shared: Fix TPM2 unsealing when PCR values change
authorGabríel Arthúr Pétursson <gabriel.petursson@marel.com>
Wed, 20 Mar 2024 16:48:36 +0000 (16:48 +0000)
committerLuca Boccassi <luca.boccassi@gmail.com>
Sun, 24 Mar 2024 12:49:22 +0000 (12:49 +0000)
Recreate the encryption session on each retry. It is invalidated together
with the policy session when that session is freed, so subsequent retries fail.

Unsealing HMAC key.
WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x00000128)
A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (30 tries left).
Missing encryption session
Failed to unseal secret using TPM2: Invalid argument

Fixes #31881

src/shared/tpm2-util.c

index 666dd970e6f0e2bad7543cccde491a150dbb4e40..203cf5fb3adcd5a42eafb5b221c577399df212ed 100644 (file)
@@ -5525,13 +5525,13 @@ int tpm2_unseal(Tpm2Context *c,
         if (r < 0)
                 return r;
 
-        _cleanup_(tpm2_handle_freep) Tpm2Handle *encryption_session = NULL;
-        r = tpm2_make_encryption_session(c, primary_handle, hmac_key, &encryption_session);
-        if (r < 0)
-                return r;
-
         _cleanup_(Esys_Freep) TPM2B_SENSITIVE_DATA* unsealed = NULL;
         for (unsigned i = RETRY_UNSEAL_MAX;; i--) {
+                _cleanup_(tpm2_handle_freep) Tpm2Handle *encryption_session = NULL;
+                r = tpm2_make_encryption_session(c, primary_handle, hmac_key, &encryption_session);
+                if (r < 0)
+                        return r;
+
                 _cleanup_(tpm2_handle_freep) Tpm2Handle *policy_session = NULL;
                 _cleanup_(Esys_Freep) TPM2B_DIGEST *policy_digest = NULL;
                 r = tpm2_make_policy_session(
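Review bot: Nothing in the new code records why the encryption session is now created inside the retry loop, so a future cleanup could hoist it back above the `for` and silently reintroduce the "Missing encryption session" failure from the bug report; the reasoning lives only in the commit message. I would put a short comment above the added `_cleanup_` declaration on the new side, e.g. `/* Recreate the encryption session on every retry: freeing the policy session at the end of an iteration appears to invalidate it too, and a stale session makes the next unseal attempt fail. */` — the exact invalidation mechanism is in tpm2_make_policy_session/tpm2_handle_freep, which are outside this hunk, so the wording stays hedged. The encryption session is what protects the unsealed secret in transit to the TPM, so it is worth making clear that it must be fresh for each attempt rather than reused. The body of tpm2_unseal and the retry loop continue past the end of this hunk.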