&more,
&capabilities);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to get TPM2 capability 0x%04" PRIx32 " property 0x%04" PRIx32 ": %s",
capability, property, sym_Tss2_RC_Decode(rc));
if (capabilities->capability != capability)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"TPM provided wrong capability: 0x%04" PRIx32 " instead of 0x%04" PRIx32 ".",
capabilities->capability, capability);
c->n_capability_algorithms,
algorithms.algProperties,
algorithms.count))
- return log_oom();
+ return log_oom_debug();
if (r == 0)
break;
c->n_capability_commands,
commands.commandAttributes,
commands.count))
- return log_oom();
+ return log_oom_debug();
if (r == 0)
break;
* TPM2_GetCapability states: "TPM_CAP_PCRS – Returns the current allocation of PCR in a
* TPML_PCR_SELECTION. The property parameter shall be zero. The TPM will always respond to
* this command with the full PCR allocation and moreData will be NO." */
- log_warning("TPM bug: reported multiple PCR sets; using only first set.");
+ log_debug("TPM bug: reported multiple PCR sets; using only first set.");
c->capability_pcrs = capability.assignedPCR;
return 0;
assert(handle_list.count <= max);
if (n_handles > SIZE_MAX - handle_list.count)
- return log_oom();
+ return log_oom_debug();
if (!GREEDY_REALLOC(handles, n_handles + handle_list.count))
- return log_oom();
+ return log_oom_debug();
memcpy_safe(&handles[n_handles], handle_list.handle, sizeof(handles[0]) * handle_list.count);
context = new(Tpm2Context, 1);
if (!context)
- return log_oom();
+ return log_oom_debug();
*context = (Tpm2Context) {
.n_ref = 1,
r = dlopen_tpm2();
if (r < 0)
- return log_error_errno(r, "TPM2 support not installed: %m");
+ return log_debug_errno(r, "TPM2 support not installed: %m");
if (!device) {
device = secure_getenv("SYSTEMD_TPM2_DEVICE");
/* Syntax #1: Pair of driver string and arbitrary parameter */
driver = strndupa_safe(device, param - device);
if (isempty(driver))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing.");
param++;
} else if (path_is_absolute(device) && path_is_valid(device)) {
driver = "device";
param = device;
} else
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing.");
log_debug("Using TPM2 TCTI driver '%s' with device '%s'.", driver, param);
/* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
if (!filename_is_valid(fn))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
context->tcti_dl = dlopen(fn, RTLD_NOW);
if (!context->tcti_dl)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror());
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror());
func = dlsym(context->tcti_dl, TSS2_TCTI_INFO_SYMBOL);
if (!func)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to find TCTI info symbol " TSS2_TCTI_INFO_SYMBOL ": %s",
dlerror());
info = func();
if (!info)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unable to get TCTI info data.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unable to get TCTI info data.");
log_debug("Loaded TCTI module '%s' (%s) [Version %" PRIu32 "]", info->name, info->description, info->version);
rc = info->init(NULL, &sz, NULL);
if (rc != TPM2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to initialize TCTI context: %s", sym_Tss2_RC_Decode(rc));
context->tcti_context = malloc0(sz);
if (!context->tcti_context)
- return log_oom();
+ return log_oom_debug();
rc = info->init(context->tcti_context, &sz, param);
if (rc != TPM2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to initialize TCTI context: %s", sym_Tss2_RC_Decode(rc));
}
rc = sym_Esys_Initialize(&context->esys_context, context->tcti_context, NULL);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to initialize TPM context: %s", sym_Tss2_RC_Decode(rc));
rc = sym_Esys_Startup(context->esys_context, TPM2_SU_CLEAR);
else if (rc == TSS2_RC_SUCCESS)
log_debug("TPM successfully started up.");
else
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to start up TPM: %s", sym_Tss2_RC_Decode(rc));
r = tpm2_cache_capabilities(context);
if (r < 0)
- return r;
+ return log_debug_errno(r, "Failed to cache TPM capbilities: %m");
/* We require AES and CFB support for session encryption. */
if (!tpm2_supports_alg(context, TPM2_ALG_AES))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES.");
if (!tpm2_supports_alg(context, TPM2_ALG_CFB))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support CFB.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support CFB.");
