From c7e506ca313d32ed5634f4c14f44378a029eec94 Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Tue, 21 May 2024 17:31:44 +0200
Subject: [PATCH] Try to use the public keys pcrs if tpm2 pcrs are blank

From issue #32946 If you want to bind a policy to PCR11 and especify the tpm2-pcr flag with and empty value, the bank calculation will fail as it tries to use a non valid value for the calculation of hash. This works around it by trying to use the public keys pcr values if they are set and if the usual tpm2 pcrs banks are empty as to not fail

Signed-off-by: Itxaka
---
 src/cryptenroll/cryptenroll.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 04352bfec6ddf..d4fba8fee19d9 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -43,7 +43,9 @@ static char *arg_tpm2_device = NULL;
 static uint32_t arg_tpm2_seal_key_handle = 0;
 static char *arg_tpm2_device_key = NULL;
 static Tpm2PCRValue *arg_tpm2_hash_pcr_values = NULL;
+static Tpm2PCRValue *arg_tpm2_key_pcr_values = NULL;
 static size_t arg_tpm2_n_hash_pcr_values = 0;
+static size_t arg_tpm2_n_key_pcr_values = 0;
 static bool arg_tpm2_pin = false;
 static char *arg_tpm2_public_key = NULL;
 static bool arg_tpm2_load_public_key = true;
@@ -515,6 +517,9 @@ static int parse_argv(int argc, char *argv[]) {
 case ARG_TPM2_PUBLIC_KEY_PCRS:
 auto_public_key_pcr_mask = false;
+ r = tpm2_parse_pcr_argument_append(optarg, &arg_tpm2_key_pcr_values, &arg_tpm2_n_key_pcr_values);
+ if (r < 0)
+ return r;
 r = tpm2_parse_pcr_argument_to_mask(optarg, &arg_tpm2_public_key_pcr_mask);
 if (r < 0)
 return r;
 
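Review bot: The array that the new `tpm2_parse_pcr_argument_append()` call in the `ARG_TPM2_PUBLIC_KEY_PCRS` case grows into `arg_tpm2_key_pcr_values` is heap-allocated, and nothing in this patch releases it; if `arg_tpm2_hash_pcr_values` is released by a static destructor elsewhere in the file (not shown), the new array presumably needs one too, but the later `run()` hunk makes both globals point at the same allocation, so registering both would double-free while registering neither leaks. The ownership needs to be decided explicitly in one place, for example by documenting next to the new declaration that the array is handed over to `arg_tpm2_hash_pcr_values` in `run()` and must not be freed separately, or by copying rather than aliasing in `run()`. parse_argv() begins and ends outside the hunk.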
@@ -845,6 +850,12 @@ static int run(int argc, char *argv[]) {
 break;
 case ENROLL_TPM2:
+ // If no tpm2 PCR values are specified, use the key PCR values if they exist so the bank calculation works as expected
+ // Otherwise if user sets the tpm2-pcrs option to blank to not bind them, it will fail to calculate the bank
+ if (arg_tpm2_hash_pcr_values == NULL && arg_tpm2_n_hash_pcr_values == 0 && arg_tpm2_key_pcr_values != NULL && arg_tpm2_n_key_pcr_values > 0) {
+ arg_tpm2_hash_pcr_values = arg_tpm2_key_pcr_values;
+ arg_tpm2_n_hash_pcr_values = arg_tpm2_n_key_pcr_values;
+ }
 slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_seal_key_handle, arg_tpm2_device_key, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, arg_tpm2_public_key, arg_tpm2_load_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin, arg_tpm2_pcrlock, &slot_to_wipe);
 if (slot >= 0 && slot_to_wipe >= 0) {
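Review bot: Aliasing `arg_tpm2_hash_pcr_values` to `arg_tpm2_key_pcr_values` in the `ENROLL_TPM2` case silently changes the policy the user asked for: per the commit message an empty `--tpm2-pcrs=` means "do not bind the hash policy to any PCR", yet after this block enroll_tpm2() receives the public-key PCR list as hash PCRs, so depending on how enroll_tpm2() (not shown) treats entries without an explicit digest the enrollment may end up bound to those PCRs' current values on top of the signed policy, which is a stricter and more brittle binding than requested. A less surprising fix is to make the bank selection inside enroll_tpm2() tolerate an empty hash PCR list instead of rewriting the arguments here; if the substitution stays, it should at least be visible in the logs, e.g. `log_debug("No --tpm2-pcrs= given, using the --tpm2-public-key-pcrs= list for PCR bank selection.");` inside the if-block. On style, systemd uses `/* ... */` rather than `//` comments and the four-clause condition overruns the project line length; if the two counts are kept in step with their arrays, `if (arg_tpm2_n_hash_pcr_values == 0 && arg_tpm2_n_key_pcr_values > 0)` expresses the same check on one line. run() begins and ends outside the hunk.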