From: Antonio Alvarez Feijoo
Date: Thu, 31 Mar 2022 08:09:29 +0000 (+0200)
Subject: cryptsetup: fall back to traditional unlocking if any TPM2 operation fails
X-Git-Tag: v251-rc2~237
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=49be03838db38609f53f2aba4372917aedfbfa12;p=thirdparty%2Fsystemd.git

cryptsetup: fall back to traditional unlocking if any TPM2 operation fails

If any TPM2 operation fails, the boot process should continue and prompt for a text password (if configured to do so).
Fixes #22870
---
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 6c7b74037f8..4c514e408ff 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -1322,8 +1322,11 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 return log_error_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");
 if (ERRNO_IS_NOT_SUPPORTED(r)) /* TPM2 support not compiled in? */
 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 support not available, falling back to traditional unlocking.");
- if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
- return r;
+ /* EAGAIN means: no tpm2 chip found */
+ if (r != -EAGAIN) {
+ log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
+ return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
+ }
 } else {
 r = attach_luks2_by_tpm2(cd, name, flags);
 /* EAGAIN means: no tpm2 chip found
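Review bot: The catch-all added under `/* EAGAIN means: no tpm2 chip found */` returns that same -EAGAIN for every other TPM2 error, so the caller can no longer tell an absent chip from a failed operation on an enrolled one; the only remaining trace is a single notice-level journal line. On a host whose volume is bound to TPM2 state, that failure is presumably the event an operator wants to alert on, so I would raise the level and update the comment, e.g. `log_warning_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");` under `/* EAGAIN: no tpm2 chip found; every other error is logged and mapped to EAGAIN as well */`. The same three lines are repeated in the hunks at -1334 and -1402, and a small static helper would keep the copies from drifting apart. The enclosing function starts and ends outside this hunk.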
@@ -1334,8 +1337,10 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 if (r == -ENOENT)
 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "No TPM2 metadata enrolled in LUKS2 header or TPM2 support not available, falling back to traditional unlocking.");
- if (!IN_SET(r, -EOPNOTSUPP, -EAGAIN))
- return r;
+ if (!IN_SET(r, -EOPNOTSUPP, -EAGAIN)) {
+ log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
+ return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
+ }
 }
 if (r == -EOPNOTSUPP) {
@@ -1402,8 +1407,11 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 if (r >= 0)
 break;
- if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
- return r;
+ /* EAGAIN means: no tpm2 chip found */
+ if (r != -EAGAIN) {
+ log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
+ return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
+ }
 }
 if (!monitor) {
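Review bot: Success is not excluded from the new catch-all in the -1334 hunk: `!IN_SET(r, -EOPNOTSUPP, -EAGAIN)` is also true for r >= 0, so a successful `attach_luks2_by_tpm2()` would be logged as "TPM2 operation failed" and returned as -EAGAIN, where the removed `return r;` passed the success value through. The -1402 hunk has `if (r >= 0) break;` in front of the same block, but no equivalent is visible here. The few lines between the call and this hunk are not shown, so confirm that none of them returns on success. If none does, add `if (r >= 0) return r;` directly after the call; otherwise a volume the TPM2 already unlocked is presumably reported as needing the traditional fallback.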