15789897806

Committed 20 Jun 2025 05:25PM UTC coverage: 72.105% (+0.06%) from 72.045%

Build # 15789897806

Build Type

push

github

Committed by

web-flow

Commit Message

bootctl: honour architecture when updating boot loaders (#37913)

Fixes: #33413
Follow-up for: #30418

Run Details

21 of 29 new or added lines in 2 files covered. (72.41%)

1701 existing lines in 55 files now uncovered.

300497 of 416750 relevant lines covered (72.1%)

721912.12 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

53.9

/src/shared/cryptsetup-tpm2.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "sd-json.h"

#include "alloc-util.h"
#include "ask-password-api.h"
#include "cryptsetup-tpm2.h"
#include "cryptsetup-util.h"
#include "env-util.h"
#include "fileio.h"
#include "hexdecoct.h"
#include "log.h"
#include "random-util.h"
#include "strv.h"
#include "tpm2-util.h"

#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
static int get_pin(
                usec_t until,
                const char *askpw_credential,
                AskPasswordFlags askpw_flags,
                char **ret_pin_str) {
        _cleanup_(erase_and_freep) char *pin_str = NULL;
        _cleanup_strv_free_erase_ char **pin = NULL;
        int r;

        assert(ret_pin_str);

        r = getenv_steal_erase("PIN", &pin_str);
        if (r < 0)
                return log_error_errno(r, "Failed to acquire PIN from environment: %m");
        if (!r) {
                if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
                        return log_error_errno(
                                        SYNTHETIC_ERRNO(ENOPKG),
                                        "PIN querying disabled via 'headless' option. "
                                        "Use the '$PIN' environment variable.");

                AskPasswordRequest req = {
                        .tty_fd = -EBADF,
                        .message = "Please enter TPM2 PIN:",
                        .icon = "drive-harddisk",
                        .keyring = "tpm2-pin",
                        .credential = askpw_credential,
                        .until = until,
                        .hup_fd = -EBADF,
                };

                pin = strv_free_erase(pin);
                r = ask_password_auto(&req, askpw_flags, &pin);
                if (r < 0)
                        return log_error_errno(r, "Failed to ask for user pin: %m");
                assert(strv_length(pin) == 1);

                pin_str = strdup(pin[0]);
                if (!pin_str)
                        return log_oom();
        }

        *ret_pin_str = TAKE_PTR(pin_str);

        return r;
}
#endif

int acquire_tpm2_key(
                const char *volume_name,
                const char *device,
                uint32_t hash_pcr_mask,
                uint16_t pcr_bank,
                const struct iovec *pubkey,
                uint32_t pubkey_pcr_mask,
                const char *signature_path,
                const char *pcrlock_path,
                uint16_t primary_alg,
                const char *key_file,
                size_t key_file_size,
                uint64_t key_file_offset,
                const struct iovec blobs[],
                size_t n_blobs,
                const struct iovec policy_hash[],
                size_t n_policy_hash,
                const struct iovec *salt,
                const struct iovec *srk,
                const struct iovec *pcrlock_nv,
                TPM2Flags flags,
                usec_t until,
                const char *askpw_credential,
                AskPasswordFlags askpw_flags,
                struct iovec *ret_decrypted_key) {

#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
        _cleanup_(sd_json_variant_unrefp) sd_json_variant *signature_json = NULL;
        _cleanup_(iovec_done) struct iovec loaded_blob = {};
        _cleanup_free_ char *auto_device = NULL;
        int r;

        assert(iovec_is_valid(salt));

        if (!device) {
                r = tpm2_find_device_auto(&auto_device);
                if (r == -ENODEV)
                        return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
                if (r < 0)
                        return log_error_errno(r, "Could not find TPM2 device: %m");

                device = auto_device;
        }

        if (n_blobs == 0) {
                _cleanup_free_ char *bindname = NULL;

