path: root/src/cryptenroll/cryptenroll-tpm2.c
Commit message | Author | Age | Files | Lines
* cryptsetup: handle more gracefully if "keyslots" LUKS2 JSON header field is invalid
  Lennart Poettering | 2021-09-28 | 1 | -2/+6

  The field is not owned by us (even though it is in our JSON objects) but by the LUKS2 spec. Hence let's handle this a bit more gracefully: let's not get confused by it, just warn and skip over it.

  Fixes: #20847
* tpm2: support RSA primary keys as fallback if TPM2 devices don't support ECC
  Lennart Poettering | 2021-09-13 | 1 | -4/+4

  Previously, we hardcoded use of ECC as primary keys, since they are much faster (i.e. saving multiple seconds) to do TPM2 operations with. Alas, not all TPM2 chips appear to support ECC. Bummer.

  Let's hence add a fallback logic: if we can't create an ECC primary key, use an RSA key, and store that fact away. AFAIU the security guarantees should be roughly the same, it's just that RSA primary keys are so much slower to work with than ECC.

  The primary key algorithm used is stored in the JSON header of LUKS disks, in a new field. If the field is absent we assume to use ECC, to provide full compatibility with old systemd versions.

  The primary key algorithm is stored in a new field in the credentials file format (in fact, a previously unused zero space is used), too.

  Hopefully, this should ensure that TPM2 support will "just work" on more systems.

  Fixes: #20361
* tpm2-util: auto-detect supported PCR banks
  Lennart Poettering | 2021-07-30 | 1 | -3/+4

  Previously, we'd encode PCR policies strictly with the SHA256 PCR bank set. However, as it appears not all hw implement those. Sad.

  Let's add some minimal logic to auto-detect supported PCR banks: if SHA256 is supported, use that. But if not, automatically fall back to SHA1.

  This then changes both the LUKS code, and the credentials code to serialize the selected bank, along with the rest of the data in order to make this robust.

  This extends the LUKS2 JSON metadata in a compatible way. The credentials encryption format is modified in an incompatible way however, but given that this is not part of any official release should be OK.

  Fixes: #20134
* tree-wide: use UINT64_MAX or friends
  Yu Watanabe | 2021-03-04 | 1 | -1/+1
* cryptsetup: use crypt_token_max if available
  Luca Boccassi | 2021-01-05 | 1 | -1/+1

  New API added upstream: https://gitlab.com/cryptsetup/cryptsetup/-/commit/8a12f6dc2c75f8fd0c4969fbdc421895eb418072
* cryptenroll: drop an unused variable
  Frantisek Sumsal | 2020-12-20 | 1 | -1/+1

  Fixes following warning/error w/ clang:

    ../src/cryptenroll/cryptenroll-tpm2.c:64:64: error: unused variable 'a' [-Werror,-Wunused-variable]
            _cleanup_(json_variant_unrefp) JsonVariant *v = NULL, *a = NULL;
                                                                   ^
    1 error generated.
* cryptenroll: add support for TPM2 enrolling
  Lennart Poettering | 2020-12-17 | 1 | -0/+131