From: Kai Lüke Date: Mon, 20 Apr 2026 13:22:16 +0000 (+0900) Subject: tpm2-util: Also report EREMOTE if key is for different parent template X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0f1ee40986b4329bcc3167feeaa8948b842e8068;p=thirdparty%2Fsystemd.git tpm2-util: Also report EREMOTE if key is for different parent template We already report foreign TPM keys (wrapped for different parent) but this is not enough because when also a different template was used, we don't get TPM2_RC_INTEGRITY but TPM2_RC_SIZE. Also cover TPM2_RC_SIZE to report EREMOTE so that we can continue to iterate over LUKS tokens instead of giving up. --- diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 75cd2aca3e3..3a6afdb95c7 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -3234,7 +3234,7 @@ int tpm2_load( if (rc == TPM2_RC_LOCKOUT) return log_debug_errno(SYNTHETIC_ERRNO(ENOLCK), "TPM2 device is in dictionary attack lockout mode."); - if ((rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_INTEGRITY) /* Return a recognizable error if this key does not belong to the local TPM */ + if (TPM2_RC_IS_FOREIGN_KEY(rc)) return log_debug_errno(SYNTHETIC_ERRNO(EREMOTE), "Key invalid or does not belong to current TPM."); if (rc != TSS2_RC_SUCCESS) @@ -3454,7 +3454,7 @@ static int tpm2_import( seed, symmetric ?: &(TPMT_SYM_DEF_OBJECT){ .algorithm = TPM2_ALG_NULL, }, ret_private); - if ((rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_INTEGRITY) /* Return a recognizable error if this key does not belong to the local TPM */ + if (TPM2_RC_IS_FOREIGN_KEY(rc)) return log_debug_errno(SYNTHETIC_ERRNO(EREMOTE), "Key invalid or does not belong to current TPM."); if (rc != TSS2_RC_SUCCESS) diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 7fca284d699..5f60788869f 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -386,6 +386,10 @@ int tpm2_get_or_create_ek(Tpm2Context *c, const Tpm2Handle *session, TPM2B_PUBLI int tpm2_seal(Tpm2Context *c, uint32_t seal_key_handle, const TPM2B_DIGEST policy_hash[], size_t n_policy, const char *pin, struct iovec *ret_secret, struct iovec **ret_blobs, size_t *ret_n_blobs, uint16_t *ret_primary_alg, struct iovec *ret_srk); int tpm2_unseal(Tpm2Context *c, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, const char *pubkey_policy_ref, uint32_t pubkey_pcr_mask, sd_json_variant *signature, const char *pin, const Tpm2PCRLockPolicy *pcrlock_policy, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec known_policy_hash[], size_t n_known_policy_hash, const struct iovec *srk, struct iovec *ret_secret); +/* On load/import the return codes mean the key was wrapped for a different parent (INTEGRITY) or used a + * different template (SIZE), so it's probably not for our TPM. */ +#define TPM2_RC_IS_FOREIGN_KEY(rc) IN_SET((rc) & ~(TPM2_RC_N_MASK|TPM2_RC_P), TPM2_RC_INTEGRITY, TPM2_RC_SIZE) + #if HAVE_OPENSSL int tpm2_tpm2b_public_to_openssl_pkey(const TPM2B_PUBLIC *public, EVP_PKEY **ret); int tpm2_tpm2b_public_from_openssl_pkey(const EVP_PKEY *pkey, TPM2B_PUBLIC *ret);