srk,
ret_decrypted_key);
if (r == -EREMOTE)
- return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
+ return log_error_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM.");
if (r == -EILSEQ)
return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Bad PIN."); /* cryptsetup docs say we should return ENOANO on bad PIN */
if (r == -ENOLCK)
srk,
ret_decrypted_key);
if (r == -EREMOTE)
- return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
+ return log_error_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM.");
if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
if (r == -ENOSTR)
srk,
ret_decrypted_key);
if (r == -EREMOTE)
- return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
+ return log_error_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM.");
if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
if (r == -ENOSTR)
* just put together */
return log_debug_errno(SYNTHETIC_ERRNO(EREMCHG),
"Submitted policy does not match policy stored in PolicyAuthorizeNV.");
+ if ((rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_HANDLE ||
+ rc == TPM2_RC_NV_UNINITIALIZED) /* NV index is missing, unwritten, or otherwise unusable for this policy (or: wrong authHandle/policySession). */
+ return log_debug_errno(SYNTHETIC_ERRNO(EREMOTE),
+ "NV index referenced by token is missing, unwritten, or unusable.");
if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to add AuthorizeNV policy to TPM: %s",
/* Returns the following errors:
*
- * -EREMOTE → blob is from a different TPM
+ * -EREMOTE → blob is from a different TPM, or NV index referenced by policy is unusable
* -ENOSTR → signature JSON has no matching entry for the current PCR policy
* -EDEADLK → couldn't create primary key because authorization failure
* -ENOLCK → TPM is in dictionary lockout mode