• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

systemd / systemd / 28630269468

02 Jul 2026 10:23PM UTC coverage: 72.618% (-0.06%) from 72.68%
28630269468

push

github

yuwata
test: ignore fails when the formatted timezone differs from the current one

When formatting a timestamp the C API takes into account historical data
from tzdata, so it returns a date strings with a historically-correct
timezone abbreviation. However, tzname[] doesn't do this and it returns
the most recent abbreviation for the given zone.

For example, according to tzdata America/Cancun switched from EST/EDT to
CST/CDT on 1998-08-02:

Zone America/Cancun     -5:47:04 -      LMT     1922 Jan  1  6:00u
                        -6:00   -       CST     1981 Dec 26  2:00
                        -5:00   -       EST     1983 Jan  4  0:00
                        -6:00   Mexico  C%sT    1997 Oct 26  2:00
                        -5:00   Mexico  E%sT    1998 Aug  2  2:00
                        -6:00   Mexico  C%sT    2015 Feb  1  2:00
                        -5:00   -       EST

So, formatting a timestamp from this time will yield a string with the
EDT timezone:

$ TZ=America/Cancun date -d "@902035565"
Sun Aug  2 01:26:05 EDT 1998

But using tzname[] (or strptime %z) shows the most recent data, where
America/Cancun uses EST (and doesn't use DST anymore, hence
tzname[1]=CDT that glibc remembers from the previous zone epoch):

$ TZ=America/Cancun ./tz
{EST, CDT}

This means that when we parse the formatted timestamp back we don't use
the historical timezone data, so we might end up with a different
offset:

TZ=America/Cancun, tzname[0]=EST, tzname[1]=CDT
@902035565603993 → Sun 1998-08-02 01:26:05 EDT → @902039165000000 → Sun 1998-08-02 01:26:05 CDT
src/test/test-time-util.c:452: Assertion failed: Expected "ignore" to be true
Aborted                    (core dumped) build-local/test-time-util

Instead of adding exceptions for every single timezone that switched
between different offsets in the past, let's address this a bit more
generally and skip the check if the parsed timezone doesn't match any of
the current timezones - this still keeps the check that the time... (continued)

1 of 5 new or added lines in 1 file covered. (20.0%)

9391 existing lines in 86 files now uncovered.

341680 of 470518 relevant lines covered (72.62%)

1343034.26 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

59.24
/src/shared/cryptsetup-tpm2.c
1
/* SPDX-License-Identifier: LGPL-2.1-or-later */
2

3
#include "sd-json.h"
4

5
#include "alloc-util.h"
6
#include "ask-password-api.h"
7
#include "cryptsetup-tpm2.h"
8
#include "cryptsetup-util.h"
9
#include "env-util.h"
10
#include "fileio.h"
11
#include "hexdecoct.h"
12
#include "log.h"
13
#include "random-util.h"
14
#include "strv.h"
15
#include "tpm2-util.h"
16

17
#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
18
static int get_pin(
×
19
                usec_t until,
20
                const char *askpw_credential,
21
                AskPasswordFlags askpw_flags,
22
                char **ret_pin_str) {
23
        _cleanup_(erase_and_freep) char *pin_str = NULL;
×
24
        _cleanup_strv_free_erase_ char **pin = NULL;
×
25
        int r;
×
26

27
        assert(ret_pin_str);
×
28

29
        r = getenv_steal_erase("PIN", &pin_str);
×
30
        if (r < 0)
×
31
                return log_error_errno(r, "Failed to acquire PIN from environment: %m");
×
32
        if (!r) {
×
33
                if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
×
34
                        return log_error_errno(
×
35
                                        SYNTHETIC_ERRNO(ENOPKG),
36
                                        "PIN querying disabled via 'headless' option. "
37
                                        "Use the '$PIN' environment variable.");
38

39
                AskPasswordRequest req = {
×
40
                        .tty_fd = -EBADF,
41
                        .message = "Please enter TPM2 PIN:",
42
                        .icon = "drive-harddisk",
43
                        .keyring = "tpm2-pin",
44
                        .credential = askpw_credential,
45
                        .until = until,
46
                        .hup_fd = -EBADF,
47
                };
48

49
                pin = strv_free_erase(pin);
×
50
                r = ask_password_auto(&req, askpw_flags, &pin);
×
51
                if (r < 0)
×
52
                        return log_error_errno(r, "Failed to ask for user pin: %m");
×
53
                assert(strv_length(pin) == 1);
×
54

