Enable systemd-cryptenroll to support pcr literals on the command line.

src/basic/hashmap.c

@@ -1357,6 +1357,7 @@ void* _hashmap_get(HashmapBase *h, const void *key) {
 
         hash = bucket_hash(h, key);
         idx = bucket_scan(h, hash, key);
+        fprintf(stderr, "HM: %p %s %u %u\n", h, (char*)key, hash, idx);
         if (idx == IDX_NIL)
                 return NULL;
 

src/creds/creds.c

@@ -9,6 +9,7 @@
 #include "escape.h"
 #include "fileio.h"
 #include "format-table.h"
+#include "hashmap.h"
 #include "hexdecoct.h"
 #include "io-util.h"
 #include "json.h"
@@ -45,6 +46,7 @@ static int arg_newline = -1;
 static sd_id128_t arg_with_key = _CRED_AUTO;
 static const char *arg_tpm2_device = NULL;
 static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static Hashmap *arg_tpm2_pcr_literal = NULL;
 static char *arg_tpm2_public_key = NULL;
 static uint32_t arg_tpm2_public_key_pcr_mask = UINT32_MAX;
 static char *arg_tpm2_signature = NULL;
@@ -495,6 +497,7 @@ static int verb_encrypt(int argc, char **argv, void *userdata) {
                         arg_not_after,
                         arg_tpm2_device,
                         arg_tpm2_pcr_mask,
+                        arg_tpm2_pcr_literal,
                         arg_tpm2_public_key,
                         arg_tpm2_public_key_pcr_mask,
                         plaintext, plaintext_size,
@@ -858,7 +861,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_TPM2_PCRS: /* For fixed hash PCR policies only */
-                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_pcr_mask);
+                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_pcr_mask, arg_tpm2_pcr_literal);
                         if (r < 0)
                                 return r;
 
@@ -872,7 +875,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_TPM2_PUBLIC_KEY_PCRS: /* For public key PCR policies only */
-                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_public_key_pcr_mask);
+                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_public_key_pcr_mask, arg_tpm2_pcr_literal);
                         if (r < 0)
                                 return r;
 

src/cryptenroll/cryptenroll-tpm2.c

@@ -134,6 +134,7 @@ int enroll_tpm2(struct crypt_device *cd,
                 size_t volume_key_size,
                 const char *device,
                 uint32_t hash_pcr_mask,
+                Hashmap *hash_pcr_literal,
                 const char *pubkey_path,
                 uint32_t pubkey_pcr_mask,
                 const char *signature_path,
@@ -164,6 +165,7 @@ int enroll_tpm2(struct crypt_device *cd,
         assert(volume_key);
         assert(volume_key_size > 0);
         assert(TPM2_PCR_MASK_VALID(hash_pcr_mask));
+        assert(TPM2_PCR_MASK_VALID(tpm2_mask_from_literals(hash_pcr_literal)));
         assert(TPM2_PCR_MASK_VALID(pubkey_pcr_mask));
 
         assert_se(node = crypt_get_device_name(cd));
@@ -208,6 +210,7 @@ int enroll_tpm2(struct crypt_device *cd,
 
         r = tpm2_seal(device,
                       hash_pcr_mask,
+                      hash_pcr_literal,
                       pubkey, pubkey_size,
                       pubkey_pcr_mask,
                       pin_str,
@@ -240,6 +243,7 @@ int enroll_tpm2(struct crypt_device *cd,
                 log_debug("Unsealing for verification...");
                 r = tpm2_unseal(device,
                                 hash_pcr_mask,
+                                hash_pcr_literal,
                                 pcr_bank,
                                 pubkey, pubkey_size,
                                 pubkey_pcr_mask,
@@ -279,6 +283,7 @@ int enroll_tpm2(struct crypt_device *cd,
         r = tpm2_make_luks2_json(
                         keyslot,
                         hash_pcr_mask,
+                        hash_pcr_literal,
                         pcr_bank,
                         pubkey, pubkey_size,
                         pubkey_pcr_mask,

src/cryptenroll/cryptenroll-tpm2.h

@@ -4,12 +4,13 @@
 #include <sys/types.h>
 
 #include "cryptsetup-util.h"
+#include "sha256.h"
 #include "log.h"
 
 #if HAVE_TPM2
-int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t hash_pcr_mask, const char *pubkey_path, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin);
+int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t hash_pcr_mask, Hashmap *hash_pcr_literal, const char *pubkey_path, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin);
 #else
-static inline int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t hash_pcr_mask, const char *pubkey_path, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin) {
+static inline int enroll_tpm2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, uint32_t hash_pcr_mask, Hashmap *hash_pcr_literal, const char *pubkey_path, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin) {
         return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                "TPM2 key enrollment not supported.");
 }

