size_t secret2_size;
log_debug("Unsealing for verification...");
- r = tpm2_unseal(device,
+ r = tpm2_unseal(tpm2_context,
hash_pcr_mask,
hash_pcr_bank,
pubkey, pubkey_size,
return log_error_errno(r, "Failed to load PCR signature: %m");
}
- r = tpm2_unseal(device,
+ _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
+ r = tpm2_context_new(device, &tpm2_context);
+ if (r < 0)
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
+
+ r = tpm2_unseal(tpm2_context,
hash_pcr_mask,
pcr_bank,
pubkey, pubkey_size,
return log_error_errno(r, "Failed to load pcr signature: %m");
}
+ _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
+ r = tpm2_context_new(device, &tpm2_context);
+ if (r < 0)
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
+
if (!(flags & TPM2_FLAGS_USE_PIN)) {
- r = tpm2_unseal(device,
+ r = tpm2_unseal(tpm2_context,
hash_pcr_mask,
pcr_bank,
pubkey, pubkey_size,
/* no salting needed, backwards compat with non-salted pins */
b64_salted_pin = TAKE_PTR(pin_str);
- r = tpm2_unseal(device,
+ r = tpm2_unseal(tpm2_context,
hash_pcr_mask,
pcr_bank,
pubkey, pubkey_size,
le32toh(z->size));
}
+ _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
+ r = tpm2_context_new(tpm2_device, &tpm2_context);
+ if (r < 0)
+ return r;
+
// TODO: Add the SRK data to the credential structure so it can be plumbed
// through and used to verify the TPM session.
- r = tpm2_unseal(tpm2_device,
+ r = tpm2_unseal(tpm2_context,
le64toh(t->pcr_mask),
le16toh(t->pcr_bank),
z ? z->data : NULL,
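Review bot: The `tpm2_context_new()` failure path added here returns the bare code (`return r;`) while the two other callers changed in this commit report the same failure with `log_error_errno(r, "Failed to create TPM2 context: %m")`, so a failed TPM connection is silent at this call site. If this function logs its other TPM errors (its body starts and ends outside the hunk, so I cannot tell), change the line to `return log_error_errno(r, "Failed to create TPM2 context: %m");`; if errors are deliberately left to the caller, a short comment such as `/* caller logs; keep the error code intact */` would make the asymmetry intentional. The TODO about plumbing the SRK data through for session verification is untouched by the change and still applies to the new call.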
#define RETRY_UNSEAL_MAX 30u
-int tpm2_unseal(const char *device,
+int tpm2_unseal(Tpm2Context *c,
uint32_t hash_pcr_mask,
uint16_t pcr_bank,
const void *pubkey,
assert(TPM2_PCR_MASK_VALID(hash_pcr_mask));
assert(TPM2_PCR_MASK_VALID(pubkey_pcr_mask));
- r = dlopen_tpm2();
- if (r < 0)
- return r;
-
/* So here's what we do here: We connect to the TPM2 chip. As we do when sealing we generate a
* "primary" key on the TPM2 chip, with the same parameters as well as a PCR-bound policy session.
* Given we pass the same parameters, this will result in the same "primary" key, and same policy
if (r < 0)
return log_debug_errno(r, "Could not extract parts from blob: %m");
- _cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
- r = tpm2_context_new(device, &c);
- if (r < 0)
- return r;
-
/* Older code did not save the pcr_bank, and unsealing needed to detect the best pcr bank to use,
* so we need to handle that legacy situation. */
if (pcr_bank == UINT16_MAX) {
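Review bot: The new `Tpm2Context *c` parameter is the only input of tpm2_unseal() not validated on entry, whereas the PCR masks are asserted directly below the signature; add `assert(c);` alongside `assert(TPM2_PCR_MASK_VALID(hash_pcr_mask));` so a NULL context fails loudly before it reaches any TPM call. The block comment that opens "So here's what we do here: We connect to the TPM2 chip" now describes work that the removed `tpm2_context_new()` call did and that has moved to the callers, so reword its first sentence to say that the caller hands in an already-opened context; if `tpm2_context_new()` also covers the `dlopen_tpm2()` removed here, which I cannot confirm from this hunk, that is worth stating in the same comment. The body of tpm2_unseal() continues past the hunk.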
int tpm2_get_or_create_srk(Tpm2Context *c, const Tpm2Handle *session, TPM2B_PUBLIC **ret_public, TPM2B_NAME **ret_name, TPM2B_NAME **ret_qname, Tpm2Handle **ret_handle);
int tpm2_seal(Tpm2Context *c, const TPM2B_DIGEST *policy, const char *pin, void **ret_secret, size_t *ret_secret_size, void **ret_blob, size_t *ret_blob_size, uint16_t *ret_primary_alg, void **ret_srk_buf, size_t *ret_srk_buf_size);
-int tpm2_unseal(const char *device, uint32_t hash_pcr_mask, uint16_t pcr_bank, const void *pubkey, size_t pubkey_size, uint32_t pubkey_pcr_mask, JsonVariant *signature, const char *pin, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, const void *srk_buf, size_t srk_buf_size, void **ret_secret, size_t *ret_secret_size);
+int tpm2_unseal(Tpm2Context *c, uint32_t hash_pcr_mask, uint16_t pcr_bank, const void *pubkey, size_t pubkey_size, uint32_t pubkey_pcr_mask, JsonVariant *signature, const char *pin, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, const void *srk_buf, size_t srk_buf_size, void **ret_secret, size_t *ret_secret_size);
#if HAVE_OPENSSL
int tpm2_tpm2b_public_to_openssl_pkey(const TPM2B_PUBLIC *public, EVP_PKEY **ret);