From 371b59441459e3bc33ceca4da619fec310dd7b37 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 16 Apr 2024 15:01:41 +0200
Subject: tpm2-util: load external key into NULL hierarchy if private key is provided

If we load an external key into the TPM we must do so in the NULL hierarchy. An external key after all is one that is not wrapped by any hierarchy's seed. See TPM2 spec, Part 3, Section 12.3.1
---
 src/shared/tpm2-util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/shared/tpm2-util.c')

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index e012dd2c5c..51c01b6c9c 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2242,9 +2242,9 @@ static int tpm2_load_external(
 #if HAVE_TSS2_ESYS3
 /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested
 * hierarchy, older versions need TPM2_RH_* instead. */
- ESYS_TR_RH_OWNER,
+ private ? ESYS_TR_RH_NULL : ESYS_TR_RH_OWNER,
 #else
- TPM2_RH_OWNER,
+ private ? TPM2_RH_NULL : TPM2_RH_OWNER,
 #endif
 &handle->esys_handle);
 if (rc != TSS2_RC_SUCCESS)
-- 
cgit v1.2.3
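Review bot: The comment above the hierarchy argument still explains only the ESYS_TR_RH_* versus TPM2_RH_* split, while the reason the hierarchy now depends on `private` exists only in the commit message, so a later reader of tpm2_load_external() will not know why a public-only key is still placed in the owner hierarchy. I would extend that comment with `/* A key that carries a private part is not wrapped by any hierarchy's seed, so the TPM only accepts it in the NULL hierarchy (TPM2 spec Part 3, 12.3.1); a public-only key may go to the owner hierarchy. */`. As a point of style, the `private ?` selection is now written twice across the #if/#else branches and must be kept in sync by hand; presumably `private` is the function's optional private-part argument, but its declaration and the rest of tpm2_load_external() start and end outside this hunk.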