Diffstat (limited to 'src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c')
-rw-r--r-- | src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | 130 |
1 files changed, 18 insertions, 112 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index 3d633de3f5..be496d4949 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -13,19 +13,24 @@
 #include "tpm2-util.h"
 int acquire_luks2_key(
- uint32_t pcr_mask,
+ const char *device,
+ uint32_t hash_pcr_mask,
 uint16_t pcr_bank,
+ const void *pubkey,
+ size_t pubkey_size,
+ uint32_t pubkey_pcr_mask,
+ const char *signature_path,
+ const char *pin,
 uint16_t primary_alg,
- const char *device,
 const void *key_data,
 size_t key_data_size,
 const void *policy_hash,
 size_t policy_hash_size,
 TPM2Flags flags,
- const char *pin,
 void **ret_decrypted_key,
 size_t *ret_decrypted_key_size) {
+ _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
 _cleanup_free_ char *auto_device = NULL;
 int r;
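Review bot: The reordered signature places three `const char *` parameters (`device`, `signature_path`, `pin`) where other `const char *` values used to sit, so a caller still passing arguments in the old order compiles cleanly and hands the PIN where a path is expected, or the reverse. The diffstat is limited to this file, so I cannot see whether every caller was updated in the same commit; a doc comment above `int acquire_luks2_key(` stating the parameter contract would at least make the expectation explicit. I would add a header comment saying that `pubkey`, `pubkey_size`, `pubkey_pcr_mask` and `signature_path` form one unit and are only consumed when `pubkey_pcr_mask` is non-zero, that `pin` is required when `flags` carries `TPM2_FLAGS_USE_PIN`, and that `ret_decrypted_key` is handed to the caller by `tpm2_unseal()`. The presence of `auto_device` suggests `device` may be NULL and detected automatically, but that logic sits below this hunk and is not visible here. The body of acquire_luks2_key() continues past the end of the hunk.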
@@ -45,121 +50,22 @@ int acquire_luks2_key(
 if ((flags & TPM2_FLAGS_USE_PIN) && !pin)
 return -ENOANO;
+ if (pubkey_pcr_mask != 0) {
+ r = tpm2_load_pcr_signature(signature_path, &signature_json);
+ if (r < 0)
+ return r;
+ }
+
 return tpm2_unseal(
 device,
- pcr_mask,
+ hash_pcr_mask,
 pcr_bank,
- /* pubkey= */ NULL, /* pubkey_size= */ 0,
- /* pubkey_pcr_mask= */ 0,
- /* signature_json= */ NULL,
+ pubkey, pubkey_size,
+ pubkey_pcr_mask,
+ signature_json,
 pin,
 primary_alg,
 key_data, key_data_size,
 policy_hash, policy_hash_size,
 ret_decrypted_key, ret_decrypted_key_size);
 }
-
-/* this function expects valid "systemd-tpm2" in json */
-int parse_luks2_tpm2_data(
- const char *json,
- uint32_t search_pcr_mask,
- uint32_t *ret_pcr_mask,
- uint16_t *ret_pcr_bank,
- uint16_t *ret_primary_alg,
- char **ret_base64_blob,
- char **ret_hex_policy_hash,
- TPM2Flags *ret_flags) {
-
- int r;
- JsonVariant *w;
- uint32_t pcr_mask;
- uint16_t pcr_bank = UINT16_MAX, primary_alg = TPM2_ALG_ECC;
- _cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL;
- _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
- TPM2Flags flags = 0;
-
- assert(json);
- assert(ret_pcr_mask);
- assert(ret_pcr_bank);
- assert(ret_primary_alg);
- assert(ret_base64_blob);
- assert(ret_hex_policy_hash);
-
- r = json_parse(json, 0, &v, NULL, NULL);
- if (r < 0)
- return -EINVAL;
-
- w = json_variant_by_key(v, "tpm2-pcrs");
- if (!w)
- return -EINVAL;
-
- r = tpm2_parse_pcr_json_array(w, &pcr_mask);
- if (r < 0)
- return r;
-
- if (search_pcr_mask != UINT32_MAX &&
- search_pcr_mask != pcr_mask)
- return -ENXIO;
-
- w = json_variant_by_key(v, "tpm2-pcr-bank");
- if (w) {
- /* The PCR bank field is optional */
-
- if (!json_variant_is_string(w))
- return -EINVAL;
-
- r = tpm2_pcr_bank_from_string(json_variant_string(w));
- if (r < 0)
- return r;
-
- pcr_bank = r;
- }
-
- w = json_variant_by_key(v, "tpm2-primary-alg");
- if (w) {
- /* The primary key algorithm is optional */
-
- if (!json_variant_is_string(w))
- return -EINVAL;
-
- r = tpm2_primary_alg_from_string(json_variant_string(w));
- if (r < 0)
- return r;
-
- primary_alg = r;
- }
-
- w = json_variant_by_key(v, "tpm2-blob");
- if (!w || !json_variant_is_string(w))
- return -EINVAL;
-
- base64_blob = strdup(json_variant_string(w));
- if (!base64_blob)
- return -ENOMEM;
-
- w = json_variant_by_key(v, "tpm2-policy-hash");
- if (!w || !json_variant_is_string(w))
- return -EINVAL;
-
- hex_policy_hash = strdup(json_variant_string(w));
- if (!hex_policy_hash)
- return -ENOMEM;
-
- w = json_variant_by_key(v, "tpm2-pin");
- if (w) {
- if (!json_variant_is_boolean(w))
- return -EINVAL;
-
- if (json_variant_boolean(w))
- flags |= TPM2_FLAGS_USE_PIN;
- }
-
- *ret_pcr_mask = pcr_mask;
- *ret_pcr_bank = pcr_bank;
- *ret_primary_alg = primary_alg;
- *ret_base64_blob = TAKE_PTR(base64_blob);
- *ret_hex_policy_hash = TAKE_PTR(hex_policy_hash);
- *ret_flags = flags;
-
- return 0;
-}
|
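Review bot: The added block loads the PCR signature only when `pubkey_pcr_mask != 0`, but nothing checks that `pubkey`/`pubkey_size` are actually supplied in that case, and a caller-provided `signature_path` is silently ignored when the mask is zero; both mismatches fall through to `tpm2_unseal()` with no diagnostic unless it validates them itself, which is not visible here. A guard ahead of the load, `if (pubkey_pcr_mask != 0 && (!pubkey || pubkey_size == 0)) return -EINVAL;`, would make the contract explicit and mirror the `-ENOANO` check for the PIN just above it. It is also worth a one-line comment on the `if (pubkey_pcr_mask != 0)` branch noting that the signature is an input to the TPM policy and that a missing or mismatching one surfaces as an unseal failure from `tpm2_unseal()`, so the error path here is the only place the caller learns the file could not be read. acquire_luks2_key() begins in the previous hunk and the lines between the two hunks are not shown; the removal of parse_luks2_tpm2_data() below is a pure deletion and needs no comment.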