From: Lennart Poettering
Date: Mon, 2 Jun 2025 10:23:51 +0000 (+0200)
Subject: pcrlock: make error messages more useful if PCR state doesn't match policy during...
X-Git-Tag: v258-rc1~408^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ab04fbc4c5d7009eade670b1ea48c6982b9f372;p=thirdparty%2Fsystemd.git

pcrlock: make error messages more useful if PCR state doesn't match policy during PolicyOR

Fixes: #35187
---
diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index d3b72cc6649..652692ea812 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4632,7 +4632,7 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
 &old_policy.prediction,
 old_policy.algorithm);
 if (r < 0)
- return log_error_errno(r, "Failed to submit super PCR policy: %m");
+ return r;
 
 r = tpm2_policy_authorize_nv(
 tc,
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index d4e81083d17..103cf505813 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -3705,8 +3705,11 @@ int tpm2_policy_or(
 ESYS_TR_NONE,
 ESYS_TR_NONE,
 &hash_list);
+ if ((rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_VALUE) /* Return a recognizable error if none of the OR branches matched */
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOANO),
+ "None of the PolicyOR branches matched the current policy state.");
 if (rc != TSS2_RC_SUCCESS)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
 "Failed to add OR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
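Review bot: Replacing `log_error_errno(r, "Failed to submit super PCR policy: %m")` with a bare `return r;` makes this call site silent, so make_policy now depends on the callee (presumably tpm2_policy_super_pcr, judging by the removed message) logging on every one of its failure paths; any `return r` left in that callee without a log call would make this function fail with no diagnostic at all. A one-line comment on the added line would keep a later reader from re-adding a duplicate message, e.g. `return r; /* callee already logged a more specific error */`. The call whose result is checked here, and the rest of make_policy, lie outside this hunk.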
@@ -6780,8 +6783,17 @@ int tpm2_policy_super_pcr(
 session,
 &pcr_selection,
 ¤t_policy_digest);
+ if (r == -EUCLEAN) {
+ _cleanup_free_ char *j = NULL;
+
+ for (uint32_t pcr = 0; pcr < TPM2_PCRS_MAX; pcr++)
+ if (single_value_pcrs & (UINT32_C(1) << pcr))
+ (void) strextendf_with_separator(&j, ", ", "%" PRIu32, pcr);
+
+ return log_error_errno(r, "Combined value for PCR(s) %s encoded in policy does not match the current TPM state. Either the system has been tempered with or the provided policy is incorrect.", strna(j));
+ }
 if (r < 0)
- return r;
+ return log_error_errno(r, "Failed to submit PCR policy to TPM: %m");
 
 previous_policy_digest = *current_policy_digest;
 }
@@ -6810,8 +6822,10 @@ int tpm2_policy_super_pcr(
 session,
 &pcr_selection,
 ¤t_policy_digest);
+ if (r == -EUCLEAN)
+ return log_error_errno(r, "Value for PCR %" PRIu32 " encoded in policy does not match the current TPM state. Either the system has been tempered with or the provided policy is incorrect.", pcr);
 if (r < 0)
- return r;
+ return log_error_errno(r, "Failed to submit PCR policy to TPM: %m");
 
 _cleanup_free_ TPM2B_DIGEST *branches = NULL;
 branches = new0(TPM2B_DIGEST, n_branches);
@@ -6836,7 +6850,7 @@ int tpm2_policy_super_pcr(
 /* n_pcr_values= */ 1,
 &pcr_policy_digest);
 if (r < 0)
- return r;
+ return log_error_errno(r, "Failed to calculate PolicyPCR: %m");
 
 branches[i++] = pcr_policy_digest;
 }
@@ -6850,8 +6864,10 @@ int tpm2_policy_super_pcr(
 branches,
 n_branches,
 ¤t_policy_digest);
+ if (r == -ENOANO)
+ return log_error_errno(r, "None of the alternative values for PCR %" PRIu32 " encoded in policy match the current TPM state. Either the system has been tempered with or the provided policy is incorrect.", pcr);
 if (r < 0)
- return r;
+ return log_error_errno(r, "Failed to submit OR policy to TPM: %m");
 
 previous_policy_digest = *current_policy_digest;
 }
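Review bot: The user-facing message added in the `r == -EUCLEAN` branch misspells "tampered" as "tempered"; it should read `Either the system has been tampered with or the provided policy is incorrect.` The same phrase is repeated in the lines added by the `@@ -6810` and `@@ -6850` hunks of this file and needs the same fix, so that all three sites report identical wording to the operator who will see and search for it when unsealing fails. The `-EUCLEAN` and `-ENOANO` mappings are assumed to follow the callees' return conventions, which are not visible in these hunks. tpm2_policy_super_pcr itself begins before this hunk.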