cryptsetup: unbreak CI build
authorLennart Poettering <lennart@poettering.net>
Fri, 30 Jul 2021 20:19:23 +0000 (22:19 +0200)
committerFrantisek Sumsal <frantisek@sumsal.cz>
Sun, 1 Aug 2021 08:43:36 +0000 (10:43 +0200)
PR #20176 broke building of the cryptsetup token logic. This wasn't
noticed before the PR was merged, because the only CIs new enough to be
able to build the token logic (the Fedora Rawhide ones) didn't actually
run at all on the PR.

Let's add the missing hookup for the TPM2 PCR bank logic also to the
token module, to make the CI pass again.

src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h

index 152b06b111accc2f0c9fb213065ffa12dd0e42fc..d3aa092f6b841f21653c8538f7558460bde78ea3 100644 (file)
@@ -57,6 +57,7 @@ _public_ int cryptsetup_token_open(
         const char *json;
         size_t blob_size, policy_hash_size, decrypted_key_size;
         uint32_t pcr_mask;
+        uint16_t pcr_bank;
         systemd_tpm2_plugin_params params = {
                 .search_pcr_mask = UINT32_MAX
         };
@@ -77,7 +78,7 @@ _public_ int cryptsetup_token_open(
         if (usrptr)
                 params = *(systemd_tpm2_plugin_params *)usrptr;
 
-        r = parse_luks2_tpm2_data(json, params.search_pcr_mask, &pcr_mask, &base64_blob, &hex_policy_hash);
+        r = parse_luks2_tpm2_data(json, params.search_pcr_mask, &pcr_mask, &pcr_bank, &base64_blob, &hex_policy_hash);
         if (r < 0)
                 return log_debug_open_error(cd, r);
 
@@ -93,6 +94,7 @@ _public_ int cryptsetup_token_open(
 
         r = acquire_luks2_key(
                         pcr_mask,
+                        pcr_bank,
                         params.device,
                         blob,
                         blob_size,
@@ -133,6 +135,7 @@ _public_ void cryptsetup_token_dump(
 
         int r;
         uint32_t i, pcr_mask;
+        uint16_t pcr_bank;
         size_t decoded_blob_size;
         _cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL,
                             *pcrs_str = NULL, *blob_str = NULL, *policy_hash_str = NULL;
@@ -140,7 +143,7 @@ _public_ void cryptsetup_token_dump(
 
         assert(json);
 
-        r = parse_luks2_tpm2_data(json, UINT32_MAX, &pcr_mask, &base64_blob, &hex_policy_hash);
+        r = parse_luks2_tpm2_data(json, UINT32_MAX, &pcr_mask, &pcr_bank, &base64_blob, &hex_policy_hash);
         if (r < 0)
                 return (void) crypt_log_debug_errno(cd, r, "Failed to parse " TOKEN_NAME " metadata: %m.");
 
@@ -162,7 +165,8 @@ _public_ void cryptsetup_token_dump(
         if (r < 0)
                 return (void) crypt_log_debug_errno(cd, r, "Can not dump " TOKEN_NAME " content: %m");
 
-        crypt_log(cd, "\ttpm2-pcrs:  %s\n", pcrs_str ?: "");
+        crypt_log(cd, "\ttpm2-pcrs:  %s\n", strna(pcrs_str));
+        crypt_log(cd, "\ttpm2-bank:  %s\n", strna(tpm2_pcr_bank_to_string(pcr_bank)));
         crypt_log(cd, "\ttmp2-blob:  %s\n", blob_str);
         crypt_log(cd, "\ttmp2-policy-hash:" CRYPT_DUMP_LINE_SEP "%s\n", policy_hash_str);
 }
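Review bot: In the @@ -93 hunk of cryptsetup_token_open() the new `pcr_bank` argument is forwarded to acquire_luks2_key() unconditionally, and per the parser change in luks2-tpm2.c it holds UINT16_MAX whenever the token JSON carries no "tpm2-pcr-bank" field; whether tpm2_unseal() accepts that sentinel and selects a bank on its own is not visible here, so the call site deserves a comment such as `/* pcr_bank is UINT16_MAX when the token names no "tpm2-pcr-bank"; tpm2_unseal() is expected to pick a bank itself then */`. In cryptsetup_token_dump() the new `tpm2-bank` line presumably relies on tpm2_pcr_bank_to_string() returning NULL for that same sentinel so that strna() prints "n/a"; a one-line comment there would spare the next reader the lookup. The `?: ""` to strna() change on the pcrs line also turns an empty PCR list from an empty string into "n/a", a small visible output change the commit message does not mention. Both cryptsetup_token_open() and cryptsetup_token_dump() start outside the hunks shown.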
index 00540659266cda50e250426fcb17fce7973195d4..a5571f31f6dba262d3deab64ef69414572c05d17 100644 (file)
@@ -10,6 +10,7 @@
 
 int acquire_luks2_key(
                 uint32_t pcr_mask,
+                uint16_t pcr_bank,
                 const char *device,
                 const void *key_data,
                 size_t key_data_size,
@@ -34,7 +35,12 @@ int acquire_luks2_key(
                 device = auto_device;
         }
 
-        return tpm2_unseal(device, pcr_mask, key_data, key_data_size, policy_hash, policy_hash_size, ret_decrypted_key, ret_decrypted_key_size);
+        return tpm2_unseal(
+                        device,
+                        pcr_mask, pcr_bank,
+                        key_data, key_data_size,
+                        policy_hash, policy_hash_size,
+                        ret_decrypted_key, ret_decrypted_key_size);
 }
 
 /* this function expects valid "systemd-tpm2" in json */
@@ -42,19 +48,22 @@ int parse_luks2_tpm2_data(
                 const char *json,
                 uint32_t search_pcr_mask,
                 uint32_t *ret_pcr_mask,
+                uint16_t *ret_pcr_bank,
                 char **ret_base64_blob,
                 char **ret_hex_policy_hash) {
 
         int r;
         JsonVariant *w, *e;
         uint32_t pcr_mask = 0;
+        uint16_t pcr_bank = UINT16_MAX;
         _cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL;
         _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
 
         assert(json);
+        assert(ret_pcr_mask);
+        assert(ret_pcr_bank);
         assert(ret_base64_blob);
         assert(ret_hex_policy_hash);
-        assert(ret_pcr_mask);
 
         r = json_parse(json, 0, &v, NULL, NULL);
         if (r < 0)
@@ -81,6 +90,20 @@ int parse_luks2_tpm2_data(
             search_pcr_mask != pcr_mask)
                 return -ENXIO;
 
+        w = json_variant_by_key(v, "tpm2-pcr-bank");
+        if (w) {
+                /* The PCR bank field is optional */
+
+                if (!json_variant_is_string(w))
+                        return -EINVAL;
+
+                r = tpm2_pcr_bank_from_string(json_variant_string(w));
+                if (r < 0)
+                        return r;
+
+                pcr_bank = r;
+        }
+
         w = json_variant_by_key(v, "tpm2-blob");
         if (!w || !json_variant_is_string(w))
                 return -EINVAL;
@@ -98,6 +121,7 @@ int parse_luks2_tpm2_data(
                 return -ENOMEM;
 
         *ret_pcr_mask = pcr_mask;
+        *ret_pcr_bank = pcr_bank;
         *ret_base64_blob = TAKE_PTR(base64_blob);
         *ret_hex_policy_hash = TAKE_PTR(hex_policy_hash);
 
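Review bot: In the @@ -81 hunk of parse_luks2_tpm2_data() the line `pcr_bank = r;` narrows the int returned by tpm2_pcr_bank_from_string() to uint16_t without any range check; if that helper only ever returns 16-bit TPM2 algorithm ids this is fine, but the assumption should be visible, e.g. `assert(r <= UINT16_MAX); /* helper returns a TPM2 hash algorithm id */` before the assignment. The default `uint16_t pcr_bank = UINT16_MAX;` at the top of the function is the only signal callers get that the token named no bank, and nothing documents that contract — that line deserves `/* UINT16_MAX: token carries no "tpm2-pcr-bank"; the unseal path is expected to choose a bank */`, and the `ret_pcr_bank` / `pcr_bank` declarations in luks2-tpm2.h would carry the same note. The comment `/* The PCR bank field is optional */` sits inside the `if (w)` body where it reads as applying to the string check that follows; placing it above `w = json_variant_by_key(v, "tpm2-pcr-bank");` matches its meaning. parse_luks2_tpm2_data() continues outside the hunk.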
index d36623baf960355295a1b868f34bf1cd8dd606c2..1a20f2cc1fd73bd1480b18ef2efbc0328f6571d9 100644 (file)
@@ -6,6 +6,7 @@ struct crypt_device;
 
 int acquire_luks2_key(
                 uint32_t pcr_mask,
+                uint16_t pcr_bank,
                 const char *device,
                 const void *key_data,
                 size_t key_data_size,
@@ -18,5 +19,6 @@ int parse_luks2_tpm2_data(
                 const char *json,
                 uint32_t search_pcr_mask,
                 uint32_t *ret_pcr_mask,
+                uint16_t *ret_pcr_bank,
                 char **ret_base64_blob,
                 char **ret_hex_policy_hash);