src/cryptenroll/cryptenroll.c

@@ -16,6 +16,7 @@
 #include "env-util.h"
 #include "escape.h"
 #include "fileio.h"
+#include "hashmap.h"
 #include "libfido2-util.h"
 #include "main-func.h"
 #include "memory-util.h"
@@ -38,6 +39,7 @@ static char *arg_pkcs11_token_uri = NULL;
 static char *arg_fido2_device = NULL;
 static char *arg_tpm2_device = NULL;
 static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static Hashmap *arg_tpm2_pcr_literal = NULL;
 static bool arg_tpm2_pin = false;
 static char *arg_tpm2_public_key = NULL;
 static uint32_t arg_tpm2_public_key_pcr_mask = UINT32_MAX;
@@ -356,7 +358,7 @@ static int parse_argv(int argc, char *argv[]) {
                 }
 
                 case ARG_TPM2_PCRS:
-                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_pcr_mask);
+                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_pcr_mask, arg_tpm2_pcr_literal);
                         if (r < 0)
                                 return r;
 
@@ -377,7 +379,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_TPM2_PUBLIC_KEY_PCRS:
-                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_public_key_pcr_mask);
+                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_public_key_pcr_mask, arg_tpm2_pcr_literal);
                         if (r < 0)
                                 return r;
 
@@ -623,6 +625,8 @@ static int run(int argc, char *argv[]) {
         log_parse_environment();
         log_open();
 
+        //tpm2_create_literals_store(&arg_tpm2_pcr_literal);
+
         r = parse_argv(argc, argv);
         if (r <= 0)
                 return r;
@@ -655,7 +659,7 @@ static int run(int argc, char *argv[]) {
                 break;
 
         case ENROLL_TPM2:
-                slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask, arg_tpm2_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin);
+                slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask, arg_tpm2_pcr_literal, arg_tpm2_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin);
                 break;
 
         case _ENROLL_TYPE_INVALID:

src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c

@@ -39,6 +39,7 @@ int acquire_luks2_key(
         _cleanup_free_ char *auto_device = NULL;
         _cleanup_(erase_and_freep) char *b64_salted_pin = NULL;
         int r;
+        Hashmap *hash_pcr_literal = NULL;
 
         assert(salt || salt_size == 0);
         assert(ret_decrypted_key);
@@ -83,6 +84,7 @@ int acquire_luks2_key(
         return tpm2_unseal(
                         device,
                         hash_pcr_mask,
+                        hash_pcr_literal,
                         pcr_bank,
                         pubkey, pubkey_size,
                         pubkey_pcr_mask,

src/cryptsetup/cryptsetup-tpm2.c

@@ -57,6 +57,7 @@ int acquire_tpm2_key(
                 const char *volume_name,
                 const char *device,
                 uint32_t hash_pcr_mask,
+                Hashmap *hash_pcr_literal,
                 uint16_t pcr_bank,
                 const void *pubkey,
                 size_t pubkey_size,
@@ -133,6 +134,7 @@ int acquire_tpm2_key(
                 return tpm2_unseal(
                                 device,
                                 hash_pcr_mask,
+                                hash_pcr_literal,
                                 pcr_bank,
                                 pubkey, pubkey_size,
                                 pubkey_pcr_mask,
@@ -175,6 +177,7 @@ int acquire_tpm2_key(
 
                 r = tpm2_unseal(device,
                                 hash_pcr_mask,
+                                hash_pcr_literal,
                                 pcr_bank,
                                 pubkey, pubkey_size,
                                 pubkey_pcr_mask,

src/cryptsetup/cryptsetup-tpm2.h

@@ -15,6 +15,7 @@ int acquire_tpm2_key(
                 const char *volume_name,
                 const char *device,
                 uint32_t hash_pcr_mask,
+                Hashmap *hash_pcr_literal,
                 uint16_t pcr_bank,
                 const void *pubkey,
                 size_t pubkey_size,
@@ -67,6 +68,7 @@ static inline int acquire_tpm2_key(
                 const char *volume_name,
                 const char *device,
                 uint32_t hash_pcr_mask,
+                Hashmap *hash_pcr_literal,
                 uint16_t pcr_bank,
                 const void *pubkey,
                 size_t pubkey_size,

src/cryptsetup/cryptsetup.c

@@ -96,6 +96,7 @@ static char *arg_fido2_rp_id = NULL;
 static char *arg_tpm2_device = NULL; /* These and the following fields are about locking an encrypted volume to the local TPM */
 static bool arg_tpm2_device_auto = false;
 static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static Hashmap *arg_tpm2_pcr_literal = NULL;
 static char *arg_tpm2_signature = NULL;
 static bool arg_tpm2_pin = false;
 static bool arg_headless = false;
@@ -399,7 +400,7 @@ static int parse_one_option(const char *option) {
 
         } else if ((val = startswith(option, "tpm2-pcrs="))) {
 
-                r = tpm2_parse_pcr_argument(val, &arg_tpm2_pcr_mask);
+                r = tpm2_parse_pcr_argument(val, &arg_tpm2_pcr_mask, arg_tpm2_pcr_literal);
                 if (r < 0)
                         return r;
 
