From: Dan Streetman Date: Fri, 14 Jul 2023 17:15:48 +0000 (-0400) Subject: tpm2: handle older tpm enrollments without a saved pcr bank X-Git-Tag: v254-rc2~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=730d6ab9302f42a2d49355ec8851bd5e3929b36d;p=thirdparty%2Fsystemd.git tpm2: handle older tpm enrollments without a saved pcr bank Older code did not save the pcr bank (i.e. pcr hash algorithm), and instead let tpm2_unseal() find the best pcr bank to use. In commit 2cd9d57548b0dadd52523df486d33aa4cf7c3b84 we changed tpm2_unseal() to no longer handle an unset pcr bank. This adds back in the handling of an unset pcr_bank so older sealed data should continue to work. --- diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 0ebee68463f..26ab201194a 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -3431,6 +3431,14 @@ int tpm2_unseal(const char *device, if (r < 0) return r; + /* Older code did not save the pcr_bank, and unsealing needed to detect the best pcr bank to use, + * so we need to handle that legacy situation. */ + if (pcr_bank == UINT16_MAX) { + r = tpm2_get_best_pcr_bank(c, hash_pcr_mask|pubkey_pcr_mask, &pcr_bank); + if (r < 0) + return r; + } + _cleanup_(tpm2_handle_freep) Tpm2Handle *primary_handle = NULL; if (srk_buf) { r = tpm2_handle_new(c, &primary_handle);
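Review bot: the `UINT16_MAX` sentinel meaning "no pcr bank was recorded at enrollment" is explained only by the inline comment in this hunk; consider documenting it at the `tpm2_unseal()` declaration (or giving it a named constant) so callers know what to pass for legacy enrollments, and logging the bank that `tpm2_get_best_pcr_bank()` selects at debug level, since a fallback that picks a bank other than the one the data was originally sealed against will surface only as an opaque unseal failure. It is also worth confirming that `tpm2_get_best_pcr_bank(c, hash_pcr_mask|pubkey_pcr_mask, &pcr_bank)` behaves sensibly when both masks are 0 (no PCRs bound), as the combined mask is passed without a guard.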