From 2932f601fd1957a1778f58301e8c529ed308fa42 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Tue, 6 Dec 2022 13:07:34 -0500 Subject: [PATCH] tpm2: use Tpm2Context* instead of ESYS_CONTEXT* This is needed for later patches that use Tpm2Handle, which requires access to the Tpm2Context. (cherry picked from commit 23e9ccc24ae0e7d3f3f609c69dbde171f1c55302) Related: RHEL-16182 --- src/boot/measure.c | 4 +- src/boot/pcrphase.c | 4 +- src/cryptsetup/cryptsetup.c | 4 +- src/shared/tpm2-util.c | 90 ++++++++++++++++++------------------- src/shared/tpm2-util.h | 8 ++-- 5 files changed, 55 insertions(+), 55 deletions(-) diff --git a/src/boot/measure.c b/src/boot/measure.c index 701d5471a1..1bb35e5f76 100644 --- a/src/boot/measure.c +++ b/src/boot/measure.c @@ -874,7 +874,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { goto finish; } - session_handle = tpm2_flush_context_verbose(c->esys_context, session_handle); + session_handle = tpm2_flush_context_verbose(c, session_handle); _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX* mdctx = NULL; mdctx = EVP_MD_CTX_new(); @@ -965,7 +965,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { r = 0; finish: - session_handle = tpm2_flush_context_verbose(c->esys_context, session_handle); + session_handle = tpm2_flush_context_verbose(c, session_handle); return r; } diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c index bbe58fa209..6c37d34fd6 100644 --- a/src/boot/pcrphase.c +++ b/src/boot/pcrphase.c @@ -163,7 +163,7 @@ static int determine_banks(Tpm2Context *c, unsigned target_pcr_nr) { if (!strv_isempty(arg_banks)) /* Explicitly configured? Then use that */ return 0; - r = tpm2_get_good_pcr_banks_strv(c->esys_context, UINT32_C(1) << target_pcr_nr, &l); + r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << target_pcr_nr, &l); if (r < 0) return r; @@ -361,7 +361,7 @@ static int run(int argc, char *argv[]) { log_debug("Measuring '%s' into PCR index %u, banks %s.", word, target_pcr_nr, joined); - r = tpm2_extend_bytes(c->esys_context, arg_banks, target_pcr_nr, word, length, NULL, 0); + r = tpm2_extend_bytes(c, arg_banks, target_pcr_nr, word, length, NULL, 0); if (r < 0) return r; diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 08744bda0c..a78272bc11 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -848,7 +848,7 @@ static int measure_volume_key( _cleanup_strv_free_ char **l = NULL; if (strv_isempty(arg_tpm2_measure_banks)) { - r = tpm2_get_good_pcr_banks_strv(c->esys_context, UINT32_C(1) << arg_tpm2_measure_pcr, &l); + r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << arg_tpm2_measure_pcr, &l); if (r < 0) return r; } @@ -871,7 +871,7 @@ static int measure_volume_key( if (!s) return log_oom(); - r = tpm2_extend_bytes(c->esys_context, l ?: arg_tpm2_measure_banks, arg_tpm2_measure_pcr, s, SIZE_MAX, volume_key, volume_key_size); + r = tpm2_extend_bytes(c, l ?: arg_tpm2_measure_banks, arg_tpm2_measure_pcr, s, SIZE_MAX, volume_key, volume_key_size); if (r < 0) return r; diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 51bb1c082d..2111d0c638 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -118,13 +118,13 @@ static Tpm2Context *tpm2_context_free(Tpm2Context *c) { DEFINE_TRIVIAL_REF_UNREF_FUNC(Tpm2Context, tpm2_context, tpm2_context_free); -ESYS_TR tpm2_flush_context_verbose(ESYS_CONTEXT *c, ESYS_TR handle) { +ESYS_TR tpm2_flush_context_verbose(Tpm2Context *c, ESYS_TR handle) { TSS2_RC rc; - if (!c || handle == ESYS_TR_NONE) + if (!c || !c->esys_context || handle == ESYS_TR_NONE) return ESYS_TR_NONE; - rc = sym_Esys_FlushContext(c, handle); + rc = sym_Esys_FlushContext(c->esys_context, handle); if (rc != TSS2_RC_SUCCESS) /* We ignore failures here (besides debug logging), since this is called * in error paths, where we cannot do anything about failures anymore. And * when it is called in successful codepaths by this time we already did @@ -247,7 +247,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) { #define TPM2_CREDIT_RANDOM_FLAG_PATH "/run/systemd/tpm-rng-credited" -static int tpm2_credit_random(ESYS_CONTEXT *c) { +static int tpm2_credit_random(Tpm2Context *c) { size_t rps, done = 0; TSS2_RC rc; usec_t t; @@ -274,7 +274,7 @@ static int tpm2_credit_random(ESYS_CONTEXT *c) { _cleanup_(Esys_Freep) TPM2B_DIGEST *buffer = NULL; rc = sym_Esys_GetRandom( - c, + c->esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, @@ -306,7 +306,7 @@ static int tpm2_credit_random(ESYS_CONTEXT *c) { } static int tpm2_make_primary( - ESYS_CONTEXT *c, + Tpm2Context *c, ESYS_TR *ret_primary, TPMI_ALG_PUBLIC alg, TPMI_ALG_PUBLIC *ret_alg) { @@ -363,7 +363,7 @@ static int tpm2_make_primary( if (IN_SET(alg, 0, TPM2_ALG_ECC)) { rc = sym_Esys_CreatePrimary( - c, + c->esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD, ESYS_TR_NONE, @@ -392,7 +392,7 @@ static int tpm2_make_primary( if (IN_SET(alg, 0, TPM2_ALG_RSA)) { rc = sym_Esys_CreatePrimary( - c, + c->esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD, ESYS_TR_NONE, @@ -468,7 +468,7 @@ static unsigned find_nth_bit(uint32_t mask, unsigned n) { } static int tpm2_pcr_mask_good( - ESYS_CONTEXT *c, + Tpm2Context *c, TPMI_ALG_HASH bank, uint32_t mask) { @@ -486,7 +486,7 @@ static int tpm2_pcr_mask_good( tpm2_pcr_mask_to_selection(mask, bank, &selection); rc = sym_Esys_PCR_Read( - c, + c->esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, @@ -550,7 +550,7 @@ static int tpm2_bank_has24(const TPMS_PCR_SELECTION *selection) { } static int tpm2_get_best_pcr_bank( - ESYS_CONTEXT *c, + Tpm2Context *c, uint32_t pcr_mask, TPMI_ALG_HASH *ret) { @@ -563,7 +563,7 @@ static int tpm2_get_best_pcr_bank( assert(c); rc = sym_Esys_GetCapability( - c, + c->esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, @@ -647,7 +647,7 @@ static int tpm2_get_best_pcr_bank( } int tpm2_get_good_pcr_banks( - ESYS_CONTEXT *c, + Tpm2Context *c, uint32_t pcr_mask, TPMI_ALG_HASH **ret) { @@ -662,7 +662,7 @@ int tpm2_get_good_pcr_banks( assert(ret); rc = sym_Esys_GetCapability( - c, + c->esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, @@ -726,7 +726,7 @@ int tpm2_get_good_pcr_banks( } int tpm2_get_good_pcr_banks_strv( - ESYS_CONTEXT *c, + Tpm2Context *c, uint32_t pcr_mask, char ***ret) { @@ -784,7 +784,7 @@ static void hash_pin(const char *pin, size_t len, TPM2B_AUTH *auth) { } static int tpm2_make_encryption_session( - ESYS_CONTEXT *c, + Tpm2Context *c, ESYS_TR primary, ESYS_TR bind_key, const char *pin, @@ -816,7 +816,7 @@ static int tpm2_make_encryption_session( hash_pin(pin, strlen(pin), &auth); - rc = sym_Esys_TR_SetAuth(c, bind_key, &auth); + rc = sym_Esys_TR_SetAuth(c->esys_context, bind_key, &auth); if (rc != TSS2_RC_SUCCESS) return log_error_errno( SYNTHETIC_ERRNO(ENOTRECOVERABLE), @@ -830,7 +830,7 @@ static int tpm2_make_encryption_session( * means that the random salt will be encrypted with the well-known key. That way, only the TPM can * recover the salt, which is then used for key derivation. */ rc = sym_Esys_StartAuthSession( - c, + c->esys_context, primary, bind_key, ESYS_TR_NONE, @@ -848,7 +848,7 @@ static int tpm2_make_encryption_session( /* Enable parameter encryption/decryption