55
                pin_str = strdup(pin[0]);
×
56
                if (!pin_str)
×
57
                        return log_oom();
×
58
        }
59

60
        *ret_pin_str = TAKE_PTR(pin_str);
×
61

62
        return r;
×
63
}
64
#endif
65

66
int acquire_tpm2_key(
9✔
67
                const char *volume_name,
68
                const char *device,
69
                uint32_t hash_pcr_mask,
70
                uint16_t pcr_bank,
71
                const struct iovec *pubkey,
72
                const char *pubkey_policy_ref,
73
                uint32_t pubkey_pcr_mask,
74
                const char *signature_path,
75
                const char *pcrlock_path,
76
                uint16_t primary_alg,
77
                const char *key_file,
78
                size_t key_file_size,
79
                uint64_t key_file_offset,
80
                const struct iovec blobs[],
81
                size_t n_blobs,
82
                const struct iovec policy_hash[],
83
                size_t n_policy_hash,
84
                const struct iovec *salt,
85
                const struct iovec *srk,
86
                const struct iovec *pcrlock_nv,
87
                TPM2Flags flags,
88
                usec_t until,
89
                const char *askpw_credential,
90
                AskPasswordFlags askpw_flags,
91
                struct iovec *ret_decrypted_key) {
92

93
#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
94
        _cleanup_(sd_json_variant_unrefp) sd_json_variant *signature_json = NULL;
9✔
95
        _cleanup_(iovec_done) struct iovec loaded_blob = {};
9✔
96
        _cleanup_free_ char *auto_device = NULL;
9✔
97
        int r;
9✔
98

99
        assert(iovec_is_valid(salt));
9✔
100

101
        if (!device) {
9✔
102
                r = tpm2_find_device_auto(&auto_device);
9✔
103
                if (r == -ENODEV)
9✔
104
                        return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
105
                if (r < 0)
9✔
UNCOV
106
                        return log_error_errno(r, "Could not find TPM2 device: %m");
×
107

108
                device = auto_device;
9✔
109
        }
110

111
        if (n_blobs == 0) {
9✔
112
                _cleanup_free_ char *bindname = NULL;
2✔
113

114
                /* If we read the salt via AF_UNIX, make this client recognizable */
115
                if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-tpm2/%s", random_u64(), volume_name) < 0)
2✔
UNCOV
116
                        return log_oom();
×
117

118
                r = read_full_file_full(
6✔
119
                                AT_FDCWD, key_file,
120
                                key_file_offset == 0 ? UINT64_MAX : key_file_offset,
121
                                key_file_size == 0 ? SIZE_MAX : key_file_size,
122
                                READ_FULL_FILE_CONNECT_SOCKET,
123
                                bindname,
124
                                (char**) &loaded_blob.iov_base, &loaded_blob.iov_len);
125
                if (r < 0)
2✔
126
                        return r;
127

128
                blobs = &loaded_blob;
2✔
129
                n_blobs = 1;
2✔
130
        }
131

132
        if (pubkey_pcr_mask != 0) {
9✔
133
                r = tpm2_load_pcr_signature(signature_path, &signature_json);
1✔
134
                if (r < 0)
1✔
UNCOV
135
                        return log_error_errno(r, "Failed to load pcr signature: %m");
×
136
        }
137

138
        _cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};
9✔
139

140
        if (FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK)) {
9✔
141
                r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);
2✔
142
                if (r < 0)
2✔
143
                        return r;
144
                if (r == 0) {
2✔
145
                        /* Not found? Then search among passed credentials */
146
                        r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy);
×
UNCOV
147
                        if (r < 0)
×
148
                                return r;
149
                        if (r == 0)
×
UNCOV
150
                                return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume.");
×
151
                }
152
        }
153

154
        _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
9✔
155
        r = tpm2_context_new_or_warn(device, &tpm2_context);
9✔
156
        if (r < 0)
9✔
157
                return r;
158

159
        if (!(flags & TPM2_FLAGS_USE_PIN)) {
9✔
160
                r = tpm2_unseal(tpm2_context,
16✔
161
                                hash_pcr_mask,
162
                                pcr_bank,
163
                                pubkey,
164
                                pubkey_policy_ref,
165
                                pubkey_pcr_mask,
166
                                signature_json,
167
                                /* pin= */ NULL,
168
                                FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
169
                                primary_alg,
170
                                blobs,
171
                                n_blobs,
172
                                policy_hash,
173
                                n_policy_hash,
174
                                srk,
175
                                ret_decrypted_key);
176
                if (r == -EREMOTE)
9✔
177
                        return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
×
178
                if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
9✔
UNCOV
179
                        return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
×
180
                if (r < 0)
9✔
181
                        return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
2✔
182

