authorLennart Poettering <lennart@poettering.net>2021-07-30 22:19:23 +0200
committerFrantisek Sumsal <frantisek@sumsal.cz>2021-08-01 10:43:36 +0200
commitb98855d90be454cfe66e43fa611e8433b21d124d (patch)
treea50ee1df69880c4672e626b7db024d7acb362ff8 /src/cryptsetup
parent1da3eef262078905ec14c707eeab655a17ae8bd2 (diff)
cryptsetup: unbreak CI build
PR #20176 broke building of the cryptsetup token logic. This wasn't noticed before the PR was merged, because the only CIs new enough to be able to build the token logic (the Fedora Rawhide ones) didn't actually run at all on the PR. Let's add the missing hookup for the TPM2 PCR bank logic to the token module as well, to make the CI pass again.
Diffstat (limited to 'src/cryptsetup')
-rw-r--r--src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c10
-rw-r--r--src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c28
-rw-r--r--src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h2
3 files changed, 35 insertions, 5 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
index 152b06b111..d3aa092f6b 100644
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
@@ -57,6 +57,7 @@ _public_ int cryptsetup_token_open(
const char *json;
size_t blob_size, policy_hash_size, decrypted_key_size;
uint32_t pcr_mask;
+ uint16_t pcr_bank;
systemd_tpm2_plugin_params params = {
.search_pcr_mask = UINT32_MAX
};
@@ -77,7 +78,7 @@ _public_ int cryptsetup_token_open(
if (usrptr)
params = *(systemd_tpm2_plugin_params *)usrptr;
- r = parse_luks2_tpm2_data(json, params.search_pcr_mask, &pcr_mask, &base64_blob, &hex_policy_hash);
+ r = parse_luks2_tpm2_data(json, params.search_pcr_mask, &pcr_mask, &pcr_bank, &base64_blob, &hex_policy_hash);
if (r < 0)
return log_debug_open_error(cd, r);
@@ -93,6 +94,7 @@ _public_ int cryptsetup_token_open(
r = acquire_luks2_key(
pcr_mask,
+ pcr_bank,
params.device,
blob,
blob_size,
@@ -133,6 +135,7 @@ _public_ void cryptsetup_token_dump(
int r;
uint32_t i, pcr_mask;
+ uint16_t pcr_bank;
size_t decoded_blob_size;
_cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL,
*pcrs_str = NULL, *blob_str = NULL, *policy_hash_str = NULL;
@@ -140,7 +143,7 @@ _public_ void cryptsetup_token_dump(
assert(json);
- r = parse_luks2_tpm2_data(json, UINT32_MAX, &pcr_mask, &base64_blob, &hex_policy_hash);
+ r = parse_luks2_tpm2_data(json, UINT32_MAX, &pcr_mask, &pcr_bank, &base64_blob, &hex_policy_hash);
if (r < 0)
return (void) crypt_log_debug_errno(cd, r, "Failed to parse " TOKEN_NAME " metadata: %m.");
@@ -162,7 +165,8 @@ _public_ void cryptsetup_token_dump(
if (r < 0)
return (void) crypt_log_debug_errno(cd, r, "Can not dump " TOKEN_NAME " content: %m");
- crypt_log(cd, "\ttpm2-pcrs: %s\n", pcrs_str ?: "");
+ crypt_log(cd, "\ttpm2-pcrs: %s\n", strna(pcrs_str));
+ crypt_log(cd, "\ttpm2-bank: %s\n", strna(tpm2_pcr_bank_to_string(pcr_bank)));
crypt_log(cd, "\ttmp2-blob: %s\n", blob_str);
crypt_log(cd, "\ttmp2-policy-hash:" CRYPT_DUMP_LINE_SEP "%s\n", policy_hash_str);
}
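Review bot: The label on the added `crypt_log` line in cryptsetup_token_dump reads `tpm2-bank`, while the token field it reports is keyed `tpm2-pcr-bank` in parse_luks2_tpm2_data (second file of this commit); printing it under the field's own name, `crypt_log(cd, "\ttpm2-pcr-bank: %s\n", strna(tpm2_pcr_bank_to_string(pcr_bank)));`, keeps the dump output greppable against the header contents. When the token carries no bank, pcr_bank arrives here as UINT16_MAX from the parser; that tpm2_pcr_bank_to_string() returns NULL for that value, so that strna() prints "n/a" rather than something misleading, is not visible on this page and is worth confirming. cryptsetup_token_dump begins outside this hunk.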
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index 0054065926..a5571f31f6 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -10,6 +10,7 @@
int acquire_luks2_key(
uint32_t pcr_mask,
+ uint16_t pcr_bank,
const char *device,
const void *key_data,
size_t key_data_size,
@@ -34,7 +35,12 @@ int acquire_luks2_key(
device = auto_device;
}
- return tpm2_unseal(device, pcr_mask, key_data, key_data_size, policy_hash, policy_hash_size, ret_decrypted_key, ret_decrypted_key_size);
+ return tpm2_unseal(
+ device,
+ pcr_mask, pcr_bank,
+ key_data, key_data_size,
+ policy_hash, policy_hash_size,
+ ret_decrypted_key, ret_decrypted_key_size);
}
/* this function expects valid "systemd-tpm2" in json */
@@ -42,19 +48,22 @@ int parse_luks2_tpm2_data(
const char *json,
uint32_t search_pcr_mask,
uint32_t *ret_pcr_mask,
+ uint16_t *ret_pcr_bank,
char **ret_base64_blob,
char **ret_hex_policy_hash) {
int r;
JsonVariant *w, *e;
uint32_t pcr_mask = 0;
+ uint16_t pcr_bank = UINT16_MAX;
_cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
assert(json);
+ assert(ret_pcr_mask);
+ assert(ret_pcr_bank);
assert(ret_base64_blob);
assert(ret_hex_policy_hash);
- assert(ret_pcr_mask);
r = json_parse(json, 0, &v, NULL, NULL);
if (r < 0)
@@ -81,6 +90,20 @@ int parse_luks2_tpm2_data(
search_pcr_mask != pcr_mask)
return -ENXIO;
+ w = json_variant_by_key(v, "tpm2-pcr-bank");
+ if (w) {
+ /* The PCR bank field is optional */
+
+ if (!json_variant_is_string(w))
+ return -EINVAL;
+
+ r = tpm2_pcr_bank_from_string(json_variant_string(w));
+ if (r < 0)
+ return r;
+
+ pcr_bank = r;
+ }
+
w = json_variant_by_key(v, "tpm2-blob");
if (!w || !json_variant_is_string(w))
return -EINVAL;
@@ -98,6 +121,7 @@ int parse_luks2_tpm2_data(
return -ENOMEM;
*ret_pcr_mask = pcr_mask;
+ *ret_pcr_bank = pcr_bank;
*ret_base64_blob = TAKE_PTR(base64_blob);
*ret_hex_policy_hash = TAKE_PTR(hex_policy_hash);
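Review bot: The `UINT16_MAX` initializer of pcr_bank in the parse_luks2_tpm2_data hunk doubles as the "no tpm2-pcr-bank field present" sentinel that is stored through *ret_pcr_bank and then handed unchanged to tpm2_unseal() via acquire_luks2_key(), but nothing says so; a comment on the declaration, `uint16_t pcr_bank = UINT16_MAX; /* UINT16_MAX: token has no "tpm2-pcr-bank" field; passed through to the unseal path unchanged */`, plus a matching sentence on the `ret_pcr_bank` parameter of the prototype in luks2-tpm2.h, would make that contract explicit (that the unseal side treats the sentinel as "unspecified" is inferred, not visible here). In the same block the other malformed-field cases return `-EINVAL` while an unrecognised bank name propagates whatever `tpm2_pcr_bank_from_string()` returns; since this JSON is read from the on-disk LUKS2 header, returning a uniform `-EINVAL` for every shape of bad token data keeps the callers' error reporting consistent. The comment `/* The PCR bank field is optional */` sits inside the branch taken when the field is present; placing it above `w = json_variant_by_key(v, "tpm2-pcr-bank");` reads more naturally. parse_luks2_tpm2_data starts and ends outside this hunk.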
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
index d36623baf9..1a20f2cc1f 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
@@ -6,6 +6,7 @@ struct crypt_device;
int acquire_luks2_key(
uint32_t pcr_mask,
+ uint16_t pcr_bank,
const char *device,
const void *key_data,
size_t key_data_size,
@@ -18,5 +19,6 @@ int parse_luks2_tpm2_data(
const char *json,
uint32_t search_pcr_mask,
uint32_t *ret_pcr_mask,
+ uint16_t *ret_pcr_bank,
char **ret_base64_blob,
char **ret_hex_policy_hash);