system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-21 10:17:21 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

tpm2: log about invalid PCRs on each unsealing

Browse source 
Let's log every time we use uninitialized PCRs when unsealing a secret
via TPM2. This indicates a firmware issue usually, and is something we
shouldn't just show when enrolling but also show every time we unseal,
so that the fact that the selected PCR policy is pretty much pointless
is repeatedly shown.
This commit is contained in:
Lennart Poettering 2021-09-13 12:43:53 +02:00
parent 321a9d9ee5
commit d38466bae6
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/shared/tpm2-util.c
View file

@ -617,9 +617,15 @@ static int tpm2_make_pcr_session(
log_debug("Starting authentication session.");
if (pcr_bank != UINT16_MAX)
if (pcr_bank != UINT16_MAX) {
r = tpm2_pcr_mask_good(c, pcr_bank, pcr_mask);
if (r < 0)
return r;
if (r == 0)
log_notice("Selected TPM2 PCRs are not initialized on this system, most likely due to a firmware issue. PCR policy is effectively not enforced. Proceeding anyway.");
tpm2_pcr_mask_to_selecion(pcr_mask, pcr_bank, &pcr_selection);
else {
} else {
TPMI_ALG_HASH h;
/* No bank configured, pick automatically. Some TPM2 devices only can do SHA1. If we detect