if (!tpm2_supports_tpmt_sym_def(context, &SESSION_TEMPLATE_SYM_AES_128_CFB))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES-128-CFB.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES-128-CFB.");
*ret_context = TAKE_PTR(context);
handle = new(Tpm2Handle, 1);
if (!handle)
- return log_oom();
+ return log_oom_debug();
*handle = (Tpm2Handle) {
.tpm2_context = tpm2_context_ref(context),
case TPM2_HT_TRANSIENT:
break;
case TPM2_HT_PCR:
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
"Invalid handle 0x%08" PRIx32 " (in PCR range).", index);
case TPM2_HT_HMAC_SESSION:
case TPM2_HT_POLICY_SESSION:
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
"Invalid handle 0x%08" PRIx32 " (in session range).", index);
case TPM2_HT_PERMANENT: /* Permanent handles are defined, e.g. ESYS_TR_RH_OWNER. */
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
"Invalid handle 0x%08" PRIx32 " (in permanent range).", index);
default:
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
"Invalid handle 0x%08" PRIx32 " (in unknown range).", index);
}
ESYS_TR_NONE,
&handle->esys_handle);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to read public info: %s", sym_Tss2_RC_Decode(rc));
if (ret_public || ret_name || ret_qname) {
/* Esys_TR_GetTpmHandle was added to tpm2-tss in version 2.4.0. Once we can set a minimum tpm2-tss
* version of 2.4.0 this check can be removed. */
if (!sym_Esys_TR_GetTpmHandle)
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"libtss2-esys too old, does not include Esys_TR_GetTpmHandle.");
rc = sym_Esys_TR_GetTpmHandle(c->esys_context, handle->esys_handle, ret_index);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to get handle index: %s", sym_Tss2_RC_Decode(rc));
return 0;
return 1;
}
if (rc != TPM2_RC_NV_DEFINED)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to persist handle: %s", sym_Tss2_RC_Decode(rc));
}
MIN(rps, 32U), /* 32 is supposedly a safe choice, given that AES 256bit keys are this long, and TPM2 baseline requires support for those. */
&buffer);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to acquire entropy from TPM: %s", sym_Tss2_RC_Decode(rc));
if (buffer->size == 0)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Zero-sized entropy returned from TPM.");
r = random_write_entropy(-1, buffer->buffer, buffer->size, /* credit= */ false);
if (r < 0)
- return log_error_errno(r, "Failed wo write entropy to kernel: %m");
+ return log_debug_errno(r, "Failed wo write entropy to kernel: %m");
done += buffer->size;
rps = LESS_BY(rps, buffer->size);
ret_name,
ret_qname);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to read public info: %s", sym_Tss2_RC_Decode(rc));
return 0;
TPM2B_PUBLIC template = { .size = sizeof(TPMT_PUBLIC), };
r = tpm2_get_best_srk_template(c, &template.publicArea);
if (r < 0)
- return log_error_errno(r, "Could not get best SRK template: %m");
+ return log_debug_errno(r, "Could not get best SRK template: %m");
_cleanup_(tpm2_handle_freep) Tpm2Handle *transient_handle = NULL;
r = tpm2_create_primary(
return r;
if (r == 0)
/* This should never happen. */
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "SRK we just persisted couldn't be found.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "SRK we just persisted couldn't be found.");
return 1; /* > 0 → SRK newly set up */
}
/* This is currently hardcoded at 24 PCRs, above. */
if (!TPM2_PCR_MASK_VALID(mask))
- log_warning("PCR mask selections (%x) out of range, ignoring.",
- mask & ~((uint32_t)TPM2_PCRS_MASK));
+ log_debug("PCR mask selections (%x) out of range, ignoring.",
+ mask & ~((uint32_t)TPM2_PCRS_MASK));
*ret = (TPMS_PCR_SELECTION){
.hash = hash_alg,
_cleanup_free_ char *index = NULL;
r = extract_first_word(&p, &index, ":", /* flags= */ 0);
if (r < 1)
- return log_error_errno(r, "Could not parse pcr value '%s': %m", p);
+ return log_debug_errno(r, "Could not parse pcr value '%s': %m", p);
r = tpm2_pcr_index_from_string(index);
if (r < 0)
- return log_error_errno(r, "Invalid pcr index '%s': %m", index);
+ return log_debug_errno(r, "Invalid pcr index '%s': %m", index);
pcr_value.index = (unsigned) r;
if (!isempty(p)) {
_cleanup_free_ char *hash = NULL;
r = extract_first_word(&p, &hash, "=", /* flags= */ 0);
if (r < 1)
- return log_error_errno(r, "Could not parse pcr hash algorithm '%s': %m", p);
+ return log_debug_errno(r, "Could not parse pcr hash algorithm '%s': %m", p);
r = tpm2_hash_alg_from_string(hash);
