From: Gabríel Arthúr Pétursson <gabriel.petursson@marel.com>
Date: Wed, 20 Mar 2024 16:48:36 +0000 (+0000)
Subject: shared: Fix TPM2 unsealing when PCR values change
X-Git-Tag: v256-rc1~426
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1923e213165d1510b553473b1a14c33cb5124bcb;p=thirdparty%2Fsystemd.git

shared: Fix TPM2 unsealing when PCR values change

Recreate the encryption session on each retry. It's invalidated along
with the policy session when freed, failing subsequent retries.

	Unsealing HMAC key.
	WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
	ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x00000128)
	A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (30 tries left).
	Missing encryption session
	Failed to unseal secret using TPM2: Invalid argument

Fixes #31881
---

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 666dd970e6f..203cf5fb3ad 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -5525,13 +5525,13 @@ int tpm2_unseal(Tpm2Context *c,
         if (r < 0)
                 return r;
 
-        _cleanup_(tpm2_handle_freep) Tpm2Handle *encryption_session = NULL;
-        r = tpm2_make_encryption_session(c, primary_handle, hmac_key, &encryption_session);
-        if (r < 0)
-                return r;
-
         _cleanup_(Esys_Freep) TPM2B_SENSITIVE_DATA* unsealed = NULL;
         for (unsigned i = RETRY_UNSEAL_MAX;; i--) {
+                _cleanup_(tpm2_handle_freep) Tpm2Handle *encryption_session = NULL;
+                r = tpm2_make_encryption_session(c, primary_handle, hmac_key, &encryption_session);
+                if (r < 0)
+                        return r;
+
                 _cleanup_(tpm2_handle_freep) Tpm2Handle *policy_session = NULL;
                 _cleanup_(Esys_Freep) TPM2B_DIGEST *policy_digest = NULL;
                 r = tpm2_make_policy_session(