From: Khem Raj <raj.khem@gmail.com>
Date: Sat, 5 Apr 2025 04:40:41 +0000 (-0700)
Subject: shared/cred-util: Ensure TPM code is used with HAVE_TPM2 guards
X-Git-Tag: v258-rc1~905
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fd9c4b4f49990f0656092035464b85256a0ba6e3;p=thirdparty%2Fsystemd.git

shared/cred-util: Ensure TPM code is used with HAVE_TPM2 guards

Building with no TPM2 we end up with following error

/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’
In function ‘memcpy’,
    inlined from ‘encrypt_credential_and_warn’ at ../git/src/shared/creds-util.c:1091:17:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: error: argument 2 null where non-null expected [-Werror=nonnull]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   30 |                                  __glibc_objsize0 (__dest));
      |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’
cc1: some warnings being treated as errors   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   30 |                                  __glibc_objsize0 (__dest));
      |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~

This is because code referencing tpm2 data structures is still used while the
initialization of the function has been compiled out since its conditional on HAVE_TPM2

We add needed guards in places where it is missing to fix this problem

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index ca8e15d4c9d..e074c8b2468 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -804,7 +804,9 @@ int encrypt_credential_and_warn(
         _cleanup_(iovec_done_erase) struct iovec tpm2_key = {}, output = {}, host_key = {};
         _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
         _cleanup_free_ struct metadata_credential_header *m = NULL;
+#if HAVE_TPM2
         uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
+#endif
         struct encrypted_credential_header *h;
         int ksz, bsz, ivsz, tsz, added, r;
         uint8_t md[SHA256_DIGEST_LENGTH];
@@ -1078,6 +1080,7 @@ int encrypt_credential_and_warn(
 
         p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz);
 
+#if HAVE_TPM2
         if (iovec_is_set(&tpm2_key)) {
                 struct tpm2_credential_header *t;
 
@@ -1092,7 +1095,7 @@ int encrypt_credential_and_warn(
 
                 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob.iov_len + tpm2_policy_hash.iov_len);
         }
-
+#endif
         if (iovec_is_set(&pubkey)) {
                 struct tpm2_public_key_credential_header *z;