rpms
/
systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
systemd/0500-tpm2-use-Tpm2Context-i...

483 lines
20 KiB
Diff
Raw Permalink Blame History

From 2932f601fd1957a1778f58301e8c529ed308fa42 Mon Sep 17 00:00:00 2001
From: Dan Streetman <ddstreet@ieee.org>
Date: Tue, 6 Dec 2022 13:07:34 -0500
Subject: [PATCH] tpm2: use Tpm2Context* instead of ESYS_CONTEXT*
This is needed for later patches that use Tpm2Handle, which requires access
to the Tpm2Context.
(cherry picked from commit 23e9ccc24ae0e7d3f3f609c69dbde171f1c55302)
Related: RHEL-16182
---
src/boot/measure.c | 4 +-
src/boot/pcrphase.c | 4 +-
src/cryptsetup/cryptsetup.c | 4 +-
src/shared/tpm2-util.c | 90 ++++++++++++++++++-------------------
src/shared/tpm2-util.h | 8 ++--
5 files changed, 55 insertions(+), 55 deletions(-)
diff --git a/src/boot/measure.c b/src/boot/measure.c
index 701d5471a1..1bb35e5f76 100644
--- a/src/boot/measure.c
+++ b/src/boot/measure.c
@@ -874,7 +874,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
goto finish;
}
- session_handle = tpm2_flush_context_verbose(c->esys_context, session_handle);
+ session_handle = tpm2_flush_context_verbose(c, session_handle);
_cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX* mdctx = NULL;
mdctx = EVP_MD_CTX_new();
@@ -965,7 +965,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
r = 0;
finish:
- session_handle = tpm2_flush_context_verbose(c->esys_context, session_handle);
+ session_handle = tpm2_flush_context_verbose(c, session_handle);
return r;
}
diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c
index bbe58fa209..6c37d34fd6 100644
--- a/src/boot/pcrphase.c
+++ b/src/boot/pcrphase.c
@@ -163,7 +163,7 @@ static int determine_banks(Tpm2Context *c, unsigned target_pcr_nr) {
if (!strv_isempty(arg_banks)) /* Explicitly configured? Then use that */
return 0;
- r = tpm2_get_good_pcr_banks_strv(c->esys_context, UINT32_C(1) << target_pcr_nr, &l);
+ r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << target_pcr_nr, &l);
if (r < 0)
return r;
@@ -361,7 +361,7 @@ static int run(int argc, char *argv[]) {
log_debug("Measuring '%s' into PCR index %u, banks %s.", word, target_pcr_nr, joined);
- r = tpm2_extend_bytes(c->esys_context, arg_banks, target_pcr_nr, word, length, NULL, 0);
+ r = tpm2_extend_bytes(c, arg_banks, target_pcr_nr, word, length, NULL, 0);
if (r < 0)
return r;
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 08744bda0c..a78272bc11 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -848,7 +848,7 @@ static int measure_volume_key(
_cleanup_strv_free_ char **l = NULL;
if (strv_isempty(arg_tpm2_measure_banks)) {
- r = tpm2_get_good_pcr_banks_strv(c->esys_context, UINT32_C(1) << arg_tpm2_measure_pcr, &l);
+ r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << arg_tpm2_measure_pcr, &l);
if (r < 0)
return r;
}
@@ -871,7 +871,7 @@ static int measure_volume_key(
if (!s)
return log_oom();
- r = tpm2_extend_bytes(c->esys_context, l ?: arg_tpm2_measure_banks, arg_tpm2_measure_pcr, s, SIZE_MAX, volume_key, volume_key_size);
+ r = tpm2_extend_bytes(c, l ?: arg_tpm2_measure_banks, arg_tpm2_measure_pcr, s, SIZE_MAX, volume_key, volume_key_size);
if (r < 0)
return r;
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 51bb1c082d..2111d0c638 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -118,13 +118,13 @@ static Tpm2Context *tpm2_context_free(Tpm2Context *c) {
DEFINE_TRIVIAL_REF_UNREF_FUNC(Tpm2Context, tpm2_context, tpm2_context_free);
-ESYS_TR tpm2_flush_context_verbose(ESYS_CONTEXT *c, ESYS_TR handle) {
+ESYS_TR tpm2_flush_context_verbose(Tpm2Context *c, ESYS_TR handle) {
