tpm2: handle older tpm enrollments without a saved pcr bank

Older code did not save the pcr bank (i.e. pcr hash algorithm), and instead let
tpm2_unseal() find the best pcr bank to use. In commit
2cd9d57548b0dadd52523df486d33aa4cf7c3b84 we changed tpm2_unseal() to no longer
handle an unset pcr bank. This adds back in the handling of an unset pcr_bank
so older sealed data should continue to work.

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 0ebee68463f5fd9b25c5157990ecb9ec5c17abfe..26ab201194abf9bc3b95ab16e07a8c4964f11e2e 100644 (file)
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -3431,6 +3431,14 @@ int tpm2_unseal(const char *device,
         if (r < 0)
                 return r;
 
+        /* Older code did not save the pcr_bank, and unsealing needed to detect the best pcr bank to use,
+         * so we need to handle that legacy situation. */
+        if (pcr_bank == UINT16_MAX) {
+                r = tpm2_get_best_pcr_bank(c, hash_pcr_mask|pubkey_pcr_mask, &pcr_bank);
+                if (r < 0)
+                        return r;
+        }
+
         _cleanup_(tpm2_handle_freep) Tpm2Handle *primary_handle = NULL;
         if (srk_buf) {
                 r = tpm2_handle_new(c, &primary_handle);