From: Lennart Poettering
Date: Wed, 24 Dec 2025 07:37:22 +0000 (+0100)
Subject: analyze: properly handle nvpcrs that have not been initialized yet
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=855b4cd731fbded090f6ea38aaa553393cba3253;p=thirdparty%2Fsystemd.git

analyze: properly handle nvpcrs that have not been initialized yet

Let's explicitly check if NvPCRs are fully set up (allocated, anchored) before we try to show them.

Alternative to: #40184
---

diff --git a/src/analyze/analyze-nvpcrs.c b/src/analyze/analyze-nvpcrs.c
index 4da24523935..ae134dfc2b2 100644
--- a/src/analyze/analyze-nvpcrs.c
+++ b/src/analyze/analyze-nvpcrs.c
@@ -27,10 +27,11 @@ static int add_nvpcr_to_table(Tpm2Context **c, Table *t, const char *name) {
                 r = tpm2_nvpcr_read(*c, /* session= */ NULL, name, &digest, &nv_index);
                 if (r < 0)
                         return log_error_errno(r, "Failed to read NvPCR '%s': %m", name);
-
-                h = hexmem(digest.iov_base, digest.iov_len);
-                if (!h)
-                        return log_oom();
+                if (r > 0) { /* set? */
+                        h = hexmem(digest.iov_base, digest.iov_len);
+                        if (!h)
+                                return log_oom();
+                }
         } else {
                 r = tpm2_nvpcr_get_index(name, &nv_index);
                 if (r < 0)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 4ba83a47ae0..8592485bf47 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -7474,6 +7474,21 @@ int tpm2_nvpcr_read(
         if (r < 0)
                 return r;
 
+        /* Check if the NvPCR is already anchored */
+        const char *anchor_fname = strjoina("/run/systemd/nvpcr/", name, ".anchor");
+        r = access_nofollow(anchor_fname, F_OK);
+        if (r < 0) {
+                if (r != -ENOENT)
+                        return log_debug_errno(r, "Failed to check if '%s' exists: %m", anchor_fname);
+
+                /* valid, but not anchored */
+                *ret_value = (struct iovec) {};
+                if (ret_nv_index)
+                        *ret_nv_index = p.nv_index;
+
+                return 0;
+        }
+
         _cleanup_(tpm2_handle_freep) Tpm2Handle *nv_handle = NULL;
         r = tpm2_index_to_handle(
                         c,
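Review bot: The `/* set? */` comment on the new `if (r > 0)` does not say what the two non-error results of tpm2_nvpcr_read() mean, so a reader cannot tell why a zero return deliberately leaves `h` untouched; I would replace it with `/* 0 means the NvPCR exists but has not been anchored yet, so there is no digest to show */`. Whether `h` is initialized to NULL before this point, and how a row without a digest is rendered, lies outside the hunk — add_nvpcr_to_table() starts and ends beyond it — so please confirm the table code takes a NULL `h` on that path rather than dereferencing it.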
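Review bot: The new early return decides that an NvPCR is unset purely from the presence of `/run/systemd/nvpcr/<name>.anchor`, before the TPM is consulted at all, so a defined and anchored NV index whose marker file is missing (a cleared /run, or anchoring done by another tool) is now reported as empty with return 0; if that is intended, the comment should say so, e.g. `/* The anchor marker is our only record that this NvPCR was initialized with its anchor value; without it the NV contents are not meaningful, so report it as unset without reading the TPM. */`. The hunk also makes tpm2_nvpcr_read() tri-state (1 = value read, 0 = not anchored or not defined, <0 = error), and that contract belongs on the function's declaration, which is outside the hunk. `name` is joined into a path here, so it presumably has already been validated as a plain file name earlier in the function (not visible in the hunk); worth confirming, since a name containing `/` or `..` would escape the directory. The window between this existence check and the later NV read is inherent to the marker design and only changes which of the two "unset" outcomes is reported.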
@@ -7488,19 +7503,26 @@ int tpm2_nvpcr_read(
 
         log_debug("Successfully acquired handle to NV index 0x%" PRIx32 ".", p.nv_index);
 
-        r = tpm2_read_nv_index(
-                        c,
-                        /* session= */ NULL,
-                        p.nv_index,
-                        nv_handle,
-                        ret_value);
-        if (r < 0)
-                return r;
+        if (r > 0) {
+                r = tpm2_read_nv_index(
+                                c,
+                                /* session= */ NULL,
+                                p.nv_index,
+                                nv_handle,
+                                ret_value);
+                if (r < 0)
+                        return r;
+
+                r = 1;
+        } else {
+                *ret_value = (struct iovec) {};
+                r = 0;
+        }
 
         if (ret_nv_index)
                 *ret_nv_index = p.nv_index;
 
-        return 0;
+        return r;
 #else /* HAVE_OPENSSL */
         return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
 #endif
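Review bot: The context line `log_debug("Successfully acquired handle to NV index ...")` now runs before the new `if (r > 0)` check, so when tpm2_index_to_handle() returned 0 the log claims a handle was acquired immediately before the else branch reports the NvPCR as unset; move that log_debug() into the `if (r > 0)` block and give the else branch its own line, e.g. `log_debug("NV index 0x%" PRIx32 " is not defined, reporting NvPCR as unset.", p.nv_index);`. That tpm2_index_to_handle() signals a missing index with 0 is inferred from the new branch; the call's own `if (r < 0)` check lies between the two hunks and is not visible here. The else branch repeats the `*ret_value = (struct iovec) {};` reset already done by the anchor check earlier in the function, which is a style point: initializing the empty iovec once and overwriting it only on a successful read would remove the duplication.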