From: safforddr Date: Tue, 13 Jan 2026 18:27:20 +0000 (-0500) Subject: tpm2: allow use of recoverable sealing keys X-Git-Tag: v260-rc1~354 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=331fef07d8b2909a84a88cc3d18911853b413f8f;p=thirdparty%2Fsystemd.git tpm2: allow use of recoverable sealing keys In some use cases it is desirable to use a recoverable (ie duplicatable) sealing key. Currently objects have the attribute TPMA_OBJECT_FIXEDTPM and TPMA_OBJECT_FIXEDPARENT hard coded, which will not work with a recoverable sealing key. This patch sets the object's attributes from the sealing key's attributes, so that both types of sealing keys will work. --- diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 8592485bf47..c751afb06b4 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -5441,6 +5441,11 @@ int tpm2_seal(Tpm2Context *c, seal_key_handle); primary_alg = primary_public->publicArea.type; + + /* Propagate fixedTPM/fixedParent flags from sealing key to hmac key */ + hmac_template.objectAttributes = (hmac_template.objectAttributes & ~(TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT)) | + (primary_public->publicArea.objectAttributes & (TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT)); + } else { if (seal_key_handle != 0) log_debug("Using primary alg sealing, but seal key handle also provided; ignoring seal key handle.");
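Review bot: the hunk silently changes the trust boundary of the sealed blob and neither the code nor the commit message records that; when the sealing key passed via seal_key_handle has fixedTPM/fixedParent CLEAR, the hmac_template now inherits those cleared bits, so the sealed object is no longer bound to this TPM and follows its parent wherever that parent is duplicated. Please add a log_debug() right after the two new assignment lines that fires when `(hmac_template.objectAttributes & (TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT)) != (TPMA_OBJECT_FIXEDTPM|TPMA_OBJECT_FIXEDPARENT)`, saying that the sealed object is duplicable because the sealing key is, and spell out the same trade-off in the commit message (and the user-facing docs for the option that selects the sealing key) so that someone choosing a recoverable key knows the enrolled secret is recoverable too. Copying both bits as a unit from primary_public->publicArea.objectAttributes is the right approach, since the TPM requires fixedTPM to imply fixedParent and a parent with fixedTPM CLEAR may not have children with it SET, so the child template stays spec-consistent whenever the parent was; worth a one-line comment so a later edit does not split the two masks. Leaving the `else` (primary-alg) branch with the hard-coded attributes looks correct, as that primary is created by systemd itself and is fixedTPM.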