From: Paul Meyer <katexochen0@gmail.com>
Date: Wed, 17 Jun 2026 15:40:18 +0000 (+0200)
Subject: tpm2-util: refuse NvPCR extend when the NV index is gone
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=662e02a5f8489937e072d8459af560034864469d;p=thirdparty%2Fsystemd.git

tpm2-util: refuse NvPCR extend when the NV index is gone

tpm2_index_to_handle() returns 0 with a NULL handle when the NV index is
not present on the TPM. tpm2_nvpcr_extend_bytes() only checked for r < 0,
so a tombstoned NvPCR (anchor file present, NV slot cleared out from under
us) passed the NULL handle to tpm2_extend_nvpcr_nv_index() and aborted the
process via its assert(). Handle r == 0 explicitly, as the other
tpm2_index_to_handle() callers already do.

The newly introduced -ENODEV is mapped together with -ENOENT to the
io.systemd.PCRExtend.NoSuchNvPCR varlink error.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
---

diff --git a/src/pcrextend/pcrextend.c b/src/pcrextend/pcrextend.c
index b42a190a9f8..cf70daaa927 100644
--- a/src/pcrextend/pcrextend.c
+++ b/src/pcrextend/pcrextend.c
@@ -465,7 +465,7 @@ static int vl_method_extend(sd_varlink *link, sd_json_variant *parameters, sd_va
 
         if (p.nvpcr) {
                 r = extend_nvpcr_now(p.nvpcr, extend_iovec->iov_base, extend_iovec->iov_len, p.event_type);
-                if (r == -ENOENT)
+                if (IN_SET(r, -ENOENT, -ENODEV))
                         return sd_varlink_error(link, "io.systemd.PCRExtend.NoSuchNvPCR", NULL);
         } else
                 r = extend_pcr_now(INDEX_TO_MASK(uint32_t, p.pcr), extend_iovec->iov_base, extend_iovec->iov_len, p.event_type);
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 26f49666774..5af69f544f1 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -7451,6 +7451,10 @@ int tpm2_nvpcr_extend_bytes(
                         &nv_handle);
         if (r < 0)
                 return log_debug_errno(r, "Failed to acquire handle to NV index 0x%" PRIu32 ".", p.nv_index);
+        if (r == 0)
+                return log_debug_errno(SYNTHETIC_ERRNO(ENODEV),
+                                       "NvPCR '%s' is anchored but its NV index 0x%" PRIx32 " is no longer present on the TPM, refusing extend.",
+                                       name, p.nv_index);
 
         log_debug("Successfully acquired handle to existing NV index 0x%" PRIx32 ".", p.nv_index);