diff options
author | Lennart Poettering <lennart@poettering.net> | 2021-09-13 10:52:43 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-09-13 14:48:23 +0200 |
commit | 2b92a67261934d5788613385279157eb1c9fd110 (patch) | |
tree | 95bb5d819d43ec9beac1a6bee6fab5c8fcc6fbd2 /src/shared/userdb-dropin.c | |
parent | memory-util: replace memeqzero() by a more generic memeqbyte() (diff) | |
download | systemd-2b92a67261934d5788613385279157eb1c9fd110.tar.xz systemd-2b92a67261934d5788613385279157eb1c9fd110.zip |
tpm2: support RSA primary keys as fallback if TPM2 devices don't support ECC
Previously, we hardcoded use of ECC as primary keys, since they are much
faster (i.e. saving multiple seconds) to do TPM2 operations with. Alas,
not all TPM2 chips appear to support ECC. Bummer.
Let's hence add a fallback logic: if we can't create an ECC primary key,
use an RSA key, and store that fact away.
AFIU the security guarantees should be roughly the same, it's just that
RSA primary keys is so much slower to work with than ECC.
The primary key algorithm is used is stored in the JSON header of LUKS
disks, in a new field. If the field is absent we assume to use ECC, to
provide full compatibility with old systemd versions.
The primary key algorithm is stored in a new field in the credentials
file format (in fact, a previously unused zero space is used), too.
Hopefully, this should ensure that TPM2 support will "just work" on more
systems.
Fixes: #20361
Diffstat (limited to 'src/shared/userdb-dropin.c')
0 files changed, 0 insertions, 0 deletions