diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
commit | fc53809803cd2bc2434e312b19a18fa36776da12 (patch) | |
tree | b4b43bd6538f51965ce32856e9c053d0f90919c8 /src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | |
parent | Adding upstream version 255.5. (diff) | |
download | systemd-fc53809803cd2bc2434e312b19a18fa36776da12.tar.xz systemd-fc53809803cd2bc2434e312b19a18fa36776da12.zip |
Adding upstream version 256.upstream/256
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c')
-rw-r--r-- | src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | 44 |
1 files changed, 23 insertions, 21 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c index 846679f..08f901c 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c @@ -17,33 +17,27 @@ int acquire_luks2_key( const char *device, uint32_t hash_pcr_mask, uint16_t pcr_bank, - const void *pubkey, - size_t pubkey_size, + const struct iovec *pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, const char *pin, const char *pcrlock_path, uint16_t primary_alg, - const void *key_data, - size_t key_data_size, - const void *policy_hash, - size_t policy_hash_size, - const void *salt, - size_t salt_size, - const void *srk_buf, - size_t srk_buf_size, + const struct iovec *blob, + const struct iovec *policy_hash, + const struct iovec *salt, + const struct iovec *srk, + const struct iovec *pcrlock_nv, TPM2Flags flags, - void **ret_decrypted_key, - size_t *ret_decrypted_key_size) { + struct iovec *ret_decrypted_key) { _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL; _cleanup_free_ char *auto_device = NULL; _cleanup_(erase_and_freep) char *b64_salted_pin = NULL; int r; - assert(salt || salt_size == 0); + assert(iovec_is_valid(salt)); assert(ret_decrypted_key); - assert(ret_decrypted_key_size); if (!device) { r = tpm2_find_device_auto(&auto_device); @@ -58,10 +52,10 @@ int acquire_luks2_key( if ((flags & TPM2_FLAGS_USE_PIN) && !pin) return -ENOANO; - if (pin && salt_size > 0) { + if (pin && iovec_is_set(salt)) { uint8_t salted_pin[SHA256_DIGEST_SIZE] = {}; CLEANUP_ERASE(salted_pin); - r = tpm2_util_pbkdf2_hmac_sha256(pin, strlen(pin), salt, salt_size, salted_pin); + r = tpm2_util_pbkdf2_hmac_sha256(pin, strlen(pin), salt->iov_base, salt->iov_len, salted_pin); if (r < 0) return log_error_errno(r, "Failed to perform PBKDF2: %m"); @@ -82,6 +76,14 @@ int acquire_luks2_key( r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy); if (r < 0) return r; + if (r == 0) { + /* Not found? Then search among passed credentials */ + r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy); + if (r < 0) + return r; + if (r == 0) + return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume."); + } } _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL; @@ -92,16 +94,16 @@ int acquire_luks2_key( r = tpm2_unseal(tpm2_context, hash_pcr_mask, pcr_bank, - pubkey, pubkey_size, + pubkey, pubkey_pcr_mask, signature_json, pin, FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL, primary_alg, - key_data, key_data_size, - policy_hash, policy_hash_size, - srk_buf, srk_buf_size, - ret_decrypted_key, ret_decrypted_key_size); + blob, + policy_hash, + srk, + ret_decrypted_key); if (r < 0) return log_error_errno(r, "Failed to unseal secret using TPM2: %m"); |