                /* If we read the salt via AF_UNIX, make this client recognizable */
                if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-tpm2/%s", random_u64(), volume_name) < 0)
                        return log_oom();

                r = read_full_file_full(
                                AT_FDCWD, key_file,
                                key_file_offset == 0 ? UINT64_MAX : key_file_offset,
                                key_file_size == 0 ? SIZE_MAX : key_file_size,
                                READ_FULL_FILE_CONNECT_SOCKET,
                                bindname,
                                (char**) &loaded_blob.iov_base, &loaded_blob.iov_len);
                if (r < 0)
                        return r;

                blobs = &loaded_blob;
                n_blobs = 1;
        }

        if (pubkey_pcr_mask != 0) {
                r = tpm2_load_pcr_signature(signature_path, &signature_json);
                if (r < 0)
                        return log_error_errno(r, "Failed to load pcr signature: %m");
        }

        _cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};

        if (FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK)) {
                r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);
                if (r < 0)
                        return r;
                if (r == 0) {
                        /* Not found? Then search among passed credentials */
                        r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy);
                        if (r < 0)
                                return r;
                        if (r == 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume.");
                }
        }

        _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
        r = tpm2_context_new_or_warn(device, &tpm2_context);
        if (r < 0)
                return r;

        if (!(flags & TPM2_FLAGS_USE_PIN)) {
                r = tpm2_unseal(tpm2_context,
                                hash_pcr_mask,
                                pcr_bank,
                                pubkey,
                                pubkey_pcr_mask,
                                signature_json,
                                /* pin= */ NULL,
                                FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
                                primary_alg,
                                blobs,
                                n_blobs,
                                policy_hash,
                                n_policy_hash,
                                srk,
                                ret_decrypted_key);
                if (r == -EREMOTE)
                        return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
                if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
                        return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
                if (r < 0)
                        return log_error_errno(r, "Failed to unseal secret using TPM2: %m");

                return r;
        }

        for (int i = 5;; i--) {
                _cleanup_(erase_and_freep) char *pin_str = NULL, *b64_salted_pin = NULL;

                if (i <= 0)
                        return -EACCES;

                r = get_pin(until, askpw_credential, askpw_flags, &pin_str);
                if (r < 0)
                        return r;

                askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;

                if (iovec_is_set(salt)) {
                        uint8_t salted_pin[SHA256_DIGEST_SIZE] = {};
                        CLEANUP_ERASE(salted_pin);

                        r = tpm2_util_pbkdf2_hmac_sha256(pin_str, strlen(pin_str), salt->iov_base, salt->iov_len, salted_pin);
                        if (r < 0)
                                return log_error_errno(r, "Failed to perform PBKDF2: %m");

                        r = base64mem(salted_pin, sizeof(salted_pin), &b64_salted_pin);
                        if (r < 0)
                                return log_error_errno(r, "Failed to base64 encode salted pin: %m");
                } else
                        /* no salting needed, backwards compat with non-salted pins */
                        b64_salted_pin = TAKE_PTR(pin_str);

                r = tpm2_unseal(tpm2_context,
                                hash_pcr_mask,
                                pcr_bank,
                                pubkey,
                                pubkey_pcr_mask,
                                signature_json,
                                b64_salted_pin,
                                FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
                                primary_alg,
                                blobs,
                                n_blobs,
                                policy_hash,
                                n_policy_hash,
                                srk,
                                ret_decrypted_key);
                if (r == -EREMOTE)
                        return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
                if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
                        return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
                if (r == -ENOLCK)
                        return log_error_errno(r, "TPM is in dictionary attack lock-out mode.");
                if (r == -EILSEQ) {
                        log_warning_errno(r, "Bad PIN.");
                        continue;
                }
                if (r < 0)
                        return log_error_errno(r, "Failed to unseal secret using TPM2: %m");

                return r;
        }
#else
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 support not available.");
#endif
}

int find_tpm2_auto_data(
                struct crypt_device *cd,
                uint32_t search_pcr_mask,
                int start_token,
                uint32_t *ret_hash_pcr_mask,
                uint16_t *ret_pcr_bank,
                struct iovec *ret_pubkey,
                uint32_t *ret_pubkey_pcr_mask,
                uint16_t *ret_primary_alg,
                struct iovec **ret_blobs,
                size_t *ret_n_blobs,
                struct iovec **ret_policy_hash,
                size_t *ret_n_policy_hash,
                struct iovec *ret_salt,
                struct iovec *ret_srk,
                struct iovec *ret_pcrlock_nv,
                TPM2Flags *ret_flags,
                int *ret_keyslot,
                int *ret_token) {

