diff options
| author | Lennart Poettering <lennart@poettering.net> | 2024-08-28 16:52:43 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2024-08-30 14:17:36 +0200 |
| commit | 43b93a8a264769acbd7be3046c2726d3b5db141c (patch) | |
| tree | f382422cd3b2bad712bcd79705b26c753aa164d3 /src/cryptenroll | |
| parent | cryptenroll: don't return slot 0 when we have no policy to search for (diff) | |
| download | systemd-43b93a8a264769acbd7be3046c2726d3b5db141c.tar.xz systemd-43b93a8a264769acbd7be3046c2726d3b5db141c.zip | |
crypenroll: make slot wiping on pin change a bit more explicit
Diffstat (limited to 'src/cryptenroll')
| -rw-r--r-- | src/cryptenroll/cryptenroll-tpm2.c | 2 | ||||
| -rw-r--r-- | src/cryptenroll/cryptenroll.c | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index b3d851953b..db83ddc6e5 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -443,7 +443,7 @@ int enroll_tpm2(struct crypt_device *cd, slot_to_wipe = r; } else { log_info("This PCR set is already enrolled, executing no operation."); - *ret_slot_to_wipe = slot_to_wipe; + *ret_slot_to_wipe = -1; return r; /* return existing keyslot, so that wiping won't kill it */ } diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index df67a5636c..ad98acb762 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c @@ -885,6 +885,8 @@ static int run(int argc, char *argv[]) { slot = enroll_tpm2(cd, &vk, arg_tpm2_device, arg_tpm2_seal_key_handle, arg_tpm2_device_key, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, arg_tpm2_public_key, arg_tpm2_load_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin, arg_tpm2_pcrlock, &slot_to_wipe); if (slot >= 0 && slot_to_wipe >= 0) { + assert(slot != slot_to_wipe); + /* Updating PIN on an existing enrollment */ r = wipe_slots( cd, |