diff options
author | Lennart Poettering <lennart@poettering.net> | 2022-09-09 23:06:58 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2022-09-10 20:58:41 +0200 |
commit | 251d2ea269e96beb18ad0a1a751e93d829db8ebf (patch) | |
tree | 42dfa7354da65408346b389eae7c2f6ffd89d873 /src/shared/tpm2-util.c | |
parent | 706c9a30accbd36254181cee5abee97cd1675f66 (diff) | |
download | systemd-251d2ea269e96beb18ad0a1a751e93d829db8ebf.tar.gz |
tpm2-util: avoid trial
Let's avoid trial mode for putting together policies if we can, and use
the real policy whenever we can pull it off.
Fixes: #24401
Diffstat (limited to 'src/shared/tpm2-util.c')
-rw-r--r-- | src/shared/tpm2-util.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 7c9eb77f95..ba2120065a 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -924,6 +924,18 @@ static int tpm2_make_policy_session( log_debug("Starting authentication session."); + /* So apparently some TPM implementations don't implement trial mode correctly. To avoid issues let's + * avoid it when it is easy to. At the moment we only really need trial mode for the signed PCR + * policies (since only then we need to shove PCR values into the policy that don't match current + * state anyway), hence if we have none of those we don't need to bother. Hence, let's patch in + * TPM2_SE_POLICY even if trial mode is requested unless a pubkey PCR mask is specified that is + * non-zero, i.e. signed PCR policy is requested. + * + * One day we should switch to calculating policy hashes client side when trial mode is requested, to + * avoid this mess. */ + if (session_type == TPM2_SE_TRIAL && pubkey_pcr_mask == 0) + session_type = TPM2_SE_POLICY; + if ((hash_pcr_mask | pubkey_pcr_mask) != 0) { /* We are told to configure a PCR policy of some form, let's determine/validate the PCR bank to use. */ |