From: Lennart Poettering
Date: Thu, 2 May 2024 16:34:36 +0000 (+0200)
Subject: cryptenroll: do not combine pcrlock and signed PCR policies in TPM mode
X-Git-Tag: v256-rc2~91^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27f42786fe2bcf9f4eba17d1869e69dcde6f9bda;p=thirdparty%2Fsystemd.git

cryptenroll: do not combine pcrlock and signed PCR policies in TPM mode

We currently do not support pcrlock policies and signed PCR policies in combination. Hence, when we auto-discover both, let's disable signed PCR policies if pcrlock is available too (simple because that covers more ground).

Fixes: #32565
---

diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 1656dc1e834..1423f3b2ac3 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -249,8 +249,8 @@ int enroll_tpm2(struct crypt_device *cd,
 const char *device_key,
 Tpm2PCRValue *hash_pcr_values,
 size_t n_hash_pcr_values,
- const char *pubkey_path,
- bool load_pubkey,
+ const char *pcr_pubkey_path,
+ bool load_pcr_pubkey,
 uint32_t pubkey_pcr_mask,
 const char *signature_path,
 bool use_pin,
@@ -307,10 +307,13 @@ int enroll_tpm2(struct crypt_device *cd,
 }
 TPM2B_PUBLIC public = {};
- if (load_pubkey) {
- r = tpm2_load_pcr_public_key(pubkey_path, &pubkey.iov_base, &pubkey.iov_len);
+ /* Load the PCR public key if specified explicitly, or if no pcrlock policy was specified and
+ * automatic loading of PCR public keys wasn't disabled explicitly. The reason we turn this off when
+ * pcrlock is configured is simply that we currently not support both in combination. */
+ if (pcr_pubkey_path || (load_pcr_pubkey && !pcrlock_path)) {
+ r = tpm2_load_pcr_public_key(pcr_pubkey_path, &pubkey.iov_base, &pubkey.iov_len);
 if (r < 0) {
- if (pubkey_path || signature_path || r != -ENOENT)
+ if (pcr_pubkey_path || signature_path || r != -ENOENT)
 return log_error_errno(r, "Failed to read TPM PCR public key: %m");
 log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
@@ -329,7 +332,8 @@ int enroll_tpm2(struct crypt_device *cd,
 return log_debug_errno(r, "Failed to read TPM PCR signature: %m");
 }
 }
- }
+ } else
+ pubkey_pcr_mask = 0;
 bool any_pcr_value_specified = tpm2_pcr_values_has_any_values(hash_pcr_values, n_hash_pcr_values);
diff --git a/src/cryptenroll/cryptenroll-tpm2.h b/src/cryptenroll/cryptenroll-tpm2.h
index 4522b0b5950..d722ed66a0f 100644
--- a/src/cryptenroll/cryptenroll-tpm2.h
+++ b/src/cryptenroll/cryptenroll-tpm2.h
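Review bot: The new condition `if (pcr_pubkey_path || (load_pcr_pubkey && !pcrlock_path))` still loads a PCR public key when both `pcr_pubkey_path` and `pcrlock_path` are set, so the combination the commit message calls unsupported is only avoided on the auto-discovery path; unless the explicit combination is rejected elsewhere (argument parsing or the sealing code, neither visible here), a guard such as `if (pcr_pubkey_path && pcrlock_path) return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Combining a PCR public key with a pcrlock policy is not supported.");` would fail loudly instead of depending on later code. The added comment also reads "we currently not support both in combination"; suggest `* pcrlock is configured is simply that we currently do not support both in combination. */`. The matching declaration in cryptenroll-tpm2.h still names the parameter `pubkey_path` while the definition now uses `pcr_pubkey_path`, so the rename is only half applied. enroll_tpm2() starts and ends outside this hunk.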
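Review bot: The new `} else pubkey_pcr_mask = 0;` silently discards the PCR mask whenever the public key is not loaded, so a mask the user passed explicitly together with a pcrlock policy is dropped without any message and the enrollment ends up bound to a different policy than requested. A short log line before the assignment, e.g. `log_debug("Not loading PCR public key, ignoring PCR public key mask.");`, would make that downgrade visible to the caller; whether a non-zero mask without a key is rejected further down is not visible in this hunk. enroll_tpm2() continues outside the hunk.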
@@ -9,14 +9,14 @@
 #if HAVE_TPM2
 int load_volume_key_tpm2(struct crypt_device *cd, const char *cd_node, const char *device, void *ret_vk, size_t *ret_vks);
-int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t seal_key_handle, const char *device_key, Tpm2PCRValue *hash_pcr_values, size_t n_hash_pcr_values, const char *pubkey_path, bool disable_loading_pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin, const char *pcrlock_path, int *ret_slot_to_wipe);
+int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t seal_key_handle, const char *device_key, Tpm2PCRValue *hash_pcr_values, size_t n_hash_pcr_values, const char *pubkey_path, bool load_pcr_pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin, const char *pcrlock_path, int *ret_slot_to_wipe);
 #else
 static inline int load_volume_key_tpm2(struct crypt_device *cd, const char *cd_node, const char *device, void *ret_vk, size_t *ret_vks) {
 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 unlocking not supported.");
 }
-static inline int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t seal_key_handle, const char *device_key, Tpm2PCRValue *hash_pcr_values, size_t n_hash_pcr_values, const char *pubkey_path, bool disable_loading_pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin, const char *pcrlock_path, int *ret_slot_to_wipe) {
+static inline int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t seal_key_handle, const char *device_key, Tpm2PCRValue *hash_pcr_values, size_t n_hash_pcr_values, const char *pubkey_path, bool load_pcr_pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin, const char *pcrlock_path, int *ret_slot_to_wipe) {
 return 
log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 key enrollment not supported."); }