Diffstat (limited to 'src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c')
-rw-r--r--src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c130
1 files changed, 18 insertions, 112 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index 3d633de3f5..be496d4949 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -13,19 +13,24 @@
#include "tpm2-util.h"
int acquire_luks2_key(
- uint32_t pcr_mask,
+ const char *device,
+ uint32_t hash_pcr_mask,
uint16_t pcr_bank,
+ const void *pubkey,
+ size_t pubkey_size,
+ uint32_t pubkey_pcr_mask,
+ const char *signature_path,
+ const char *pin,
uint16_t primary_alg,
- const char *device,
const void *key_data,
size_t key_data_size,
const void *policy_hash,
size_t policy_hash_size,
TPM2Flags flags,
- const char *pin,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
+ _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
_cleanup_free_ char *auto_device = NULL;
int r;
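Review bot: The reworked prototype now takes 16 positional parameters, among them two pointer/size pairs and three values of the same integer width (`hash_pcr_mask`, `pubkey_pcr_mask`, `flags`), with no header comment, so a swapped argument at a call site compiles silently. A short comment above `int acquire_luks2_key(` naming the parameter groups — device; hash-PCR policy (`hash_pcr_mask`, `pcr_bank`); public-key PCR policy (`pubkey`, `pubkey_size`, `pubkey_pcr_mask`, `signature_path`); PIN; sealed blob and policy hash; the output pair — would make the order checkable by a reader, and the return convention (negative errno, `-ENOANO` when `TPM2_FLAGS_USE_PIN` is set but no PIN is given) belongs there too. Whether `pubkey` and `signature_path` may be NULL when `pubkey_pcr_mask` is zero should be stated in that comment as well. The function body continues beyond this hunk.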
@@ -45,121 +50,22 @@ int acquire_luks2_key(
if ((flags & TPM2_FLAGS_USE_PIN) && !pin)
return -ENOANO;
+ if (pubkey_pcr_mask != 0) {
+ r = tpm2_load_pcr_signature(signature_path, &signature_json);
+ if (r < 0)
+ return r;
+ }
+
return tpm2_unseal(
device,
- pcr_mask,
+ hash_pcr_mask,
pcr_bank,
- /* pubkey= */ NULL, /* pubkey_size= */ 0,
- /* pubkey_pcr_mask= */ 0,
- /* signature_json= */ NULL,
+ pubkey, pubkey_size,
+ pubkey_pcr_mask,
+ signature_json,
pin,
primary_alg,
key_data, key_data_size,
policy_hash, policy_hash_size,
ret_decrypted_key, ret_decrypted_key_size);
}
-
-/* this function expects valid "systemd-tpm2" in json */
-int parse_luks2_tpm2_data(
- const char *json,
- uint32_t search_pcr_mask,
- uint32_t *ret_pcr_mask,
- uint16_t *ret_pcr_bank,
- uint16_t *ret_primary_alg,
- char **ret_base64_blob,
- char **ret_hex_policy_hash,
- TPM2Flags *ret_flags) {
-
- int r;
- JsonVariant *w;
- uint32_t pcr_mask;
- uint16_t pcr_bank = UINT16_MAX, primary_alg = TPM2_ALG_ECC;
- _cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL;
- _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
- TPM2Flags flags = 0;
-
- assert(json);
- assert(ret_pcr_mask);
- assert(ret_pcr_bank);
- assert(ret_primary_alg);
- assert(ret_base64_blob);
- assert(ret_hex_policy_hash);
-
- r = json_parse(json, 0, &v, NULL, NULL);
- if (r < 0)
- return -EINVAL;
-
- w = json_variant_by_key(v, "tpm2-pcrs");
- if (!w)
- return -EINVAL;
-
- r = tpm2_parse_pcr_json_array(w, &pcr_mask);
- if (r < 0)
- return r;
-
- if (search_pcr_mask != UINT32_MAX &&
- search_pcr_mask != pcr_mask)
- return -ENXIO;
-
- w = json_variant_by_key(v, "tpm2-pcr-bank");
- if (w) {
- /* The PCR bank field is optional */
-
- if (!json_variant_is_string(w))
- return -EINVAL;
-
- r = tpm2_pcr_bank_from_string(json_variant_string(w));
- if (r < 0)
- return r;
-
- pcr_bank = r;
- }
-
- w = json_variant_by_key(v, "tpm2-primary-alg");
- if (w) {
- /* The primary key algorithm is optional */
-
- if (!json_variant_is_string(w))
- return -EINVAL;
-
- r = tpm2_primary_alg_from_string(json_variant_string(w));
- if (r < 0)
- return r;
-
- primary_alg = r;
- }
-
- w = json_variant_by_key(v, "tpm2-blob");
- if (!w || !json_variant_is_string(w))
- return -EINVAL;
-
- base64_blob = strdup(json_variant_string(w));
- if (!base64_blob)
- return -ENOMEM;
-
- w = json_variant_by_key(v, "tpm2-policy-hash");
- if (!w || !json_variant_is_string(w))
- return -EINVAL;
-
- hex_policy_hash = strdup(json_variant_string(w));
- if (!hex_policy_hash)
- return -ENOMEM;
-
- w = json_variant_by_key(v, "tpm2-pin");
- if (w) {
- if (!json_variant_is_boolean(w))
- return -EINVAL;
-
- if (json_variant_boolean(w))
- flags |= TPM2_FLAGS_USE_PIN;
- }
-
- *ret_pcr_mask = pcr_mask;
- *ret_pcr_bank = pcr_bank;
- *ret_primary_alg = primary_alg;
- *ret_base64_blob = TAKE_PTR(base64_blob);
- *ret_hex_policy_hash = TAKE_PTR(hex_policy_hash);
- *ret_flags = flags;
-
- return 0;
-}
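Review bot: The new guard `if (pubkey_pcr_mask != 0)` loads the signature but never checks that a public key was actually supplied with the mask; a non-zero `pubkey_pcr_mask` together with `pubkey == NULL` or `pubkey_size == 0` is only caught, if at all, inside tpm2_unseal. Unless tpm2_unseal is known to reject that combination, failing early here keeps the error local: `if (pubkey_pcr_mask != 0 && (!pubkey || pubkey_size == 0)) return -EINVAL;`. It is also not visible from this hunk what tpm2_load_pcr_signature does when `signature_path` is NULL, so a one-line comment on the call, e.g. `/* signature_path may be NULL; tpm2_load_pcr_signature then uses its default search locations — confirm */`, would save the next reader a lookup and make explicit that the signature file is untrusted on-disk input whose only protection is verification against pubkey inside tpm2_unseal.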