shared: Move cryptsetup-tpm2.[ch] from systemd-cryptsetup

author Gabríel Arthúr Pétursson <gabriel.petursson@marel.com>

Wed, 3 Jan 2024 15:55:18 +0000 (15:55 +0000)

committer Gabríel Arthúr Pétursson <gabriel.petursson@marel.com>

Thu, 1 Feb 2024 11:57:52 +0000 (11:57 +0000)
author Gabríel Arthúr Pétursson <gabriel.petursson@marel.com>
Wed, 3 Jan 2024 15:55:18 +0000 (15:55 +0000)
committer Gabríel Arthúr Pétursson <gabriel.petursson@marel.com>
Thu, 1 Feb 2024 11:57:52 +0000 (11:57 +0000)
diff --git a/src/cryptsetup/cryptsetup-tpm2.c b/src/cryptsetup/cryptsetup-tpm2.c

deleted file mode 100644 (file)

index 297ef6f..0000000
--- a/src/cryptsetup/cryptsetup-tpm2.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include "alloc-util.h"
-#include "ask-password-api.h"
-#include "cryptsetup-tpm2.h"
-#include "env-util.h"
-#include "fileio.h"
-#include "hexdecoct.h"
-#include "json.h"
-#include "parse-util.h"
-#include "random-util.h"
-#include "sha256.h"
-#include "tpm2-util.h"
-
-static int get_pin(usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_pin_str) {
-        _cleanup_(erase_and_freep) char *pin_str = NULL;
-        _cleanup_strv_free_erase_ char **pin = NULL;
-        int r;
-
-        assert(ret_pin_str);
-
-        r = getenv_steal_erase("PIN", &pin_str);
-        if (r < 0)
-                return log_error_errno(r, "Failed to acquire PIN from environment: %m");
-        if (!r) {
-                if (headless)
-                        return log_error_errno(
-                                        SYNTHETIC_ERRNO(ENOPKG),
-                                        "PIN querying disabled via 'headless' option. "
-                                        "Use the '$PIN' environment variable.");
-
-                pin = strv_free_erase(pin);
-                r = ask_password_auto(
-                                "Please enter TPM2 PIN:",
-                                "drive-harddisk",
-                                NULL,
-                                "tpm2-pin",
-                                "cryptsetup.tpm2-pin",
-                                until,
-                                ask_password_flags,
-                                &pin);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to ask for user pin: %m");
-                assert(strv_length(pin) == 1);
-
-                pin_str = strdup(pin[0]);
-                if (!pin_str)
-                        return log_oom();
-        }
-
-        *ret_pin_str = TAKE_PTR(pin_str);
-
-        return r;
-}
-
-int acquire_tpm2_key(
-                const char *volume_name,
-                const char *device,
-                uint32_t hash_pcr_mask,
-                uint16_t pcr_bank,
-                const struct iovec *pubkey,
-                uint32_t pubkey_pcr_mask,
-                const char *signature_path,
-                const char *pcrlock_path,
-                uint16_t primary_alg,
-                const char *key_file,
-                size_t key_file_size,
-                uint64_t key_file_offset,
-                const struct iovec *key_data,
-                const struct iovec *policy_hash,
-                const struct iovec *salt,
-                const struct iovec *srk,
-                const struct iovec *pcrlock_nv,
-                TPM2Flags flags,
-                usec_t until,
-                bool headless,
-                AskPasswordFlags ask_password_flags,
-                struct iovec *ret_decrypted_key) {
-
-        _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
-        _cleanup_free_ void *loaded_blob = NULL;
-        _cleanup_free_ char *auto_device = NULL;
-        struct iovec blob;
-        int r;
-
-        assert(iovec_is_valid(salt));
-
-        if (!device) {
-                r = tpm2_find_device_auto(&auto_device);
-                if (r == -ENODEV)
-                        return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
-                if (r < 0)
-                        return log_error_errno(r, "Could not find TPM2 device: %m");
-
-                device = auto_device;
-        }
-
-        if (iovec_is_set(key_data))
-                blob = *key_data;
-        else {
-                _cleanup_free_ char *bindname = NULL;
-
-                /* If we read the salt via AF_UNIX, make this client recognizable */
