From: Lennart Poettering Date: Wed, 19 Mar 2025 17:09:23 +0000 (+0100) Subject: tpm2-util: return better errors if we try to unlock a tpm key on the wrong tpm X-Git-Tag: v258-rc1~1045 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0015502168b868e8b6380765bdce3abee33b856c;p=thirdparty%2Fsystemd.git tpm2-util: return better errors if we try to unlock a tpm key on the wrong tpm Let's improve error handling in case one tries to unlock a TPM2 locked volume on a different machine via TPM than it was originally enrolled on. Let's recognize this case and print a clearer error message. --- diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c index 85fc12f09ad..956487de772 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c @@ -109,6 +109,8 @@ int acquire_luks2_key( n_policy_hash, srk, ret_decrypted_key); + if (r == -EREMOTE) + return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM."); if (r < 0) return log_error_errno(r, "Failed to unseal secret using TPM2: %m"); diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index 0f840ff61ae..ca8e15d4c9d 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c @@ -1355,6 +1355,8 @@ int decrypt_credential_and_warn( /* n_policy_hash= */ 1, /* srk= */ NULL, &tpm2_key); + if (r == -EREMOTE) + return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM."); if (r < 0) return log_error_errno(r, "Failed to unseal secret using TPM2: %m"); #else diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c index c1cd67bacd7..d7f2e545fd4 100644 --- a/src/shared/cryptsetup-tpm2.c +++ b/src/shared/cryptsetup-tpm2.c @@ -167,6 +167,8 @@ int acquire_tpm2_key( n_policy_hash, srk, ret_decrypted_key); + if (r == -EREMOTE) + return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM."); if (r < 0) return log_error_errno(r, "Failed to unseal secret using TPM2: %m"); @@ -215,6 +217,8 @@ int acquire_tpm2_key( n_policy_hash, srk, ret_decrypted_key); + if (r == -EREMOTE) + return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM."); if (r < 0) { log_error_errno(r, "Failed to unseal secret using TPM2: %m"); diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 18194da3e78..6c2ec26a697 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -2283,6 +2283,9 @@ int tpm2_load( if (rc == TPM2_RC_LOCKOUT) return log_debug_errno(SYNTHETIC_ERRNO(ENOLCK), "TPM2 device is in dictionary attack lockout mode."); + if ((rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_INTEGRITY) /* Return a recognizable error if this key does not belong to the local TPM */ + return log_debug_errno(SYNTHETIC_ERRNO(EREMOTE), + "Key invalid or does not belong to current TPM."); if (rc != TSS2_RC_SUCCESS) return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load key into TPM: %s", sym_Tss2_RC_Decode(rc));