#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
        int r, token;

        assert(cd);
        assert(ret_hash_pcr_mask);
        assert(ret_pcrlock_nv);
        assert(ret_pubkey);
        assert(ret_pubkey_pcr_mask);
        assert(ret_primary_alg);
        assert(ret_blobs);
        assert(ret_n_blobs);
        assert(ret_policy_hash);
        assert(ret_n_policy_hash);
        assert(ret_salt);
        assert(ret_srk);
        assert(ret_pcrlock_nv);
        assert(ret_flags);
        assert(ret_keyslot);
        assert(ret_token);

        for (token = start_token; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
                _cleanup_(iovec_done) struct iovec pubkey = {}, salt = {}, srk = {}, pcrlock_nv = {};
                _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
                struct iovec *blobs = NULL, *policy_hash = NULL;
                size_t n_blobs = 0, n_policy_hash = 0;
                uint32_t hash_pcr_mask, pubkey_pcr_mask;
                uint16_t pcr_bank, primary_alg;
                TPM2Flags flags;
                int keyslot;

                CLEANUP_ARRAY(blobs, n_blobs, iovec_array_free);
                CLEANUP_ARRAY(policy_hash, n_policy_hash, iovec_array_free);

                r = cryptsetup_get_token_as_json(cd, token, "systemd-tpm2", &v);
                if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
                        continue;
                if (r < 0)
                        return log_error_errno(r, "Failed to read JSON token data off disk: %m");

                r = tpm2_parse_luks2_json(
                                v,
                                &keyslot,
                                &hash_pcr_mask,
                                &pcr_bank,
                                &pubkey,
                                &pubkey_pcr_mask,
                                &primary_alg,
                                &blobs,
                                &n_blobs,
                                &policy_hash,
                                &n_policy_hash,
                                &salt,
                                &srk,
                                &pcrlock_nv,
                                &flags);
                if (r == -EUCLEAN) /* Gracefully handle issues in JSON fields not owned by us */
                        continue;
                if (r < 0)
                        return log_error_errno(r, "Failed to parse TPM2 JSON data: %m");

                if (search_pcr_mask == UINT32_MAX ||
                    search_pcr_mask == hash_pcr_mask) {

                        if (start_token <= 0)
                                log_info("Automatically discovered security TPM2 token unlocks volume.");

                        *ret_hash_pcr_mask = hash_pcr_mask;
                        *ret_pcr_bank = pcr_bank;
                        *ret_pubkey = TAKE_STRUCT(pubkey);
                        *ret_pubkey_pcr_mask = pubkey_pcr_mask;
                        *ret_primary_alg = primary_alg;
                        *ret_blobs = TAKE_PTR(blobs);
                        *ret_n_blobs = n_blobs;
                        *ret_policy_hash = TAKE_PTR(policy_hash);
                        *ret_n_policy_hash = n_policy_hash;
                        *ret_salt = TAKE_STRUCT(salt);
                        *ret_keyslot = keyslot;
                        *ret_token = token;
                        *ret_srk = TAKE_STRUCT(srk);
                        *ret_pcrlock_nv = TAKE_STRUCT(pcrlock_nv);
                        *ret_flags = flags;
                        return 0;
                }

                /* PCR mask doesn't match what is configured, ignore this entry, let's see next */
        }

        return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "No valid TPM2 token data found.");
#else
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 support not available.");
#endif
}

