git.ipfire.org Git - thirdparty/systemd.git/commit
tpm2-util: auto-detect supported PCR banks
author Lennart Poettering <lennart@poettering.net>
Thu, 8 Jul 2021 11:52:21 +0000 (13:52 +0200)
committer Lennart Poettering <lennart@poettering.net>
Fri, 30 Jul 2021 17:03:35 +0000 (19:03 +0200)
commit 07697bfee6988630cdb35887c2f2ca3283001f7a
tree a046271604393d00c5f9dca9490f8f5f668681e2
parent 1f0fb7d544711248cba34615e43c5a76bc902d74
tpm2-util: auto-detect supported PCR banks

Previously, we'd encode PCR policies strictly with the SHA256 PCR bank
set. However, as it appears not all hw implement those. Sad.

Let's add some minimal logic to auto-detect supported PCR banks: if
SHA256 is supported, use that. But if not, automatically fall back to
SHA1.

This then changes both the LUKS code, and the credentials code to
serialize the selected bank, along with the rest of the data in order to
make this robust.

This extends the LUKS2 JSON metadata in a compatible way. The credentials
encryption format is modified in an incompatible way however, but given
that this is not part of any official release, that should be OK.

Fixes: #20134
src/cryptenroll/cryptenroll-tpm2.c
src/cryptsetup/cryptsetup-tpm2.c
src/cryptsetup/cryptsetup-tpm2.h
src/cryptsetup/cryptsetup.c
src/partition/repart.c
src/shared/creds-util.c
src/shared/tpm2-util.c
src/shared/tpm2-util.h
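The bank-selection rule the commit message describes (prefer SHA256, otherwise fall back to SHA1), as an added illustration in C that is not systemd's own code. It runs over a constructed stand-in for the TPM2_CAP_PCRS capability reply instead of a real TPM; the `pcr_selection_t` struct, the `tpm2_select_pcr_bank` name and the sample data are assumptions, and it additionally treats a bank that allocates no PCRs as unsupported.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* TPM 2.0 algorithm identifiers from the TCG Algorithm Registry. */
#define TPM2_ALG_SHA1   0x0004
#define TPM2_ALG_SHA256 0x000B

/* Assumed stand-in for one TPMS_PCR_SELECTION entry from TPM2_CAP_PCRS:
 * the bank's hash algorithm plus a bitmap of allocated PCRs (8 per byte). */
typedef struct {
        uint16_t hash;
        uint8_t size_of_select;
        uint8_t pcr_select[4];
} pcr_selection_t;

/* A bank is usable only if at least one PCR is allocated in it; a TPM may
 * list a bank with an all-zero selection when that bank is disabled. */
static bool bank_has_pcrs(const pcr_selection_t *s) {
        for (size_t i = 0; i < s->size_of_select && i < sizeof(s->pcr_select); i++)
                if (s->pcr_select[i] != 0)
                        return true;
        return false;
}

/* Choose the bank a PCR policy is bound to: SHA256 if PCRs are allocated in
 * it, otherwise SHA1. Returns 0 and stores the TPM2_ALG_* id, or -1 if neither. */
int tpm2_select_pcr_bank(const pcr_selection_t *banks, size_t n, uint16_t *bank) {
        bool have_sha1 = false;
        for (size_t i = 0; i < n; i++) {
                if (!bank_has_pcrs(&banks[i]))
                        continue;
                if (banks[i].hash == TPM2_ALG_SHA256) {
                        *bank = TPM2_ALG_SHA256;
                        return 0;
                }
                if (banks[i].hash == TPM2_ALG_SHA1)
                        have_sha1 = true;
        }
        if (!have_sha1)
                return -1;
        *bank = TPM2_ALG_SHA1;
        return 0;
}

/* Constructed sample: all 24 PCRs allocated in SHA1 only, SHA256 listed but empty. */
static const pcr_selection_t sample_sha1_only[] = {
        { TPM2_ALG_SHA1,   3, { 0xff, 0xff, 0xff } },
        { TPM2_ALG_SHA256, 3, { 0x00, 0x00, 0x00 } },
};
```

Whichever bank is chosen must then be serialized next to the policy, as the commit does for LUKS2 metadata and credentials, so the same bank is used when the policy is later evaluated.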