From: Ondrej Kozina
Date: Wed, 4 Aug 2021 09:38:20 +0000 (+0200)
Subject: cryptsetup: validate optional tpm2 pcr bank field in token.
X-Git-Tag: v250-rc1~873
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38a0aec61ea39694d74fad12028a207357770d60;p=thirdparty%2Fsystemd.git
cryptsetup: validate optional tpm2 pcr bank field in token.
---
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
index d3aa092f6b8..0baf21d36d2 100644
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
@@ -212,6 +212,22 @@ _public_ int cryptsetup_token_validate(
 }
 }
 
+ /* The bank field is optional, since it was added in systemd 250 only. Before the bank was hardcoded to SHA256 */
+ w = json_variant_by_key(v, "tpm2-pcr-bank");
+ if (w) {
+ /* The PCR bank field is optional */
+
+ if (!json_variant_is_string(w)) {
+ crypt_log_debug(cd, "TPM2 PCR bank is not a string.");
+ return 1;
+ }
+
+ if (tpm2_pcr_bank_from_string(json_variant_string(w)) < 0) {
+ crypt_log_debug(cd, "TPM2 PCR bank invalid or not supported: %s.", json_variant_string(w));
+ return 1;
+ }
+ }
+
 w = json_variant_by_key(v, "tpm2-blob");
 if (!w || !json_variant_is_string(w)) {
 crypt_log_debug(cd, "TPM2 token data lacks 'tpm2-blob' field.");
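Review bot: The inner comment `/* The PCR bank field is optional */` inside the new `if (w)` block repeats the comment two lines above it and says nothing about the branch it sits in; drop it, or make it describe the branch, e.g. `/* Present: must be a string naming a bank that tpm2_pcr_bank_from_string() knows. */`. The second check calls `json_variant_string(w)` twice, once for the conversion and once for the log message; hoisting it once, `const char *bank = json_variant_string(w);`, and using `bank` in both places reads better and keeps the logged value identical to the validated one. The token JSON comes from the LUKS2 header on disk rather than from a trusted source, so rejecting an unknown or malformed bank name here, before any TPM2 call is attempted, is the right place for the check; the enclosing cryptsetup_token_validate starts before and continues past this hunk.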