From 07697bfee6988630cdb35887c2f2ca3283001f7a Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 8 Jul 2021 13:52:21 +0200
Subject: tpm2-util: auto-detect supported PCR banks

Previously, we'd encode PCR policies strictly with the SHA256 PCR bank set. However, as it appears not all hw implement those. Sad. Let's add some minimal logic to auto-detect supported PCR banks: if SHA256 is supported, use that. But if not, automatically fall back to SHA1. This then changes both the LUKS code, and the credentials code to serialize the selected bank, along with the rest of the data in order to make this robust. This extends the LUK2 JSON metadata in a compatible way. The credentials encryption format is modified in an incompatible way however, but given that this is not part of any official release should be OK.

Fixes: #20134
---
 src/cryptsetup/cryptsetup-tpm2.h | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'src/cryptsetup/cryptsetup-tpm2.h')

diff --git a/src/cryptsetup/cryptsetup-tpm2.h b/src/cryptsetup/cryptsetup-tpm2.h
index 8ddf301a63..a82ecb4594 100644
--- a/src/cryptsetup/cryptsetup-tpm2.h
+++ b/src/cryptsetup/cryptsetup-tpm2.h
@@ -13,6 +13,7 @@ int acquire_tpm2_key(
 const char *volume_name,
 const char *device,
 uint32_t pcr_mask,
+ uint16_t pcr_bank,
 const char *key_file,
 size_t key_file_size,
 uint64_t key_file_offset,
@@ -28,6 +29,7 @@ int find_tpm2_auto_data(
 uint32_t search_pcr_mask,
 int start_token,
 uint32_t *ret_pcr_mask,
+ uint16_t *ret_pcr_bank,
 void **ret_blob,
 size_t *ret_blob_size,
 void **ret_policy_hash,
@@ -41,6 +43,7 @@ static inline int acquire_tpm2_key(
 const char *volume_name,
 const char *device,
 uint32_t pcr_mask,
+ uint16_t pcr_bank,
 const char *key_file,
 size_t key_file_size,
 uint64_t key_file_offset,
@@ -60,6 +63,7 @@ static inline int find_tpm2_auto_data(
 uint32_t search_pcr_mask,
 int start_token,
 uint32_t *ret_pcr_mask,
+ uint16_t *ret_pcr_bank,
 void **ret_blob,
 size_t *ret_blob_size,
 void **ret_policy_hash,
-- 
cgit v1.2.1
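Review bot: The new `pcr_bank` parameter of `acquire_tpm2_key` and the `ret_pcr_bank` out-parameter of `find_tpm2_auto_data` carry no comment saying what value they hold, and this header is the only documentation a caller of these prototypes sees; the same gap applies to the two `static inline` variants in the third and fourth hunks. Per the commit message the bank is auto-detected (SHA256, else SHA1) and then serialized into the LUKS2 token metadata, so the value `find_tpm2_auto_data` hands back is presumably read from on-disk JSON and should be treated as untrusted until the caller confirms it names a bank the TPM actually offers — that validation, if present, is outside this header-only diff. Suggest `/* identifier of the PCR bank (SHA256 or SHA1 fallback, see tpm2-util) the policy is bound to */` on the `pcr_bank` line and `/* bank recorded in the token metadata; validate before use */` on `ret_pcr_bank`. Each prototype starts and ends outside its hunk.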