summaryrefslogtreecommitdiffstats
path: root/src/shared/userdb-dropin.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2021-09-13 10:52:43 +0200
committerLennart Poettering <lennart@poettering.net>2021-09-13 14:48:23 +0200
commit2b92a67261934d5788613385279157eb1c9fd110 (patch)
tree95bb5d819d43ec9beac1a6bee6fab5c8fcc6fbd2 /src/shared/userdb-dropin.c
parentmemory-util: replace memeqzero() by a more generic memeqbyte() (diff)
downloadsystemd-2b92a67261934d5788613385279157eb1c9fd110.tar.xz
systemd-2b92a67261934d5788613385279157eb1c9fd110.zip
tpm2: support RSA primary keys as fallback if TPM2 devices don't support ECC
Previously, we hardcoded use of ECC as primary keys, since they are much faster (i.e. saving multiple seconds) to do TPM2 operations with. Alas, not all TPM2 chips appear to support ECC. Bummer. Let's hence add a fallback logic: if we can't create an ECC primary key, use an RSA key, and store that fact away. AFIU the security guarantees should be roughly the same, it's just that RSA primary keys is so much slower to work with than ECC. The primary key algorithm is used is stored in the JSON header of LUKS disks, in a new field. If the field is absent we assume to use ECC, to provide full compatibility with old systemd versions. The primary key algorithm is stored in a new field in the credentials file format (in fact, a previously unused zero space is used), too. Hopefully, this should ensure that TPM2 support will "just work" on more systems. Fixes: #20361
Diffstat (limited to 'src/shared/userdb-dropin.c')
0 files changed, 0 insertions, 0 deletions