diff options
| -rw-r--r-- | src/core/execute.c | 4 | ||||
| -rw-r--r-- | src/creds/creds.c | 4 | ||||
| -rw-r--r-- | src/shared/creds-util.c | 131 | ||||
| -rw-r--r-- | src/shared/creds-util.h | 7 | ||||
| -rw-r--r-- | src/shared/tpm2-util.c | 46 | ||||
| -rw-r--r-- | src/shared/tpm2-util.h | 3 |
6 files changed, 167 insertions, 28 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 0ce18159bd..6474c97e80 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2746,7 +2746,7 @@ static int load_credential( _cleanup_free_ void *plaintext = NULL; size_t plaintext_size = 0; - r = decrypt_credential_and_warn(id, now(CLOCK_REALTIME), NULL, data, size, &plaintext, &plaintext_size); + r = decrypt_credential_and_warn(id, now(CLOCK_REALTIME), NULL, NULL, data, size, &plaintext, &plaintext_size); if (r < 0) return r; @@ -2920,7 +2920,7 @@ static int acquire_credentials( return log_debug_errno(errno, "Failed to test if credential %s exists: %m", sc->id); if (sc->encrypted) { - r = decrypt_credential_and_warn(sc->id, now(CLOCK_REALTIME), NULL, sc->data, sc->size, &plaintext, &size); + r = decrypt_credential_and_warn(sc->id, now(CLOCK_REALTIME), NULL, NULL, sc->data, sc->size, &plaintext, &size); if (r < 0) return r; diff --git a/src/creds/creds.c b/src/creds/creds.c index c067c886db..03422d31ff 100644 --- a/src/creds/creds.c +++ b/src/creds/creds.c @@ -418,6 +418,7 @@ static int verb_cat(int argc, char **argv, void *userdata) { *cn, timestamp, arg_tpm2_device, + /* tpm2_signature_path= */ NULL, data, size, &plaintext, &plaintext_size); if (r < 0) @@ -490,6 +491,8 @@ static int verb_encrypt(int argc, char **argv, void *userdata) { arg_not_after, arg_tpm2_device, arg_tpm2_pcr_mask, + /* tpm2_pubkey_path= */ NULL, + /* tpm2_pubkey_pcr_mask= */ 0, plaintext, plaintext_size, &output, &output_size); if (r < 0) @@ -577,6 +580,7 @@ static int verb_decrypt(int argc, char **argv, void *userdata) { name, timestamp, arg_tpm2_device, + /* tpm2_signature_path= */ NULL, input, input_size, &plaintext, &plaintext_size); if (r < 0) diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index 6f061a1aa3..02d86207c2 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c @@ -11,6 +11,7 @@ #include "blockdev-util.h" #include "chattr-util.h" #include "creds-util.h" +#include "def.h" #include "efi-api.h" #include "env-util.h" #include "fd-util.h" @@ -27,6 +28,8 @@ #include "tpm2-util.h" #include "virt.h" +#define PUBLIC_KEY_MAX (UINT32_C(1024) * UINT32_C(1024)) + bool credential_name_valid(const char *s) { /* We want that credential names are both valid in filenames (since that's our primary way to pass * them around) and as fdnames (which is how we might want to pass them around eventually) */ @@ -461,6 +464,13 @@ struct _packed_ tpm2_credential_header { /* Followed by NUL bytes until next 8 byte boundary */ }; +struct _packed_ tpm2_public_key_credential_header { + le64_t pcr_mask; /* PCRs used for the public key PCR policy (usually just PCR 11, i.e. the unified kernel) */ + le32_t size; /* Size of DER public key */ + uint8_t data[]; /* DER public key */ + /* Followed by NUL bytes until next 8 byte boundary */ +}; + struct _packed_ metadata_credential_header { le64_t timestamp; le64_t not_after; @@ -519,6 +529,8 @@ int encrypt_credential_and_warn( usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, + const char *tpm2_pubkey_path, + uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, @@ -532,6 +544,8 @@ int encrypt_credential_and_warn( uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0; struct encrypted_credential_header *h; int ksz, bsz, ivsz, tsz, added, r; + _cleanup_free_ void *pubkey = NULL; + size_t pubkey_size = 0; uint8_t md[SHA256_DIGEST_LENGTH]; const EVP_CIPHER *cc; sd_id128_t id; @@ -545,7 +559,9 @@ int encrypt_credential_and_warn( _CRED_AUTO_INITRD, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_TPM2_HMAC, + CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK, CRED_AES256_GCM_BY_TPM2_ABSENT)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid key type: " SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(with_key)); @@ -569,7 +585,8 @@ int