@@ -1644,6 +1645,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                         name,
                                         arg_tpm2_device,
                                         arg_tpm2_pcr_mask == UINT32_MAX ? TPM2_PCR_MASK_DEFAULT : arg_tpm2_pcr_mask,
+                                        arg_tpm2_pcr_literal,
                                         UINT16_MAX,
                                         /* pubkey= */ NULL, /* pubkey_size= */ 0,
                                         /* pubkey_pcr_mask= */ 0,
@@ -1739,6 +1741,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                                 name,
                                                 arg_tpm2_device,
                                                 hash_pcr_mask,
+                                                arg_tpm2_pcr_literal,
                                                 pcr_bank,
                                                 pubkey, pubkey_size,
                                                 pubkey_pcr_mask,

src/partition/repart.c

@@ -141,6 +141,7 @@ static EVP_PKEY *arg_private_key = NULL;
 static X509 *arg_certificate = NULL;
 static char *arg_tpm2_device = NULL;
 static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static Hashmap *arg_tpm2_pcr_literal = NULL;
 static char *arg_tpm2_public_key = NULL;
 static uint32_t arg_tpm2_public_key_pcr_mask = UINT32_MAX;
 static bool arg_split = false;
@@ -3526,6 +3527,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
 
                 r = tpm2_seal(arg_tpm2_device,
                               arg_tpm2_pcr_mask,
+                              arg_tpm2_pcr_literal,
                               pubkey, pubkey_size,
                               arg_tpm2_public_key_pcr_mask,
                               /* pin= */ NULL,
@@ -3560,6 +3562,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
                 r = tpm2_make_luks2_json(
                                 keyslot,
                                 arg_tpm2_pcr_mask,
+                                arg_tpm2_pcr_literal,
                                 pcr_bank,
                                 pubkey, pubkey_size,
                                 arg_tpm2_public_key_pcr_mask,
@@ -6283,7 +6286,7 @@ static int parse_argv(int argc, char *argv[]) {
                 }
 
                 case ARG_TPM2_PCRS:
-                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_pcr_mask);
+                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_pcr_mask, arg_tpm2_pcr_literal);
                         if (r < 0)
                                 return r;
 
@@ -6297,7 +6300,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_TPM2_PUBLIC_KEY_PCRS:
-                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_public_key_pcr_mask);
+                        r = tpm2_parse_pcr_argument(optarg, &arg_tpm2_public_key_pcr_mask, arg_tpm2_pcr_literal);
                         if (r < 0)
                                 return r;
 

src/shared/creds-util.c

@@ -704,6 +704,7 @@ int encrypt_credential_and_warn(
                 usec_t not_after,
                 const char *tpm2_device,
                 uint32_t tpm2_hash_pcr_mask,
+                Hashmap *hash_pcr_literal,
                 const char *tpm2_pubkey_path,
                 uint32_t tpm2_pubkey_pcr_mask,
                 const void *input,
@@ -815,6 +816,7 @@ int encrypt_credential_and_warn(
 
                 r = tpm2_seal(tpm2_device,
                               tpm2_hash_pcr_mask,
+                              hash_pcr_literal,
                               pubkey, pubkey_size,
                               tpm2_pubkey_pcr_mask,
                               /* pin= */ NULL,
@@ -1108,6 +1110,7 @@ int decrypt_credential_and_warn(
 #if HAVE_TPM2
                 struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
                 struct tpm2_public_key_credential_header *z = NULL;
+                Hashmap *hash_pcr_literal = NULL;
 
                 if (!TPM2_PCR_MASK_VALID(t->pcr_mask))
                         return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
@@ -1158,6 +1161,7 @@ int decrypt_credential_and_warn(
                  // through and used to verify the TPM session.
                 r = tpm2_unseal(tpm2_device,
                                 le64toh(t->pcr_mask),
+                                hash_pcr_literal,
                                 le16toh(t->pcr_bank),
                                 z ? z->data : NULL,
                                 z ? le32toh(z->size) : 0,
@@ -1328,7 +1332,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
         return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
 }
 
-int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
+int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, Hashmap *hash_pcr_literal, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
         return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
 }
 

src/shared/creds-util.h

@@ -5,6 +5,8 @@
 #include <stdbool.h>
 #include <sys/types.h>
 
+#include "hashmap.h"
+#include "sha256.h"
 #include "sd-id128.h"
 
 #include "fd-util.h"
@@ -73,5 +75,5 @@ int get_credential_user_password(const char *username, char **ret_password, bool
 #define _CRED_AUTO                            SD_ID128_MAKE(a2,19,cb,07,85,b2,4c,04,b1,6d,18,ca,b9,d2,ee,01)
 #define _CRED_AUTO_INITRD                     SD_ID128_MAKE(02,dc,8e,de,3a,02,43,ab,a9,ec,54,9c,05,e6,a0,71)
 
-int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size);
+int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, Hashmap *hash_pcr_literal, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size);
 int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const void *input, size_t input_size, void **ret, size_t *ret_size);