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include "sd-json.h"
4
5	#include "alloc-util.h"
6	#include "ask-password-api.h"
7	#include "cryptsetup-tpm2.h"
8	#include "cryptsetup-util.h"
9	#include "env-util.h"
10	#include "fileio.h"
11	#include "hexdecoct.h"
12	#include "log.h"
13	#include "random-util.h"
14	#include "strv.h"
15	#include "tpm2-util.h"
16
17	#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
18	static int get_pin(	×
19	usec_t until,
20	const char *askpw_credential,
21	AskPasswordFlags askpw_flags,
22	char **ret_pin_str) {
23	_cleanup_(erase_and_freep) char *pin_str = NULL;	×
24	_cleanup_strv_free_erase_ char **pin = NULL;	×
25	int r;	×
26
27	assert(ret_pin_str);	×
28
29	r = getenv_steal_erase("PIN", &pin_str);	×
30	if (r < 0)	×
31	return log_error_errno(r, "Failed to acquire PIN from environment: %m");	×
32	if (!r) {	×
33	if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))	×
34	return log_error_errno(	×
35	SYNTHETIC_ERRNO(ENOPKG),
36	"PIN querying disabled via 'headless' option. "
37	"Use the '$PIN' environment variable.");
38
39	AskPasswordRequest req = {	×
40	.tty_fd = -EBADF,
41	.message = "Please enter TPM2 PIN:",
42	.icon = "drive-harddisk",
43	.keyring = "tpm2-pin",
44	.credential = askpw_credential,
45	.until = until,
46	.hup_fd = -EBADF,
47	};
48
49	pin = strv_free_erase(pin);	×
50	r = ask_password_auto(&req, askpw_flags, &pin);	×
51	if (r < 0)	×
52	return log_error_errno(r, "Failed to ask for user pin: %m");	×
53	assert(strv_length(pin) == 1);	×
54
55	pin_str = strdup(pin[0]);	×
56	if (!pin_str)	×
57	return log_oom();	×
58	}
59
60	*ret_pin_str = TAKE_PTR(pin_str);	×
61
62	return r;	×
63	}
64	#endif
65
66	int acquire_tpm2_key(	7✔
67	const char *volume_name,
68	const char *device,
69	uint32_t hash_pcr_mask,
70	uint16_t pcr_bank,
71	const struct iovec *pubkey,
72	uint32_t pubkey_pcr_mask,
73	const char *signature_path,
74	const char *pcrlock_path,
75	uint16_t primary_alg,
76	const char *key_file,
77	size_t key_file_size,
78	uint64_t key_file_offset,
79	const struct iovec blobs[],
80	size_t n_blobs,
81	const struct iovec policy_hash[],
82	size_t n_policy_hash,
83	const struct iovec *salt,
84	const struct iovec *srk,
85	const struct iovec *pcrlock_nv,
86	TPM2Flags flags,
87	usec_t until,
88	const char *askpw_credential,
89	AskPasswordFlags askpw_flags,
90	struct iovec *ret_decrypted_key) {
91
92	#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
93	_cleanup_(sd_json_variant_unrefp) sd_json_variant *signature_json = NULL;	7✔
94	_cleanup_(iovec_done) struct iovec loaded_blob = {};	14✔
95	_cleanup_free_ char *auto_device = NULL;	7✔
96	int r;	7✔
97
98	assert(iovec_is_valid(salt));	7✔
99
100	if (!device) {	7✔
101	r = tpm2_find_device_auto(&auto_device);	7✔
102	if (r == -ENODEV)	7✔
103	return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
104	if (r < 0)	7✔
105	return log_error_errno(r, "Could not find TPM2 device: %m");	×
106
107	device = auto_device;	7✔
108	}
109
110	if (n_blobs == 0) {	7✔
111	_cleanup_free_ char *bindname = NULL;	×
112
113	/* If we read the salt via AF_UNIX, make this client recognizable */
114	if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-tpm2/%s", random_u64(), volume_name) < 0)	×
115	return log_oom();	×
116
117	r = read_full_file_full(	×
118	AT_FDCWD, key_file,
119	key_file_offset == 0 ? UINT64_MAX : key_file_offset,
120	key_file_size == 0 ? SIZE_MAX : key_file_size,
121	READ_FULL_FILE_CONNECT_SOCKET,
122	bindname,
123	(char**) &loaded_blob.iov_base, &loaded_blob.iov_len);
124	if (r < 0)	×
125	return r;
126
127	blobs = &loaded_blob;	×
