From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 19 Jun 2025 10:28:32 +0000 (+0200)
Subject: cryptsetup: handle DA lockout/bad PIN properly
X-Git-Tag: v258-rc1~284^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F37894%2Fhead;p=thirdparty%2Fsystemd.git

cryptsetup: handle DA lockout/bad PIN properly

Now that we have recognizable errors, let's print clear error messages
when we try to unlock a TPM slot. And in case of the token plugin
propagate this as ENOANO so that libcryptsetup recognizes this as bad
PIN. (ENOANO is documented as the error to return in that case)

Fixes: #32260
---

diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index 708d8a76459..ab7d01f1375 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -111,6 +111,10 @@ int acquire_luks2_key(
                         ret_decrypted_key);
         if (r == -EREMOTE)
                 return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
+        if (r == -EILSEQ)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Bad PIN."); /* cryptsetup docs say we should return ENOANO on bad PIN */
+        if (r == -ENOLCK)
+                return log_error_errno(r, "TPM is in dictionary attack lock-out mode.");
         if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
                 return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
         if (r < 0)
diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c
index b62b0f8b332..bd27d3e6d6b 100644
--- a/src/shared/cryptsetup-tpm2.c
+++ b/src/shared/cryptsetup-tpm2.c
@@ -227,14 +227,14 @@ int acquire_tpm2_key(
                         return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
                 if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
                         return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
-                if (r < 0) {
-                        log_error_errno(r, "Failed to unseal secret using TPM2: %m");
-
-                        /* We get this error in case there is an authentication policy mismatch. This should
-                         * not happen, but this avoids confusing behavior, just in case. */
-                        if (r != -ENOLCK)
-                                continue;
+                if (r == -ENOLCK)
+                        return log_error_errno(r, "TPM is in dictionary attack lock-out mode.");
+                if (r == -EILSEQ) {
+                        log_warning_errno(r, "Bad PIN.");
+                        continue;
                 }
+                if (r < 0)
+                        return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
 
                 return r;
         }