if (r < 0)
- return log_error_errno(r, "Invalid pcr hash algorithm '%s': %m", hash);
+ return log_debug_errno(r, "Invalid pcr hash algorithm '%s': %m", hash);
pcr_value.hash = (TPMI_ALG_HASH) r;
if (!isempty(p)) {
size_t buf_size = 0;
r = unhexmem(p, SIZE_MAX, &buf, &buf_size);
if (r < 0)
- return log_error_errno(r, "Invalid pcr hash value '%s': %m", p);
+ return log_debug_errno(r, "Invalid pcr hash value '%s': %m", p);
r = TPM2B_DIGEST_CHECK_SIZE(buf_size);
if (r < 0)
- return log_error_errno(r, "PCR hash value size %zu too large.", buf_size);
+ return log_debug_errno(r, "PCR hash value size %zu too large.", buf_size);
pcr_value.value = TPM2B_DIGEST_MAKE(buf, buf_size);
}
_cleanup_free_ char *pcr_arg = NULL;
r = extract_first_word(&p, &pcr_arg, ",+", /* flags= */ 0);
if (r < 0)
- return log_error_errno(r, "Could not parse pcr values '%s': %m", p);
+ return log_debug_errno(r, "Could not parse pcr values '%s': %m", p);
if (r == 0)
break;
return r;
if (!GREEDY_REALLOC_APPEND(pcr_values, n_pcr_values, &pcr_value, 1))
- return log_oom();
+ return log_oom_debug();
}
*ret_pcr_values = TAKE_PTR(pcr_values);
ESYS_TR_NONE,
&policy_digest);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to get policy digest from TPM: %s", sym_Tss2_RC_Decode(rc));
tpm2_log_debug_digest(policy_digest, "Session policy digest");
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate primary key in TPM: %s",
sym_Tss2_RC_Decode(rc));
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate object in TPM: %s",
sym_Tss2_RC_Decode(rc));
public,
&handle->esys_handle);
if (rc == TPM2_RC_LOCKOUT)
- return log_error_errno(SYNTHETIC_ERRNO(ENOLCK),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOLCK),
"TPM2 device is in dictionary attack lockout mode.");
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to load key into TPM: %s", sym_Tss2_RC_Decode(rc));
*ret_handle = TAKE_PTR(handle);
#endif
&handle->esys_handle);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to load public key into TPM: %s", sym_Tss2_RC_Decode(rc));
*ret_handle = TAKE_PTR(handle);
sizeof(tpm2b_template.buffer),
&size);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to marshal public key template: %s", sym_Tss2_RC_Decode(rc));
assert(size <= UINT16_MAX);
tpm2b_template.size = size;
&private,
&public);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate loaded object in TPM: %s",
sym_Tss2_RC_Decode(rc));
¤t_read,
¤t_values);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to read TPM2 PCRs: %s", sym_Tss2_RC_Decode(rc));
tpm2_log_debug_tpml_pcr_selection(current_read, "Read PCR selection");
if (tpm2_tpml_pcr_selection_is_empty(current_read)) {
- log_warning("TPM2 refused to read possibly unimplemented PCRs, ignoring.");
+ log_debug("TPM2 refused to read possibly unimplemented PCRs, ignoring.");
break;
}
tpm2_log_debug_pcr_value(&pcr_value, /* msg= */ NULL);
if (!GREEDY_REALLOC_APPEND(pcr_values, n_pcr_values, &pcr_value, 1))
- return log_oom();
+ return log_oom_debug();
}
assert(i == current_values->count);
tpm2_sort_pcr_values(pcr_values, n_pcr_values);
if (!tpm2_pcr_values_valid(pcr_values, n_pcr_values))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "PCR values read from TPM are not valid.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "PCR values read from TPM are not valid.");
*ret_pcr_values = TAKE_PTR(pcr_values);
*ret_n_pcr_values = n_pcr_values;
size_t hash_count;
r = tpm2_pcr_values_hash_count(pcr_values, n_pcr_values, &hash_count);
if (r < 0)
- return log_error_errno(r, "Could not get hash count from pcr values: %m");
+ return log_debug_errno(r, "Could not get hash count from pcr values: %m");
if (hash_count == 1 && pcr_values[0].hash == 0) {
uint32_t mask;
return r;
if (n_read_values == 0)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Could not read PCR hash 0x%" PRIu16 " index %u",
v->hash, v->index);
log_notice("TPM2 device lacks support for SHA256 bank, but SHA1 bank is supported, but none of the selected PCRs are valid! Firmware apparently did not initialize any of the selected PCRs. Proceeding anyway with SHA1 bank. PCR policy effectively unenforced!");
*ret = TPM2_ALG_SHA1;
} else
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"TPM2 module supports neither SHA1 nor SHA256 PCR banks, cannot operate.");
return 0;
return r;
if (n_good_banks + n_fallback_banks >= INT_MAX)
- return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Too many good TPM2 banks?");