128	n_blobs = 1;	×
129	}
130
131	if (pubkey_pcr_mask != 0) {	7✔
132	r = tpm2_load_pcr_signature(signature_path, &signature_json);	6✔
133	if (r < 0)	6✔
134	return log_error_errno(r, "Failed to load pcr signature: %m");	×
135	}
136
137	_cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};	7✔
138
139	if (FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK)) {	7✔
140	r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);	2✔
141	if (r < 0)	2✔
142	return r;
143	if (r == 0) {	2✔
144	/* Not found? Then search among passed credentials */
145	r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy);	×
146	if (r < 0)	×
147	return r;
148	if (r == 0)	×
149	return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume.");	×
150	}
151	}
152
153	_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;	7✔
154	r = tpm2_context_new_or_warn(device, &tpm2_context);	7✔
155	if (r < 0)	7✔
156	return r;
157
158	if (!(flags & TPM2_FLAGS_USE_PIN)) {	7✔
159	r = tpm2_unseal(tpm2_context,	12✔
160	hash_pcr_mask,
161	pcr_bank,
162	pubkey,
163	pubkey_pcr_mask,
164	signature_json,
165	/* pin= */ NULL,
166	FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
167	primary_alg,
168	blobs,
169	n_blobs,
170	policy_hash,
171	n_policy_hash,
172	srk,
173	ret_decrypted_key);
174	if (r == -EREMOTE)	7✔
175	return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");	×
176	if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))	7✔
177	return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");	×
178	if (r < 0)	7✔
179	return log_error_errno(r, "Failed to unseal secret using TPM2: %m");	×
180
181	return r;
182	}
183
184	for (int i = 5;; i--) {	×
185	_cleanup_(erase_and_freep) char pin_str = NULL, b64_salted_pin = NULL;	×
186
187	if (i <= 0)	×
188	return -EACCES;
189
190	r = get_pin(until, askpw_credential, askpw_flags, &pin_str);	×
191	if (r < 0)	×
192	return r;
193
194	askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;	×
195
196	if (iovec_is_set(salt)) {	×
197	uint8_t salted_pin[SHA256_DIGEST_SIZE] = {};	×
198	CLEANUP_ERASE(salted_pin);	×
199
200	r = tpm2_util_pbkdf2_hmac_sha256(pin_str, strlen(pin_str), salt->iov_base, salt->iov_len, salted_pin);	×
201	if (r < 0)	×
202	return log_error_errno(r, "Failed to perform PBKDF2: %m");	×
203
204	r = base64mem(salted_pin, sizeof(salted_pin), &b64_salted_pin);	×
205	if (r < 0)	×
206	return log_error_errno(r, "Failed to base64 encode salted pin: %m");	×
207	} else
208	/* no salting needed, backwards compat with non-salted pins */
209	b64_salted_pin = TAKE_PTR(pin_str);	×
210
211	r = tpm2_unseal(tpm2_context,	×
212	hash_pcr_mask,
213	pcr_bank,
214	pubkey,
215	pubkey_pcr_mask,
216	signature_json,
217	b64_salted_pin,
218	FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
219	primary_alg,
220	blobs,
221	n_blobs,
222	policy_hash,
223	n_policy_hash,
224	srk,
225	ret_decrypted_key);
226	if (r == -EREMOTE)	×
227	return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");	×
228	if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))	×
229	return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");	×
230	if (r == -ENOLCK)	×
231	return log_error_errno(r, "TPM is in dictionary attack lock-out mode.");	×
UNCOV 232	if (r == -EILSEQ) {	×
UNCOV 233	log_warning_errno(r, "Bad PIN.");	×
UNCOV 234	continue;	×
235	}
236	if (r < 0)	×
UNCOV 237	return log_error_errno(r, "Failed to unseal secret using TPM2: %m");	×
238
239	return r;
240	}
241	#else
242	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 support not available.");
243	#endif
244	}
245
246	int find_tpm2_auto_data(	7✔
247	struct crypt_device *cd,
