From: Vitaly Kuznetsov Date: Fri, 27 Feb 2026 12:46:07 +0000 (+0100) Subject: cryptenroll: Save primary algorithm type to the LUKS token X-Git-Tag: v257.12~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58d9979911cd1472f2369acefb4805d8107b8270;p=thirdparty%2Fsystemd.git cryptenroll: Save primary algorithm type to the LUKS token 'tpm2-primary-alg' field is currently unset in LUKS JSON token both for the case when SRK was used for enrolling (--tpm2-device-key=) and for the case when SRK was obtained/generated (--tpm2-device=). While this information is not really needed for unsealing (the sealed object itself has key type in it), it may be convenient to see key type in e.g. 'cryptsetup luksDump' in the situations where key type matters. Since 'tpm2-primary-alg' is already defined, just set it properly in all cases. (cherry picked from commit 295affa3f7b74fb8bc680db2d7539e110e6d9130) (cherry picked from commit 2e2b25e66c7d6f367dcad63a1723a9f1e6e8e002) (cherry picked from commit 8a7cad4e233160eb56f07479b5f7a448e9555f70) --- diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index ca163ef3c2f..d6cc43d2498 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -304,6 +304,7 @@ int enroll_tpm2(struct crypt_device *cd, ssize_t base64_encoded_size; int r, keyslot, slot_to_wipe = -1; TPM2Flags flags = 0; + uint16_t primary_alg = 0; uint8_t binary_salt[SHA256_DIGEST_SIZE] = {}; /* * erase the salt, we'd rather attempt to not have this in a coredump @@ -393,6 +394,8 @@ int enroll_tpm2(struct crypt_device *cd, if (!tpm2_pcr_values_has_all_values(hash_pcr_values, n_hash_pcr_values)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Must provide all PCR values when using TPM2 device key."); + + primary_alg = device_key_public.publicArea.type; } else { r = tpm2_context_new_or_warn(device, &tpm2_context); if (r < 0) 
@@ -506,7 +509,7 @@ int enroll_tpm2(struct crypt_device *cd, &secret, &blobs, &n_blobs, - /* ret_primary_alg= */ NULL, + &primary_alg, &srk); if (r < 0) return log_error_errno(r, "Failed to seal to TPM2: %m"); @@ -544,7 +547,7 @@ int enroll_tpm2(struct crypt_device *cd, signature_json, pin_str, pcrlock_path ? &pcrlock_policy : NULL, - /* primary_alg= */ 0, + primary_alg, blobs, n_blobs, policy_hash_as_iovec, @@ -583,7 +586,7 @@ int enroll_tpm2(struct crypt_device *cd, hash_pcr_bank, &pubkey, pubkey_pcr_mask, - /* primary_alg= */ 0, + primary_alg, blobs, n_blobs, policy_hash_as_iovec,
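Review bot: in the first hunk (`@@ -304`), the new `uint16_t primary_alg = 0;` is declared with the same width as a TPM2 algorithm identifier and starts as 0 (TPM2_ALG_ERROR), so no branch can hand an uninitialised value to the token writers; since the later call sites drop the `/* primary_alg= */` annotation, a short comment at the declaration saying that 0 means "not determined" would keep that meaning documented in one place.

Review bot: in the `@@ -393` hunk, `primary_alg = device_key_public.publicArea.type;` records whatever type the caller-supplied public key file carries, with no check that it is a type the rest of the code handles. That is acceptable here because the commit message says the value is informational and unsealing reads the type from the sealed object itself, but a `log_debug()` of the recorded algorithm in this branch would make `--tpm2-device-key=` enrollments as easy to diagnose as the `--tpm2-device=` path, where the seal routine fills `&primary_alg`.

Review bot: in the `@@ -506` hunk, replacing `/* ret_primary_alg= */ NULL` with `&primary_alg` makes the seal helper report the algorithm of the SRK it used or created. Because the very next lines are `if (r < 0) return log_error_errno(r, "Failed to seal to TPM2: %m");`, the value is only consumed on success, which is correct; please confirm the helper stores the output parameter on every success path (existing SRK as well as freshly generated SRK), otherwise the default 0 would be persisted silently.

Review bot: in the `@@ -544` hunk, passing `primary_alg,` in place of the literal `/* primary_alg= */ 0,` is the right fix for the token variant that carries `signature_json`, `pin_str` and the optional `pcrlock_policy`; the variable name is self-describing, so removing the parameter-name comment does not hurt readability.

Review bot: in the `@@ -583` hunk, the second token variant (with `hash_pcr_bank`, `&pubkey`, `pubkey_pcr_mask`) now receives the same `primary_alg` as the first, which keeps both token layouts consistent. Neither call site guards against `primary_alg` still being 0, so if either path above ever leaves it unset the token would record TPM2_ALG_ERROR rather than leaving `tpm2-primary-alg` absent, and `cryptsetup luksDump` would show 0; an `assert(primary_alg != 0)` before these calls, or an explicit skip of the field when it is 0, would make that case visible instead of persisting a misleading value.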