_CFB,
- },
- .scheme.scheme = TPM2_ALG_NULL,
- .curveID = TPM2_ECC_NIST_P256,
- .kdf.scheme = TPM2_ALG_NULL,
- },
- },
- },
- };
-
- assert_cc(ELEMENTSOF(templ) == _TPM2_SRK_TEMPLATE_MAX + 1);
-
- for (size_t i = 0; i < ELEMENTSOF(templ); i++) {
- /* the index counter lines up with the flags and the expected template received */
- const TPM2B_PUBLIC *got = tpm2_get_primary_template((Tpm2SRKTemplateFlags)i);
- assert_se(memcmp(&templ[i], got, sizeof(*got)) == 0);
- }
-}
-
 static bool digest_check(const TPM2B_DIGEST *digest, const char *expect) {
 _cleanup_free_ char *h = NULL;