+ return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "Too many good TPM2 banks?");
if (r) {
if (!GREEDY_REALLOC(good_banks, n_good_banks+1))
- return log_oom();
+ return log_oom_debug();
good_banks[n_good_banks++] = hash;
} else {
if (!GREEDY_REALLOC(fallback_banks, n_fallback_banks+1))
- return log_oom();
+ return log_oom_debug();
fallback_banks[n_fallback_banks++] = hash;
}
salg = tpm2_hash_alg_to_string(*a);
if (!salg)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unknown PCR algorithm, can't measure.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unknown PCR algorithm, can't measure.");
implementation = EVP_get_digestbyname(salg);
if (!implementation)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unsupported PCR algorithm, can't measure.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unsupported PCR algorithm, can't measure.");
n = strdup(ASSERT_PTR(EVP_MD_name(implementation)));
if (!n)
- return log_oom();
+ return log_oom_debug();
ascii_strlower(n); /* OpenSSL uses uppercase digest names, we prefer them lower case. */
if (strv_consume(&l, TAKE_PTR(n)) < 0)
- return log_oom();
+ return log_oom_debug();
}
*ret = TAKE_PTR(l);
return 0;
#else /* HAVE_OPENSSL */
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
#endif
}
assert(data || n_data == 0);
if (alg != TPM2_ALG_SHA256)
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"Hash algorithm not supported: 0x%x", alg);
if (extend && digest->size != SHA256_DIGEST_SIZE)
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"Digest size 0x%x, require 0x%x",
digest->size, (unsigned)SHA256_DIGEST_SIZE);
iovecs = new(struct iovec, n_data);
if (!iovecs)
- return log_oom();
+ return log_oom_debug();
for (size_t i = 0; i < n_data; i++)
iovecs[i] = IOVEC_MAKE((void*) data[i].buffer, data[i].size);
rc = sym_Esys_TR_SetAuth(c->esys_context, handle->esys_handle, &auth);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to load PIN in TPM: %s", sym_Tss2_RC_Decode(rc));
return 0;
TPM2_ALG_SHA256,
&session->esys_handle);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to open session in TPM: %s", sym_Tss2_RC_Decode(rc));
/* Enable parameter encryption/decryption with AES in CFB mode. Together with HMAC digests (which are
* operations that use this session. */
rc = sym_Esys_TRSess_SetAttributes(c->esys_context, session->esys_handle, sessionAttributes, 0xff);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(
- SYNTHETIC_ERRNO(ENOTRECOVERABLE),
- "Failed to configure TPM session: %s",
- sym_Tss2_RC_Decode(rc));
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "Failed to configure TPM session: %s", sym_Tss2_RC_Decode(rc));
*ret_session = TAKE_PTR(session);
assert(ret_session);
if (!tpm2_is_encryption_session(c, encryption_session))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
"Missing encryption session");
log_debug("Starting policy session.");
TPM2_ALG_SHA256,
&session->esys_handle);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to open session in TPM: %s", sym_Tss2_RC_Decode(rc));
*ret_session = TAKE_PTR(session);
* public key, and policy digest. */
if (!json_variant_is_object(v))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Signature is not a JSON object.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature is not a JSON object.");
uint16_t pcr_bank = pcr_selection->pcrSelections[0].hash;
uint32_t pcr_mask = tpm2_tpml_pcr_selection_to_mask(pcr_selection, pcr_bank);
k = tpm2_hash_alg_to_string(pcr_bank);
if (!k)
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Don't know PCR bank %" PRIu16, pcr_bank);
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Don't know PCR bank %" PRIu16, pcr_bank);
/* First, find field by bank */
b = json_variant_by_key(v, k);
if (!b)
- return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "Signature lacks data for PCR bank '%s'.", k);
+ return log_debug_errno(SYNTHETIC_ERRNO(ENXIO), "Signature lacks data for PCR bank '%s'.", k);
if (!json_variant_is_array(b))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data is not a JSON array.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data is not a JSON array.");
/* Now iterate through all signatures known for this bank */
JSON_VARIANT_ARRAY_FOREACH(i, b) {
uint32_t parsed_mask;
if (!json_variant_is_object(i))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data element is not a JSON object");
