summaryrefslogtreecommitdiffstats
path: root/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c')
-rw-r--r--src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c71
1 files changed, 71 insertions, 0 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
new file mode 100644
index 0000000..be496d4
--- /dev/null
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -0,0 +1,71 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "ask-password-api.h"
+#include "env-util.h"
+#include "hexdecoct.h"
+#include "json.h"
+#include "log.h"
+#include "luks2-tpm2.h"
+#include "parse-util.h"
+#include "random-util.h"
+#include "strv.h"
+#include "tpm2-util.h"
+
+int acquire_luks2_key(
+ const char *device,
+ uint32_t hash_pcr_mask,
+ uint16_t pcr_bank,
+ const void *pubkey,
+ size_t pubkey_size,
+ uint32_t pubkey_pcr_mask,
+ const char *signature_path,
+ const char *pin,
+ uint16_t primary_alg,
+ const void *key_data,
+ size_t key_data_size,
+ const void *policy_hash,
+ size_t policy_hash_size,
+ TPM2Flags flags,
+ void **ret_decrypted_key,
+ size_t *ret_decrypted_key_size) {
+
+ _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
+ _cleanup_free_ char *auto_device = NULL;
+ int r;
+
+ assert(ret_decrypted_key);
+ assert(ret_decrypted_key_size);
+
+ if (!device) {
+ r = tpm2_find_device_auto(LOG_DEBUG, &auto_device);
+ if (r == -ENODEV)
+ return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
+ if (r < 0)
+ return r;
+
+ device = auto_device;
+ }
+
+ if ((flags & TPM2_FLAGS_USE_PIN) && !pin)
+ return -ENOANO;
+
+ if (pubkey_pcr_mask != 0) {
+ r = tpm2_load_pcr_signature(signature_path, &signature_json);
+ if (r < 0)
+ return r;
+ }
+
+ return tpm2_unseal(
+ device,
+ hash_pcr_mask,
+ pcr_bank,
+ pubkey, pubkey_size,
+ pubkey_pcr_mask,
+ signature_json,
+ pin,
+ primary_alg,
+ key_data, key_data_size,
+ policy_hash, policy_hash_size,
+ ret_decrypted_key, ret_decrypted_key_size);
+}