]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c68ac12) | patch
tpm2: enable parameter encryption
authorGrigori Goronzy <greg@chown.ath.cx>
Sat, 26 Feb 2022 09:41:16 +0000 (10:41 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 16 Mar 2022 21:52:42 +0000 (22:52 +0100)
commitda29de23ef200b17bb780e5a0efb6cff28c72287
treef78aed9a49e59138b08d23f0daac412d0b196995tree | snapshot
parentc68ac12a0e56272b6521558f85e04ac2bc05b093commit | diff
tpm2: enable parameter encryption

Use a salted, unbound HMAC session with the primary key used as tpmKey,
which mean that the random salt will be encrypted with the primary
key while in transit. Decrypt/encrypt flags are set on the new session
with AES in CFB mode. There is no fallback to XOR mode.

This provides confidentiality and replay protection, both when sealing
and unsealing. There is no protection against man in the middle
attacks since we have no way to authenticate the TPM at the moment.
The exception is unsealing with PIN, as an attacker will be unable
to generate the proper HMAC digest.
src/shared/tpm2-util.c diff | blob | blame | history
src/shared/tpm2-util.h diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.