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data element is not a JSON object");
/* Check if the PCR mask matches our expectations */
maskj = json_variant_by_key(i, "pcrs");
r = tpm2_parse_pcr_json_array(maskj, &parsed_mask);
if (r < 0)
- return log_error_errno(r, "Failed to parse JSON PCR mask");
+ return log_debug_errno(r, "Failed to parse JSON PCR mask");
if (parsed_mask != pcr_mask)
continue; /* Not for this PCR mask */
r = json_variant_unhex(fpj, &fpj_data, &fpj_size);
if (r < 0)
- return log_error_errno(r, "Failed to decode fingerprint in JSON data: %m");
+ return log_debug_errno(r, "Failed to decode fingerprint in JSON data: %m");
if (memcmp_nn(fp, fp_size, fpj_data, fpj_size) != 0)
continue; /* Not for this public key */
r = json_variant_unhex(polj, &polj_data, &polj_size);
if (r < 0)
- return log_error_errno(r, "Failed to decode policy hash JSON data: %m");
+ return log_debug_errno(r, "Failed to decode policy hash JSON data: %m");
if (memcmp_nn(policy, policy_size, polj_data, polj_size) != 0)
continue;
return json_variant_unbase64(sigj, ret_signature, ret_signature_size);
}
- return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "Couldn't find signature for this PCR bank, PCR index and public key.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENXIO), "Couldn't find signature for this PCR bank, PCR index and public key.");
#else /* HAVE_OPENSSL */
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
#endif
}
r = dlopen_tpm2();
if (r < 0)
- return log_error_errno(r, "TPM2 support not installed: %m");
+ return log_debug_errno(r, "TPM2 support not installed: %m");
if (public->nameAlg != TPM2_ALG_SHA256)
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"Unsupported nameAlg: 0x%x",
public->nameAlg);
buf = (uint8_t*) new(TPMT_PUBLIC, 1);
if (!buf)
- return log_oom();
+ return log_oom_debug();
rc = sym_Tss2_MU_TPMT_PUBLIC_Marshal(public, buf, sizeof(TPMT_PUBLIC), &size);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to marshal public key: %s", sym_Tss2_RC_Decode(rc));
TPM2B_DIGEST digest = {};
size = 0;
rc = sym_Tss2_MU_TPMT_HA_Marshal(&ha, name.name, sizeof(name.name), &size);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to marshal key name: %s", sym_Tss2_RC_Decode(rc));
name.size = size;
rc = sym_Esys_TR_GetName(c->esys_context, handle->esys_handle, &name);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to get name of public key from TPM: %s", sym_Tss2_RC_Decode(rc));
tpm2_log_debug_name(name, "Object name");
r = dlopen_tpm2();
if (r < 0)
- return log_error_errno(r, "TPM2 support not installed: %m");
+ return log_debug_errno(r, "TPM2 support not installed: %m");
uint8_t buf[sizeof(command)];
size_t offset = 0;
rc = sym_Tss2_MU_TPM2_CC_Marshal(command, buf, sizeof(buf), &offset);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to marshal PolicyAuthValue command: %s", sym_Tss2_RC_Decode(rc));
if (offset != sizeof(command))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Offset 0x%zx wrong after marshalling PolicyAuthValue command", offset);
r = tpm2_digest_buffer(TPM2_ALG_SHA256, digest, buf, offset, /* extend= */ true);
ESYS_TR_NONE,
ESYS_TR_NONE);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to add authValue policy to TPM: %s",
sym_Tss2_RC_Decode(rc));
r = dlopen_tpm2();
if (r < 0)
- return log_error_errno(r, "TPM2 support not installed: %m");
+ return log_debug_errno(r, "TPM2 support not installed: %m");
TPML_PCR_SELECTION pcr_selection;
_cleanup_free_ TPM2B_DIGEST *values = NULL;
size_t n_values;
r = tpm2_tpml_pcr_selection_from_pcr_values(pcr_values, n_pcr_values, &pcr_selection, &values, &n_values);
if (r < 0)
- return log_error_errno(r, "Could not convert PCR values to TPML_PCR_SELECTION: %m");
+ return log_debug_errno(r, "Could not convert PCR values to TPML_PCR_SELECTION: %m");
TPM2B_DIGEST hash = {};
r = tpm2_digest_many_digests(TPM2_ALG_SHA256, &hash, values, n_values, /* extend= */ false);
buf = malloc(maxsize);
if (!buf)
- return log_oom();
+ return log_oom_debug();
rc = sym_Tss2_MU_TPM2_CC_Marshal(command, buf, maxsize, &size);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to marshal PolicyPCR command: %s", sym_Tss2_RC_Decode(rc));
rc = sym_Tss2_MU_TPML_PCR_SELECTION_Marshal(&pcr_selection, buf, maxsize, &size);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to marshal PCR selection: %s", sym_Tss2_RC_Decode(rc));
struct iovec data[] = {
NULL,
pcr_selection);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
