DEFINE_TRIVIAL_REF_UNREF_FUNC(Tpm2Context, tpm2_context, tpm2_context_free);
-ESYS_TR tpm2_flush_context_verbose(ESYS_CONTEXT *c, ESYS_TR handle) {
+ESYS_TR tpm2_flush_context_verbose(Tpm2Context *c, ESYS_TR handle) {
TSS2_RC rc;
- if (!c || handle == ESYS_TR_NONE)
+ if (!c || !c->esys_context || handle == ESYS_TR_NONE)
return ESYS_TR_NONE;
- rc = sym_Esys_FlushContext(c, handle);
+ rc = sym_Esys_FlushContext(c->esys_context, handle);
if (rc != TSS2_RC_SUCCESS) /* We ignore failures here (besides debug logging), since this is called
* in error paths, where we cannot do anything about failures anymore. And
* when it is called in successful codepaths by this time we already did
#define TPM2_CREDIT_RANDOM_FLAG_PATH "/run/systemd/tpm-rng-credited"
-static int tpm2_credit_random(ESYS_CONTEXT *c) {
+static int tpm2_credit_random(Tpm2Context *c) {
size_t rps, done = 0;
TSS2_RC rc;
usec_t t;
_cleanup_(Esys_Freep) TPM2B_DIGEST *buffer = NULL;
rc = sym_Esys_GetRandom(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
}
static int tpm2_make_primary(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
ESYS_TR *ret_primary,
TPMI_ALG_PUBLIC alg,
TPMI_ALG_PUBLIC *ret_alg) {
if (IN_SET(alg, 0, TPM2_ALG_ECC)) {
rc = sym_Esys_CreatePrimary(
- c,
+ c->esys_context,
ESYS_TR_RH_OWNER,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
if (IN_SET(alg, 0, TPM2_ALG_RSA)) {
rc = sym_Esys_CreatePrimary(
- c,
+ c->esys_context,
ESYS_TR_RH_OWNER,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
}
static int tpm2_pcr_mask_good(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
TPMI_ALG_HASH bank,
uint32_t mask) {
tpm2_pcr_mask_to_selection(mask, bank, &selection);
rc = sym_Esys_PCR_Read(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
}
static int tpm2_get_best_pcr_bank(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
uint32_t pcr_mask,
TPMI_ALG_HASH *ret) {
assert(c);
rc = sym_Esys_GetCapability(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
}
int tpm2_get_good_pcr_banks(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
uint32_t pcr_mask,
TPMI_ALG_HASH **ret) {
assert(ret);
rc = sym_Esys_GetCapability(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
}
int tpm2_get_good_pcr_banks_strv(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
uint32_t pcr_mask,
char ***ret) {
}
static int tpm2_make_encryption_session(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
ESYS_TR primary,
ESYS_TR bind_key,
const char *pin,
hash_pin(pin, strlen(pin), &auth);
- rc = sym_Esys_TR_SetAuth(c, bind_key, &auth);
+ rc = sym_Esys_TR_SetAuth(c->esys_context, bind_key, &auth);
if (rc != TSS2_RC_SUCCESS)
return log_error_errno(
SYNTHETIC_ERRNO(ENOTRECOVERABLE),
* means that the random salt will be encrypted with the well-known key. That way, only the TPM can
* recover the salt, which is then used for key derivation. */
rc = sym_Esys_StartAuthSession(
- c,
+ c->esys_context,
primary,
bind_key,
ESYS_TR_NONE,
/* Enable parameter encryption/decryption with AES in CFB mode. Together with HMAC digests (which are
* always used for sessions), this provides confidentiality, integrity and replay protection for
* operations that use this session. */
- rc = sym_Esys_TRSess_SetAttributes(c, session, sessionAttributes, 0xff);
+ rc = sym_Esys_TRSess_SetAttributes(c->esys_context, session, sessionAttributes, 0xff);
if (rc != TSS2_RC_SUCCESS)
return log_error_errno(
SYNTHETIC_ERRNO(ENOTRECOVERABLE),
#endif
static int tpm2_make_policy_session(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
ESYS_TR primary,
ESYS_TR parent_session,
TPM2_SE session_type,
#endif
rc = sym_Esys_StartAuthSession(
- c,
+ c->esys_context,
primary,
ESYS_TR_NONE,
parent_session,
goto finish;
rc = sym_Esys_LoadExternal(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
