tpm2-util: return better errors if we try to unlock a tpm key on the wrong tpm
authorLennart Poettering <lennart@poettering.net>
Wed, 19 Mar 2025 17:09:23 +0000 (18:09 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 19 Mar 2025 20:27:54 +0000 (21:27 +0100)
Let's improve error handling in case one tries to unlock a TPM2-locked
volume via the TPM of a different machine than the one it was originally
enrolled on. Let's recognize this case and print a clearer error message.

src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
src/shared/creds-util.c
src/shared/cryptsetup-tpm2.c
src/shared/tpm2-util.c

index 85fc12f09ad72e47cbdc60ac6d1fd0389a564f71..956487de772a11ac4b56cdf3e66b73af161d575b 100644 (file)
@@ -109,6 +109,8 @@ int acquire_luks2_key(
                         n_policy_hash,
                         srk,
                         ret_decrypted_key);
+        if (r == -EREMOTE)
+                return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
         if (r < 0)
                 return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
 
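Review bot: The message added on the `r == -EREMOTE` branch attributes the failure solely to a foreign TPM, but an integrity failure when loading a sealed key is, as far as I know, also what a user sees after the local TPM has been cleared and its storage hierarchy (and hence the SRK) regenerated, so the hint can send an admin looking for the wrong cause. I'd widen the wording, e.g. `return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM, or the TPM has been reset since enrollment.");`. The same string is added in cryptsetup-tpm2.c (both hunks) and in creds-util.c, so whatever wording is chosen should be applied there too. acquire_luks2_key begins before this hunk.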
index 0f840ff61aeb337031e6071b15e2f107d554608c..ca8e15d4c9d1eaf51fd2623793a8260e9cf4c12d 100644 (file)
@@ -1355,6 +1355,8 @@ int decrypt_credential_and_warn(
                                 /* n_policy_hash= */ 1,
                                 /* srk= */ NULL,
                                 &tpm2_key);
+                if (r == -EREMOTE)
+                        return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
                 if (r < 0)
                         return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
 #else
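Review bot: The message added on the `r == -EREMOTE` branch speaks of a "key enrolled in superblock", which is LUKS terminology copied from the cryptsetup call sites; decrypt_credential_and_warn is unsealing a TPM2 key embedded in a credential, so the text misdescribes where the key came from. Suggested line: `return log_error_errno(r, "TPM key integrity check failed. Key enrolled in credential most likely does not belong to this TPM.");`. The function starts before this hunk and continues after it.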
index c1cd67bacd72701b089577ce3ba4b416d984faa2..d7f2e545fd404d3b1d14844bf8d726f0d2e530ae 100644 (file)
@@ -167,6 +167,8 @@ int acquire_tpm2_key(
                                 n_policy_hash,
                                 srk,
                                 ret_decrypted_key);
+                if (r == -EREMOTE)
+                        return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
                 if (r < 0)
                         return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
 
@@ -215,6 +217,8 @@ int acquire_tpm2_key(
                                 n_policy_hash,
                                 srk,
                                 ret_decrypted_key);
+                if (r == -EREMOTE)
+                        return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
                 if (r < 0) {
                         log_error_errno(r, "Failed to unseal secret using TPM2: %m");
 
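Review bot: In the second hunk (the `@@ -215` one) the new `return` on `-EREMOTE` is inserted ahead of an existing `if (r < 0) {` block that only logs and then continues with a body outside the hunk, unlike the first hunk where the generic branch already returns. If that block does anything beyond logging for other error codes, the early return now deliberately bypasses it for integrity failures, which is reasonable but not stated anywhere. A one-line comment above the new check explaining why this error is not handed to the existing `r < 0` handling, e.g. `/* An integrity failure cannot be fixed by anything the generic path below does, hence bail out now */`, would make the intent explicit for the next reader. acquire_tpm2_key begins before these hunks and continues after them.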
index 18194da3e78b2c8df8ea5a865da1879f4830c350..6c2ec26a697af21bb622f7e2dad72820111bd47c 100644 (file)
@@ -2283,6 +2283,9 @@ int tpm2_load(
         if (rc == TPM2_RC_LOCKOUT)
                 return log_debug_errno(SYNTHETIC_ERRNO(ENOLCK),
                                        "TPM2 device is in dictionary attack lockout mode.");
+        if ((rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_INTEGRITY) /* Return a recognizable error if this key does not belong to the local TPM */
+                return log_debug_errno(SYNTHETIC_ERRNO(EREMOTE),
+                                       "Key invalid or does not belong to current TPM.");
         if (rc != TSS2_RC_SUCCESS)
                 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
                                        "Failed to load key into TPM: %s", sym_Tss2_RC_Decode(rc));