From 331fef07d8b2909a84a88cc3d18911853b413f8f Mon Sep 17 00:00:00 2001 From: safforddr Date: Tue, 13 Jan 2026 13:27:20 -0500 Subject: [PATCH] tpm2: allow use of recoverable sealing keys In some use cases it is desirable to use a recoverable (ie duplicatable) sealing key. Currently objects have the attribute TPMA_OBJECT_FIXEDTPM and TPMA_OBJECT_FIXEDPARENT hard coded, which will not work with a recoverable sealing key. This patch sets the object's attributes from the sealing key's attributes, so that both types of sealing keys will work. --- src/shared/tpm2-util.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 8592485bf47..c751afb06b4 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -5441,6 +5441,11 @@ int tpm2_seal(Tpm2Context *c, seal_key_handle); primary_alg = primary_public->publicArea.type; + + /* Propagate fixedTPM/fixedParent flags from sealing key to hmac key */ + hmac_template.objectAttributes = (hmac_template.objectAttributes & ~(TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT)) | + (primary_public->publicArea.objectAttributes & (TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT)); + } else { if (seal_key_handle != 0) log_debug("Using primary alg sealing, but seal key handle also provided; ignoring seal key handle."); -- 2.47.3
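Review bot: The new assignment to `hmac_template.objectAttributes` clears fixedParent on the sealed object whenever the sealing key has it clear, which makes the sealed blob itself a valid target for TPM2_Duplicate (given its authValue/policy), not merely something that travels with a duplicable parent; the TPM only requires fixedTPM to be clear in a child of a non-fixedTPM parent, so unless the recovery flow needs to duplicate the sealed object on its own, the narrower change is `hmac_template.objectAttributes = (hmac_template.objectAttributes & ~TPMA_OBJECT_FIXEDTPM) | (primary_public->publicArea.objectAttributes & TPMA_OBJECT_FIXEDTPM);`, keeping fixedParent set. Either way, this weakening of the TPM binding deserves a debug log when it happens, e.g. `log_debug("Sealing key is not fixedTPM, creating a duplicable sealed object.");` guarded by a check of the parent's fixedTPM bit, so an operator can tell the two kinds of blobs apart. Note also that if the sealing key has encryptedDuplication set, a non-fixedTPM child presumably has to carry that attribute as well for TPM2_Create to accept the template; that is worth confirming against the reference implementation rather than inferring from this hunk. tpm2_seal begins and ends outside the hunk.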