From: Lennart Poettering
Date: Mon, 2 Jun 2025 11:12:28 +0000 (+0200)
Subject: tpm2-util: also generate recognizable error if PolicyAuthorizeNV fails
X-Git-Tag: v258-rc1~408^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f31a87331f0703896708416dbb19aed4ed9b7fe9;p=thirdparty%2Fsystemd.git
tpm2-util: also generate recognizable error if PolicyAuthorizeNV fails
---
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 103cf505813..7e2a84bfee0 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -3661,6 +3661,11 @@ int tpm2_policy_authorize_nv(
 ESYS_TR_PASSWORD,
 ESYS_TR_NONE,
 ESYS_TR_NONE);
+ if ((rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_VALUE) /* Return a recognizable error if the policy
+ * in the NV index does not match what we
+ * just put together */
+ return log_debug_errno(SYNTHETIC_ERRNO(EREMCHG),
+ "Submitted policy does not match policy stored in PolicyAuthorizeNV.");
 if (rc != TSS2_RC_SUCCESS)
 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
 "Failed to add AuthorizeNV policy to TPM: %s",
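Review bot: The added check in tpm2_policy_authorize_nv() clears TPM2_RC_N_MASK and TPM2_RC_P before comparing with TPM2_RC_VALUE, so an RC_VALUE response tied to any handle, parameter or session index is reported as a policy mismatch (EREMCHG). Its debug message also drops the response code that the generic branch right after it still prints through `%s`. Callers that act on EREMCHG then cannot tell from the log which variant the TPM actually returned, so I would state the assumption in the code and keep the code in the message. Concretely, move the trailing three-line comment above the `if` as `/* TPM2_RC_VALUE, regardless of handle/parameter index, is taken to mean the policy digest stored in the NV index differs from the one we just computed */`, and end the new message with `: %s` fed by the same decoded rc the following branch appears to pass. The function starts before this hunk and the last `return` continues past it, so the argument list of that generic branch is not visible here.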