/* Acquire the "name" of what we just loaded */
_cleanup_(Esys_Freep) TPM2B_NAME *pubkey_name = NULL;
rc = sym_Esys_TR_GetName(
- c,
+ c->esys_context,
pubkey_handle,
&pubkey_name);
if (rc != TSS2_RC_SUCCESS) {
TPML_PCR_SELECTION pcr_selection;
tpm2_pcr_mask_to_selection(pubkey_pcr_mask, pcr_bank, &pcr_selection);
rc = sym_Esys_PolicyPCR(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
/* Get the policy hash of the PCR policy */
_cleanup_(Esys_Freep) TPM2B_DIGEST *approved_policy = NULL;
rc = sym_Esys_PolicyGetDigest(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
memcpy(policy_signature.signature.rsassa.sig.buffer, signature_raw, signature_size);
rc = sym_Esys_VerifySignature(
- c,
+ c->esys_context,
pubkey_handle,
ESYS_TR_NONE,
ESYS_TR_NONE,
}
rc = sym_Esys_PolicyAuthorize(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
TPML_PCR_SELECTION pcr_selection;
tpm2_pcr_mask_to_selection(hash_pcr_mask, pcr_bank, &pcr_selection);
rc = sym_Esys_PolicyPCR(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
log_debug("Configuring PIN policy.");
rc = sym_Esys_PolicyAuthValue(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
log_debug("Acquiring policy digest.");
rc = sym_Esys_PolicyGetDigest(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
if (r < 0)
return r;
- r = tpm2_make_primary(c->esys_context, &primary, 0, &primary_alg);
+ r = tpm2_make_primary(c, &primary, 0, &primary_alg);
if (r < 0)
return r;
/* we cannot use the bind key before its created */
- r = tpm2_make_encryption_session(c->esys_context, primary, ESYS_TR_NONE, NULL, &session);
+ r = tpm2_make_encryption_session(c, primary, ESYS_TR_NONE, NULL, &session);
if (r < 0)
goto finish;
r = tpm2_make_policy_session(
- c->esys_context,
+ c,
primary,
session,
TPM2_SE_TRIAL,
assert(sizeof(hmac_sensitive.sensitive.data.buffer) >= hmac_sensitive.sensitive.data.size);
- (void) tpm2_credit_random(c->esys_context);
+ (void) tpm2_credit_random(c);
log_debug("Generating secret key data.");
r = 0;
finish:
- primary = tpm2_flush_context_verbose(c->esys_context, primary);
- session = tpm2_flush_context_verbose(c->esys_context, session);
+ primary = tpm2_flush_context_verbose(c, primary);
+ session = tpm2_flush_context_verbose(c, session);
return r;
}
if (r < 0)
return r;
- r = tpm2_make_primary(c->esys_context, &primary, primary_alg, NULL);
+ r = tpm2_make_primary(c, &primary, primary_alg, NULL);
if (r < 0)
return r;
goto finish;
}
- r = tpm2_make_encryption_session(c->esys_context, primary, hmac_key, pin, &hmac_session);
+ r = tpm2_make_encryption_session(c, primary, hmac_key, pin, &hmac_session);
if (r < 0)
goto finish;
for (unsigned i = RETRY_UNSEAL_MAX;; i--) {
r = tpm2_make_policy_session(
- c->esys_context,
+ c,
primary,
hmac_session,
TPM2_SE_POLICY,
&unsealed);
if (rc == TPM2_RC_PCR_CHANGED && i > 0) {
log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
- session = tpm2_flush_context_verbose(c->esys_context, session);
+ session = tpm2_flush_context_verbose(c, session);
continue;
}
if (rc != TSS2_RC_SUCCESS) {
r = 0;
finish:
- primary = tpm2_flush_context_verbose(c->esys_context, primary);
- session = tpm2_flush_context_verbose(c->esys_context, session);
- hmac_key = tpm2_flush_context_verbose(c->esys_context, hmac_key);
+ primary = tpm2_flush_context_verbose(c, primary);
+ session = tpm2_flush_context_verbose(c, session);
+ hmac_key = tpm2_flush_context_verbose(c, hmac_key);
return r;
}
#if HAVE_TPM2
int tpm2_extend_bytes(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
char **banks,
unsigned pcr_index,
const void *data,
}
rc = sym_Esys_PCR_Extend(
- c,
+ c->esys_context,
ESYS_TR_PCR0 + pcr_index,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
projects / thirdparty / systemd.git / commitdiff
