From: Fabian Vogt
Date: Mon, 16 Dec 2024 18:08:13 +0000 (+0100)
Subject: tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED
X-Git-Tag: v258-rc1~1824
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e61032bf47e6a7e572643a0060c6dd610635c854;p=thirdparty%2Fsystemd.git

tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED

It's not just Esys_Unseal that may fail due to PCR changes during the session, but also Esys_PolicyPCR. Perform a retry in that case as well.

Fixes #35490
---
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 252136af3e1..4bd9fc65dd2 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -4015,6 +4015,9 @@ int tpm2_policy_pcr(
 ESYS_TR_NONE,
 NULL,
 pcr_selection);
+ if (rc == TPM2_RC_PCR_CHANGED)
+ return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
+ "Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
 if (rc != TSS2_RC_SUCCESS)
 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
 "Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
@@ -5810,6 +5813,11 @@ int tpm2_unseal(Tpm2Context *c,
 !!pin,
 (shard == 1 || !iovec_is_set(pubkey)) ? pcrlock_policy : NULL,
 &policy_digest);
+ if (r == -EUCLEAN && i > 0) {
+ log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
+ retry = true;
+ break;
+ }
 if (r < 0)
 return r;
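Review bot: The new early return in tpm2_policy_pcr maps TPM2_RC_PCR_CHANGED to -EUCLEAN, which becomes a contract that every caller of this function inherits, not only tpm2_unseal, yet nothing in the hunk records it. A comment above the check, `/* PCR values changed while the policy session was open; report -EUCLEAN so callers can restart the session (see tpm2_unseal()). */`, plus a matching "Returns -EUCLEAN if ..." sentence in the function's header comment would make the retry protocol discoverable. Callers that previously received -ENOTRECOVERABLE for this response code now receive -EUCLEAN; presumably they just propagate it, but any caller that tests specifically for -ENOTRECOVERABLE is outside this hunk and should be checked. tpm2_policy_pcr begins before the hunk and continues after it.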
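Review bot: The retry condition `r == -EUCLEAN && i > 0` keys the session restart on a generic errno rather than on the TPM response code, so any other -EUCLEAN surfacing from the policy-building call above would also trigger a restart; the mapping only holds while tpm2_policy_pcr is the sole source of that errno on this path, which is worth pinning down with a comment such as `/* -EUCLEAN is how tpm2_policy_pcr() reports TPM2_RC_PCR_CHANGED; restart the session and rebuild the policy. */`. Once `i` reaches 0 the -EUCLEAN falls through to `return r`, so after the retries are exhausted the caller now sees -EUCLEAN where it previously saw -ENOTRECOVERABLE; if calling code distinguishes the two, that change should be deliberate and noted. The decrementing counter does bound the loop, so a PCR that keeps changing cannot keep the unseal spinning, which is the right shape. tpm2_unseal starts before the hunk, and the loop this `break` leaves is not visible here.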