1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "alloc-util.h"
4 #include "ask-password-api.h"
9 #include "luks2-tpm2.h"
10 #include "parse-util.h"
11 #include "random-util.h"
14 #include "tpm2-util.h"
16 int acquire_luks2_key(
18 uint32_t hash_pcr_mask
,
22 uint32_t pubkey_pcr_mask
,
23 const char *signature_path
,
28 const void *policy_hash
,
29 size_t policy_hash_size
,
33 void **ret_decrypted_key
,
34 size_t *ret_decrypted_key_size
) {
36 _cleanup_(json_variant_unrefp
) JsonVariant
*signature_json
= NULL
;
37 _cleanup_free_
char *auto_device
= NULL
;
38 _cleanup_(erase_and_freep
) char *b64_salted_pin
= NULL
;
41 assert(ret_decrypted_key
);
42 assert(ret_decrypted_key_size
);
45 r
= tpm2_find_device_auto(LOG_DEBUG
, &auto_device
);
47 return -EAGAIN
; /* Tell the caller to wait for a TPM2 device to show up */
54 if ((flags
& TPM2_FLAGS_USE_PIN
) && !pin
)
57 /* If we're using a PIN, and the luks header has a salt, it better have a pin too */
58 if ((flags
& TPM2_FLAGS_USE_PIN
) && salt
&& !pin
)
62 uint8_t salted_pin
[SHA256_DIGEST_SIZE
] = {};
63 CLEANUP_ERASE(salted_pin
);
64 r
= tpm2_util_pbkdf2_hmac_sha256(pin
, strlen(pin
), salt
, salt_size
, salted_pin
);
66 return log_error_errno(r
, "Failed to perform PBKDF2: %m");
68 r
= base64mem(salted_pin
, sizeof(salted_pin
), &b64_salted_pin
);
70 return log_error_errno(r
, "Failed to base64 encode salted pin: %m");
74 if (pubkey_pcr_mask
!= 0) {
75 r
= tpm2_load_pcr_signature(signature_path
, &signature_json
);
89 key_data
, key_data_size
,
90 policy_hash
, policy_hash_size
,
91 ret_decrypted_key
, ret_decrypted_key_size
);