183
                return r;
184
        }
185

UNCOV
186
        for (int i = 5;; i--) {
×
187
                _cleanup_(erase_and_freep) char *pin_str = NULL, *b64_salted_pin = NULL;
×
188

UNCOV
189
                if (i <= 0)
×
190
                        return -EACCES;
191

UNCOV
192
                r = get_pin(until, askpw_credential, askpw_flags, &pin_str);
×
UNCOV
193
                if (r < 0)
×
194
                        return r;
195

196
                askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
×
197

198
                if (iovec_is_set(salt)) {
×
UNCOV
199
                        uint8_t salted_pin[SHA256_DIGEST_SIZE] = {};
×
200
                        CLEANUP_ERASE(salted_pin);
×
201

202
                        r = tpm2_util_pbkdf2_hmac_sha256(pin_str, strlen(pin_str), salt->iov_base, salt->iov_len, salted_pin);
×
UNCOV
203
                        if (r < 0)
×
204
                                return log_error_errno(r, "Failed to perform PBKDF2: %m");
×
205

206
                        r = base64mem(salted_pin, sizeof(salted_pin), &b64_salted_pin);
×
UNCOV
207
                        if (r < 0)
×
UNCOV
208
                                return log_error_errno(r, "Failed to base64 encode salted pin: %m");
×
209
                } else
210
                        /* no salting needed, backwards compat with non-salted pins */
211
                        b64_salted_pin = TAKE_PTR(pin_str);
×
212

UNCOV
213
                r = tpm2_unseal(tpm2_context,
×
214
                                hash_pcr_mask,
215
                                pcr_bank,
216
                                pubkey,
217
                                pubkey_policy_ref,
218
                                pubkey_pcr_mask,
219
                                signature_json,
220
                                b64_salted_pin,
221
                                FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
222
                                primary_alg,
223
                                blobs,
224
                                n_blobs,
225
                                policy_hash,
226
                                n_policy_hash,
227
                                srk,
228
                                ret_decrypted_key);
229
                if (r == -EREMOTE)
×
230
                        return log_error_errno(r, "TPM key integrity check failed. Key enrolled in superblock most likely does not belong to this TPM.");
×
231
                if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r))
×
232
                        return log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m");
×
233
                if (r == -ENOLCK)
×
234
                        return log_error_errno(r, "TPM is in dictionary attack lock-out mode.");
×
UNCOV
235
                if (r == -EILSEQ) {
×
236
                        log_warning_errno(r, "Bad PIN.");
×
237
                        continue;
×
238
                }
UNCOV
239
                if (r < 0)
×
UNCOV
240
                        return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
×
241

242
                return r;
243
        }
244
#else
245
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 support not available.");
246
#endif
247
}
248

249
int find_tpm2_auto_data(
7✔
250
                struct crypt_device *cd,
251
                uint32_t search_pcr_mask,
252
                int start_token,
253
                uint32_t *ret_hash_pcr_mask,
254
                uint16_t *ret_pcr_bank,
255
                struct iovec *ret_pubkey,
256
                char **ret_pubkey_policy_ref,
257
                uint32_t *ret_pubkey_pcr_mask,
258
                uint16_t *ret_primary_alg,
259
                struct iovec **ret_blobs,
260
                size_t *ret_n_blobs,
261
                struct iovec **ret_policy_hash,
262
                size_t *ret_n_policy_hash,
263
                struct iovec *ret_salt,
264
                struct iovec *ret_srk,
265
                struct iovec *ret_pcrlock_nv,
266
                TPM2Flags *ret_flags,
267
                int *ret_keyslot,
268
                int *ret_token) {
269

