summaryrefslogtreecommitdiffstats
path: root/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c')
-rw-r--r--src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c44
1 files changed, 23 insertions, 21 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index 846679f..08f901c 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -17,33 +17,27 @@ int acquire_luks2_key(
const char *device,
uint32_t hash_pcr_mask,
uint16_t pcr_bank,
- const void *pubkey,
- size_t pubkey_size,
+ const struct iovec *pubkey,
uint32_t pubkey_pcr_mask,
const char *signature_path,
const char *pin,
const char *pcrlock_path,
uint16_t primary_alg,
- const void *key_data,
- size_t key_data_size,
- const void *policy_hash,
- size_t policy_hash_size,
- const void *salt,
- size_t salt_size,
- const void *srk_buf,
- size_t srk_buf_size,
+ const struct iovec *blob,
+ const struct iovec *policy_hash,
+ const struct iovec *salt,
+ const struct iovec *srk,
+ const struct iovec *pcrlock_nv,
TPM2Flags flags,
- void **ret_decrypted_key,
- size_t *ret_decrypted_key_size) {
+ struct iovec *ret_decrypted_key) {
_cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
_cleanup_free_ char *auto_device = NULL;
_cleanup_(erase_and_freep) char *b64_salted_pin = NULL;
int r;
- assert(salt || salt_size == 0);
+ assert(iovec_is_valid(salt));
assert(ret_decrypted_key);
- assert(ret_decrypted_key_size);
if (!device) {
r = tpm2_find_device_auto(&auto_device);
@@ -58,10 +52,10 @@ int acquire_luks2_key(
if ((flags & TPM2_FLAGS_USE_PIN) && !pin)
return -ENOANO;
- if (pin && salt_size > 0) {
+ if (pin && iovec_is_set(salt)) {
uint8_t salted_pin[SHA256_DIGEST_SIZE] = {};
CLEANUP_ERASE(salted_pin);
- r = tpm2_util_pbkdf2_hmac_sha256(pin, strlen(pin), salt, salt_size, salted_pin);
+ r = tpm2_util_pbkdf2_hmac_sha256(pin, strlen(pin), salt->iov_base, salt->iov_len, salted_pin);
if (r < 0)
return log_error_errno(r, "Failed to perform PBKDF2: %m");
@@ -82,6 +76,14 @@ int acquire_luks2_key(
r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);
if (r < 0)
return r;
+ if (r == 0) {
+ /* Not found? Then search among passed credentials */
+ r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume.");
+ }
}
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
@@ -92,16 +94,16 @@ int acquire_luks2_key(
r = tpm2_unseal(tpm2_context,
hash_pcr_mask,
pcr_bank,
- pubkey, pubkey_size,
+ pubkey,
pubkey_pcr_mask,
signature_json,
pin,
FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
primary_alg,
- key_data, key_data_size,
- policy_hash, policy_hash_size,
- srk_buf, srk_buf_size,
- ret_decrypted_key, ret_decrypted_key_size);
+ blob,
+ policy_hash,
+ srk,
+ ret_decrypted_key);
if (r < 0)
return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-08 04:09:33 +0000