git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Tue, 16 Apr 2024 11:46:58 +0000 (13:46 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Thu, 18 Apr 2024 16:12:23 +0000 (18:12 +0200)
commit	cb835a2ed13604358d356514955b4a2b003dcee6
tree	7f31aef9597104708c2470d6045fbf140a1bcda8	tree \| snapshot
parent	19d82e1beef5858a7d68692607317b630c187d84	commit \| diff

pcrlock: switch access policy for nvindex to store policy in from PolicyAuthValue to PolicySigned (with an HMAC-SHA256 key)

So far the nvindex to store the pcrlock policy in was protected via a
PolicyAuthValue policy (i.e. with a simple PIN set on the nvindex).
That's a bad idea however, as it means an attacker can simply remove and
re-create the nvindex and the "name" of the nvindex does not change,
thus defeating the logic. (This is because the authValue is *not* part
of the "name" of an nvindex!).

Fix this by switching from PolicyAuthValue to PolicySigned with an
HMAC-SHA256 key. Behaviour is very similar: however, the PIN is now part
of of the access policy hash, which *is* part of the "name" of an
nvindex. Thus, if an attacker removes and recreates the nvindex it has
to provide the same PIN again or the "name" of the nvindex will change.
Mission accomplished.

I'd like to thank Chris Coulson for finding this issue (and helping me
address it). Thank you!

src/pcrlock/pcrlock.c		diff \| blob \| blame \| history
src/shared/tpm2-util.c		diff \| blob \| blame \| history
src/shared/tpm2-util.h		diff \| blob \| blame \| history