diff options
| author | Dan Streetman <ddstreet@ieee.org> | 2022-12-19 14:26:32 +0100 |
|---|---|---|
| committer | Dan Streetman <ddstreet@ieee.org> | 2023-07-05 23:33:55 +0200 |
| commit | d1d0de735da52a7cf5aa5638b07d5fdf4e8b23f2 (patch) | |
| tree | 39e672b35547c39cdb7df98e999ad258668e54de /src | |
| parent | update syscall tables for upcoming v254 (diff) | |
| download | systemd-d1d0de735da52a7cf5aa5638b07d5fdf4e8b23f2.tar.xz systemd-d1d0de735da52a7cf5aa5638b07d5fdf4e8b23f2.zip | |
tpm2: add tpm2_load()
This function allows loading an object (e.g. a sealed secret) or key into the
TPM.
Diffstat (limited to 'src')
| -rw-r--r-- | src/shared/tpm2-util.c | 69 |
1 files changed, 45 insertions, 24 deletions
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index bbff2a934b..e56a82d238 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -1489,6 +1489,50 @@ static int tpm2_get_policy_digest( return 0; } +static int tpm2_load( + Tpm2Context *c, + const Tpm2Handle *parent, + const Tpm2Handle *session, + const TPM2B_PUBLIC *public, + const TPM2B_PRIVATE *private, + Tpm2Handle **ret_handle) { + + TSS2_RC rc; + int r; + + assert(c); + assert(public); + assert(private); + assert(ret_handle); + + log_debug("Loading object into TPM."); + + _cleanup_(tpm2_handle_freep) Tpm2Handle *handle = NULL; + r = tpm2_handle_new(c, &handle); + if (r < 0) + return r; + + rc = sym_Esys_Load( + c->esys_context, + parent ? parent->esys_handle : ESYS_TR_RH_OWNER, + session ? session->esys_handle : ESYS_TR_PASSWORD, + ESYS_TR_NONE, + ESYS_TR_NONE, + private, + public, + &handle->esys_handle); + if (rc == TPM2_RC_LOCKOUT) + return log_error_errno(SYNTHETIC_ERRNO(ENOLCK), + "TPM2 device is in dictionary attack lockout mode."); + if (rc != TSS2_RC_SUCCESS) + return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), + "Failed to load key into TPM: %s", sym_Tss2_RC_Decode(rc)); + + *ret_handle = TAKE_PTR(handle); + + return 0; +} + static int tpm2_pcr_read( Tpm2Context *c, const TPML_PCR_SELECTION *pcr_selection, @@ -3142,33 +3186,10 @@ int tpm2_unseal(const char *device, * provides protections. */ _cleanup_(tpm2_handle_freep) Tpm2Handle *hmac_key = NULL; - r = tpm2_handle_new(c, &hmac_key); + r = tpm2_load(c, primary, NULL, &public, &private, &hmac_key); if (r < 0) return r; - rc = sym_Esys_Load( - c->esys_context, - primary->esys_handle, - ESYS_TR_PASSWORD, - ESYS_TR_NONE, - ESYS_TR_NONE, - &private, - &public, - &hmac_key->esys_handle); - if (rc != TSS2_RC_SUCCESS) { - /* If we're in dictionary attack lockout mode, we should see a lockout error here, which we - * need to translate for the caller. */ - if (rc == TPM2_RC_LOCKOUT) - return log_error_errno( - SYNTHETIC_ERRNO(ENOLCK), - "TPM2 device is in dictionary attack lockout mode."); - else - return log_error_errno( - SYNTHETIC_ERRNO(ENOTRECOVERABLE), - "Failed to load HMAC key in TPM: %s", - sym_Tss2_RC_Decode(rc)); - } - TPM2B_PUBLIC pubkey_tpm2, *authorize_key = NULL; _cleanup_free_ void *fp = NULL; size_t fp_size = 0; |