248	uint32_t search_pcr_mask,
249	int start_token,
250	uint32_t *ret_hash_pcr_mask,
251	uint16_t *ret_pcr_bank,
252	struct iovec *ret_pubkey,
253	uint32_t *ret_pubkey_pcr_mask,
254	uint16_t *ret_primary_alg,
255	struct iovec **ret_blobs,
256	size_t *ret_n_blobs,
257	struct iovec **ret_policy_hash,
258	size_t *ret_n_policy_hash,
259	struct iovec *ret_salt,
260	struct iovec *ret_srk,
261	struct iovec *ret_pcrlock_nv,
262	TPM2Flags *ret_flags,
263	int *ret_keyslot,
264	int *ret_token) {
265
266	#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
267	int r, token;	7✔
268
269	assert(cd);	7✔
270	assert(ret_hash_pcr_mask);	7✔
271	assert(ret_pcrlock_nv);	7✔
272	assert(ret_pubkey);	7✔
273	assert(ret_pubkey_pcr_mask);	7✔
274	assert(ret_primary_alg);	7✔
275	assert(ret_blobs);	7✔
276	assert(ret_n_blobs);	7✔
277	assert(ret_policy_hash);	7✔
278	assert(ret_n_policy_hash);	7✔
279	assert(ret_salt);	7✔
280	assert(ret_srk);	7✔
281	assert(ret_pcrlock_nv);	7✔
282	assert(ret_flags);	7✔
283	assert(ret_keyslot);	7✔
284	assert(ret_token);	7✔
285
286	for (token = start_token; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {	13✔
287	_cleanup_(iovec_done) struct iovec pubkey = {}, salt = {}, srk = {}, pcrlock_nv = {};	13✔
288	_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;	13✔
289	struct iovec blobs = NULL, policy_hash = NULL;	13✔
290	size_t n_blobs = 0, n_policy_hash = 0;	13✔
291	uint32_t hash_pcr_mask, pubkey_pcr_mask;	13✔
292	uint16_t pcr_bank, primary_alg;	13✔
293	TPM2Flags flags;	13✔
294	int keyslot;	13✔
295
296	CLEANUP_ARRAY(blobs, n_blobs, iovec_array_free);	13✔
297	CLEANUP_ARRAY(policy_hash, n_policy_hash, iovec_array_free);	13✔
298
299	r = cryptsetup_get_token_as_json(cd, token, "systemd-tpm2", &v);	13✔
300	if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))	13✔
301	continue;	6✔
302	if (r < 0)	7✔
303	return log_error_errno(r, "Failed to read JSON token data off disk: %m");	×
304
305	r = tpm2_parse_luks2_json(	7✔
306	v,
307	&keyslot,
308	&hash_pcr_mask,
309	&pcr_bank,
310	&pubkey,
311	&pubkey_pcr_mask,
312	&primary_alg,
313	&blobs,
314	&n_blobs,
315	&policy_hash,
316	&n_policy_hash,
317	&salt,
318	&srk,
319	&pcrlock_nv,
320	&flags);
321	if (r == -EUCLEAN) /* Gracefully handle issues in JSON fields not owned by us */	7✔
322	continue;	×
323	if (r < 0)	7✔
324	return log_error_errno(r, "Failed to parse TPM2 JSON data: %m");	×
325
326	if (search_pcr_mask == UINT32_MAX \|\|	7✔
327	search_pcr_mask == hash_pcr_mask) {	×
328
329	if (start_token <= 0)	7✔
330	log_info("Automatically discovered security TPM2 token unlocks volume.");	7✔
331
332	*ret_hash_pcr_mask = hash_pcr_mask;	7✔
333	*ret_pcr_bank = pcr_bank;	7✔
334	*ret_pubkey = TAKE_STRUCT(pubkey);	7✔
335	*ret_pubkey_pcr_mask = pubkey_pcr_mask;	7✔
336	*ret_primary_alg = primary_alg;	7✔
337	*ret_blobs = TAKE_PTR(blobs);	7✔
338	*ret_n_blobs = n_blobs;	7✔
339	*ret_policy_hash = TAKE_PTR(policy_hash);	7✔
340	*ret_n_policy_hash = n_policy_hash;	7✔
341	*ret_salt = TAKE_STRUCT(salt);	7✔
342	*ret_keyslot = keyslot;	7✔
343	*ret_token = token;	7✔
344	*ret_srk = TAKE_STRUCT(srk);	7✔
345	*ret_pcrlock_nv = TAKE_STRUCT(pcrlock_nv);	7✔
346	*ret_flags = flags;	7✔
347	return 0;	7✔
348	}
349
350	/* PCR mask doesn't match what is configured, ignore this entry, let's see next */
351	}
352
353	return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "No valid TPM2 token data found.");	×
354	#else
355	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 support not available.");
356	#endif
357	}

systemd / systemd / 15789897806

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous