diff options
| author | Lennart Poettering <lennart@poettering.net> | 2021-09-13 12:43:53 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-09-13 15:02:53 +0200 |
| commit | d38466bae68fe746c6052a4dd50e27de0274e52d (patch) | |
| tree | eda2ea5301d5123275a0fd533430357616f197d0 /src/shared | |
| parent | tpm2: check if PCR values make sense before using them (diff) | |
| download | systemd-d38466bae68fe746c6052a4dd50e27de0274e52d.tar.xz systemd-d38466bae68fe746c6052a4dd50e27de0274e52d.zip | |
tpm2: log about invalid PCRs on each unsealing
Let's log every time we use uninitialized PCRs when unsealing a secret
via TPM2. This indicates a firmware issue usually, and is something we
shouldn't just show when enrolling but also show every time we unseal,
so that the fact that the selected PCR policy is pretty much pointless
is repeatedly shown.
Diffstat (limited to 'src/shared')
| -rw-r--r-- | src/shared/tpm2-util.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index f5f46d14ee..9d5a0ed865 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -617,9 +617,15 @@ static int tpm2_make_pcr_session( log_debug("Starting authentication session."); - if (pcr_bank != UINT16_MAX) + if (pcr_bank != UINT16_MAX) { + r = tpm2_pcr_mask_good(c, pcr_bank, pcr_mask); + if (r < 0) + return r; + if (r == 0) + log_notice("Selected TPM2 PCRs are not initialized on this system, most likely due to a firmware issue. PCR policy is effectively not enforced. Proceeding anyway."); + tpm2_pcr_mask_to_selecion(pcr_mask, pcr_bank, &pcr_selection); - else { + } else { TPMI_ALG_HASH h; /* No bank configured, pick automatically. Some TPM2 devices only can do SHA1. If we detect |