TSS2_RC rc;
- if (!c || handle == ESYS_TR_NONE)
+ if (!c || !c->esys_context || handle == ESYS_TR_NONE)
return ESYS_TR_NONE;
- rc = sym_Esys_FlushContext(c, handle);
+ rc = sym_Esys_FlushContext(c->esys_context, handle);
if (rc != TSS2_RC_SUCCESS) /* We ignore failures here (besides debug logging), since this is called
* in error paths, where we cannot do anything about failures anymore. And
* when it is called in successful codepaths by this time we already did
@@ -247,7 +247,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
#define TPM2_CREDIT_RANDOM_FLAG_PATH "/run/systemd/tpm-rng-credited"
-static int tpm2_credit_random(ESYS_CONTEXT *c) {
+static int tpm2_credit_random(Tpm2Context *c) {
size_t rps, done = 0;
TSS2_RC rc;
usec_t t;
@@ -274,7 +274,7 @@ static int tpm2_credit_random(ESYS_CONTEXT *c) {
_cleanup_(Esys_Freep) TPM2B_DIGEST *buffer = NULL;
rc = sym_Esys_GetRandom(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -306,7 +306,7 @@ static int tpm2_credit_random(ESYS_CONTEXT *c) {
}
static int tpm2_make_primary(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
ESYS_TR *ret_primary,
TPMI_ALG_PUBLIC alg,
TPMI_ALG_PUBLIC *ret_alg) {
@@ -363,7 +363,7 @@ static int tpm2_make_primary(
if (IN_SET(alg, 0, TPM2_ALG_ECC)) {
rc = sym_Esys_CreatePrimary(
- c,
+ c->esys_context,
ESYS_TR_RH_OWNER,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
@@ -392,7 +392,7 @@ static int tpm2_make_primary(
if (IN_SET(alg, 0, TPM2_ALG_RSA)) {
rc = sym_Esys_CreatePrimary(
- c,
+ c->esys_context,
ESYS_TR_RH_OWNER,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
@@ -468,7 +468,7 @@ static unsigned find_nth_bit(uint32_t mask, unsigned n) {
}
static int tpm2_pcr_mask_good(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
TPMI_ALG_HASH bank,
uint32_t mask) {
@@ -486,7 +486,7 @@ static int tpm2_pcr_mask_good(
tpm2_pcr_mask_to_selection(mask, bank, &selection);
rc = sym_Esys_PCR_Read(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -550,7 +550,7 @@ static int tpm2_bank_has24(const TPMS_PCR_SELECTION *selection) {
}
static int tpm2_get_best_pcr_bank(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
uint32_t pcr_mask,
TPMI_ALG_HASH *ret) {
@@ -563,7 +563,7 @@ static int tpm2_get_best_pcr_bank(
assert(c);
rc = sym_Esys_GetCapability(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -647,7 +647,7 @@ static int tpm2_get_best_pcr_bank(
}
int tpm2_get_good_pcr_banks(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
uint32_t pcr_mask,
TPMI_ALG_HASH **ret) {
@@ -662,7 +662,7 @@ int tpm2_get_good_pcr_banks(
assert(ret);
rc = sym_Esys_GetCapability(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -726,7 +726,7 @@ int tpm2_get_good_pcr_banks(
}
int tpm2_get_good_pcr_banks_strv(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
uint32_t pcr_mask,
char ***ret) {
@@ -784,7 +784,7 @@ static void hash_pin(const char *pin, size_t len, TPM2B_AUTH *auth) {
}
static int tpm2_make_encryption_session(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
ESYS_TR primary,
ESYS_TR bind_key,
const char *pin,
@@ -816,7 +816,7 @@ static int tpm2_make_encryption_session(
hash_pin(pin, strlen(pin), &auth);
- rc = sym_Esys_TR_SetAuth(c, bind_key, &auth);
+ rc = sym_Esys_TR_SetAuth(c->esys_context, bind_key, &auth);
if (rc != TSS2_RC_SUCCESS)
return log_error_errno(
SYNTHETIC_ERRNO(ENOTRECOVERABLE),
@@ -830,7 +830,7 @@ static int tpm2_make_encryption_session(
* means that the random salt will be encrypted with the well-known key. That way, only the TPM can
* recover the salt, which is then used for key derivation. */