-                if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-tpm2/%s", random_u64(), volume_name) < 0)
-                        return log_oom();
-
-                r = read_full_file_full(
-                                AT_FDCWD, key_file,
-                                key_file_offset == 0 ? UINT64_MAX : key_file_offset,
-                                key_file_size == 0 ? SIZE_MAX : key_file_size,
-                                READ_FULL_FILE_CONNECT_SOCKET,
-                                bindname,
-                                (char**) &loaded_blob, &blob.iov_len);
-                if (r < 0)
-                        return r;
-
-                blob.iov_base = loaded_blob;
-        }
-
-        if (pubkey_pcr_mask != 0) {
-                r = tpm2_load_pcr_signature(signature_path, &signature_json);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to load pcr signature: %m");
-        }
-
-        _cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};
-
-        if (FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK)) {
-                r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);
-                if (r < 0)
-                        return r;
-                if (r == 0) {
-                        /* Not found? Then search among passed credentials */
-                        r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy);
-                        if (r < 0)
-                                return r;
-                        if (r == 0)
-                                return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume.");
-                }
-        }
-
-        _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
-        r = tpm2_context_new(device, &tpm2_context);
-        if (r < 0)
-                return log_error_errno(r, "Failed to create TPM2 context: %m");
-
-        if (!(flags & TPM2_FLAGS_USE_PIN)) {
-                r = tpm2_unseal(tpm2_context,
-                                hash_pcr_mask,
-                                pcr_bank,
-                                pubkey,
-                                pubkey_pcr_mask,
-                                signature_json,
-                                /* pin= */ NULL,
-                                FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
-                                primary_alg,
-                                &blob,
-                                policy_hash,
-                                srk,
-                                ret_decrypted_key);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
-
-                return r;
-        }
-
-        for (int i = 5;; i--) {
-                _cleanup_(erase_and_freep) char *pin_str = NULL, *b64_salted_pin = NULL;
-
-                if (i <= 0)
-                        return -EACCES;
-
-                r = get_pin(until, ask_password_flags, headless, &pin_str);
-                if (r < 0)
-                        return r;
-
-                if (iovec_is_set(salt)) {
-                        uint8_t salted_pin[SHA256_DIGEST_SIZE] = {};
-                        CLEANUP_ERASE(salted_pin);
-
-                        r = tpm2_util_pbkdf2_hmac_sha256(pin_str, strlen(pin_str), salt->iov_base, salt->iov_len, salted_pin);
-                        if (r < 0)
-                                return log_error_errno(r, "Failed to perform PBKDF2: %m");
-
-                        r = base64mem(salted_pin, sizeof(salted_pin), &b64_salted_pin);
-                        if (r < 0)
-                                return log_error_errno(r, "Failed to base64 encode salted pin: %m");
-                } else
-                        /* no salting needed, backwards compat with non-salted pins */
-                        b64_salted_pin = TAKE_PTR(pin_str);
-
-                r = tpm2_unseal(tpm2_context,
-                                hash_pcr_mask,
-                                pcr_bank,
-                                pubkey,
-                                pubkey_pcr_mask,
-                                signature_json,
-                                b64_salted_pin,
-                                pcrlock_path ? &pcrlock_policy : NULL,
-                                primary_alg,
-                                &blob,
