author | Ondrej Kozina <okozina@redhat.com> | 2021-08-04 11:38:20 +0200 |
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2021-08-06 13:33:50 +0100 |
commit | 38a0aec61ea39694d74fad12028a207357770d60 (patch) | |
tree | b90a7ffc4b25aebf9fe44d89be40208463044f7f /src/cryptsetup/cryptsetup-tokens | |
parent | 2525682565b372b9b83c848bfe89c025fed47a1d (diff) | |
download | systemd-38a0aec61ea39694d74fad12028a207357770d60.tar.gz |
cryptsetup: validate optional tpm2 pcr bank field in token.
Diffstat (limited to 'src/cryptsetup/cryptsetup-tokens')
-rw-r--r-- | src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
index d3aa092f6b..0baf21d36d 100644
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
@@ -212,6 +212,22 @@ _public_ int cryptsetup_token_validate(
 }
 }
 
+ /* The bank field is optional, since it was added in systemd 250 only. Before the bank was hardcoded to SHA256 */
+ w = json_variant_by_key(v, "tpm2-pcr-bank");
+ if (w) {
+ /* The PCR bank field is optional */
+
+ if (!json_variant_is_string(w)) {
+ crypt_log_debug(cd, "TPM2 PCR bank is not a string.");
+ return 1;
+ }
+
+ if (tpm2_pcr_bank_from_string(json_variant_string(w)) < 0) {
+ crypt_log_debug(cd, "TPM2 PCR bank invalid or not supported: %s.", json_variant_string(w));
+ return 1;
+ }
+ }
+
 w = json_variant_by_key(v, "tpm2-blob");
 if (!w || !json_variant_is_string(w)) {
 crypt_log_debug(cd, "TPM2 token data lacks 'tpm2-blob' field.");
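Review bot: The inner comment `/* The PCR bank field is optional */` and the blank line that follows it inside `if (w) {` repeat what the comment above the `json_variant_by_key(v, "tpm2-pcr-bank")` lookup already states; drop them, or fold both into one comment such as `/* "tpm2-pcr-bank" is optional: it only exists since systemd 250, older tokens implicitly used SHA256 */`. The check only confirms that `tpm2_pcr_bank_from_string()` recognises the name; whether the TPM on this machine actually supports that bank is presumably left to the unlock path, which is worth one clause in the same comment so nobody mistakes this for a capability check. The invalid-bank message echoes the raw string taken from the token, whereas the neighbouring `tpm2-blob` check reports without quoting the value; at debug level that seems acceptable but matching the existing style would be more consistent. `cryptsetup_token_validate` starts before and continues after this hunk.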