rc = sym_Esys_StartAuthSession(
- c,
+ c->esys_context,
primary,
bind_key,
ESYS_TR_NONE,
@@ -848,7 +848,7 @@ static int tpm2_make_encryption_session(
/* Enable parameter encryption/decryption with AES in CFB mode. Together with HMAC digests (which are
* always used for sessions), this provides confidentiality, integrity and replay protection for
* operations that use this session. */
- rc = sym_Esys_TRSess_SetAttributes(c, session, sessionAttributes, 0xff);
+ rc = sym_Esys_TRSess_SetAttributes(c->esys_context, session, sessionAttributes, 0xff);
if (rc != TSS2_RC_SUCCESS)
return log_error_errno(
SYNTHETIC_ERRNO(ENOTRECOVERABLE),
@@ -1047,7 +1047,7 @@ static int find_signature(
#endif
static int tpm2_make_policy_session(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
ESYS_TR primary,
ESYS_TR parent_session,
TPM2_SE session_type,
@@ -1124,7 +1124,7 @@ static int tpm2_make_policy_session(
#endif
rc = sym_Esys_StartAuthSession(
- c,
+ c->esys_context,
primary,
ESYS_TR_NONE,
parent_session,
@@ -1150,7 +1150,7 @@ static int tpm2_make_policy_session(
goto finish;
rc = sym_Esys_LoadExternal(
- c,
+ c->esys_context,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1173,7 +1173,7 @@ static int tpm2_make_policy_session(
/* Acquire the "name" of what we just loaded */
_cleanup_(Esys_Freep) TPM2B_NAME *pubkey_name = NULL;
rc = sym_Esys_TR_GetName(
- c,
+ c->esys_context,
pubkey_handle,
&pubkey_name);
if (rc != TSS2_RC_SUCCESS) {
@@ -1186,7 +1186,7 @@ static int tpm2_make_policy_session(
TPML_PCR_SELECTION pcr_selection;
tpm2_pcr_mask_to_selection(pubkey_pcr_mask, pcr_bank, &pcr_selection);
rc = sym_Esys_PolicyPCR(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1202,7 +1202,7 @@ static int tpm2_make_policy_session(
/* Get the policy hash of the PCR policy */
_cleanup_(Esys_Freep) TPM2B_DIGEST *approved_policy = NULL;
rc = sym_Esys_PolicyGetDigest(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1255,7 +1255,7 @@ static int tpm2_make_policy_session(
memcpy(policy_signature.signature.rsassa.sig.buffer, signature_raw, signature_size);
rc = sym_Esys_VerifySignature(
- c,
+ c->esys_context,
pubkey_handle,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1281,7 +1281,7 @@ static int tpm2_make_policy_session(
}
rc = sym_Esys_PolicyAuthorize(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1306,7 +1306,7 @@ static int tpm2_make_policy_session(
TPML_PCR_SELECTION pcr_selection;
tpm2_pcr_mask_to_selection(hash_pcr_mask, pcr_bank, &pcr_selection);
rc = sym_Esys_PolicyPCR(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1324,7 +1324,7 @@ static int tpm2_make_policy_session(
log_debug("Configuring PIN policy.");
rc = sym_Esys_PolicyAuthValue(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1341,7 +1341,7 @@ static int tpm2_make_policy_session(
log_debug("Acquiring policy digest.");
rc = sym_Esys_PolicyGetDigest(
- c,
+ c->esys_context,
session,
ESYS_TR_NONE,
ESYS_TR_NONE,
@@ -1455,17 +1455,17 @@ int tpm2_seal(const char *device,
if (r < 0)
return r;
- r = tpm2_make_primary(c->esys_context, &primary, 0, &primary_alg);
+ r = tpm2_make_primary(c, &primary, 0, &primary_alg);
if (r < 0)
return r;
/* we cannot use the bind key before its created */
- r = tpm2_make_encryption_session(c->esys_context, primary, ESYS_TR_NONE, NULL, &session);
+ r = tpm2_make_encryption_session(c, primary, ESYS_TR_NONE, NULL, &session);
if (r < 0)
goto finish;
r = tpm2_make_policy_session(
- c->esys_context,
+ c,
primary,
session,
TPM2_SE_TRIAL,
@@ -1505,7 +1505,7 @@ int tpm2_seal(const char *device,
assert(sizeof(hmac_sensitive.sensitive.data.buffer) >= hmac_sensitive.sensitive.data.size);