-                                policy_hash,
-                                srk,
-                                ret_decrypted_key);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to unseal secret using TPM2: %m");
-
-                        /* We get this error in case there is an authentication policy mismatch. This should
-                         * not happen, but this avoids confusing behavior, just in case. */
-                        if (!IN_SET(r, -EPERM, -ENOLCK))
-                                continue;
-                }
-
-                return r;
-        }
-}
-
-int find_tpm2_auto_data(
-                struct crypt_device *cd,
-                uint32_t search_pcr_mask,
-                int start_token,
-                uint32_t *ret_hash_pcr_mask,
-                uint16_t *ret_pcr_bank,
-                struct iovec *ret_pubkey,
-                uint32_t *ret_pubkey_pcr_mask,
-                uint16_t *ret_primary_alg,
-                struct iovec *ret_blob,
-                struct iovec *ret_policy_hash,
-                struct iovec *ret_salt,
-                struct iovec *ret_srk,
-                struct iovec *ret_pcrlock_nv,
-                TPM2Flags *ret_flags,
-                int *ret_keyslot,
-                int *ret_token) {
-
-        int r, token;
-
-        assert(cd);
-
-        for (token = start_token; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
-                _cleanup_(iovec_done) struct iovec blob = {}, policy_hash = {}, pubkey = {}, salt = {}, srk = {}, pcrlock_nv = {};
-                _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
-                uint32_t hash_pcr_mask, pubkey_pcr_mask;
-                uint16_t pcr_bank, primary_alg;
-                TPM2Flags flags;
-                int keyslot;
-
-                r = cryptsetup_get_token_as_json(cd, token, "systemd-tpm2", &v);
-                if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
-                        continue;
-                if (r < 0)
-                        return log_error_errno(r, "Failed to read JSON token data off disk: %m");
-
-                r = tpm2_parse_luks2_json(
-                                v,
-                                &keyslot,
-                                &hash_pcr_mask,
-                                &pcr_bank,
-                                &pubkey,
-                                &pubkey_pcr_mask,
-                                &primary_alg,
-                                &blob,
-                                &policy_hash,
-                                &salt,
-                                &srk,
-                                &pcrlock_nv,
-                                &flags);
-                if (r == -EUCLEAN) /* Gracefully handle issues in JSON fields not owned by us */
-                        continue;
-                if (r < 0)
-                        return log_error_errno(r, "Failed to parse TPM2 JSON data: %m");
-
-                if (search_pcr_mask == UINT32_MAX ||
-                    search_pcr_mask == hash_pcr_mask) {
-
-                        if (start_token <= 0)
-                                log_info("Automatically discovered security TPM2 token unlocks volume.");
-
-                        *ret_hash_pcr_mask = hash_pcr_mask;
-                        *ret_pcr_bank = pcr_bank;
-                        *ret_pubkey = TAKE_STRUCT(pubkey);
-                        *ret_pubkey_pcr_mask = pubkey_pcr_mask;
-                        *ret_primary_alg = primary_alg;
-                        *ret_blob = TAKE_STRUCT(blob);
-                        *ret_policy_hash = TAKE_STRUCT(policy_hash);
-                        *ret_salt = TAKE_STRUCT(salt);
-                        *ret_keyslot = keyslot;
-                        *ret_token = token;
-                        *ret_srk = TAKE_STRUCT(srk);
-                        *ret_pcrlock_nv = TAKE_STRUCT(pcrlock_nv);
-                        *ret_flags = flags;
-                        return 0;
-                }
-
-                /* PCR mask doesn't match what is configured, ignore this entry, let's see next */
-        }
-
-        return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "No valid TPM2 token data found.");
-}
diff --git a/src/cryptsetup/cryptsetup-tpm2.h b/src/cryptsetup/cryptsetup-tpm2.h

