assert(cd);
assert(volume_key);
assert(volume_key_size > 0);
- assert(pcr_mask < (1U << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+ assert(TPM2_PCR_MASK_VALID(pcr_mask));
assert_se(node = crypt_get_device_name(cd));
#if HAVE_TPM2
struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
- if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX))
+ if (!TPM2_PCR_MASK_VALID(t->pcr_mask))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
assert(ret_pcr_hash_size);
assert(ret_pcr_bank);
- assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+ assert(TPM2_PCR_MASK_VALID(pcr_mask));
/* So here's what we do here: we connect to the TPM2 chip. It persistently contains a "seed" key that
* is randomized when the TPM2 is first initialized or reset and remains stable across boots. We
assert(ret_secret);
assert(ret_secret_size);
- assert(pcr_mask < (UINT32_C(1) << TPM2_PCRS_MAX)); /* Support 24 PCR banks */
+ assert(TPM2_PCR_MASK_VALID(pcr_mask));
r = dlopen_tpm2();
if (r < 0)
int tpm2_make_luks2_json(int keyslot, uint32_t pcr_mask, uint16_t pcr_bank, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, TPM2Flags flags, JsonVariant **ret);
-#define TPM2_PCRS_MAX 24
+#define TPM2_PCRS_MAX 24U
+
+static inline bool TPM2_PCR_MASK_VALID(uint64_t pcr_mask) {
+ return pcr_mask < (UINT64_C(1) << TPM2_PCRS_MAX); /* Support 24 PCR banks */
+}
/* Default to PCR 7 only */
#define TPM2_PCR_MASK_DEFAULT (UINT32_C(1) << 7)
projects / thirdparty / systemd.git / commitdiff