- (void) tpm2_credit_random(c->esys_context);
+ (void) tpm2_credit_random(c);
log_debug("Generating secret key data.");
@@ -1599,8 +1599,8 @@ int tpm2_seal(const char *device,
r = 0;
finish:
- primary = tpm2_flush_context_verbose(c->esys_context, primary);
- session = tpm2_flush_context_verbose(c->esys_context, session);
+ primary = tpm2_flush_context_verbose(c, primary);
+ session = tpm2_flush_context_verbose(c, session);
return r;
}
@@ -1677,7 +1677,7 @@ int tpm2_unseal(const char *device,
if (r < 0)
return r;
- r = tpm2_make_primary(c->esys_context, &primary, primary_alg, NULL);
+ r = tpm2_make_primary(c, &primary, primary_alg, NULL);
if (r < 0)
return r;
@@ -1713,13 +1713,13 @@ int tpm2_unseal(const char *device,
goto finish;
}
- r = tpm2_make_encryption_session(c->esys_context, primary, hmac_key, pin, &hmac_session);
+ r = tpm2_make_encryption_session(c, primary, hmac_key, pin, &hmac_session);
if (r < 0)
goto finish;
for (unsigned i = RETRY_UNSEAL_MAX;; i--) {
r = tpm2_make_policy_session(
- c->esys_context,
+ c,
primary,
hmac_session,
TPM2_SE_POLICY,
@@ -1754,7 +1754,7 @@ int tpm2_unseal(const char *device,
&unsealed);
if (rc == TPM2_RC_PCR_CHANGED && i > 0) {
log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
- session = tpm2_flush_context_verbose(c->esys_context, session);
+ session = tpm2_flush_context_verbose(c, session);
continue;
}
if (rc != TSS2_RC_SUCCESS) {
@@ -1782,9 +1782,9 @@ int tpm2_unseal(const char *device,
r = 0;
finish:
- primary = tpm2_flush_context_verbose(c->esys_context, primary);
- session = tpm2_flush_context_verbose(c->esys_context, session);
- hmac_key = tpm2_flush_context_verbose(c->esys_context, hmac_key);
+ primary = tpm2_flush_context_verbose(c, primary);
+ session = tpm2_flush_context_verbose(c, session);
+ hmac_key = tpm2_flush_context_verbose(c, hmac_key);
return r;
}
@@ -1916,7 +1916,7 @@ int tpm2_find_device_auto(
#if HAVE_TPM2
int tpm2_extend_bytes(
- ESYS_CONTEXT *c,
+ Tpm2Context *c,
char **banks,
unsigned pcr_index,
const void *data,
@@ -1977,7 +1977,7 @@ int tpm2_extend_bytes(
}
rc = sym_Esys_PCR_Extend(
- c,
+ c->esys_context,
ESYS_TR_PCR0 + pcr_index,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 65c875899e..0266f8128f 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -66,7 +66,7 @@ Tpm2Context *tpm2_context_unref(Tpm2Context *context);
DEFINE_TRIVIAL_CLEANUP_FUNC(Tpm2Context*, tpm2_context_unref);
#define _cleanup_tpm2_context_ _cleanup_(tpm2_context_unrefp)
-ESYS_TR tpm2_flush_context_verbose(ESYS_CONTEXT *c, ESYS_TR handle);
+ESYS_TR tpm2_flush_context_verbose(Tpm2Context *c, ESYS_TR handle);
void tpm2_pcr_mask_to_selection(uint32_t mask, uint16_t bank, TPML_PCR_SELECTION *ret);
@@ -75,10 +75,10 @@ static inline void Esys_Freep(void *p) {
sym_Esys_Free(*(void**) p);
}
-int tpm2_get_good_pcr_banks(ESYS_CONTEXT *c, uint32_t pcr_mask, TPMI_ALG_HASH **ret_banks);
-int tpm2_get_good_pcr_banks_strv(ESYS_CONTEXT *c, uint32_t pcr_mask, char ***ret);
+int tpm2_get_good_pcr_banks(Tpm2Context *c, uint32_t pcr_mask, TPMI_ALG_HASH **ret_banks);
+int tpm2_get_good_pcr_banks_strv(Tpm2Context *c, uint32_t pcr_mask, char ***ret);
-int tpm2_extend_bytes(ESYS_CONTEXT *c, char **banks, unsigned pcr_index, const void *data, size_t data_size, const void *secret, size_t secret_size);
+int tpm2_extend_bytes(Tpm2Context *c, char **banks, unsigned pcr_index, const void *data, size_t data_size, const void *secret, size_t secret_size);
#else /* HAVE_TPM2 */
typedef struct {} Tpm2Context;
Reference in New Issue View Git Blame Copy Permalink