deleted file mode 100644 (file)

index 0eaf928..0000000
--- a/src/cryptsetup/cryptsetup-tpm2.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
-
-#include <sys/types.h>
-
-#include "ask-password-api.h"
-#include "cryptsetup-util.h"
-#include "log.h"
-#include "time-util.h"
-#include "tpm2-util.h"
-
-#if HAVE_TPM2
-
-int acquire_tpm2_key(
-                const char *volume_name,
-                const char *device,
-                uint32_t hash_pcr_mask,
-                uint16_t pcr_bank,
-                const struct iovec *pubkey,
-                uint32_t pubkey_pcr_mask,
-                const char *signature_path,
-                const char *pcrlock_path,
-                uint16_t primary_alg,
-                const char *key_file,
-                size_t key_file_size,
-                uint64_t key_file_offset,
-                const struct iovec *key_data,
-                const struct iovec *policy_hash,
-                const struct iovec *salt,
-                const struct iovec *srk,
-                const struct iovec *pcrlock_nv,
-                TPM2Flags flags,
-                usec_t until,
-                bool headless,
-                AskPasswordFlags ask_password_flags,
-                struct iovec *ret_decrypted_key);
-
-int find_tpm2_auto_data(
-                struct crypt_device *cd,
-                uint32_t search_pcr_mask,
-                int start_token,
-                uint32_t *ret_hash_pcr_mask,
-                uint16_t *ret_pcr_bank,
-                struct iovec *ret_pubkey,
-                uint32_t *ret_pubkey_pcr_mask,
-                uint16_t *ret_primary_alg,
-                struct iovec *ret_blob,
-                struct iovec *ret_policy_hash,
-                struct iovec *ret_salt,
-                struct iovec *ret_srk,
-                struct iovec *ret_pcrlock_nv,
-                TPM2Flags *ret_flags,
-                int *ret_keyslot,
-                int *ret_token);
-
-#else
-
-static inline int acquire_tpm2_key(
-                const char *volume_name,
-                const char *device,
-                uint32_t hash_pcr_mask,
-                uint16_t pcr_bank,
-                const struct iovec *pubkey,
-                uint32_t pubkey_pcr_mask,
-                const char *signature_path,
-                const char *pcrlock_path,
-                uint16_t primary_alg,
-                const char *key_file,
-                size_t key_file_size,
-                uint64_t key_file_offset,
-                const struct iovec *key_data,
-                const struct iovec *policy_hash,
-                const struct iovec *salt,
-                const struct iovec *srk,
-                const struct iovec *pcrlock_nv,
-                TPM2Flags flags,
-                usec_t until,
-                bool headless,
-                AskPasswordFlags ask_password_flags,
-                struct iovec *ret_decrypted_key) {
-
-        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                               "TPM2 support not available.");
-}
-
-static inline int find_tpm2_auto_data(
-                struct crypt_device *cd,
-                uint32_t search_pcr_mask,
-                int start_token,
-                uint32_t *ret_hash_pcr_mask,
-                uint16_t *ret_pcr_bank,
-                struct iovec *ret_pubkey,
-                uint32_t *ret_pubkey_pcr_mask,
-                uint16_t *ret_primary_alg,
-                struct iovec *ret_blob,
-                struct iovec *ret_policy_hash,
-                struct iovec *ret_salt,
-                struct iovec *ret_srk,
-                struct iovec *ret_pcrlock_nv,
-                TPM2Flags *ret_flags,
-                int *ret_keyslot,
-                int *ret_token) {
-
-        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                               "TPM2 support not available.");
-}
-
-#endif
diff --git a/src/cryptsetup/meson.build b/src/cryptsetup/meson.build

