cryptsetup: fall back to traditional unlocking if any TPM2 operation fails
authorAntonio Alvarez Feijoo <antonio.feijoo@suse.com>
Thu, 31 Mar 2022 08:09:29 +0000 (10:09 +0200)
committerLuca Boccassi <luca.boccassi@gmail.com>
Thu, 31 Mar 2022 13:58:21 +0000 (14:58 +0100)
If any TPM2 operation fails, the boot process should continue and
prompt for a text password (if configured to do so).

Fixes #22870

src/cryptsetup/cryptsetup.c

index 6c7b74037f8d5a2be9501f119094d8983c1935af..4c514e408ffbb9ea19f6276bc2a3c814ebda9eac 100644 (file)
@@ -1322,8 +1322,11 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                 return log_error_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");
                         if (ERRNO_IS_NOT_SUPPORTED(r)) /* TPM2 support not compiled in? */
                                 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 support not available, falling back to traditional unlocking.");
-                        if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
-                                return r;
+                        /* EAGAIN means: no tpm2 chip found */
+                        if (r != -EAGAIN) {
+                                log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
+                                return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
+                        }
                 } else {
                         r = attach_luks2_by_tpm2(cd, name, flags);
                         /* EAGAIN     means: no tpm2 chip found
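Review bot: The new `if (r != -EAGAIN)` branch maps every remaining error to -EAGAIN, so the caller can no longer tell "no tpm2 chip found" from a failed TPM2 operation, and the real error code survives only in a notice-level log line. On a machine that relies on the TPM2 binding, that line is the only trace that unlocking dropped back to a password prompt, so it should be easy to alert on; consider `log_warning_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");`. The existing `/* EAGAIN means: no tpm2 chip found */` comment should also say that -EAGAIN returned from this function now covers any TPM2 failure. The same three lines are added in the hunks at -1334 and -1402, and the function body starts and ends outside this hunk.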
@@ -1334,8 +1337,10 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                         if (r == -ENOENT)
                                 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
                                                        "No TPM2 metadata enrolled in LUKS2 header or TPM2 support not available, falling back to traditional unlocking.");
-                        if (!IN_SET(r, -EOPNOTSUPP, -EAGAIN))
-                                return r;
+                        if (!IN_SET(r, -EOPNOTSUPP, -EAGAIN)) {
+                                log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
+                                return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
+                        }
                 }
 
                 if (r == -EOPNOTSUPP) {
@@ -1402,8 +1407,11 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 
                         if (r >= 0)
                                 break;
-                        if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
-                                return r;
+                        /* EAGAIN means: no tpm2 chip found */
+                        if (r != -EAGAIN) {
+                                log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
+                                return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
+                        }
                 }
 
                 if (!monitor) {
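Review bot: This is the third verbatim copy of the log-and-mangle pair in attach_luks_or_plain_or_bitlk_by_tpm2 (the others are in the hunks at -1322 and -1334), which makes it easy for a later change to the log level, or to which errors stay fatal, to miss one site. A small static helper that logs `r` and returns -EAGAIN would keep the message and the fallback policy in one place; each site would then read `return tpm2_failure_fallback(r);` (the helper name is only a suggestion). It would also be the natural place to decide whether errors unrelated to the TPM itself, such as -ENOMEM, should really be made non-fatal; the visible condition `r != -EAGAIN` currently includes them. The enclosing loop and function continue outside this hunk.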