From: Lennart Poettering Date: Fri, 9 Sep 2022 21:06:58 +0000 (+0200) Subject: tpm2-util: avoid trial X-Git-Tag: v252-rc1~214 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=251d2ea269e96beb18ad0a1a751e93d829db8ebf;p=thirdparty%2Fsystemd.git tpm2-util: avoid trial Let's avoid trial mode for putting together policies if we can, and use the real policy whenever we can pull it off. Fixes: #24401 --- diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 7c9eb77f95d..ba2120065a8 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -924,6 +924,18 @@ static int tpm2_make_policy_session( log_debug("Starting authentication session."); + /* So apparently some TPM implementations don't implement trial mode correctly. To avoid issues let's + * avoid it when it is easy to. At the moment we only really need trial mode for the signed PCR + * policies (since only then we need to shove PCR values into the policy that don't match current + * state anyway), hence if we have none of those we don't need to bother. Hence, let's patch in + * TPM2_SE_POLICY even if trial mode is requested unless a pubkey PCR mask is specified that is + * non-zero, i.e. signed PCR policy is requested. + * + * One day we should switch to calculating policy hashes client side when trial mode is requested, to + * avoid this mess. */ + if (session_type == TPM2_SE_TRIAL && pubkey_pcr_mask == 0) + session_type = TPM2_SE_POLICY; + if ((hash_pcr_mask | pubkey_pcr_mask) != 0) { /* We are told to configure a PCR policy of some form, let's determine/validate the PCR bank to use. */
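Review bot: the override at the top of the hunk silently changes the session type the caller asked for (`if (session_type == TPM2_SE_TRIAL && pubkey_pcr_mask == 0) session_type = TPM2_SE_POLICY;`), so a caller that requested trial mode will get a real policy session with no trace of it in the logs; since the next line already does `log_debug("Starting authentication session.")`, consider a matching `log_debug()` in the override branch saying that trial mode was requested but a real policy session is used because no signed PCR policy is involved, which will make the workaround visible when debugging the TPM implementations the comment refers to. The comment also says the real session only works because, without a pubkey PCR mask, the PCR values pushed into the policy match current state anyway; that assumption holds only for the `pubkey_pcr_mask == 0` case this condition covers, so the comment's last paragraph ("One day we should switch to calculating policy hashes client side") would be easier to find later as an explicit TODO/FIXME marker rather than prose.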