index 90e2be7a911ef1224bce84ed554151cf35c5f384..9ccc0982b59c347d4ff9894a4a678d9cad006cd9 100644 (file)
--- a/src/cryptsetup/meson.build
+++ b/src/cryptsetup/meson.build
@@ -11,10 +11,6 @@ if conf.get('HAVE_P11KIT') == 1
          systemd_cryptsetup_sources += files('cryptsetup-pkcs11.c')
  endif
  
-if conf.get('HAVE_TPM2') == 1
-        systemd_cryptsetup_sources += files('cryptsetup-tpm2.c')
-endif
-
  executables += [
          executable_template + {
                  'name' : 'systemd-cryptsetup',
diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c

new file mode 100644 (file)

index 0000000..297ef6f
--- /dev/null
+++ b/src/shared/cryptsetup-tpm2.c
@@ -0,0 +1,299 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "ask-password-api.h"
+#include "cryptsetup-tpm2.h"
+#include "env-util.h"
+#include "fileio.h"
+#include "hexdecoct.h"
+#include "json.h"
+#include "parse-util.h"
+#include "random-util.h"
+#include "sha256.h"
+#include "tpm2-util.h"
+
+static int get_pin(usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_pin_str) {
+        _cleanup_(erase_and_freep) char *pin_str = NULL;
+        _cleanup_strv_free_erase_ char **pin = NULL;
+        int r;
+
+        assert(ret_pin_str);
+
+        r = getenv_steal_erase("PIN", &pin_str);
+        if (r < 0)
+                return log_error_errno(r, "Failed to acquire PIN from environment: %m");
+        if (!r) {
+                if (headless)
+                        return log_error_errno(
+                                        SYNTHETIC_ERRNO(ENOPKG),
+                                        "PIN querying disabled via 'headless' option. "
+                                        "Use the '$PIN' environment variable.");
+
+                pin = strv_free_erase(pin);
+                r = ask_password_auto(
+                                "Please enter TPM2 PIN:",
+                                "drive-harddisk",
+                                NULL,
+                                "tpm2-pin",
+                                "cryptsetup.tpm2-pin",
+                                until,
+                                ask_password_flags,
+                                &pin);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to ask for user pin: %m");
+                assert(strv_length(pin) == 1);
+
+                pin_str = strdup(pin[0]);
+                if (!pin_str)
+                        return log_oom();
+        }
+
+        *ret_pin_str = TAKE_PTR(pin_str);
+
+        return r;
+}
+
+int acquire_tpm2_key(
+                const char *volume_name,
+                const char *device,
+                uint32_t hash_pcr_mask,
+                uint16_t pcr_bank,
+                const struct iovec *pubkey,
+                uint32_t pubkey_pcr_mask,
+                const char *signature_path,
+                const char *pcrlock_path,
+                uint16_t primary_alg,
+                const char *key_file,
+                size_t key_file_size,
+                uint64_t key_file_offset,
+                const struct iovec *key_data,
+                const struct iovec *policy_hash,
+                const struct iovec *salt,
+                const struct iovec *srk,
+                const struct iovec *pcrlock_nv,
+                TPM2Flags flags,
+                usec_t until,
+                bool headless,
+                AskPasswordFlags ask_password_flags,
+                struct iovec *ret_decrypted_key) {
+
+        _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
+        _cleanup_free_ void *loaded_blob = NULL;
+        _cleanup_free_ char *auto_device = NULL;
+        struct iovec blob;
+        int r;
+
+        assert(iovec_is_valid(salt));
+
+        if (!device) {
+                r = tpm2_find_device_auto(&auto_device);
+                if (r == -ENODEV)
+                        return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
+                if (r < 0)
+                        return log_error_errno(r, "Could not find TPM2 device: %m");
+
+                device = auto_device;
+        }
+
+        if (iovec_is_set(key_data))
+                blob = *key_data;
+        else {
+                _cleanup_free_ char *bindname = NULL;
+
+                /* If we read the salt via AF_UNIX, make this client recognizable */
+                if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-tpm2/%s", random_u64(), volume_name) < 0)
+                        return log_oom();
+
+                r = read_full_file_full(
+                                AT_FDCWD, key_file,
+                                key_file_offset == 0 ? UINT64_MAX : key_file_offset,
+                                key_file_size == 0 ? SIZE_MAX : key_file_size,
+                                READ_FULL_FILE_CONNECT_SOCKET,
+                                bindname,
+                                (char**) &loaded_blob, &blob.iov_len);
+                if (r < 0)
+                        return r;
+
+                blob.iov_base = loaded_blob;
+        }
+
+        if (pubkey_pcr_mask != 0) {
+                r = tpm2_load_pcr_signature(signature_path, &signature_json);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to load pcr signature: %m");
+        }
+
+        _cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy pcrlock_policy = {};
+
+        if (FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK)) {
+                r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);
+                if (r < 0)
+                        return r;
+                if (r == 0) {
+                        /* Not found? Then search among passed credentials */
+                        r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy);
+                        if (r < 0)
+                                return r;
+                        if (r == 0)
+                                return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume.");
+                }
+        }
+
+        _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
+        r = tpm2_context_new(device, &tpm2_context);
+        if (r < 0)
+                return log_error_errno(r, "Failed to create TPM2 context: %m");
+
+        if (!(flags & TPM2_FLAGS_USE_PIN)) {
+                r = tpm2_unseal(tpm2_context,
+                                hash_pcr_mask,
+                                pcr_bank,
+                                pubkey,