270
#if HAVE_LIBCRYPTSETUP && HAVE_TPM2
271
        int r, token;
7✔
272

273
        assert(cd);
7✔
274
        assert(ret_hash_pcr_mask);
7✔
275
        assert(ret_pcrlock_nv);
7✔
276
        assert(ret_pubkey);
7✔
277
        assert(ret_pubkey_policy_ref);
7✔
278
        assert(ret_pubkey_pcr_mask);
7✔
279
        assert(ret_primary_alg);
7✔
280
        assert(ret_blobs);
7✔
281
        assert(ret_n_blobs);
7✔
282
        assert(ret_policy_hash);
7✔
283
        assert(ret_n_policy_hash);
7✔
284
        assert(ret_salt);
7✔
285
        assert(ret_srk);
7✔
286
        assert(ret_pcrlock_nv);
7✔
287
        assert(ret_flags);
7✔
288
        assert(ret_keyslot);
7✔
289
        assert(ret_token);
7✔
290

291
        for (token = start_token; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
13✔
292
                _cleanup_(iovec_done) struct iovec pubkey = {}, salt = {}, srk = {}, pcrlock_nv = {};
13✔
293
                _cleanup_free_ char *pubkey_policy_ref = NULL;
13✔
294
                _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
13✔
295
                struct iovec *blobs = NULL, *policy_hash = NULL;
13✔
296
                size_t n_blobs = 0, n_policy_hash = 0;
13✔
297
                uint32_t hash_pcr_mask, pubkey_pcr_mask;
13✔
298
                uint16_t pcr_bank, primary_alg;
13✔
299
                TPM2Flags flags;
13✔
300
                int keyslot;
13✔
301

302
                CLEANUP_ARRAY(blobs, n_blobs, iovec_array_free);
13✔
303
                CLEANUP_ARRAY(policy_hash, n_policy_hash, iovec_array_free);
13✔
304

305
                r = cryptsetup_get_token_as_json(cd, token, "systemd-tpm2", &v);
13✔
306
                if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
13✔
307
                        continue;
6✔
308
                if (r < 0)
7✔
UNCOV
309
                        return log_error_errno(r, "Failed to read JSON token data off disk: %m");
×
310

311
                r = tpm2_parse_luks2_json(
7✔
312
                                v,
313
                                &keyslot,
314
                                &hash_pcr_mask,
315
                                &pcr_bank,
316
                                &pubkey,
317
                                &pubkey_policy_ref,
318
                                &pubkey_pcr_mask,
319
                                &primary_alg,
320
                                &blobs,
321
                                &n_blobs,
322
                                &policy_hash,
323
                                &n_policy_hash,
324
                                &salt,
325
                                &srk,
326
                                &pcrlock_nv,
327
                                &flags);
328
                if (r == -EUCLEAN) /* Gracefully handle issues in JSON fields not owned by us */
7✔
UNCOV
329
                        continue;
×
330
                if (r < 0)
7✔
UNCOV
331
                        return log_error_errno(r, "Failed to parse TPM2 JSON data: %m");
×
332

333
                if (search_pcr_mask == UINT32_MAX ||
7✔
UNCOV
334
                    search_pcr_mask == hash_pcr_mask) {
×
335

336
                        if (start_token <= 0)
7✔
337
                                log_info("Automatically discovered security TPM2 token unlocks volume.");
7✔
338

339
                        *ret_hash_pcr_mask = hash_pcr_mask;
7✔
340
                        *ret_pcr_bank = pcr_bank;
7✔
341
                        *ret_pubkey = TAKE_STRUCT(pubkey);
7✔
342
                        *ret_pubkey_policy_ref = TAKE_PTR(pubkey_policy_ref);
7✔
343
                        *ret_pubkey_pcr_mask = pubkey_pcr_mask;
7✔
344
                        *ret_primary_alg = primary_alg;
7✔
345
                        *ret_blobs = TAKE_PTR(blobs);
7✔
346
                        *ret_n_blobs = n_blobs;
7✔
347
                        *ret_policy_hash = TAKE_PTR(policy_hash);
7✔
348
                        *ret_n_policy_hash = n_policy_hash;
7✔
349
                        *ret_salt = TAKE_STRUCT(salt);
7✔
350
                        *ret_keyslot = keyslot;
7✔
351
                        *ret_token = token;
7✔
352
                        *ret_srk = TAKE_STRUCT(srk);
7✔
353
                        *ret_pcrlock_nv = TAKE_STRUCT(pcrlock_nv);
7✔
354
                        *ret_flags = flags;
7✔
355
                        return 0;
7✔
356
                }
357

358
                /* PCR mask doesn't match what is configured, ignore this entry, let's see next */
359
        }
360

UNCOV
361
        return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "No valid TPM2 token data found.");
×
362
#else
363
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 support not available.");
364
#endif
365
}
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc