summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/cryptenroll/cryptenroll-tpm2.c2
-rw-r--r--src/shared/creds-util.c2
-rw-r--r--src/shared/tpm2-util.c4
-rw-r--r--src/shared/tpm2-util.h6
4 files changed, 9 insertions, 5 deletions
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index e8c64dd753..01f2e1183c 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -147,7 +147,7 @@ int enroll_tpm2(struct crypt_device *cd,
assert(cd);
assert(volume_key);
assert(volume_key_size > 0);
- assert(pcr_mask < (1U << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+ assert(TPM2_PCR_MASK_VALID(pcr_mask));
assert_se(node = crypt_get_device_name(cd));
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index c1a9d35528..03f5fb8c3f 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -879,7 +879,7 @@ int decrypt_credential_and_warn(
#if HAVE_TPM2
struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
- if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX))
+ if (!TPM2_PCR_MASK_VALID(t->pcr_mask))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index f88272db7b..9bbd5fb27c 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -865,7 +865,7 @@ int tpm2_seal(
assert(ret_pcr_hash_size);
assert(ret_pcr_bank);
- assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+ assert(TPM2_PCR_MASK_VALID(pcr_mask));
/* So here's what we do here: we connect to the TPM2 chip. It persistently contains a "seed" key that
* is randomized when the TPM2 is first initialized or reset and remains stable across boots. We
@@ -1069,7 +1069,7 @@ int tpm2_unseal(
assert(ret_secret);
assert(ret_secret_size);
- assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+ assert(TPM2_PCR_MASK_VALID(pcr_mask));
r = dlopen_tpm2();
if (r < 0)
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index ef19bed4f6..ed6a5d1ca2 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -56,7 +56,11 @@ int tpm2_parse_pcrs(const char *s, uint32_t *ret);
int tpm2_make_luks2_json(int keyslot, uint32_t pcr_mask, uint16_t pcr_bank, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, TPM2Flags flags, JsonVariant **ret);
-#define TPM2_PCRS_MAX 24
+#define TPM2_PCRS_MAX 24U
+
+static inline bool TPM2_PCR_MASK_VALID(uint64_t pcr_mask) {
+ return pcr_mask < (UINT64_C(1) << TPM2_PCRS_MAX); /* Support 24 PCR banks */
+}
/* Default to PCR 7 only */
#define TPM2_PCR_MASK_DEFAULT (UINT32_C(1) << 7)