From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 13 Sep 2021 10:43:53 +0000 (+0200)
Subject: tpm2: log about invalid PCRs on each unsealing
X-Git-Tag: v250-rc1~690^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d38466bae68fe746c6052a4dd50e27de0274e52d;p=thirdparty%2Fsystemd.git

tpm2: log about invalid PCRs on each unsealing

Let's log every time we use uninitialized PCRs when unsealing a secret
via TPM2. This indicates a firmware issue usually, and is something we
shouldn't just show when enrolling but also show every time we unseal,
so that the fact that the selected PCR policy is pretty much pointless
is repeatedly shown.
---

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index f5f46d14eed..9d5a0ed8652 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -617,9 +617,15 @@ static int tpm2_make_pcr_session(
 
         log_debug("Starting authentication session.");
 
-        if (pcr_bank != UINT16_MAX)
+        if (pcr_bank != UINT16_MAX) {
+                r = tpm2_pcr_mask_good(c, pcr_bank, pcr_mask);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        log_notice("Selected TPM2 PCRs are not initialized on this system, most likely due to a firmware issue. PCR policy is effectively not enforced. Proceeding anyway.");
+
                 tpm2_pcr_mask_to_selecion(pcr_mask, pcr_bank, &pcr_selection);
-        else {
+        } else {
                 TPMI_ALG_HASH h;
 
                 /* No bank configured, pick automatically. Some TPM2 devices only can do SHA1. If we detect