encrypt_credential_and_warn( if (sd_id128_in_set(with_key, _CRED_AUTO, CRED_AES256_GCM_BY_HOST, - CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) { + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) { r = get_credential_host_secret( CREDENTIAL_SECRET_GENERATE| @@ -604,20 +621,41 @@ int encrypt_credential_and_warn( if (!try_tpm2) log_debug("Firmware lacks TPM2 support, not attempting to use TPM2."); } else - try_tpm2 = sd_id128_in_set(with_key, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC); + try_tpm2 = sd_id128_in_set(with_key, + CRED_AES256_GCM_BY_TPM2_HMAC, + CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK); if (try_tpm2) { + if (sd_id128_in_set(with_key, + _CRED_AUTO, + _CRED_AUTO_INITRD, + CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, + CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) { + + /* Load public key for PCR policies, if one is specified, or explicitly requested */ + + r = tpm2_load_pcr_public_key(tpm2_pubkey_path, &pubkey, &pubkey_size); + if (r < 0) { + if (tpm2_pubkey_path || r != -ENOENT || !sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) + return log_error_errno(r, "Failed read TPM PCR public key: %m"); + + log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m"); + } + } + + if (!pubkey) + tpm2_pubkey_pcr_mask = 0; + r = tpm2_seal(tpm2_device, tpm2_hash_pcr_mask, - /* pubkey= */ NULL, /* pubkey_size= */ 0, - /* pubkey_pcr_mask= */ 0, + pubkey, pubkey_size, + tpm2_pubkey_pcr_mask, /* pin= */ NULL, - &tpm2_key, - &tpm2_key_size, - &tpm2_blob, - &tpm2_blob_size, - &tpm2_policy_hash, - &tpm2_policy_hash_size, + &tpm2_key, &tpm2_key_size, + &tpm2_blob, &tpm2_blob_size, + &tpm2_policy_hash, &tpm2_policy_hash_size, &tpm2_pcr_bank, &tpm2_primary_alg); if (r < 0) { @@ -638,9 +676,9 @@ int encrypt_credential_and_warn( /* Let's settle the key type in auto mode now. */ if (host_key && tpm2_key) - id = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC; + id = pubkey ? CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC; else if (tpm2_key) - id = CRED_AES256_GCM_BY_TPM2_HMAC; + id = pubkey ? CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_TPM2_HMAC; else if (host_key) id = CRED_AES256_GCM_BY_HOST; else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) @@ -696,6 +734,7 @@ int encrypt_credential_and_warn( output_size = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) + ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) + + ALIGN8(pubkey ? offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size : 0) + ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) + input_size + 2U * (size_t) bsz + tsz; @@ -729,6 +768,17 @@ int encrypt_credential_and_warn( p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size); } + if (pubkey) { + struct tpm2_public_key_credential_header *z; + + z = (struct tpm2_public_key_credential_header*) ((uint8_t*) output + p); + z->pcr_mask = htole64(tpm2_pubkey_pcr_mask); + z->size = htole32(pubkey_size); + memcpy(z->data, pubkey, pubkey_size); + + p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size); + } + /* Pass the encrypted + TPM2 header as AAD */ if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s", @@ -800,18 +850,20 @@ int decrypt_credential_and_warn( const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, + const char *tpm2_signature_path, const void *input, size_t input_size, void **ret, size_t *ret_size) { _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL; + _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL; _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL; size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs; struct encrypted_credential_header *h; struct metadata_credential_header *m; uint8_t md[SHA256_DIGEST_LENGTH]; - bool with_tpm2, with_host_key, is_tpm2_absent; + bool with_tpm2, with_host_key, is_tpm2_absent, with_tpm2_pk; const EVP_CIPHER *cc; int r, added; @@ -825,13 +877,20 @@ int decrypt_credential_and_warn( if (input_size < sizeof(h->id)) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); - with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC); - with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC); + with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK); + with_tpm2_pk = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK); + with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC) || with_tpm2_pk; is_tpm2_absent = sd_id128_equal(h->id, CRED_AES256_GCM_BY_TPM2_ABSENT); if (!with_host_key && !with_tpm2 && !is_tpm2_absent) return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m"); + if (with_tpm2_pk) { + r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json); + if (r < 0) + return r; + } + if (is_tpm2_absent) { /* So this is a credential encrypted with a zero length key. We support this to cover for the * case where neither a host key not a TPM2 are available (specifically: initrd environments @@ -870,7 +929,8 @@ int decrypt_credential_and_warn( * lower limit only) */ if (input_size < ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) + - ALIGN8((with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0)) + + ALIGN8(with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0) + + ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) + ALIGN8(offsetof(struct metadata_credential_header, name)) + le32toh(h->tag_size)) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); @@ -880,6 +940,7 @@ int decrypt_credential_and_warn( if (with_tpm2) { #if HAVE_TPM2 struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p); + struct tpm2_public_key_credential_header *z = NULL; if (!TPM2_PCR_MASK_VALID(t->pcr_mask)) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range."); @@ -897,16 +958,41 @@ int decrypt_credential_and_warn( if (input_size < ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) + ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) + + ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) + ALIGN8(offsetof(struct metadata_credential_header, name)) + le32toh(h->tag_size)) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); + p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + + le32toh(t->blob_size) + + le32toh(t->policy_hash_size)); + + if (with_tpm2_pk) { + z = (struct tpm2_public_key_credential_header*) ((uint8_t*) input + p); + + if (!TPM2_PCR_MASK_VALID(le64toh(z->pcr_mask)) || le64toh(z->pcr_mask) == 0) + return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range."); + if (le32toh(z->size) > PUBLIC_KEY_MAX) + return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected public key size."); + + if (input_size < + ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) + + ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) + + ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + le32toh(z->size)) + + ALIGN8(offsetof(struct metadata_credential_header, name)) + + le32toh(h->tag_size)) + return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short."); + + p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + + le32toh(z->size)); + } + r = tpm2_unseal(tpm2_device, le64toh(t->pcr_mask), le16toh(t->pcr_bank), - /* pubkey= */ NULL, /* pubkey_size= */ 0, - /* pubkey_pcr_mask= */ 0, - /* signature= */ NULL, + z ? z->data : NULL, z ? le32toh(z->size) : 0, + le64toh(z->pcr_mask), + signature_json, /* pin= */ NULL, le16toh(t->primary_alg), t->policy_hash_and_blob, @@ -918,9 +1004,6 @@ int decrypt_credential_and_warn( if (r < 0) return r; - p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + - le32toh(t->blob_size) + - le32toh(t->policy_hash_size)); #else return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available."); #endif @@ -1076,11 +1159,11 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t * return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available."); } -int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) { +int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) { return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available."); } -int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size) { +int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const void *input, size_t input_size, void **ret, size_t *ret_size) { return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available."); } diff --git a/src/shared/creds-util.h