with AES in CFB mode. Together with HMAC digests (which are * always used for sessions), this provides confidentiality, integrity and replay protection for * operations that use this session. */ - rc = sym_Esys_TRSess_SetAttributes(c, session, sessionAttributes, 0xff); + rc = sym_Esys_TRSess_SetAttributes(c->esys_context, session, sessionAttributes, 0xff); if (rc != TSS2_RC_SUCCESS) return log_error_errno( SYNTHETIC_ERRNO(ENOTRECOVERABLE), @@ -1047,7 +1047,7 @@ static int find_signature( #endif static int tpm2_make_policy_session( - ESYS_CONTEXT *c, + Tpm2Context *c, ESYS_TR primary, ESYS_TR parent_session, TPM2_SE session_type, @@ -1124,7 +1124,7 @@ static int tpm2_make_policy_session( #endif rc = sym_Esys_StartAuthSession( - c, + c->esys_context, primary, ESYS_TR_NONE, parent_session, @@ -1150,7 +1150,7 @@ static int tpm2_make_policy_session( goto finish; rc = sym_Esys_LoadExternal( - c, + c->esys_context, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1173,7 +1173,7 @@ static int tpm2_make_policy_session( /* Acquire the "name" of what we just loaded */ _cleanup_(Esys_Freep) TPM2B_NAME *pubkey_name = NULL; rc = sym_Esys_TR_GetName( - c, + c->esys_context, pubkey_handle, &pubkey_name); if (rc != TSS2_RC_SUCCESS) { @@ -1186,7 +1186,7 @@ static int tpm2_make_policy_session( TPML_PCR_SELECTION pcr_selection; tpm2_pcr_mask_to_selection(pubkey_pcr_mask, pcr_bank, &pcr_selection); rc = sym_Esys_PolicyPCR( - c, + c->esys_context, session, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1202,7 +1202,7 @@ static int tpm2_make_policy_session( /* Get the policy hash of the PCR policy */ _cleanup_(Esys_Freep) TPM2B_DIGEST *approved_policy = NULL; rc = sym_Esys_PolicyGetDigest( - c, + c->esys_context, session, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1255,7 +1255,7 @@ static int tpm2_make_policy_session( memcpy(policy_signature.signature.rsassa.sig.buffer, signature_raw, signature_size); rc = sym_Esys_VerifySignature( - c, + c->esys_context, pubkey_handle, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1281,7 +1281,7 @@ static int tpm2_make_policy_session( } rc = sym_Esys_PolicyAuthorize( - c, + c->esys_context, session, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1306,7 +1306,7 @@ static int tpm2_make_policy_session( TPML_PCR_SELECTION pcr_selection; tpm2_pcr_mask_to_selection(hash_pcr_mask, pcr_bank, &pcr_selection); rc = sym_Esys_PolicyPCR( - c, + c->esys_context, session, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1324,7 +1324,7 @@ static int tpm2_make_policy_session( log_debug("Configuring PIN policy."); rc = sym_Esys_PolicyAuthValue( - c, + c->esys_context, session, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1341,7 +1341,7 @@ static int tpm2_make_policy_session( log_debug("Acquiring policy digest."); rc = sym_Esys_PolicyGetDigest( - c, + c->esys_context, session, ESYS_TR_NONE, ESYS_TR_NONE, @@ -1455,17 +1455,17 @@ int tpm2_seal(const char *device, if (r < 0) return r; - r = tpm2_make_primary(c->esys_context, &primary, 0, &primary_alg); + r = tpm2_make_primary(c, &primary, 0, &primary_alg); if (r < 0) return r; /* we cannot use the bind key before its created */ - r = tpm2_make_encryption_session(c->esys_context, primary, ESYS_TR_NONE, NULL, &session); + r = tpm2_make_encryption_session(c, primary, ESYS_TR_NONE, NULL, &session); if (r < 0) goto finish; r = tpm2_make_policy_session( - c->esys_context, + c, primary, session, TPM2_SE_TRIAL, @@ -1505,7 +1505,7 @@ int tpm2_seal(const char *device, assert(sizeof(hmac_sensitive.sensitive.data.buffer) >= hmac_sensitive.sensitive.data.size); - (void) tpm2_credit_random(c->esys_context); + (void) tpm2_credit_random(c); log_debug("Generating secret key data."); @@ -1599,8 +1599,8 @@ int tpm2_seal(const char *device, r = 0; finish: - primary = tpm2_flush_context_verbose(c->esys_context, primary); - session = tpm2_flush_context_verbose(c->esys_context, session); + primary = tpm2_flush_context_verbose(c, primary); + session = tpm2_flush_context_verbose(c, session); return r; } @@ -1677,7 +1677,7 @@ int tpm2_unseal(const char *device, if (r < 0) return r; - r = tpm2_make_primary(c->esys_context, &primary, primary_alg, NULL); + r = tpm2_make_primary(c, &primary, primary_alg, NULL); if (r < 0) return r; @@ -1713,13 +1713,13 @@ int tpm2_unseal(const char *device, goto finish; } - r = tpm2_make_encryption_session(c->esys_context, primary, hmac_key, pin, &hmac_session); + r = tpm2_make_encryption_session(c, primary, hmac_key, pin, &hmac_session); if (r < 0) goto finish; for (unsigned i = RETRY_UNSEAL_MAX;; i--) { r = tpm2_make_policy_session( - c->esys_context, + c, primary, hmac_session, TPM2_SE_POLICY, @@ -1754,7 +1754,7 @@ int tpm2_unseal(const char *device, &unsealed); if (rc == TPM2_RC_PCR_CHANGED && i > 0) { log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i); - session = tpm2_flush_context_verbose(c->esys_context, session); + session = tpm2_flush_context_verbose(c, session); continue; } if (rc != TSS2_RC_SUCCESS) { @@ -1782,9 +1782,9 @@ int tpm2_unseal(const char *device, r = 0; finish: - primary = tpm2_flush_context_verbose(c->esys_context, primary); - session = tpm2_flush_context_verbose(c->esys_context, session); - hmac_key = tpm2_flush_context_verbose(c->esys_context, hmac_key); + primary = tpm2_flush_context_verbose(c, primary); + session = tpm2_flush_context_verbose(c, session); + hmac_key = tpm2_flush_context_verbose(c, hmac_key); return r; } @@ -1916,7 +1916,7 @@ int tpm2_find_device_auto( #if HAVE_TPM2 int tpm2_extend_bytes( - ESYS_CONTEXT *c, + Tpm2Context *c, char **banks, unsigned pcr_index, const void *data, @@ -1977,7 +1977,7 @@ int tpm2_extend_bytes( } rc = sym_Esys_PCR_Extend( - c, + c->esys_context, ESYS_TR_PCR0 + pcr_index, ESYS_TR_PASSWORD, ESYS_TR_NONE, diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 65c875899e..0266f8128f 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -66,7 +66,7 @@ Tpm2Context *tpm2_context_unref(Tpm2Context *context); DEFINE_TRIVIAL_CLEANUP_FUNC(Tpm2Context*, tpm2_context_unref); #define _cleanup_tpm2_context_ _cleanup_(tpm2_context_unrefp) -ESYS_TR tpm2_flush_context_verbose(ESYS_CONTEXT *c, ESYS_TR handle); +ESYS_TR tpm2_flush_context_verbose(Tpm2Context *c, ESYS_TR handle); void tpm2_pcr_mask_to_selection(uint32_t mask, uint16_t bank, TPML_PCR_SELECTION *ret); @@ -75,10 +75,10 @@ static inline void Esys_Freep(void *p) { sym_Esys_Free(*(void**) p); } -int tpm2_get_good_pcr_banks(ESYS_CONTEXT *c, uint32_t pcr_mask, TPMI_ALG_HASH **ret_banks); -int tpm2_get_good_pcr_banks_strv(ESYS_CONTEXT *c, uint32_t pcr_mask, char ***ret); +int tpm2_get_good_pcr_banks(Tpm2Context *c, uint32_t pcr_mask, TPMI_ALG_HASH **ret_banks); +int tpm2_get_good_pcr_banks_strv(Tpm2Context *c, uint32_t pcr_mask, char ***ret); -int tpm2_extend_bytes(ESYS_CONTEXT *c, char **banks, unsigned pcr_index, const void *data, size_t data_size, const void *secret, size_t secret_size); +int tpm2_extend_bytes(Tpm2Context *c, char **banks, unsigned pcr_index, const void *data, size_t data_size, const void *secret, size_t secret_size); #else /* HAVE_TPM2 */ typedef struct {} Tpm2Context;