Diffstat (limited to 'src/cryptsetup')
-rw-r--r-- | src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c | 15 | ||||
-rw-r--r-- | src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | 3 | ||||
-rw-r--r-- | src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h | 2 | ||||
-rw-r--r-- | src/cryptsetup/cryptsetup-tpm2.c | 15 | ||||
-rw-r--r-- | src/cryptsetup/cryptsetup-tpm2.h | 4 | ||||
-rw-r--r-- | src/cryptsetup/cryptsetup.c | 7 |
6 files changed, 38 insertions, 8 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
index b5d66e389d..aab3a4b4c0 100644
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
@@ -42,8 +42,8 @@ _public_ int cryptsetup_token_open_pin(
void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) {
_cleanup_(erase_and_freep) char *base64_encoded = NULL, *pin_string = NULL;
- _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL;
- size_t blob_size, policy_hash_size, decrypted_key_size, pubkey_size, salt_size = 0;
+ _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL, *srk_buf = NULL;
+ size_t blob_size, policy_hash_size, decrypted_key_size, pubkey_size, salt_size = 0, srk_buf_size = 0;
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
@@ -92,6 +92,8 @@ _public_ int cryptsetup_token_open_pin(
&policy_hash_size, &salt, &salt_size,
+ &srk_buf,
+ &srk_buf_size,
&flags);
if (r < 0) return log_debug_open_error(cd, r);
@@ -114,6 +116,8 @@ _public_ int cryptsetup_token_open_pin(
policy_hash_size, salt, salt_size,
+ srk_buf,
+ srk_buf_size,
flags, &decrypted_key, &decrypted_key_size);
@@ -172,9 +176,9 @@ _public_ void cryptsetup_token_dump(
const char *json /* validated 'systemd-tpm2' token if cryptsetup_token_validate is defined */) {
_cleanup_free_ char *hash_pcrs_str = NULL, *pubkey_pcrs_str = NULL, *blob_str = NULL, *policy_hash_str = NULL, *pubkey_str = NULL;
- _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL;
+ _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL, *srk_buf = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
- size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0;
+ size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0, srk_buf_size = 0;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
uint16_t pcr_bank, primary_alg;
TPM2Flags flags = 0;
@@ -201,6 +205,8 @@ _public_ void cryptsetup_token_dump(
&policy_hash_size, &salt, &salt_size,
+ &srk_buf,
+ &srk_buf_size,
&flags);
if (r < 0) return (void) crypt_log_debug_errno(cd, r, "Failed to parse " TOKEN_NAME " JSON fields: %m");
@@ -234,6 +240,7 @@ _public_ void cryptsetup_token_dump(
crypt_log(cd, "\ttpm2-policy-hash:" CRYPT_DUMP_LINE_SEP "%s\n", policy_hash_str);
crypt_log(cd, "\ttpm2-pin: %s\n", true_false(flags & TPM2_FLAGS_USE_PIN));
crypt_log(cd, "\ttpm2-salt: %s\n", true_false(salt));
+ crypt_log(cd, "\ttpm2-srk: %s\n", true_false(srk_buf));
}
/*
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index 3074887269..e2fa49b94f 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -29,6 +29,8 @@ int acquire_luks2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t srk_buf_size,
TPM2Flags flags,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
@@ -89,5 +91,6 @@ int acquire_luks2_key(
primary_alg, key_data, key_data_size, policy_hash, policy_hash_size,
+ srk_buf, srk_buf_size,
ret_decrypted_key, ret_decrypted_key_size);
}
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
index 36d514caa0..1143f5fd9f 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
@@ -22,6 +22,8 @@ int acquire_luks2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t srk_buf_size,
TPM2Flags flags,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size);
diff --git a/src/cryptsetup/cryptsetup-tpm2.c b/src/cryptsetup/cryptsetup-tpm2.c
index a375a22758..5e277b0dd6 100644
--- a/src/cryptsetup/cryptsetup-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tpm2.c
@@ -72,6 +72,8 @@ int acquire_tpm2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t srk_buf_size,
TPM2Flags flags,
usec_t until,
bool headless,
@@ -141,6 +143,8 @@ int acquire_tpm2_key(
blob_size, policy_hash, policy_hash_size,
+ srk_buf,
+ srk_buf_size,
ret_decrypted_key, ret_decrypted_key_size);
@@ -181,6 +185,8 @@ int acquire_tpm2_key(
blob_size, policy_hash, policy_hash_size,
+ srk_buf,
+ srk_buf_size,
ret_decrypted_key, ret_decrypted_key_size);
/* We get this error in case there is an authentication policy mismatch. This should
@@ -210,6 +216,8 @@ int find_tpm2_auto_data(
size_t *ret_policy_hash_size,
void **ret_salt,
size_t *ret_salt_size,
+ void **ret_srk_buf,
+ size_t *ret_srk_buf_size,
TPM2Flags *ret_flags,
int *ret_keyslot,
int *ret_token) {
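Review bot: `srk_buf`/`srk_buf_size` are forwarded into both unseal calls of acquire_tpm2_key (the `@@ -141,6 +143,8 @@` and `@@ -181,6 +185,8 @@` hunks of cryptsetup-tpm2.c) without any check at this level, and the buffer originates from the LUKS2 token JSON parsed in find_tpm2_auto_data (the `@@ -244,6 +252,7 @@` hunk), so it is on-disk, untrusted input in the same sense as `blob` and `policy_hash`. Nothing in this diff documents who is responsible for unmarshalling and bounds-checking it — whether the callee does so is not visible here — so the new prototype lines in cryptsetup-tpm2.h and luks2-tpm2.h deserve a comment such as `/* srk_buf: optional serialized SRK public area read from the token JSON (untrusted input), or NULL with size 0 */`. The body of acquire_tpm2_key starts and ends outside these hunks.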
@@ -219,9 +227,9 @@ int find_tpm2_auto_data(
assert(cd);
for (token = start_token; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
- _cleanup_free_ void *blob = NULL, *policy_hash = NULL, *pubkey = NULL, *salt = NULL;
+ _cleanup_free_ void *blob = NULL, *policy_hash = NULL, *pubkey = NULL, *salt = NULL, *srk_buf = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
- size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0;
+ size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0, srk_buf_size = 0;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
uint16_t pcr_bank, primary_alg;
TPM2Flags flags;
@@ -244,6 +252,7 @@ int find_tpm2_auto_data(
&blob, &blob_size, &policy_hash, &policy_hash_size, &salt, &salt_size,
+ &srk_buf, &srk_buf_size,
&flags);
if (r == -EUCLEAN) /* Gracefully handle issues in JSON fields not owned by us */ continue;
@@ -270,6 +279,8 @@ int find_tpm2_auto_data(
*ret_salt_size = salt_size;
*ret_keyslot = keyslot;
*ret_token = token;
+ *ret_srk_buf = TAKE_PTR(srk_buf);
+ *ret_srk_buf_size = srk_buf_size;
*ret_flags = flags;
return 0;
}
diff --git a/src/cryptsetup/cryptsetup-tpm2.h b/src/cryptsetup/cryptsetup-tpm2.h
index f6549b7d1d..c3d56ac979 100644
--- a/src/cryptsetup/cryptsetup-tpm2.h
+++ b/src/cryptsetup/cryptsetup-tpm2.h
@@ -30,6 +32,8 @@ int acquire_tpm2_key(
size_t policy_hash_size,
const void *salt,
size_t salt_size,
+ const void *srk_buf,
+ size_t salt_srk_buf_size,
TPM2Flags flags,
usec_t until,
bool headless,
@@ -53,6 +55,8 @@ int find_tpm2_auto_data(
size_t *ret_policy_hash_size,
void **ret_salt,
size_t *ret_salt_size,
+ void **ret_srk_buf,
+ size_t *ret_srk_size,
TPM2Flags *ret_flags,
int *ret_keyslot,
int *ret_token);
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index fa160c1f8c..f9283ce6f4 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
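Review bot: The two new out-parameter stores in the `@@ -270,6 +279,8 @@` hunk of find_tpm2_auto_data (`*ret_srk_buf = TAKE_PTR(srk_buf);` / `*ret_srk_buf_size = srk_buf_size;`) are slotted between `*ret_token = token;` and `*ret_flags = flags;` instead of next to the `*ret_salt_size = salt_size;` store they mirror, which separates the buffer/size hand-off from the other buffer transfers and makes the ownership move easy to overlook; moving the two lines up beside the salt stores keeps the pairs together. The function's assertion block lies outside these hunks (only `assert(cd);` is visible at the top of the `@@ -219,9 +227,9 @@` hunk), so if the existing `ret_*` pointers are asserted non-NULL there, `assert(ret_srk_buf); assert(ret_srk_buf_size);` should be added too, since both are now dereferenced unconditionally. Because `srk_buf` starts as NULL with `srk_buf_size` 0 and the JSON parse presumably leaves them so when the token has no SRK field, the header comment should state that `*ret_srk_buf` may legitimately come back NULL with size 0.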
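Review bot: The parameter names in the new cryptsetup-tpm2.h prototype lines do not match the definitions in cryptsetup-tpm2.c: the header declares `size_t salt_srk_buf_size,` for acquire_tpm2_key (`@@ -30,6 +32,8 @@`) and `size_t *ret_srk_size,` for find_tpm2_auto_data (`@@ -53,6 +55,8 @@`), while the `@@ -72,6 +72,8 @@` and `@@ -210,6 +216,8 @@` hunks of the .c file name them `srk_buf_size` and `ret_srk_buf_size`. The compiler accepts differing prototype names, but the header is what callers read, and `salt_srk_buf_size` reads like a copy-paste slip from the `salt_size` line above it. Change the two declaration lines to `size_t srk_buf_size,` and `size_t *ret_srk_buf_size,` so the header agrees with the definitions and with luks2-tpm2.h.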
@@ -1659,6 +1659,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
key_data, key_data_size,
/* policy_hash= */ NULL, /* policy_hash_size= */ 0, /* we don't know the policy hash */
/* salt= */ NULL, /* salt_size= */ 0,
+ /* srk_buf= */ NULL, /* srk_buf_size= */ 0,
arg_tpm2_pin ? TPM2_FLAGS_USE_PIN : 0, until, arg_headless,
@@ -1704,8 +1705,8 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
* works. */
for (;;) {
- _cleanup_free_ void *pubkey = NULL, *salt = NULL;
- size_t pubkey_size = 0, salt_size = 0;
+ _cleanup_free_ void *pubkey = NULL, *salt = NULL, *srk_buf = NULL;
+ size_t pubkey_size = 0, salt_size = 0, srk_buf_size = 0;
uint32_t hash_pcr_mask, pubkey_pcr_mask;
uint16_t pcr_bank, primary_alg;
TPM2Flags tpm2_flags;
@@ -1722,6 +1723,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
&blob, &blob_size, &policy_hash, &policy_hash_size, &salt, &salt_size,
+ &srk_buf, &srk_buf_size,
&tpm2_flags, &keyslot, &token);
@@ -1752,6 +1754,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
blob, blob_size, policy_hash, policy_hash_size, salt, salt_size,
+ srk_buf, srk_buf_size,
tpm2_flags, until, arg_headless, |
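Review bot: The `@@ -1659,6 +1659,7 @@` hunk passes `/* srk_buf= */ NULL, /* srk_buf_size= */ 0,` with no explanation, while the policy-hash line directly above it carries the trailing `/* we don't know the policy hash */` comment saying why that value is absent; a matching trailing comment, e.g. `/* srk_buf= */ NULL, /* srk_buf_size= */ 0, /* no token here, so no stored SRK to pass along */`, would make clear the omission is deliberate, given that the token-driven loop below (`@@ -1722,6 +1723,7 @@` and `@@ -1752,6 +1754,7 @@`) does thread the value from find_tpm2_auto_data into acquire_tpm2_key. That this branch is the raw `key_data` path with no token to read an SRK from is inferred from the surrounding arguments, not shown in the hunk, so word the comment to match whatever the actual reason is. attach_luks_or_plain_or_bitlk_by_tpm2 starts and ends outside these hunks.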