b/src/shared/creds-util.h index 62e5c888ee..cf3d6c7dc6 100644 --- a/src/shared/creds-util.h +++ b/src/shared/creds-util.h @@ -52,7 +52,10 @@ int get_credential_user_password(const char *username, char **ret_password, bool * for us to handle). */ #define CRED_AES256_GCM_BY_HOST SD_ID128_MAKE(5a,1c,6a,86,df,9d,40,96,b1,d5,a6,5e,08,62,f1,9a) #define CRED_AES256_GCM_BY_TPM2_HMAC SD_ID128_MAKE(0c,7c,c0,7b,11,76,45,91,9c,4b,0b,ea,08,bc,20,fe) +#define CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK SD_ID128_MAKE(fa,f7,eb,93,41,e3,41,2c,a1,a4,36,f9,5a,29,36,2f) #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC SD_ID128_MAKE(93,a8,94,09,48,74,44,90,90,ca,f2,fc,93,ca,b5,53) +#define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK \ + SD_ID128_MAKE(af,49,50,a8,49,13,4e,b1,a7,38,46,30,4f,f3,0c,05) #define CRED_AES256_GCM_BY_TPM2_ABSENT SD_ID128_MAKE(05,84,69,da,f6,f5,43,24,80,05,49,da,0f,8e,a2,fb) /* Two special IDs to pick a general automatic mode (i.e. tpm2+host if TPM2 exists, only host otherwise) or @@ -63,5 +66,5 @@ int get_credential_user_password(const char *username, char **ret_password, bool #define _CRED_AUTO SD_ID128_MAKE(a2,19,cb,07,85,b2,4c,04,b1,6d,18,ca,b9,d2,ee,01) #define _CRED_AUTO_INITRD SD_ID128_MAKE(02,dc,8e,de,3a,02,43,ab,a9,ec,54,9c,05,e6,a0,71) -int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size); -int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size); +int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size); +int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const void *input, size_t input_size, void **ret, size_t *ret_size); diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 1546bb02f9..aef0603855 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -9,9 +9,11 @@ #if HAVE_TPM2 #include "alloc-util.h" +#include "def.h" #include "dirent-util.h" #include "dlfcn-util.h" #include "fd-util.h" +#include "fileio.h" #include "format-table.h" #include "fs-util.h" #include "hexdecoct.h" @@ -1955,3 +1957,47 @@ int tpm2_parse_pcr_argument(const char *arg, uint32_t *mask) { return 0; } + +int tpm2_load_pcr_signature(const char *path, JsonVariant **ret) { + _cleanup_free_ char *discovered_path = NULL; + _cleanup_fclose_ FILE *f = NULL; + int r; + + /* Tries to load a JSON PCR signature file. Takes an absolute path, a simple file name or NULL. In + * the latter two cases searches in /etc/, /usr/lib/, /run/, as usual. */ + + if (!path) + path = "tpm2-pcr-signature.json"; + + r = search_and_fopen(path, "re", NULL, (const char**) CONF_PATHS_STRV("systemd"), &f, &discovered_path); + if (r < 0) + return log_debug_errno(r, "Failed to find TPM PCR signature file '%s': %m", path); + + r = json_parse_file(f, discovered_path, 0, ret, NULL, NULL); + if (r < 0) + return log_debug_errno(r, "Failed to parse TPM PCR signature JSON object '%s': %m", discovered_path); + + return 0; +} + +int tpm2_load_pcr_public_key(const char *path, void **ret_pubkey, size_t *ret_pubkey_size) { + _cleanup_free_ char *discovered_path = NULL; + _cleanup_fclose_ FILE *f = NULL; + int r; + + /* Tries to load a PCR public key file. Takes an absolute path, a simple file name or NULL. In the + * latter two cases searches in /etc/, /usr/lib/, /run/, as usual. */ + + if (!path) + path = "tpm2-pcr-public-key.pem"; + + r = search_and_fopen(path, "re", NULL, (const char**) CONF_PATHS_STRV("systemd"), &f, &discovered_path); + if (r < 0) + return log_debug_errno(r, "Failed to find TPM PCR public key file '%s': %m", path); + + r = read_full_stream(f, (char**) ret_pubkey, ret_pubkey_size); + if (r < 0) + return log_debug_errno(r, "Failed to load TPM PCR public key PEM file '%s': %m", discovered_path); + + return 0; +} diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 7a61b1e797..ee6e94ef67 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -142,3 +142,6 @@ typedef enum Tpm2Support { Tpm2Support tpm2_support(void); int tpm2_parse_pcr_argument(const char *arg, uint32_t *mask); + +int tpm2_load_pcr_signature(const char *path, JsonVariant **ret); +int tpm2_load_pcr_public_key(const char *path, void **ret_pubkey, size_t *ret_pubkey_size); |