authorLennart Poettering <lennart@poettering.net>2023-10-24 22:30:47 +0200
committerLennart Poettering <lennart@poettering.net>2023-11-03 11:24:24 +0100
commit404aea7815595c1324947ed7f2a7502b17d3cc01 (patch)
tree940f71ed3d561811dbc490a88f4c479bac6b31af /src/cryptenroll/cryptenroll-tpm2.c
parentpcrlock: add new pcrlock tool (diff)
tree-wide: hook everything up with pcrlock policy
Make sure cryptenroll and repart can enroll TPM2 policies with pcrlock logic. Make sure cryptsetup can unlock TPM2 policies with pcrlock in effect.
Diffstat (limited to 'src/cryptenroll/cryptenroll-tpm2.c')
-rw-r--r--src/cryptenroll/cryptenroll-tpm2.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index c0a19bfe92..1273822d3a 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -139,7 +139,8 @@ int enroll_tpm2(struct crypt_device *cd,
const char *pubkey_path,
uint32_t pubkey_pcr_mask,
const char *signature_path,
- bool use_pin) {
+ bool use_pin,
+ const char *pcrlock_path) {
_cleanup_(erase_and_freep) void *secret = NULL;
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL, *signature_json = NULL;
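Review bot: The new `pcrlock_path` parameter has no documentation of its NULL semantics, even though the later hunks branch on it (`if (pcrlock_path)` and `pcrlock_path ? &pcrlock_policy : NULL`), so "no pcrlock policy" is encoded as NULL without saying so at the signature. A trailing comment on the added line, `const char *pcrlock_path) { /* NULL: enroll without a pcrlock policy */`, or an equivalent sentence on the prototype in the header, would make the contract explicit to callers. The parameter list of enroll_tpm2 starts before this hunk.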
@@ -207,6 +208,15 @@ int enroll_tpm2(struct crypt_device *cd,
return log_debug_errno(r, "Failed to read TPM PCR signature: %m");
}
+ _cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};
+ if (pcrlock_path) {
+ r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);
+ if (r < 0)
+ return r;
+
+ flags |= TPM2_FLAGS_USE_PCRLOCK;
+ }
+
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
r = tpm2_context_new(device, &tpm2_context);
if (r < 0)
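Review bot: The failure of tpm2_pcrlock_policy_load() is returned bare (`if (r < 0) return r;`), whereas the sibling error path two lines above reports with `log_debug_errno(r, "Failed to read TPM PCR signature: %m")`. Unless the loader logs on every failure path itself, which is not visible here, enrollment aborts on a missing or malformed pcrlock policy file with no diagnostic naming the file; `return log_debug_errno(r, "Failed to load pcrlock policy from '%s': %m", pcrlock_path);` would keep the two paths consistent. Note also that TPM2_FLAGS_USE_PCRLOCK is set here while the policy pointer passed at the two later call sites is chosen by a separate `pcrlock_path ?` test; both are keyed on the same variable, so a one-line comment such as `/* The flag and the policy pointer passed to the TPM2 calls below both key off pcrlock_path; keep them in sync. */` would guard against one being changed without the other. enroll_tpm2's body continues outside the hunk.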
@@ -248,7 +258,7 @@ int enroll_tpm2(struct crypt_device *cd,
n_hash_pcr_values,
pubkey ? &public : NULL,
use_pin,
- /* pcrlock_policy= */ NULL,
+ pcrlock_path ? &pcrlock_policy : NULL,
&policy);
if (r < 0)
return r;
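Review bot: The expression `pcrlock_path ? &pcrlock_policy : NULL` is spelled out here and again, identically, in the next hunk at the token-creation call, which is a style point: two call sites now have to be kept in agreement by hand. Computing the pointer once where the policy is loaded, `Tpm2PCRLockPolicy *pcrlock = pcrlock_path ? &pcrlock_policy : NULL;`, and passing `pcrlock` at both sites would remove the duplication and make the relationship to the TPM2_FLAGS_USE_PCRLOCK bit visible in one place. The call whose argument list this hunk completes begins outside the hunk.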
@@ -289,7 +299,7 @@ int enroll_tpm2(struct crypt_device *cd,
pubkey_pcr_mask,
signature_json,
pin_str,
- /* pcrlock_policy= */ NULL,
+ pcrlock_path ? &pcrlock_policy : NULL,
/* primary_alg= */ 0,
blob, blob_size,
policy.buffer, policy.size,