From: Lennart Poettering Date: Mon, 2 Jun 2025 11:13:59 +0000 (+0200) Subject: tpm2-util: add a brief summary of tpm2_unseal() return values in a comment X-Git-Tag: v258-rc1~408^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8335765bb8080d5ab86ad1b43acfd25c6a022d65;p=thirdparty%2Fsystemd.git tpm2-util: add a brief summary of tpm2_unseal() return values in a comment --- diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 7e2a84bfee0..6a6756c990d 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -5508,6 +5508,20 @@ int tpm2_unseal(Tpm2Context *c, const struct iovec *srk, struct iovec *ret_secret) { + /* Returns the following errors: + * + * -EREMOTE → blob is from a different TPM + * -EDEADLK → couldn't create primary key because authorization failure + * -ENOLCK → TPM is in dictionary lockout mode + * -EREMCHG → submitted policy doesn't match NV index stored policy (in case of PolicyAuthorizeNV) + * -ENOANO → none of the PolicyOR branches of a policy matched current state + * -EUCLEAN → PCR state doesn't match expectations + * -EPERM → stored policy does not match TPM state + * -ENOTRECOVERABLE → all other kinds of TPM errors + * + * Of these all four of EREMCHG, ENOANO, EUCLEAN, EPERM can all mean that PCR state is not matching + * expectations. */ + TSS2_RC rc; int r;
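Review bot: In the closing sentence of the new comment, "Of these all four of EREMCHG, ENOANO, EUCLEAN, EPERM can all mean ..." doubles "all" and drops the minus sign that the list above it uses. Suggest "Of these, -EREMCHG, -ENOANO, -EUCLEAN and -EPERM can all mean that the PCR state does not match expectations." The -EDEADLK entry has a similar slip: "because authorization failure" should read "because of an authorization failure". Since the comment says four distinct codes can share one underlying cause, it would help callers if it also stated whether those four are meant to be handled alike. It should also say whether the list is exhaustive, since the success value and any failures that do not come from the TPM are not mentioned.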