From: Lennart Poettering Date: Mon, 10 Jun 2024 16:58:54 +0000 (+0200) Subject: tpm2-util: tighten rules on the nvindex handle range we allocate from X-Git-Tag: v256~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5139b1415cf85489a6c55b5d7c14d08c13bc64d;p=thirdparty%2Fsystemd.git tpm2-util: tighten rules on the nvindex handle range we allocate from Let's follow the conventions set by "Registry of Reserved TPM 2.0 Handles and Localities" and only allocate nvindex currently not assigned to any vendor. For details see: https://trustedcomputinggroup.org/resource/registry/ Section 2.2 --- diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 11750333e4f..87ce53cf954 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -5800,7 +5800,8 @@ int tpm2_unseal(Tpm2Context *c, } static TPM2_HANDLE generate_random_nv_index(void) { - return TPM2_NV_INDEX_FIRST + (TPM2_HANDLE) random_u64_range(TPM2_NV_INDEX_LAST - TPM2_NV_INDEX_FIRST + 1); + return TPM2_NV_INDEX_UNASSIGNED_FIRST + + (TPM2_HANDLE) random_u64_range(TPM2_NV_INDEX_UNASSIGNED_LAST - TPM2_NV_INDEX_UNASSIGNED_FIRST + 1); } int tpm2_define_policy_nv_index( diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index dc8aa88f09b..ed306d41137 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -484,3 +484,14 @@ enum { int tpm2_pcr_index_from_string(const char *s) _pure_; const char *tpm2_pcr_index_to_string(int pcr) _const_; + +/* The first and last NV index handle that is not registered to any company, as per TCG's "Registry of + * Reserved TPM 2.0 Handles and Localities", section 2.2.2. */ +#define TPM2_NV_INDEX_UNASSIGNED_FIRST UINT32_C(0x01800000) +#define TPM2_NV_INDEX_UNASSIGNED_LAST UINT32_C(0x01BFFFFF) + +#if HAVE_TPM2 +/* Verify that the above is indeed a subset of the general NV Index range */ +assert_cc(TPM2_NV_INDEX_UNASSIGNED_FIRST >= TPM2_NV_INDEX_FIRST); +assert_cc(TPM2_NV_INDEX_UNASSIGNED_LAST <= TPM2_NV_INDEX_LAST); +#endif