authorWilliam Roberts <william.c.roberts@intel.com>2023-01-18 15:45:53 +0100
committerLuca Boccassi <luca.boccassi@gmail.com>2023-01-18 22:58:33 +0100
commitaae6eb96117acd54ce5ac572aac6a11b34c4ad99 (patch)
tree82c3781c1d15e1c3bf2c50abbd5f94eab782c879 /src/cryptsetup/cryptsetup-tpm2.h
parentman: note that cgroup-based sandboxing is not bypassed by '+' (diff)
tpm2: add salt to pin
Add a salt to the pin and store it in the TPM2 LUKS header for future use. This adds entropy to user-supplied pins and helps protect against brute forcing the passphrase on the key residing in the TPM, or brute forcing bind-key-encrypted sessions with low-entropy passphrases. Signed-off-by: malikabhi05 <abhishek.malik@intel.com> Signed-off-by: William Roberts <william.c.roberts@intel.com>
Diffstat (limited to 'src/cryptsetup/cryptsetup-tpm2.h')
-rw-r--r--src/cryptsetup/cryptsetup-tpm2.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/cryptsetup/cryptsetup-tpm2.h b/src/cryptsetup/cryptsetup-tpm2.h
index a34eb8443d..f6549b7d1d 100644
--- a/src/cryptsetup/cryptsetup-tpm2.h
+++ b/src/cryptsetup/cryptsetup-tpm2.h
@@ -28,6 +28,8 @@ int acquire_tpm2_key(
size_t key_data_size,
const void *policy_hash,
size_t policy_hash_size,
+ const void *salt,
+ size_t salt_size,
TPM2Flags flags,
usec_t until,
bool headless,
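Review bot: The new `salt`/`salt_size` parameters on acquire_tpm2_key carry no contract: the header does not say whether a NULL salt with salt_size 0 is accepted, which matters because tokens written before this change presumably carry no salt and a caller reading only this header cannot tell whether they remain unlockable. Since the commit stores the salt in the LUKS2 token, it is not secret, and that is worth stating so nobody later treats it as a second factor. A comment on the declaration such as `/* salt: optional, may be NULL with salt_size == 0 for tokens without one; stored in plaintext in the token, so it only adds entropy to the pin, not secrecy */` would settle both points. The same documentation is missing on the stub declaration in the hunk at `@@ -72,6 +76,8 @@`. The declaration of acquire_tpm2_key starts before and ends after this hunk.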
@@ -49,6 +51,8 @@ int find_tpm2_auto_data(
size_t *ret_blob_size,
void **ret_policy_hash,
size_t *ret_policy_hash_size,
+ void **ret_salt,
+ size_t *ret_salt_size,
TPM2Flags *ret_flags,
int *ret_keyslot,
int *ret_token);
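Review bot: `ret_salt` is a `void **` out-parameter with no statement of ownership or of what it holds when the token has no salt; by analogy with `ret_policy_hash` it presumably returns a heap buffer the caller must free, and if a salt-less token leaves `*ret_salt` unset, a caller that unconditionally frees it reads an uninitialized pointer. The declaration should say so, e.g. `/* ret_salt: on success, caller-owned buffer (free()) or NULL with *ret_salt_size == 0 when the token carries no salt */`, and the stub in the hunk at `@@ -97,6 +103,8 @@` — whose body ends outside that hunk — should document the same contract. The declaration of find_tpm2_auto_data starts before this hunk.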
@@ -72,6 +76,8 @@ static inline int acquire_tpm2_key(
size_t key_data_size,
const void *policy_hash,
size_t policy_hash_size,
+ const void *salt,
+ size_t salt_size,
TPM2Flags flags,
usec_t until,
bool headless,
@@ -97,6 +103,8 @@ static inline int find_tpm2_auto_data(
size_t *ret_blob_size,
void **ret_policy_hash,
size_t *ret_policy_hash_size,
+ void **ret_salt,
+ size_t *ret_salt_size,
TPM2Flags *ret_flags,
int *ret_keyslot,
int *ret_token) {