From: Lennart Poettering
Date: Wed, 17 Apr 2024 08:17:20 +0000 (+0200)
Subject: tpm2-util: now that we don't use PolicyAuthValue anymore, let's not set an authValue...
X-Git-Tag: v256-rc1~127^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d10d4a37018375b5ff92d9cafead72026bf3418a;p=thirdparty%2Fsystemd.git
tpm2-util: now that we don't use PolicyAuthValue anymore, let's not set an authValue anymore for the policy nvindex
We have now switched from PolicyAuthValue to PolicySigned to control access to the policy nvindex to. This means there's no point in setting an authValue on the nvindex anymore, hence drop this.
---
diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index f73724f1c6c..fa382a22d8a 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4596,8 +4596,6 @@ static int make_policy(bool force, bool recovery_pin) {
 encryption_session,
 arg_nv_index,
 &recovery_policy_digest,
- pin,
- &auth,
 &nv_index,
 &nv_handle,
 &nv_public);
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index dd2148fcda3..35b4957eefb 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -5771,8 +5771,6 @@ int tpm2_define_policy_nv_index(
 const Tpm2Handle *session,
 TPM2_HANDLE requested_nv_index,
 const TPM2B_DIGEST *write_policy,
- const char *pin,
- const TPM2B_AUTH *auth,
 TPM2_HANDLE *ret_nv_index,
 Tpm2Handle **ret_nv_handle,
 TPM2B_NV_PUBLIC *ret_nv_public) {
@@ -5782,7 +5780,6 @@ int tpm2_define_policy_nv_index(
 int r;
 assert(c);
- assert(pin || auth);
 /* Allocates an nvindex to store a policy for use in PolicyAuthorizeNV in. This is where pcrlock then
 * stores its predicted PCR policies in. If 'requested_nv_index' will try to allocate the specified
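Review bot: No precondition visible in the `@@ -5782,7 +5780,6 @@` hunk of src/shared/tpm2-util.c requires `write_policy` now that `assert(pin || auth);` is gone, although per the commit message the policy is the only thing left gating access to the policy nvindex. If a NULL `write_policy` is not a supported case (the code that consumes it lies outside the hunk), adding `assert(write_policy);` next to `assert(c);` would stop a caller from defining an index that has neither an authValue nor a write policy. The function comment, which begins in this hunk and continues past it, could also say that the index is created without an authValue and that write access is controlled by `write_policy` alone.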
@@ -5794,17 +5791,6 @@ int tpm2_define_policy_nv_index(
 new_handle->flush = false; /* This is a persistent NV index, don't flush hence */
- TPM2B_AUTH _auth = {};
- CLEANUP_ERASE(_auth);
-
- if (!auth) {
- r = tpm2_auth_value_from_pin(TPM2_ALG_SHA256, pin, &_auth);
- if (r < 0)
- return r;
-
- auth = &_auth;
- }
-
 for (unsigned try = 0; try < 25U; try++) {
 TPM2_HANDLE nv_index;
@@ -5832,7 +5818,7 @@ int tpm2_define_policy_nv_index(
 /* shandle1= */ session ? session->esys_handle : ESYS_TR_PASSWORD,
 /* shandle2= */ ESYS_TR_NONE,
 /* shandle3= */ ESYS_TR_NONE,
- auth,
+ /* auth= */ NULL,
 &public_info,
 &new_handle->esys_handle);
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index adee36f8edd..f09b71f84c5 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -301,7 +301,7 @@ int tpm2_tpm2b_public_from_openssl_pkey(const EVP_PKEY *pkey, TPM2B_PUBLIC *ret)
 int tpm2_tpm2b_public_from_pem(const void *pem, size_t pem_size, TPM2B_PUBLIC *ret);
 int tpm2_tpm2b_public_to_fingerprint(const TPM2B_PUBLIC *public, void **ret_fingerprint, size_t *ret_fingerprint_size);
-int tpm2_define_policy_nv_index(Tpm2Context *c, const Tpm2Handle *session, TPM2_HANDLE requested_nv_index, const TPM2B_DIGEST *write_policy, const char *pin, const TPM2B_AUTH *auth, TPM2_HANDLE *ret_nv_index, Tpm2Handle **ret_nv_handle, TPM2B_NV_PUBLIC *ret_nv_public);
+int tpm2_define_policy_nv_index(Tpm2Context *c, const Tpm2Handle *session, TPM2_HANDLE requested_nv_index, const TPM2B_DIGEST *write_policy, TPM2_HANDLE *ret_nv_index, Tpm2Handle **ret_nv_handle, TPM2B_NV_PUBLIC *ret_nv_public);
 int tpm2_write_policy_nv_index(Tpm2Context *c, const Tpm2Handle *policy_session, TPM2_HANDLE nv_index, const Tpm2Handle *nv_handle, const TPM2B_DIGEST *policy_digest);
 int tpm2_undefine_policy_nv_index(Tpm2Context *c, const Tpm2Handle *session, TPM2_HANDLE nv_index, const Tpm2Handle *nv_handle);
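Review bot: Passing `/* auth= */ NULL` in the `@@ -5832,7 +5818,7 @@` hunk leaves the new index with an empty authValue, so its protection now rests entirely on the attributes and policy carried in `public_info`, which is built outside the hunk. It is worth confirming that those attributes do not include `TPMA_NV_AUTHWRITE` or `TPMA_NV_AUTHREAD`; if either were still set, an empty authValue would satisfy it for any caller. A short comment at the argument would record the intent, e.g. `/* auth= */ NULL, /* no authValue: access is gated by the PolicySigned policy */`. The call and the enclosing retry loop start and end outside the hunk.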