diff options
| author | Lennart Poettering <lennart@poettering.net> | 2021-09-13 10:52:43 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-09-13 14:48:23 +0200 |
| commit | 2b92a67261934d5788613385279157eb1c9fd110 (patch) | |
| tree | 95bb5d819d43ec9beac1a6bee6fab5c8fcc6fbd2 /src/shared/tpm2-util.h | |
| parent | 3f9992d82e0bc601bb33ad7b19a1722c4478c542 (diff) | |
| download | systemd-2b92a67261934d5788613385279157eb1c9fd110.tar.gz | |
tpm2: support RSA primary keys as fallback if TPM2 devices don't support ECC
Previously, we hardcoded use of ECC as primary keys, since they are much
faster (i.e. saving multiple seconds) to do TPM2 operations with. Alas,
not all TPM2 chips appear to support ECC. Bummer.
Let's hence add a fallback logic: if we can't create an ECC primary key,
use an RSA key, and store that fact away.
AFIU the security guarantees should be roughly the same, it's just that
RSA primary keys is so much slower to work with than ECC.
The primary key algorithm is used is stored in the JSON header of LUKS
disks, in a new field. If the field is absent we assume to use ECC, to
provide full compatibility with old systemd versions.
The primary key algorithm is stored in a new field in the credentials
file format (in fact, a previously unused zero space is used), too.
Hopefully, this should ensure that TPM2 support will "just work" on more
systems.
Fixes: #20361
Diffstat (limited to 'src/shared/tpm2-util.h')
| -rw-r--r-- | src/shared/tpm2-util.h | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 8032afe7b0..b8f12760d0 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -34,8 +34,8 @@ extern TSS2_RC (*sym_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[], siz int dlopen_tpm2(void); -int tpm2_seal(const char *device, uint32_t pcr_mask, void **ret_secret, size_t *ret_secret_size, void **ret_blob, size_t *ret_blob_size, void **ret_pcr_hash, size_t *ret_pcr_hash_size, uint16_t *ret_pcr_bank); -int tpm2_unseal(const char *device, uint32_t pcr_mask, uint16_t pcr_bank, const void *blob, size_t blob_size, const void *pcr_hash, size_t pcr_hash_size, void **ret_secret, size_t *ret_secret_size); +int tpm2_seal(const char *device, uint32_t pcr_mask, void **ret_secret, size_t *ret_secret_size, void **ret_blob, size_t *ret_blob_size, void **ret_pcr_hash, size_t *ret_pcr_hash_size, uint16_t *ret_pcr_bank, uint16_t *ret_primary_alg); +int tpm2_unseal(const char *device, uint32_t pcr_mask, uint16_t pcr_bank, uint16_t primary_alg, const void *blob, size_t blob_size, const void *pcr_hash, size_t pcr_hash_size, void **ret_secret, size_t *ret_secret_size); #endif @@ -44,17 +44,37 @@ int tpm2_find_device_auto(int log_level, char **ret); int tpm2_parse_pcrs(const char *s, uint32_t *ret); -int tpm2_make_luks2_json(int keyslot, uint32_t pcr_mask, uint16_t pcr_bank, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, JsonVariant **ret); +int tpm2_make_luks2_json(int keyslot, uint32_t pcr_mask, uint16_t pcr_bank, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, JsonVariant **ret); #define TPM2_PCRS_MAX 24 /* Default to PCR 7 only */ #define TPM2_PCR_MASK_DEFAULT (UINT32_C(1) << 7) -int tpm2_pcr_bank_supported(uint16_t bank); +/* We want the helpers below to work also if TPM2 libs are not available, hence define these four defines if + * they are missing. */ +#ifndef TPM2_ALG_SHA256 +#define TPM2_ALG_SHA256 0xB +#endif + +#ifndef TPM2_ALG_SHA1 +#define TPM2_ALG_SHA1 0x4 +#endif + +#ifndef TPM2_ALG_ECC +#define TPM2_ALG_ECC 0x23 +#endif + +#ifndef TPM2_ALG_RSA +#define TPM2_ALG_RSA 0x1 +#endif + const char *tpm2_pcr_bank_to_string(uint16_t bank); int tpm2_pcr_bank_from_string(const char *bank); +const char *tpm2_primary_alg_to_string(uint16_t bank); +int tpm2_primary_alg_from_string(const char *alg); + typedef struct { uint32_t search_pcr_mask; const char *device; |