return tpm2_get_policy_digest(c, session, ret_policy_digest);
r = dlopen_tpm2();
if (r < 0)
- return log_error_errno(r, "TPM2 support not installed: %m");
+ return log_debug_errno(r, "TPM2 support not installed: %m");
uint8_t buf[sizeof(command)];
size_t offset = 0;
rc = sym_Tss2_MU_TPM2_CC_Marshal(command, buf, sizeof(buf), &offset);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to marshal PolicyAuthorize command: %s", sym_Tss2_RC_Decode(rc));
if (offset != sizeof(command))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Offset 0x%zx wrong after marshalling PolicyAuthorize command", offset);
TPM2B_NAME name = {};
r = TPM2B_PUBLIC_KEY_RSA_CHECK_SIZE(signature_size);
if (r < 0)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Signature larger than buffer.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Signature larger than buffer.");
TPMT_SIGNATURE policy_signature = {
.sigAlg = TPM2_ALG_RSASSA,
&policy_signature,
&check_ticket_buffer);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to validate signature in TPM: %s", sym_Tss2_RC_Decode(rc));
check_ticket = check_ticket_buffer;
pubkey_name,
check_ticket);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to push Authorize policy into TPM: %s", sym_Tss2_RC_Decode(rc));
return tpm2_get_policy_digest(c, session, ret_policy_digest);
if (r < 0)
return r;
if (r == 0)
- log_warning("Selected TPM2 PCRs are not initialized on this system.");
+ log_debug("Selected TPM2 PCRs are not initialized on this system.");
}
if (pubkey_pcr_mask != 0) {
/* Hardcode fingerprint to SHA256 */
return pubkey_fingerprint(pkey, EVP_sha256(), ret_fingerprint, ret_fingerprint_size);
#else
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
#endif
}
return tpm2_tpm2b_public_from_openssl_pkey(pkey, ret);
#else
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
#endif
}
size_t size = 0;
rc = sym_Esys_TR_Serialize(c->esys_context, handle->esys_handle, &serialized, &size);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to serialize: %s", sym_Tss2_RC_Decode(rc));
*ret_serialized = TAKE_PTR(serialized);
rc = sym_Esys_TR_Deserialize(c->esys_context, serialized, serialized_size, &handle->esys_handle);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to deserialize: %s", sym_Tss2_RC_Decode(rc));
*ret_handle = TAKE_PTR(handle);
r = crypto_random_bytes(hmac_sensitive.data.buffer, hmac_sensitive.data.size);
if (r < 0)
- return log_error_errno(r, "Failed to generate secret key: %m");
+ return log_debug_errno(r, "Failed to generate secret key: %m");
_cleanup_(tpm2_handle_freep) Tpm2Handle *primary_handle = NULL;
if (ret_srk_buf) {
TPM2B_PUBLIC template = { .size = sizeof(TPMT_PUBLIC), };
r = tpm2_get_legacy_template(primary_alg, &template.publicArea);
if (r < 0)
- return log_error_errno(r, "Could not get legacy ECC template: %m");
+ return log_debug_errno(r, "Could not get legacy ECC template: %m");
if (!tpm2_supports_tpmt_public(c, &template.publicArea)) {
primary_alg = TPM2_ALG_RSA;
r = tpm2_get_legacy_template(primary_alg, &template.publicArea);
if (r < 0)
- return log_error_errno(r, "Could not get legacy RSA template: %m");
+ return log_debug_errno(r, "Could not get legacy RSA template: %m");
if (!tpm2_supports_tpmt_public(c, &template.publicArea))
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"TPM does not support either ECC or RSA legacy template.");
}
_cleanup_(erase_and_freep) void *secret = NULL;
secret = memdup(hmac_sensitive.data.buffer, hmac_sensitive.data.size);
if (!secret)
- return log_oom();
+ return log_oom_debug();
log_debug("Marshalling private and public part of HMAC key.");
size_t blob_size;
r = tpm2_marshal_blob(public, private, &blob, &blob_size);
if (r < 0)
- return log_error_errno(r, "Could not create sealed blob: %m");
+ return log_debug_errno(r, "Could not create sealed blob: %m");
if (DEBUG_LOGGING)
log_debug("Completed TPM2 key sealing in %s.", FORMAT_TIMESPAN(now(CLOCK_MONOTONIC) - start, 1));
*/
srk_buf = memdup(tmp, srk_buf_size);
if (!srk_buf)
- return log_oom();
+ return log_oom_debug();
*ret_srk_buf = TAKE_PTR(srk_buf);
*ret_srk_buf_size = srk_buf_size;
r = dlopen_tpm2();
if (r < 0)
- return log_error_errno(r, "TPM2 support is not installed.");
+ return r;
/* So here's what we do here: We connect to the TPM2 chip. As we do when sealing we generate a
* "primary" key on the TPM2 chip, with the same parameters as well as a PCR-bound policy session.
