diff options
| -rw-r--r-- | src/cryptenroll/cryptenroll-tpm2.c | 2 | ||||
| -rw-r--r-- | src/shared/creds-util.c | 2 | ||||
| -rw-r--r-- | src/shared/tpm2-util.c | 4 | ||||
| -rw-r--r-- | src/shared/tpm2-util.h | 6 |
4 files changed, 9 insertions, 5 deletions
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index e8c64dd753..01f2e1183c 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -147,7 +147,7 @@ int enroll_tpm2(struct crypt_device *cd, assert(cd); assert(volume_key); assert(volume_key_size > 0); - assert(pcr_mask < (1U << TPM2_PCRS_MAX)); /* Support 24 PCR banks */ + assert(TPM2_PCR_MASK_VALID(pcr_mask)); assert_se(node = crypt_get_device_name(cd)); diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index c1a9d35528..03f5fb8c3f 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c @@ -879,7 +879,7 @@ int decrypt_credential_and_warn( #if HAVE_TPM2 struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p); - if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX)) + if (!TPM2_PCR_MASK_VALID(t->pcr_mask)) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range."); if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank))) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported"); diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index f88272db7b..9bbd5fb27c 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -865,7 +865,7 @@ int tpm2_seal( assert(ret_pcr_hash_size); assert(ret_pcr_bank); - assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */ + assert(TPM2_PCR_MASK_VALID(pcr_mask)); /* So here's what we do here: we connect to the TPM2 chip. It persistently contains a "seed" key that * is randomized when the TPM2 is first initialized or reset and remains stable across boots. We @@ -1069,7 +1069,7 @@ int tpm2_unseal( assert(ret_secret); assert(ret_secret_size); - assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */ + assert(TPM2_PCR_MASK_VALID(pcr_mask)); r = dlopen_tpm2(); if (r < 0) diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index ef19bed4f6..ed6a5d1ca2 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -56,7 +56,11 @@ int tpm2_parse_pcrs(const char *s, uint32_t *ret); int tpm2_make_luks2_json(int keyslot, uint32_t pcr_mask, uint16_t pcr_bank, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, TPM2Flags flags, JsonVariant **ret); -#define TPM2_PCRS_MAX 24 +#define TPM2_PCRS_MAX 24U + +static inline bool TPM2_PCR_MASK_VALID(uint64_t pcr_mask) { + return pcr_mask < (UINT64_C(1) << TPM2_PCRS_MAX); /* Support 24 PCR banks */ +} /* Default to PCR 7 only */ #define TPM2_PCR_MASK_DEFAULT (UINT32_C(1) << 7) |