Diffstat (limited to 'src/cryptsetup')
-rw-r--r--src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c15
-rw-r--r--src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c3
-rw-r--r--src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h2
-rw-r--r--src/cryptsetup/cryptsetup-tpm2.c15
-rw-r--r--src/cryptsetup/cryptsetup-tpm2.h4
-rw-r--r--src/cryptsetup/cryptsetup.c7
6 files changed, 38 insertions, 8 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
index b5d66e389d..aab3a4b4c0 100644
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
@@ -42,8 +42,8 @@ _public_ int cryptsetup_token_open_pin(
void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) {
_cleanup_(erase_and_freep) char *base64_encoded = NULL, *pin_string = NULL;
- _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL;
- size_t blob_size, policy_hash_size, decrypted_key_size, pubkey_size, salt_size = 0;
+ _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL, *srk_buf = NULL;
+ size_t blob_size, policy_hash_size, decrypted_key_size, pubkey_size, salt_size = 0, srk_buf_size = 0;
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
@@ -92,6 +92,8 @@ _public_ int cryptsetup_token_open_pin(
&policy_hash_size,
&salt,
&salt_size,
+ &srk_buf,
+ &srk_buf_size,
&flags);
if (r < 0)
return log_debug_open_error(cd, r);
@@ -114,6 +116,8 @@ _public_ int cryptsetup_token_open_pin(
policy_hash_size,
salt,
salt_size,
+ srk_buf,
+ srk_buf_size,
flags,
&decrypted_key,
&decrypted_key_size);
@@ -172,9 +176,9 @@ _public_ void cryptsetup_token_dump(
const char *json /* validated 'systemd-tpm2' token if cryptsetup_token_validate is defined */) {
_cleanup_free_ char *hash_pcrs_str = NULL, *pubkey_pcrs_str = NULL, *blob_str = NULL, *policy_hash_str = NULL, *pubkey_str = NULL;
- _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL;
+ _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL, *srk_buf = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
- size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0;
+ size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0, srk_buf_size = 0;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
uint16_t pcr_bank, primary_alg;
TPM2Flags flags = 0;
@@ -201,6 +205,8 @@ _public_ void cryptsetup_token_dump(
&policy_hash_size,
&salt,
&salt_size,
+ &srk_buf,
+ &srk_buf_size,
&flags);
if (r < 0)
return (void) crypt_log_debug_errno(cd, r, "Failed to parse " TOKEN_NAME " JSON fields: %m");
@@ -234,6 +240,7 @@ _public_ void cryptsetup_token_dump(
crypt_log(cd, "\ttpm2-policy-hash:" CRYPT_DUMP_LINE_SEP "%s\n", policy_hash_str);
crypt_log(cd, "\ttpm2-pin: %s\n", true_false(flags & TPM2_FLAGS_USE_PIN));
crypt_log(cd, "\ttpm2-salt: %s\n", true_false(salt));
+ crypt_log(cd, "\ttpm2-srk: %s\n", true_false(srk_buf));
}
/*
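Review bot: The new dump line reports only whether an SRK blob is present, whereas the neighbouring lines in this hunk print the actual blob and policy-hash values, so a reader comparing two headers cannot tell that the stored SRK public area differs. Printing the length is cheap and `srk_buf_size` is already in scope from the -172,9 hunk of this function: `crypt_log(cd, "\ttpm2-srk: %s (%zu bytes)\n", true_false(srk_buf), srk_buf_size);`. The body of cryptsetup_token_dump starts outside this hunk.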
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index 3074887269..e2fa49b94f 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -29,6 +29,8 @@ int acquire_luks2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t srk_buf_size,
TPM2Flags flags,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
@@ -89,5 +91,6 @@ int acquire_luks2_key(
primary_alg,
key_data, key_data_size,
policy_hash, policy_hash_size,
+ srk_buf, srk_buf_size,
ret_decrypted_key, ret_decrypted_key_size);
}
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
index 36d514caa0..1143f5fd9f 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
@@ -22,6 +22,8 @@ int acquire_luks2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t srk_buf_size,
TPM2Flags flags,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size);
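Review bot: The new `srk_buf`/`srk_buf_size` parameter pair of `acquire_luks2_key` is undocumented in this prototype: nothing states what the buffer holds or whether a NULL/0 pair is accepted. The cryptsetup.c hunk in this same commit passes `/* srk_buf= */ NULL, /* srk_buf_size= */ 0` to the sibling `acquire_tpm2_key`, which suggests NULL means "the token carries no stored SRK", but that contract should be written down where callers look. A one-line comment above the pair such as `/* srk_buf: optional SRK public blob taken from the token; NULL/0 when absent */` would do, and if the callee does not in fact accept NULL the comment should say so and the callers be re-checked.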
diff --git a/src/cryptsetup/cryptsetup-tpm2.c b/src/cryptsetup/cryptsetup-tpm2.c
index a375a22758..5e277b0dd6 100644
--- a/src/cryptsetup/cryptsetup-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tpm2.c
@@ -72,6 +72,8 @@ int acquire_tpm2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t srk_buf_size,
TPM2Flags flags,
usec_t until,
bool headless,
@@ -141,6 +143,8 @@ int acquire_tpm2_key(
blob_size,
policy_hash,
policy_hash_size,
+ srk_buf,
+ srk_buf_size,
ret_decrypted_key,
ret_decrypted_key_size);
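Review bot: `srk_buf` is forwarded verbatim to the unseal call here and again on the retry in the -181,6 hunk, and the -252 hunk of `find_tpm2_auto_data` shows it is parsed out of the LUKS2 token JSON, i.e. from on-disk data rather than from the TPM. Whether the callee checks the supplied SRK public area against the TPM-resident SRK is not visible in this hunk; if it does not, that check belongs there, and either way a short comment at this call site would record the expectation: `/* srk_buf originates from the token JSON; the unseal path must treat it as untrusted input */`. The enclosing function starts and ends outside this hunk.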
@@ -181,6 +185,8 @@ int acquire_tpm2_key(
blob_size,
policy_hash,
policy_hash_size,
+ srk_buf,
+ srk_buf_size,
ret_decrypted_key,
ret_decrypted_key_size);
/* We get this error in case there is an authentication policy mismatch. This should
@@ -210,6 +216,8 @@ int find_tpm2_auto_data(
size_t *ret_policy_hash_size,
void **ret_salt,
size_t *ret_salt_size,
+ void **ret_srk_buf,
+ size_t *ret_srk_buf_size,
TPM2Flags *ret_flags,
int *ret_keyslot,
int *ret_token) {
@@ -219,9 +227,9 @@ int find_tpm2_auto_data(
assert(cd);
for (token = start_token; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
- _cleanup_free_ void *blob = NULL, *policy_hash = NULL, *pubkey = NULL, *salt = NULL;
+ _cleanup_free_ void *blob = NULL, *policy_hash = NULL, *pubkey = NULL, *salt = NULL, *srk_buf = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
- size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0;
+ size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0, srk_buf_size = 0;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
uint16_t pcr_bank, primary_alg;
TPM2Flags flags;
@@ -244,6 +252,7 @@ int find_tpm2_auto_data(
&blob, &blob_size,
&policy_hash, &policy_hash_size,
&salt, &salt_size,
+ &srk_buf, &srk_buf_size,
&flags);
if (r == -EUCLEAN) /* Gracefully handle issues in JSON fields not owned by us */
continue;
@@ -270,6 +279,8 @@ int find_tpm2_auto_data(
*ret_salt_size = salt_size;
*ret_keyslot = keyslot;
*ret_token = token;
+ *ret_srk_buf = TAKE_PTR(srk_buf);
+ *ret_srk_buf_size = srk_buf_size;
*ret_flags = flags;
return 0;
}
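Review bot: `*ret_srk_buf` and `*ret_srk_buf_size` are written unconditionally on the success path, so every caller must pass non-NULL out-pointers, yet the only precondition visible in this function's hunks is `assert(cd);` in the -219,9 hunk. If the function asserts its other `ret_*` parameters above that line (outside the hunks), `assert(ret_srk_buf); assert(ret_srk_buf_size);` should join them; otherwise make the pair optional with `if (ret_srk_buf) *ret_srk_buf = TAKE_PTR(srk_buf);` and the matching size guard. Separately, the new assignments are placed after `*ret_keyslot`/`*ret_token` instead of beside `*ret_salt_size` where the other buffer outputs are grouped, which breaks the ordering the surrounding lines follow. The function continues past this hunk.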
diff --git a/src/cryptsetup/cryptsetup-tpm2.h b/src/cryptsetup/cryptsetup-tpm2.h
index f6549b7d1d..c3d56ac979 100644
--- a/src/cryptsetup/cryptsetup-tpm2.h
+++ b/src/cryptsetup/cryptsetup-tpm2.h
@@ -30,6 +30,8 @@ int acquire_tpm2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t salt_srk_buf_size,
TPM2Flags flags,
usec_t until,
bool headless,
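Review bot: The parameter name in the new prototype line `size_t salt_srk_buf_size,` does not match the definition in cryptsetup-tpm2.c (`size_t srk_buf_size,` in its -72,6 hunk), and the -53,6 hunk below in this file has the same problem with `size_t *ret_srk_size,` versus `size_t *ret_srk_buf_size` in the definition. C does not compare prototype parameter names, so this compiles, but the header is what callers read and the mismatched names misdescribe the argument. Rename to `size_t srk_buf_size,` here and `size_t *ret_srk_buf_size,` in the second hunk so the two files agree.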
@@ -53,6 +55,8 @@ int find_tpm2_auto_data(
size_t *ret_policy_hash_size,
void **ret_salt,
size_t *ret_salt_size,
+ void **ret_srk_buf,
+ size_t *ret_srk_size,
TPM2Flags *ret_flags,
int *ret_keyslot,
int *ret_token);
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index fa160c1f8c..f9283ce6f4 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -1659,6 +1659,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
key_data, key_data_size,
/* policy_hash= */ NULL, /* policy_hash_size= */ 0, /* we don't know the policy hash */
/* salt= */ NULL, /* salt_size= */ 0,
+ /* srk_buf= */ NULL, /* srk_buf_size= */ 0,
arg_tpm2_pin ? TPM2_FLAGS_USE_PIN : 0,
until,
arg_headless,
@@ -1704,8 +1705,8 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
* works. */
for (;;) {
- _cleanup_free_ void *pubkey = NULL, *salt = NULL;
- size_t pubkey_size = 0, salt_size = 0;
+ _cleanup_free_ void *pubkey = NULL, *salt = NULL, *srk_buf = NULL;
+ size_t pubkey_size = 0, salt_size = 0, srk_buf_size = 0;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
uint16_t pcr_bank, primary_alg;
TPM2Flags tpm2_flags;
@@ -1722,6 +1723,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
&blob, &blob_size,
&policy_hash, &policy_hash_size,
&salt, &salt_size,
+ &srk_buf, &srk_buf_size,
&tpm2_flags,
&keyslot,
&token);
@@ -1752,6 +1754,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
blob, blob_size,
policy_hash, policy_hash_size,
salt, salt_size,
+ srk_buf, srk_buf_size,
tpm2_flags,
until,
arg_headless,