TPM2B_PRIVATE private;
r = tpm2_unmarshal_blob(blob, blob_size, &public, &private);
if (r < 0)
- return log_error_errno(r, "Could not extract parts from blob: %m");
+ return log_debug_errno(r, "Could not extract parts from blob: %m");
_cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
r = tpm2_context_new(device, &c);
TPM2B_PUBLIC template = { .size = sizeof(TPMT_PUBLIC), };
r = tpm2_get_legacy_template(primary_alg, &template.publicArea);
if (r < 0)
- return log_error_errno(r, "Could not get legacy template: %m");
+ return log_debug_errno(r, "Could not get legacy template: %m");
r = tpm2_create_primary(
c,
if (r < 0)
return r;
} else
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
"No SRK or primary alg provided.");
log_debug("Loading HMAC key into TPM.");
if (pubkey) {
r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &pubkey_tpm2b);
if (r < 0)
- return log_error_errno(r, "Could not create TPMT_PUBLIC: %m");
+ return log_debug_errno(r, "Could not create TPMT_PUBLIC: %m");
r = tpm2_tpm2b_public_to_fingerprint(&pubkey_tpm2b, &fp, &fp_size);
if (r < 0)
- return log_error_errno(r, "Could not get key fingerprint: %m");
+ return log_debug_errno(r, "Could not get key fingerprint: %m");
}
/*
* wait until the TPM2 tells us to go away. */
if (known_policy_hash_size > 0 &&
memcmp_nn(policy_digest->buffer, policy_digest->size, known_policy_hash, known_policy_hash_size) != 0)
- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
"Current policy digest does not match stored policy digest, cancelling "
"TPM2 authentication attempt.");
if (rc == TSS2_RC_SUCCESS)
break;
if (rc != TPM2_RC_PCR_CHANGED || i == 0)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to unseal HMAC key in TPM: %s", sym_Tss2_RC_Decode(rc));
log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
}
secret = memdup(unsealed->buffer, unsealed->size);
explicit_bzero_safe(unsealed->buffer, unsealed->size);
if (!secret)
- return log_oom();
+ return log_oom_debug();
if (DEBUG_LOGGING)
log_debug("Completed TPM2 key unsealing in %s.", FORMAT_TIMESPAN(now(CLOCK_MONOTONIC) - start, 1));
#endif
}
-int tpm2_find_device_auto(
- int log_level, /* log level when no device is found */
- char **ret) {
+int tpm2_find_device_auto(char **ret) {
#if HAVE_TPM2
_cleanup_closedir_ DIR *d = NULL;
int r;
r = dlopen_tpm2();
if (r < 0)
- return log_error_errno(r, "TPM2 support is not installed.");
+ return log_debug_errno(r, "TPM2 support is not installed.");
d = opendir("/sys/class/tpmrm");
if (!d) {
- log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno,
- "Failed to open /sys/class/tpmrm: %m");
+ log_debug_errno(errno, "Failed to open /sys/class/tpmrm: %m");
if (errno != ENOENT)
return -errno;
} else {
break;
if (node)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
"More than one TPM2 (tpmrm) device found.");
node = path_join("/dev", de->d_name);
if (!node)
- return log_oom();
+ return log_oom_debug();
}
if (node) {
}
}
- return log_full_errno(log_level, SYNTHETIC_ERRNO(ENODEV), "No TPM2 (tpmrm) device found.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENODEV), "No TPM2 (tpmrm) device found.");
#else
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"TPM2 not supported on this build.");
#endif
}
* lock it, which we want to avoid. */
fd = open(e, O_CREAT|O_WRONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
if (fd < 0)
- return log_warning_errno(errno, "Failed to open TPM log file '%s' for writing, ignoring: %m", e);
+ return log_debug_errno(errno, "Failed to open TPM log file '%s' for writing, ignoring: %m", e);
if (flock(fd, LOCK_EX) < 0)
- return log_warning_errno(errno, "Failed to lock TPM log file '%s', ignoring: %m", e);
+ return log_debug_errno(errno, "Failed to lock TPM log file '%s', ignoring: %m", e);
if (fstat(fd, &st) < 0)
- return log_warning_errno(errno, "Failed to fstat TPM log file '%s', ignoring: %m", e);
+ return log_debug_errno(errno, "Failed to fstat TPM log file '%s', ignoring: %m", e);
r = stat_verify_regular(&st);
if (r < 0)
- return log_warning_errno(r, "TPM log file '%s' is not regular, ignoring: %m", e);
+ return log_debug_errno(r, "TPM log file '%s' is not regular, ignoring: %m", e);
/* We set the sticky bit when we are about to append to the log file. We'll unset it afterwards
* again. If we manage to take a lock on a file that has it set we know we didn't write it fully and
* it is corrupted. Ideally we'd like to use user xattrs for this, but unfortunately tmpfs (which is
* our assumed backend fs) doesn't know user xattrs. */
if (st.st_mode & S_ISVTX)
- return log_warning_errno(SYNTHETIC_ERRNO(ESTALE), "TPM log file '%s' aborted, ignoring.", e);
+ return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "TPM log file '%s' aborted, ignoring.", e);
if (fchmod(fd, 0600 | S_ISVTX) < 0)
- return log_warning_errno(errno, "Failed to chmod() TPM log file '%s', ignoring: %m", e);
+ return log_debug_errno(errno, "Failed to chmod() TPM log file '%s', ignoring: %m", e);
return TAKE_FD(fd);
}
JSON_BUILD_PAIR_STRING("hashAlg", a),
JSON_BUILD_PAIR("digest", JSON_BUILD_HEX(&values->digests[i].digest, EVP_MD_size(implementation)))));
