From: Vitaly Kuznetsov
Date: Fri, 27 Feb 2026 12:46:07 +0000 (+0100)
Subject: cryptenroll: Save primary algorithm type to the LUKS token
X-Git-Tag: v260-rc2~50^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=295affa3f7b74fb8bc680db2d7539e110e6d9130;p=thirdparty%2Fsystemd.git

cryptenroll: Save primary algorithm type to the LUKS token

'tpm2-primary-alg' field is currently unset in LUKS JSON token both for the case when SRK was used for enrolling (--tpm2-device-key=) and for the case when SRK was obtained/generated (--tpm2-device=). While this information is not really needed for unsealing (the sealed object itself has key type in it), it may be convenient to see key type in e.g. 'cryptsetup luksDump' in the situations where key type matters. Since 'tpm2-primary-alg' is already defined, just set it properly in all cases.
---
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 48f08e15d2c..50abca43639 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -313,6 +313,7 @@ int enroll_tpm2(struct crypt_device *cd,
 ssize_t base64_encoded_size;
 int r, keyslot, slot_to_wipe = -1;
 TPM2Flags flags = 0;
+ uint16_t primary_alg = 0;
 uint8_t binary_salt[SHA256_DIGEST_SIZE] = {};
 /*
 * erase the salt, we'd rather attempt to not have this in a coredump
@@ -402,6 +403,8 @@ int enroll_tpm2(struct crypt_device *cd,
 if (!tpm2_pcr_values_has_all_values(hash_pcr_values, n_hash_pcr_values))
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
 "Must provide all PCR values when using TPM2 device key.");
+
+ primary_alg = device_key_public.publicArea.type;
 } else {
 r = tpm2_context_new_or_warn(device, &tpm2_context);
 if (r < 0)
@@ -515,7 +518,7 @@ int enroll_tpm2(struct crypt_device *cd,
 &secret,
 &blobs,
 &n_blobs,
- /* ret_primary_alg= */ NULL,
+ &primary_alg,
 &srk);
 if (r < 0)
 return log_error_errno(r, "Failed to seal to TPM2: %m");
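Review bot: `uint16_t primary_alg = 0;` initializes the new variable to TPM2_ALG_ERROR, which is the same literal 0 the two token-building calls in the -553 and -592 hunks received before this change (the description says that literal left the field unset), so a path that reaches those calls without passing either assignment in the -402 or -515 hunk still records "unset" rather than a bogus algorithm. That reliance on 0 meaning "not determined" is implicit at the declaration; a short comment would make it explicit, e.g. `uint16_t primary_alg = 0; /* TPM2_ALG_ERROR until the sealing path fills it in */`. enroll_tpm2 begins before this hunk.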
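Review bot: `primary_alg = device_key_public.publicArea.type;` copies the algorithm straight from the public area that arrived with --tpm2-device-key= (its loading is outside the hunk), whereas the other branch receives it from the seal call in the -515 hunk, so on this path the LUKS token records whatever type the supplied file declares. If the unmarshalling earlier in the function does not already restrict the type, a guard such as `if (!IN_SET(primary_alg, TPM2_ALG_RSA, TPM2_ALG_ECC)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported primary key type in TPM2 device key.");` keeps an unexpected value out of the header; if it does, a one-line comment above the assignment noting that the type was validated at load time is enough. The enclosing if/else starts before this hunk.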
@@ -553,7 +556,7 @@ int enroll_tpm2(struct crypt_device *cd,
 signature_json,
 pin_str,
 pcrlock_path ? &pcrlock_policy : NULL,
- /* primary_alg= */ 0,
+ primary_alg,
 blobs,
 n_blobs,
 policy_hash_as_iovec,
@@ -592,7 +595,7 @@ int enroll_tpm2(struct crypt_device *cd,
 hash_pcr_bank,
 &pubkey,
 pubkey_pcr_mask,
- /* primary_alg= */ 0,
+ primary_alg,
 blobs,
 n_blobs,
 policy_hash_as_iovec,