From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 16 Apr 2024 13:01:41 +0000 (+0200)
Subject: tpm2-util: load external key into NULL hierarchy if private key is provided
X-Git-Tag: v256-rc1~127^2~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=371b59441459e3bc33ceca4da619fec310dd7b37;p=thirdparty%2Fsystemd.git

tpm2-util: load external key into NULL hierarchy if private key is provided

If we load an external key into the TPM we must do so in the NULL
hierarchy. An external key after all is one that is not wrapped by any
hierarchy's seed.

See TPM2 spec, Part 3, Section 12.3.1
---

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index e012dd2c5c7..51c01b6c9c7 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2242,9 +2242,9 @@ static int tpm2_load_external(
 #if HAVE_TSS2_ESYS3
                         /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested
                          * hierarchy, older versions need TPM2_RH_* instead. */
-                        ESYS_TR_RH_OWNER,
+                        private ? ESYS_TR_RH_NULL : ESYS_TR_RH_OWNER,
 #else
-                        TPM2_RH_OWNER,
+                        private ? TPM2_RH_NULL : TPM2_RH_OWNER,
 #endif
                         &handle->esys_handle);
         if (rc != TSS2_RC_SUCCESS)