forked from systemd/systemd
Commit
cryptsetup: retry TPM2 unseal operation if it fails with TPM2_RC_PCR_CHANGED

Quoting "Trusted Platform Module Library - Part 3: Commands (Rev. 01.59)":

"pcrUpdateCounter – this parameter is updated by TPM2_PolicyPCR(). This value may only be set once during a policy. Each time TPM2_PolicyPCR() executes, it checks to see if policySession->pcrUpdateCounter has its default state, indicating that this is the first TPM2_PolicyPCR(). If it has its default value, then policySession->pcrUpdateCounter is set to the current value of pcrUpdateCounter. If policySession->pcrUpdateCounter does not have its default value and its value is not the same as pcrUpdateCounter, the TPM shall return TPM_RC_PCR_CHANGED. If this parameter and pcrUpdateCounter are not the same, it indicates that PCR have changed since checked by the previous TPM2_PolicyPCR(). Since they have changed, the previous PCR validation is no longer valid."

The TPM will return TPM_RC_PCR_CHANGED if any PCR value changes (no matter which) between validating the PCRs bound to the enrollment and unsealing the HMAC key, so this patch adds a retry mechanism in this case.

Fixes systemd#24906
1 parent: f0c24a0
commit: f6a077f
Showing 3 changed files with 42 additions and 18 deletions.
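The diff itself is not reproduced on this page, so the following is an added, self-contained C simulation written for this commit page; it is not systemd's code and does not use the tpm2-tss API. It models just enough of the spec text quoted above (a global pcrUpdateCounter that advances on every PCR extend, a policy session that snapshots it on the first PolicyPCR, and an Unseal that re-checks it) to show why a retry with a fresh policy session is the right response to TPM_RC_PCR_CHANGED, and why it only helps when the PCR that moved is not one of the PCRs bound by the policy. The return-code values, the retry bound UNSEAL_MAX_TRIES, the toy PCR arithmetic and the scenario values are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Return codes of the simulated TPM. Names follow the spec; the numeric
 * values are constructed for this example, not the real TPM2 encodings. */
enum {
        RC_SUCCESS = 0,
        RC_PCR_CHANGED = 1,   /* some PCR was extended since TPM2_PolicyPCR() ran */
        RC_POLICY_FAIL = 2    /* the bound PCRs no longer match the sealing policy */
};

#define NPCR 8
#define UNSEAL_MAX_TRIES 3    /* constructed bound for the example, not systemd's value */

typedef struct {
        uint32_t pcr[NPCR];            /* toy PCR bank: one integer per PCR */
        uint64_t pcr_update_counter;   /* advanced by every extend of any PCR */
} SimTpm;

typedef struct {
        bool has_counter;              /* false == the spec's "default state" */
        uint64_t pcr_update_counter;   /* snapshot taken by the first PolicyPCR */
        bool policy_satisfied;         /* selected PCRs matched the enrolled values */
} PolicySession;

/* Simulated TPM2_PCR_Extend: any PCR write advances the global counter. */
void sim_pcr_extend(SimTpm *t, unsigned idx, uint32_t value) {
        t->pcr[idx] = (t->pcr[idx] * 31u) ^ value;   /* toy stand-in for hash chaining */
        t->pcr_update_counter++;
}

/* Simulated TPM2_PolicyPCR: 'mask' selects the bound PCRs, 'expected' holds the
 * enrolled values. Implements the pcrUpdateCounter rule quoted in the commit. */
int sim_policy_pcr(const SimTpm *t, PolicySession *s, uint8_t mask, const uint32_t expected[NPCR]) {
        if (!s->has_counter) {
                s->has_counter = true;
                s->pcr_update_counter = t->pcr_update_counter;
        } else if (s->pcr_update_counter != t->pcr_update_counter)
                return RC_PCR_CHANGED;

        s->policy_satisfied = true;
        for (unsigned i = 0; i < NPCR; i++)
                if ((mask & (1u << i)) && t->pcr[i] != expected[i])
                        s->policy_satisfied = false;
        return RC_SUCCESS;
}

/* Simulated TPM2_Unseal: the session counter is re-checked at use time, so an
 * extend of *any* PCR between PolicyPCR and Unseal surfaces as RC_PCR_CHANGED. */
int sim_unseal(const SimTpm *t, const PolicySession *s, uint32_t sealed, uint32_t *out) {
        if (s->has_counter && s->pcr_update_counter != t->pcr_update_counter)
                return RC_PCR_CHANGED;
        if (!s->policy_satisfied)
                return RC_POLICY_FAIL;
        *out = sealed;
        return RC_SUCCESS;
}

/* Hook run between PolicyPCR and Unseal, modelling another boot-time
 * component extending a PCR concurrently. */
typedef void (*interleave_fn)(SimTpm *t, unsigned attempt);

/* The retry pattern: fresh policy session per attempt, retry only on
 * RC_PCR_CHANGED, stop on any other result or after UNSEAL_MAX_TRIES. */
int unseal_with_retry(SimTpm *t, uint8_t mask, const uint32_t expected[NPCR], uint32_t sealed,
                      uint32_t *out, interleave_fn hook, unsigned *attempts) {
        int rc = RC_PCR_CHANGED;
        for (unsigned n = 1; n <= UNSEAL_MAX_TRIES; n++) {
                PolicySession s = {0};
                *attempts = n;
                rc = sim_policy_pcr(t, &s, mask, expected);
                if (rc != RC_SUCCESS)
                        return rc;
                if (hook)
                        hook(t, n);
                rc = sim_unseal(t, &s, sealed, out);
                if (rc != RC_PCR_CHANGED)
                        return rc;
                /* PCRs moved under us: discard the session and re-validate */
        }
        return rc;
}

/* Scenarios: policy bound to PCRs 0 and 7; during the first attempt only,
 * another component extends a PCR that is not (or is) part of the policy. */
void extend_unbound_once(SimTpm *t, unsigned attempt) { if (attempt == 1) sim_pcr_extend(t, 4, 0xCAFE); }
void extend_bound_once(SimTpm *t, unsigned attempt)   { if (attempt == 1) sim_pcr_extend(t, 7, 0xBEEF); }

/* Returns the final return code; *attempts receives how many tries were made. */
int run_scenario(interleave_fn hook, unsigned *attempts) {
        SimTpm t = {0};
        uint32_t expected[NPCR], out = 0;
        sim_pcr_extend(&t, 0, 0x1111);   /* constructed measured-boot state */
        sim_pcr_extend(&t, 7, 0x7777);
        memcpy(expected, t.pcr, sizeof expected);
        int rc = unseal_with_retry(&t, (1u << 0) | (1u << 7), expected, 0x5EC2E7, &out, hook, attempts);
        return (rc == RC_SUCCESS && out != 0x5EC2E7) ? -1 : rc;
}
```

With no concurrent extend the unseal succeeds on the first attempt; an extend of the unbound PCR 4 costs one RC_PCR_CHANGED and succeeds on the second attempt; an extend of the bound PCR 7 also fails the first attempt with RC_PCR_CHANGED, but the retry then reports RC_POLICY_FAIL, which the loop correctly does not retry. The operational caveat this shows is that a retry only masks the race with unrelated PCR writes; a change to a bound PCR is a real policy mismatch and should be reported as such.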