cryptenroll: make sure enrolling signed PCR policy without literal PCR policy works correctly #32993

Merged
merged 4 commits into systemd:main
May 23, 2024

Conversation

poettering
Member

@poettering poettering commented May 23, 2024

Fixes: #32946

…but signed PCR binding is on

We so far derived the PCR bank to use from the PCR values specified for
literal PCR binding. However, when that's not used then we left the bank
uninitialized – which will break if signed PCR binds are used (where we
need to pick a bank too after all).

Hence, let's explicitly pick a bank to use if literal PCR values are not
used, to make things just work.

Fixes: systemd#32946

github-actions bot commented May 23, 2024

Note

We have successfully released a new major release. We are no longer in a development freeze phase.
We will try our best to get back to your PR as soon as possible. Thank you for your patience.

@poettering
Member Author

Should not be merged unless @Itxaka (or someone else who ran into this) verified this works.

@Itxaka, any chance you can give this a whirl? Would love to get the fix into v256 still, but we'd need quick feedback for that. Thanks!

@Itxaka

Itxaka commented May 23, 2024

Will check and come back @poettering !

src/shared/tpm2-util.c (review comment, outdated and resolved)
@Itxaka

Itxaka commented May 23, 2024

Seems to work.

Using --tpm2-public-key-pcrs=11 --tpm2-pcrs=""

Reading PCR selection: [sha256(11)]
Read PCR selection: [sha256(11)]
PCR value: 11:sha256=cd4a21cb128034894805634efa3de7bf7ad64bab838831a22d525a33b6afe133
Adding PCR signature policy.
Loading external key into TPM.
Object name: 000bad2a981c0eed83d41d9544750be2bc8f80b39f8af1ab3463bd7dbefb6576da3e
Submitting PCR hash policy.
Acquiring policy digest.
Session policy digest: bd34d71c240e83bcfc49b2f6e5becf220c5f1f7380d57838e7b65aad1d963b23
Acquiring policy digest.
Session policy digest: 513c0686708c06d99dd558564d916e0cfd3ed03040e91cc6de5a8ac89d5b02b6
Acquiring policy digest.
Session policy digest: 513c0686708c06d99dd558564d916e0cfd3ed03040e91cc6de5a8ac89d5b02b6
Unsealing HMAC key.
Completed TPM2 key unsealing in 242.156ms.
PBKDF pbkdf2-sha512, time_ms 0 (iterations 1000).
Adding new keyslot -1 by passphrase, volume key provided by key (-1).
Selected keyslot 1.
Keyslot 1 assigned to digest 0.
Trying to allocate LUKS2 keyslot 1.
Found area 290816 -> 548864
Reusing PBKDF values (no benchmark flag is set).
Calculating attributes for LUKS2 keyslot 1.
Acquiring write lock for device /dev/vda3.
Opening lock resource file /run/cryptsetup/L_253:3
Verifying lock handle for /dev/vda3.
Device /dev/vda3 WRITE lock taken.
Checking context sequence id matches value stored on disk.
Reusing open ro fd on device /dev/vda3
Running keyslot key derivation.
Updating keyslot area [0x47000].
Opening locked device /dev/vda3
Verifying locked device handle (bdev)
Device size 37511757824, offset 16777216.
Device /dev/vda3 WRITE lock already held.
Trying to write LUKS2 header (16384 bytes) at offset 0.
Reusing open rw fd on device /dev/vda3
Checksum:7d3665de71a69f918279302bc45f10dea1c29dc75441690e6028f055cbcb8e9b (in-memory)
Trying to write LUKS2 header (16384 bytes) at offset 16384.
Reusing open rw fd on device /dev/vda3
Checksum:ee49ce15fd2c9e23d3063f5f3e1157261a538b575622513317fc53f843bccf5c (in-memory)
Device /dev/vda3 WRITE lock released.
Unknown asymmetric algorithm id 0x0
Adding token text <{"type":"systemd-tpm2","keyslots":["1"],"tpm2-blob":"AJ4AIBl1WkEG/b5QjhYiWItV5accGq8hCTIrCxc28D28JfveABCH9osuwHINnEu8rayxM6zh5iPORNKkOX/E9oO/MpRs+IJq0vYMLqBr74sBCUJv5EYWAL9umxc4TxBxAiPmvfz2oY3Ul0IihldRRdhwKS8kSY8wnO65yOrqdQSA4rg2ITrzl9OdXVqLtsK5QEJC846IqnWhFsGLz3l6xQBOAAgACwAABBIAIFE8BoZwjAbZndVYVk2Rbgz9PtAwQOkcxt5aisidWwK2ABAAIJFC52azt291Jh6SrdVq3No9a8sXDEOkY3dgBr0SnxjS","tpm2-pcrs":[],"tpm2-pcr-bank":"sha256","tpm2-policy-hash":"513c0686708c06d99dd558564d916e0cfd3ed03040e91cc6de5a8ac89d5b02b6","tpm2_pubkey_pcrs":[11],"tpm2_pubkey":"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","tpm2_srk":"gQAAAQAiAAtFmtcOfTaTsqkzrcwxonwYAc9HacRwvfKkGhbjR9uaLAAAAAEAWgAjAAsAAwRyAAAABgCAAEMAEAADABAAICn301ozNM+qA0RKpa/ptgcIYxLjBPYKJvcfxSpaCILlACBkbJ6JNOT36Spcm1s3hFSP+RVLj0JG+/ZQPRDTF+0jmA=="}>

with --tpm2-public-key-pcrs=11 --tpm2-pcrs=11

Building sealing policy.
Reading PCR selection: [sha256(11)]
Read PCR selection: [sha256(11)]
PCR value: 11:sha256=cd4a21cb128034894805634efa3de7bf7ad64bab838831a22d525a33b6afe133
Adding PCR signature policy.
Loading external key into TPM.
Object name: 000bad2a981c0eed83d41d9544750be2bc8f80b39f8af1ab3463bd7dbefb6576da3e
Submitting PCR hash policy.
Acquiring policy digest.
Session policy digest: bd34d71c240e83bcfc49b2f6e5becf220c5f1f7380d57838e7b65aad1d963b23
Acquiring policy digest.
Session policy digest: 513c0686708c06d99dd558564d916e0cfd3ed03040e91cc6de5a8ac89d5b02b6
Submitting PCR hash policy.
Acquiring policy digest.
Session policy digest: 7b1583483ab680be0156633c05dc59b9758e53d56083144c64b28aab6d072fa9
Acquiring policy digest.
Session policy digest: 7b1583483ab680be0156633c05dc59b9758e53d56083144c64b28aab6d072fa9
Unsealing HMAC key.
Completed TPM2 key unsealing in 265.466ms.
PBKDF pbkdf2-sha512, time_ms 0 (iterations 1000).
Adding new keyslot -1 by passphrase, volume key provided by key (-1).
Selected keyslot 2.
Keyslot 2 assigned to digest 0.
Trying to allocate LUKS2 keyslot 2.
Found area 548864 -> 806912
Reusing PBKDF values (no benchmark flag is set).
Calculating attributes for LUKS2 keyslot 2.
Acquiring write lock for device /dev/vda3.
Opening lock resource file /run/cryptsetup/L_253:3
Verifying lock handle for /dev/vda3.
Device /dev/vda3 WRITE lock taken.
Checking context sequence id matches value stored on disk.
Reusing open ro fd on device /dev/vda3
Running keyslot key derivation.
Updating keyslot area [0x86000].
Opening locked device /dev/vda3
Verifying locked device handle (bdev)
Device size 37511757824, offset 16777216.
Device /dev/vda3 WRITE lock already held.
Trying to write LUKS2 header (16384 bytes) at offset 0.
Reusing open rw fd on device /dev/vda3
Checksum:1193bc7b983d858d4aae42851e82704acb97d8876449aea95634a96d077105f9 (in-memory)
Trying to write LUKS2 header (16384 bytes) at offset 16384.
Reusing open rw fd on device /dev/vda3
Checksum:e25fc49550787bd7aa18a894fba1f65832bdce75447b2ab5a1322d714be586ac (in-memory)
Device /dev/vda3 WRITE lock released.
Unknown asymmetric algorithm id 0x0
Adding token text <{"type":"systemd-tpm2","keyslots":["2"],"tpm2-blob":"AJ4AIGMLqF/jBjTo1fSYdWYUztI3tYwpkPkUuirLP7MwFoAVABBJn4/MvzgwEynp3XBYXX7IP6WcAWFXf3XL5RhVRxiiolekiqcNorgYzpAJMI/yaacx5A+cosvN1gq5eeyRo+E7sAjzF6RduZXf7pkON1GCkPyKHxywmTpuE3PAAzCHel+A/oUVg4+3umtFp/EyZM0DWPtOQEQ2fo1dXQBOAAgACwAABBIAIHsVg0g6toC+AVZjPAXcWbl1jlPVYIMUTGSyiqttBy+pABAAIDAKLvpWI5GDsKZhCms+YtcQ7bJyVe/GwKdzhFoEcquh","tpm2-pcrs":[11],"tpm2-pcr-bank":"sha256","tpm2-policy-hash":"7b1583483ab680be0156633c05dc59b9758e53d56083144c64b28aab6d072fa9","tpm2_pubkey_pcrs":[11],"tpm2_pubkey":"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","tpm2_srk":"gQAAAQAiAAtFmtcOfTaTsqkzrcwxonwYAc9HacRwvfKkGhbjR9uaLAAAAAEAWgAjAAsAAwRyAAAABgCAAEMAEAADABAAICn301ozNM+qA0RKpa/ptgcIYxLjBPYKJvcfxSpaCILlACBkbJ6JNOT36Spcm1s3hFSP+RVLj0JG+/ZQPRDTF+0jmA=="}>

with --tpm2-public-key-pcrs=11 --tpm2-pcrs=3

Building sealing policy.
Reading PCR selection: [sha256(3+11)]
Read PCR selection: [sha256(3+11)]
PCR value: 3:sha256=3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
PCR value: 11:sha256=cd4a21cb128034894805634efa3de7bf7ad64bab838831a22d525a33b6afe133
Adding PCR signature policy.
Loading external key into TPM.
Object name: 000bad2a981c0eed83d41d9544750be2bc8f80b39f8af1ab3463bd7dbefb6576da3e
Submitting PCR hash policy.
Acquiring policy digest.
Session policy digest: bd34d71c240e83bcfc49b2f6e5becf220c5f1f7380d57838e7b65aad1d963b23
Acquiring policy digest.
Session policy digest: 513c0686708c06d99dd558564d916e0cfd3ed03040e91cc6de5a8ac89d5b02b6
Submitting PCR hash policy.
Acquiring policy digest.
Session policy digest: 7f9fa4e54d3d064b06b5f614d7e134ae6167e29036ec5fcaf3d1318ec3636a95
Acquiring policy digest.
Session policy digest: 7f9fa4e54d3d064b06b5f614d7e134ae6167e29036ec5fcaf3d1318ec3636a95
Unsealing HMAC key.
Completed TPM2 key unsealing in 290.357ms.
PBKDF pbkdf2-sha512, time_ms 0 (iterations 1000).
Adding new keyslot -1 by passphrase, volume key provided by key (-1).
Selected keyslot 1.
Keyslot 1 assigned to digest 0.
Trying to allocate LUKS2 keyslot 1.
Found area 290816 -> 548864
Reusing PBKDF values (no benchmark flag is set).
Calculating attributes for LUKS2 keyslot 1.
Acquiring write lock for device /dev/vda3.
Opening lock resource file /run/cryptsetup/L_253:3
Verifying lock handle for /dev/vda3.
Device /dev/vda3 WRITE lock taken.
Checking context sequence id matches value stored on disk.
Reusing open ro fd on device /dev/vda3
Running keyslot key derivation.
Updating keyslot area [0x47000].
Opening locked device /dev/vda3
Verifying locked device handle (bdev)
Device size 37511757824, offset 16777216.
Device /dev/vda3 WRITE lock already held.
Trying to write LUKS2 header (16384 bytes) at offset 0.
Reusing open rw fd on device /dev/vda3
Checksum:3cb5d05ce2dccdce1e0c2827315a7cce00f3f4b9a79a2f1d024f9cb7383174ff (in-memory)
Trying to write LUKS2 header (16384 bytes) at offset 16384.
Reusing open rw fd on device /dev/vda3
Checksum:dfb1502848f5f34b62701a214b946c327b8cf5bb98e3d3af2db75cc32a8f934d (in-memory)
Device /dev/vda3 WRITE lock released.
Unknown asymmetric algorithm id 0x0
Adding token text <{"type":"systemd-tpm2","keyslots":["1"],"tpm2-blob":"AJ4AIDRhGmvcksRR+2ZbVby/RnCtso/A2TqUsEZIovLy8dyPABAmYK8MxcN1aAHnnwMuEQ65O8/uZB+axlgnl3N6i2zmeHsgbsQXYM4RzZXM2Z8Lx14+N+OIGrDdVpyjDNCWK2P/E4Z5yquEk/q8PCSPd/hnSRZMJYnienzD4IgAeT6VZY7SL3VWGAkiE1xs2Ee7DVVM2y3i8If1jNwnkwBOAAgACwAABBIAIH+fpOVNPQZLBrX2FNfhNK5hZ+KQNuxfyvPRMY7DY2qVABAAINkA2cL0HmXpcE4zAGjow6u90FWlTCXlsPBHTdhoqKsL","tpm2-pcrs":[3],"tpm2-pcr-bank":"sha256","tpm2-policy-hash":"7f9fa4e54d3d064b06b5f614d7e134ae6167e29036ec5fcaf3d1318ec3636a95","tpm2_pubkey_pcrs":[11],"tpm2_pubkey":"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","tpm2_srk":"gQAAAQAiAAtFmtcOfTaTsqkzrcwxonwYAc9HacRwvfKkGhbjR9uaLAAAAAEAWgAjAAsAAwRyAAAABgCAAEMAEAADABAAICn301ozNM+qA0RKpa/ptgcIYxLjBPYKJvcfxSpaCILlACBkbJ6JNOT36Spcm1s3hFSP+RVLj0JG+/ZQPRDTF+0jmA=="}>

with --tpm2-public-key-pcrs=11

Building sealing policy.
Reading PCR selection: [sha256(7+11)]
Read PCR selection: [sha256(7+11)]
PCR value: 7:sha256=b052e441d98f548a44e2b158104ca0d13cc606f6da8323de8efac367987b4495
PCR value: 11:sha256=cd4a21cb128034894805634efa3de7bf7ad64bab838831a22d525a33b6afe133
Adding PCR signature policy.
Loading external key into TPM.
Object name: 000bad2a981c0eed83d41d9544750be2bc8f80b39f8af1ab3463bd7dbefb6576da3e
Submitting PCR hash policy.
Acquiring policy digest.
Session policy digest: bd34d71c240e83bcfc49b2f6e5becf220c5f1f7380d57838e7b65aad1d963b23
Acquiring policy digest.
Session policy digest: 513c0686708c06d99dd558564d916e0cfd3ed03040e91cc6de5a8ac89d5b02b6
Submitting PCR hash policy.
Acquiring policy digest.
Session policy digest: d6f159ed795360f93828831e96c2064453ceb16c8c51014b9bbfaa28c36b0a00
Acquiring policy digest.
Session policy digest: d6f159ed795360f93828831e96c2064453ceb16c8c51014b9bbfaa28c36b0a00
Unsealing HMAC key.
Completed TPM2 key unsealing in 274.247ms.
PBKDF pbkdf2-sha512, time_ms 0 (iterations 1000).
Adding new keyslot -1 by passphrase, volume key provided by key (-1).
Selected keyslot 3.
Keyslot 3 assigned to digest 0.
Trying to allocate LUKS2 keyslot 3.
Found area 806912 -> 1064960
Reusing PBKDF values (no benchmark flag is set).
Calculating attributes for LUKS2 keyslot 3.
Acquiring write lock for device /dev/vda3.
Opening lock resource file /run/cryptsetup/L_253:3
Verifying lock handle for /dev/vda3.
Device /dev/vda3 WRITE lock taken.
Checking context sequence id matches value stored on disk.
Reusing open ro fd on device /dev/vda3
Running keyslot key derivation.
Updating keyslot area [0xc5000].
Opening locked device /dev/vda3
Verifying locked device handle (bdev)
Device size 37511757824, offset 16777216.
Device /dev/vda3 WRITE lock already held.
Trying to write LUKS2 header (16384 bytes) at offset 0.
Reusing open rw fd on device /dev/vda3
Checksum:931614a0ecb1782d6bfadda0860f6147a8b01b35294d9d5b2596c0683d30f6ce (in-memory)
Trying to write LUKS2 header (16384 bytes) at offset 16384.
Reusing open rw fd on device /dev/vda3
Checksum:a6215f9082ed2fa2debfa140f9086410fb000baccc73183c875e7e240f0249f1 (in-memory)
Device /dev/vda3 WRITE lock released.
Unknown asymmetric algorithm id 0x0
Adding token text <{"type":"systemd-tpm2","keyslots":["3"],"tpm2-blob":"AJ4AIBFFByQOVMxl+ULqqimRIBPWmeFAE+RV+/FJcXu2HXvoABAP1qHzBLZMZIcH/e/dmppogkVl+WuwT9UlmDOfWHVZbFd7HqiL4c9md/Kn8dBBVqkyNKOFy9nEi9Jj0IFHpKw7LCsjwHGpSBwTrp30p5q5XUZkXf7yGHUZl+Gsbq0vTJUbv8iqOBV8uwBBHktGs3Jzq+37kGe9+C4XGwBOAAgACwAABBIAINbxWe15U2D5OCiDHpbCBkRTzrFsjFEBS5u/qijDawoAABAAIFMW5HlUq9sJ8qeY6OVh0lKhJdEd2KLp1fHLcDlYe4AI","tpm2-pcrs":[7],"tpm2-pcr-bank":"sha256","tpm2-policy-hash":"d6f159ed795360f93828831e96c2064453ceb16c8c51014b9bbfaa28c36b0a00","tpm2_pubkey_pcrs":[11],"tpm2_pubkey":"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","tpm2_srk":"gQAAAQAiAAtFmtcOfTaTsqkzrcwxonwYAc9HacRwvfKkGhbjR9uaLAAAAAEAWgAjAAsAAwRyAAAABgCAAEMAEAADABAAICn301ozNM+qA0RKpa/ptgcIYxLjBPYKJvcfxSpaCILlACBkbJ6JNOT36Spcm1s3hFSP+RVLj0JG+/ZQPRDTF+0jmA=="}>

with no pcrs specified:

Getting TPM2 capability 0x0000 property 0x0001 count 127.
Getting TPM2 capability 0x0002 property 0x011f count 256.
Getting TPM2 capability 0x0008 property 0x0000 count 508.
Getting TPM2 capability 0x0005 property 0x0000 count 1.
TPM2 PCR bank sha1 has fewer than 24 PCR bits enabled, ignoring.
Reading PCR selection: [sha256(7)]
Read PCR selection: [sha256(7)]
PCR value: 7:sha256=b052e441d98f548a44e2b158104ca0d13cc606f6da8323de8efac367987b4495
TPM2 device supports SHA256 PCR bank and SHA256 PCRs are valid, yay!
Reading PCR selection: [sha256(7)]
Read PCR selection: [sha256(7)]
PCR value: 7:sha256=b052e441d98f548a44e2b158104ca0d13cc606f6da8323de8efac367987b4495
Calculated public key name: 000bad2a981c0eed83d41d9544750be2bc8f80b39f8af1ab3463bd7dbefb6576da3e
PolicyAuthorize calculated digest: 513c0686708c06d99dd558564d916e0cfd3ed03040e91cc6de5a8ac89d5b02b6
PolicyPCR calculated digest: d6f159ed795360f93828831e96c2064453ceb16c8c51014b9bbfaa28c36b0a00
Not adding TPM2 entropy to the kernel random pool again.
Generating secret key data.
Getting TPM2 capability 0x0001 property 0x81000001 count 1.
Starting HMAC encryption session.
Creating object on TPM.
Successfully created object on TPM in 6ms.
Marshalling private and public part of HMAC key.
Completed TPM2 key sealing in 13.956ms.

So it seems to cover all the possible permutations I guess?

Anything else you want me to try @poettering ? Any other logs that may be useful?

If both literal and signed PCR bindings are not used then we won't
determine a PCR bank to use, and hence we shouldn't attempt to serialize
it either.

Hence, if the bank is zero, skip serialization.

(And while we are at it, also skip serialization of the primary
algorithm if not set, purely to make things systematic).

[This effectively results in little change, as previously we'd then
serialize a json "null", while now we simply won't generate the field]

Let's only generate the pin and pcrlock booleans if they are enabled, in
order to not unnecessarily confuse older unlocking tools.
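As an added illustration (not systemd's code and not part of this PR), the bank choice described in the PR description and the skip-if-zero serialization from the commit messages above, modeled in C; the Bank type, the function names and the "tpm2-pin"/"tpm2-pcrlock" key names are assumptions, the bank and PCR behaviour follows the log lines in the thread:

```c
/* Added example, not systemd's code: the PCR-bank choice and conditional token
 * serialization the commit messages above describe. Names are hypothetical;
 * the "tpm2-pin"/"tpm2-pcrlock" keys are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TPM2_ALG_SHA1   0x0004   /* TCG algorithm IDs */
#define TPM2_ALG_SHA256 0x000B
typedef struct { uint16_t alg; unsigned enabled_pcrs; } Bank;

/* literal_mask != 0: keep the bank already derived from the PCR values read.
 * Only signed_mask != 0: the case that used to leave the bank at 0; pick the
 * best fully populated bank, preferring SHA256. Neither: bank stays 0. */
uint16_t pick_pcr_bank(uint32_t literal_mask, uint16_t bank_from_values,
                       uint32_t signed_mask, const Bank *banks, size_t n) {
        if (literal_mask != 0)
                return bank_from_values;
        if (signed_mask == 0)
                return 0;
        uint16_t fallback = 0;
        for (size_t i = 0; i < n; i++) {
                if (banks[i].enabled_pcrs < 24)
                        continue;   /* "fewer than 24 PCR bits enabled, ignoring" */
                if (banks[i].alg == TPM2_ALG_SHA256)
                        return TPM2_ALG_SHA256;
                if (fallback == 0)
                        fallback = banks[i].alg;
        }
        return fallback;
}

/* Bounded append: returns the new length, or -1 once anything overflowed. */
static int append(char *out, size_t sz, int n, const char *s) {
        if (n < 0 || (size_t)n >= sz)
                return -1;
        int r = snprintf(out + n, sz - (size_t)n, "%s", s);
        return (r < 0 || (size_t)r >= sz - (size_t)n) ? -1 : n + r;
}

/* A zero bank and unset booleans are omitted, not written as null/false. */
int serialize_token_fields(char *out, size_t sz, uint16_t bank, int pin, int pcrlock) {
        int n = append(out, sz, 0, "{\"type\":\"systemd-tpm2\"");
        if (bank == TPM2_ALG_SHA256)
                n = append(out, sz, n, ",\"tpm2-pcr-bank\":\"sha256\"");
        else if (bank == TPM2_ALG_SHA1)
                n = append(out, sz, n, ",\"tpm2-pcr-bank\":\"sha1\"");
        if (pin)
                n = append(out, sz, n, ",\"tpm2-pin\":true");
        if (pcrlock)
                n = append(out, sz, n, ",\"tpm2-pcrlock\":true");
        return append(out, sz, n, "}");
}
```

With only signed binding the token carries a real bank (as in the `"tpm2-pcr-bank":"sha256"` lines above), and with no binding at all the field is simply absent.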
@poettering
Member Author

Anything else you want me to try @poettering ? Any other logs that may be useful?

No thanks, that's all I needed.

@bluca bluca added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed please-review PR is ready for (re-)review by a maintainer labels May 23, 2024
@poettering poettering merged commit c09f7e5 into systemd:main May 23, 2024
42 of 49 checks passed
@github-actions github-actions bot removed the good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed label May 23, 2024
Development

Successfully merging this pull request may close these issues.

[UKI] Cant unlock luks device after adding new certs to EFI
4 participants