+                                pubkey_pcr_mask,
+                                signature_json,
+                                /* pin= */ NULL,
+                                FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
+                                primary_alg,
+                                &blob,
+                                policy_hash,
+                                srk,
+                                ret_decrypted_key);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
+
+                return r;
+        }
+
+        for (int i = 5;; i--) {
+                _cleanup_(erase_and_freep) char *pin_str = NULL, *b64_salted_pin = NULL;
+
+                if (i <= 0)
+                        return -EACCES;
+
+                r = get_pin(until, ask_password_flags, headless, &pin_str);
+                if (r < 0)
+                        return r;
+
+                if (iovec_is_set(salt)) {
+                        uint8_t salted_pin[SHA256_DIGEST_SIZE] = {};
+                        CLEANUP_ERASE(salted_pin);
+
+                        r = tpm2_util_pbkdf2_hmac_sha256(pin_str, strlen(pin_str), salt->iov_base, salt->iov_len, salted_pin);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to perform PBKDF2: %m");
+
+                        r = base64mem(salted_pin, sizeof(salted_pin), &b64_salted_pin);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to base64 encode salted pin: %m");
+                } else
+                        /* no salting needed, backwards compat with non-salted pins */
+                        b64_salted_pin = TAKE_PTR(pin_str);
+
+                r = tpm2_unseal(tpm2_context,
+                                hash_pcr_mask,
+                                pcr_bank,
+                                pubkey,
+                                pubkey_pcr_mask,
+                                signature_json,
+                                b64_salted_pin,
+                                pcrlock_path ? &pcrlock_policy : NULL,
+                                primary_alg,
+                                &blob,
+                                policy_hash,
+                                srk,
+                                ret_decrypted_key);
+                if (r < 0) {
+                        log_error_errno(r, "Failed to unseal secret using TPM2: %m");
+
+                        /* We get this error in case there is an authentication policy mismatch. This should
+                         * not happen, but this avoids confusing behavior, just in case. */
+                        if (!IN_SET(r, -EPERM, -ENOLCK))
+                                continue;
+                }
+
+                return r;
+        }
+}
+
+int find_tpm2_auto_data(
+                struct crypt_device *cd,
+                uint32_t search_pcr_mask,
+                int start_token,
+                uint32_t *ret_hash_pcr_mask,
+                uint16_t *ret_pcr_bank,
+                struct iovec *ret_pubkey,
+                uint32_t *ret_pubkey_pcr_mask,
+                uint16_t *ret_primary_alg,
+                struct iovec *ret_blob,
+                struct iovec *ret_policy_hash,
+                struct iovec *ret_salt,
+                struct iovec *ret_srk,
+                struct iovec *ret_pcrlock_nv,
+                TPM2Flags *ret_flags,
+                int *ret_keyslot,
+                int *ret_token) {
+
+        int r, token;
+
+        assert(cd);
+
+        for (token = start_token; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
+                _cleanup_(iovec_done) struct iovec blob = {}, policy_hash = {}, pubkey = {}, salt = {}, srk = {}, pcrlock_nv = {};
+                _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
+                uint32_t hash_pcr_mask, pubkey_pcr_mask;
+                uint16_t pcr_bank, primary_alg;
+                TPM2Flags flags;
+                int keyslot;
+
+                r = cryptsetup_get_token_as_json(cd, token, "systemd-tpm2", &v);
+                if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
+                        continue;
+                if (r < 0)
+                        return log_error_errno(r, "Failed to read JSON token data off disk: %m");
+
+                r = tpm2_parse_luks2_json(
+                                v,
+                                &keyslot,
+                                &hash_pcr_mask,
+                                &pcr_bank,
+                                &pubkey,
+                                &pubkey_pcr_mask,
+                                &primary_alg,
+                                &blob,
+                                &policy_hash,
+                                &salt,
+                                &srk,
+                                &pcrlock_nv,
+                                &flags);
+                if (r == -EUCLEAN) /* Gracefully handle issues in JSON fields not owned by us */
+                        continue;
+                if (r < 0)
+                        return log_error_errno(r, "Failed to parse TPM2 JSON data: %m");
+
+                if (search_pcr_mask == UINT32_MAX ||
+                    search_pcr_mask == hash_pcr_mask) {
+
+                        if (start_token <= 0)
+                                log_info("Automatically discovered security TPM2 token unlocks volume.");
+
+                        *ret_hash_pcr_mask = hash_pcr_mask;
+                        *ret_pcr_bank = pcr_bank;
+                        *ret_pubkey = TAKE_STRUCT(pubkey);
+                        *ret_pubkey_pcr_mask = pubkey_pcr_mask;
+                        *ret_primary_alg = primary_alg;
+                        *ret_blob = TAKE_STRUCT(blob);
+                        *ret_policy_hash = TAKE_STRUCT(policy_hash);
+                        *ret_salt = TAKE_STRUCT(salt);
+                        *ret_keyslot = keyslot;
+                        *ret_token = token;
+                        *ret_srk = TAKE_STRUCT(srk);
+                        *ret_pcrlock_nv = TAKE_STRUCT(pcrlock_nv);
+                        *ret_flags = flags;
+                        return 0;
+                }
+
+                /* PCR mask doesn't match what is configured, ignore this entry, let's see next */
+        }
+
+        return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "No valid TPM2 token data found.");
+}
diff --git a/src/shared/cryptsetup-tpm2.h b/src/shared/cryptsetup-tpm2.h