if (r < 0)
- return log_error_errno(r, "Failed to append digest object to JSON array: %m");
+ return log_debug_errno(r, "Failed to append digest object to JSON array: %m");
}
assert(array);
r = sd_id128_get_boot(&boot_id);
if (r < 0)
- return log_error_errno(r, "Failed to acquire boot ID: %m");
+ return log_debug_errno(r, "Failed to acquire boot ID: %m");
r = json_build(&v, JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("pcr", JSON_BUILD_UNSIGNED(pcr_index)),
JSON_BUILD_PAIR("timestamp", JSON_BUILD_UNSIGNED(now(CLOCK_BOOTTIME))),
JSON_BUILD_PAIR_CONDITION(event_type >= 0, "eventType", JSON_BUILD_STRING(tpm2_userspace_event_type_to_string(event_type)))))));
if (r < 0)
- return log_error_errno(r, "Failed to build log record JSON: %m");
+ return log_debug_errno(r, "Failed to build log record JSON: %m");
r = json_variant_format(v, JSON_FORMAT_SEQ, &f);
if (r < 0)
- return log_error_errno(r, "Failed to format JSON: %m");
+ return log_debug_errno(r, "Failed to format JSON: %m");
if (lseek(fd, 0, SEEK_END) == (off_t) -1)
- return log_error_errno(errno, "Failed to seek to end of JSON log: %m");
+ return log_debug_errno(errno, "Failed to seek to end of JSON log: %m");
r = loop_write(fd, f, SIZE_MAX);
if (r < 0)
- return log_error_errno(r, "Failed to write JSON data to log: %m");
+ return log_debug_errno(r, "Failed to write JSON data to log: %m");
if (fsync(fd) < 0)
- return log_error_errno(errno, "Failed to sync JSON data: %m");
+ return log_debug_errno(errno, "Failed to sync JSON data: %m");
/* Unset S_ISVTX again */
if (fchmod(fd, 0600) < 0)
- return log_warning_errno(errno, "Failed to chmod() TPM log file, ignoring: %m");
+ return log_debug_errno(errno, "Failed to chmod() TPM log file, ignoring: %m");
r = fsync_full(fd);
if (r < 0)
- return log_error_errno(r, "Failed to sync JSON log: %m");
+ return log_debug_errno(r, "Failed to sync JSON log: %m");
return 1;
}
secret_size = strlen(secret);
if (pcr_index >= TPM2_PCRS_MAX)
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Can't measure into unsupported PCR %u, refusing.", pcr_index);
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Can't measure into unsupported PCR %u, refusing.", pcr_index);
if (strv_isempty(banks))
return 0;
assert_se(implementation = EVP_get_digestbyname(*bank));
if (values.count >= ELEMENTSOF(values.digests))
- return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Too many banks selected.");
+ return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "Too many banks selected.");
if ((size_t) EVP_MD_size(implementation) > sizeof(values.digests[values.count].digest))
- return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Hash result too large for TPM2.");
+ return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "Hash result too large for TPM2.");
id = tpm2_hash_alg_from_string(EVP_MD_name(implementation));
if (id < 0)
- return log_error_errno(id, "Can't map hash name to TPM2.");
+ return log_debug_errno(id, "Can't map hash name to TPM2.");
values.digests[values.count].hashAlg = id;
* private non-secret string instead. */
if (secret_size > 0) {
if (!HMAC(implementation, secret, secret_size, data, data_size, (unsigned char*) &values.digests[values.count].digest, NULL))
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to calculate HMAC of data to measure.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to calculate HMAC of data to measure.");
} else if (EVP_Digest(data, data_size, (unsigned char*) &values.digests[values.count].digest, NULL, implementation, NULL) != 1)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to hash data to measure.");
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to hash data to measure.");
values.count++;
}
ESYS_TR_NONE,
&values);
if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(
+ return log_debug_errno(
SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to measure into PCR %u: %s",
pcr_index,
return 0;
#else /* HAVE_OPENSSL */
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
#endif
}
#endif
}
#endif
+/* The following tpm2_parse_pcr_argument*() functions all log errors, to match the behavior of system-wide
+ * parse_*_argument() functions. */
+
/* Parse the PCR selection/value arg(s) and return a corresponding array of Tpm2PCRValue objects.
*
* The format is the same as tpm2_pcr_values_from_string(). The first provided entry with a hash algorithm
size_t n_pcr_values = 0;
r = tpm2_pcr_values_from_string(arg, &pcr_values, &n_pcr_values);
if (r < 0)
- return r;
+ return log_error_errno(r, "Could not parse PCR values from '%s': %m", arg);
tpm2_pcr_values_apply_default_hash_alg(pcr_values, n_pcr_values);
search = strv_split_nulstr(CONF_PATHS_NULSTR("systemd"));
if (!search)
- return log_oom();
+ return log_oom_debug();
if (!path) {
/* If no path is specified, then look for "tpm2-pcr-signature.json" automatically. Also, in
if (in_initrd())
if (strv_extend(&search, "/.extra") < 0)
- return log_oom();
+ return log_oom_debug();
}
r = search_and_fopen(path, "re", NULL, (const char**) search, &f, &discovered_path);