new file mode 100644 (file)

index 0000000..0eaf928
--- /dev/null
+++ b/src/shared/cryptsetup-tpm2.h
@@ -0,0 +1,108 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <sys/types.h>
+
+#include "ask-password-api.h"
+#include "cryptsetup-util.h"
+#include "log.h"
+#include "time-util.h"
+#include "tpm2-util.h"
+
+#if HAVE_TPM2
+
+int acquire_tpm2_key(
+                const char *volume_name,
+                const char *device,
+                uint32_t hash_pcr_mask,
+                uint16_t pcr_bank,
+                const struct iovec *pubkey,
+                uint32_t pubkey_pcr_mask,
+                const char *signature_path,
+                const char *pcrlock_path,
+                uint16_t primary_alg,
+                const char *key_file,
+                size_t key_file_size,
+                uint64_t key_file_offset,
+                const struct iovec *key_data,
+                const struct iovec *policy_hash,
+                const struct iovec *salt,
+                const struct iovec *srk,
+                const struct iovec *pcrlock_nv,
+                TPM2Flags flags,
+                usec_t until,
+                bool headless,
+                AskPasswordFlags ask_password_flags,
+                struct iovec *ret_decrypted_key);
+
+int find_tpm2_auto_data(
+                struct crypt_device *cd,
+                uint32_t search_pcr_mask,
+                int start_token,
+                uint32_t *ret_hash_pcr_mask,
+                uint16_t *ret_pcr_bank,
+                struct iovec *ret_pubkey,
+                uint32_t *ret_pubkey_pcr_mask,
+                uint16_t *ret_primary_alg,
+                struct iovec *ret_blob,
+                struct iovec *ret_policy_hash,
+                struct iovec *ret_salt,
+                struct iovec *ret_srk,
+                struct iovec *ret_pcrlock_nv,
+                TPM2Flags *ret_flags,
+                int *ret_keyslot,
+                int *ret_token);
+
+#else
+
+static inline int acquire_tpm2_key(
+                const char *volume_name,
+                const char *device,
+                uint32_t hash_pcr_mask,
+                uint16_t pcr_bank,
+                const struct iovec *pubkey,
+                uint32_t pubkey_pcr_mask,
+                const char *signature_path,
+                const char *pcrlock_path,
+                uint16_t primary_alg,
+                const char *key_file,
+                size_t key_file_size,
+                uint64_t key_file_offset,
+                const struct iovec *key_data,
+                const struct iovec *policy_hash,
+                const struct iovec *salt,
+                const struct iovec *srk,
+                const struct iovec *pcrlock_nv,
+                TPM2Flags flags,
+                usec_t until,
+                bool headless,
+                AskPasswordFlags ask_password_flags,
+                struct iovec *ret_decrypted_key) {
+
+        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+                               "TPM2 support not available.");
+}
+
+static inline int find_tpm2_auto_data(
+                struct crypt_device *cd,
+                uint32_t search_pcr_mask,
+                int start_token,
+                uint32_t *ret_hash_pcr_mask,
+                uint16_t *ret_pcr_bank,
+                struct iovec *ret_pubkey,
+                uint32_t *ret_pubkey_pcr_mask,
+                uint16_t *ret_primary_alg,
+                struct iovec *ret_blob,
+                struct iovec *ret_policy_hash,
+                struct iovec *ret_salt,
+                struct iovec *ret_srk,
+                struct iovec *ret_pcrlock_nv,
+                TPM2Flags *ret_flags,
+                int *ret_keyslot,
+                int *ret_token) {
+
+        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+                               "TPM2 support not available.");
+}
+
+#endif
diff --git a/src/shared/meson.build b/src/shared/meson.build

index 2a39bb04df46993cceb896fc2c678216c8dc7f69..dc9adeddc14bab428a016ed5cf5cde7d5998b38b 100644 (file)
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -250,6 +250,10 @@ if conf.get('HAVE_LIBFIDO2') == 1 and conf.get('HAVE_LIBCRYPTSETUP') == 1
          shared_sources += files('cryptsetup-fido2.c')
  endif
  
+if conf.get('HAVE_TPM2') == 1 and conf.get('HAVE_LIBCRYPTSETUP') == 1
+        shared_sources += files('cryptsetup-tpm2.c')
+endif
+
  generate_ip_protocol_list = find_program('generate-ip-protocol-list.sh')
  ip_protocol_list_txt = custom_target(
          'ip-protocol-list.txt',
author	Gabríel Arthúr Pétursson <gabriel.petursson@marel.com>
	Wed, 3 Jan 2024 15:55:18 +0000 (15:55 +0000)
committer	Gabríel Arthúr Pétursson <gabriel.petursson@marel.com>
	Thu, 1 Feb 2024 11:57:52 +0000 (11:57 +0000)
src/cryptsetup/cryptsetup-tpm2.c	[deleted file]	patch \| blob \| history
src/cryptsetup/cryptsetup-tpm2.h	[deleted file]	patch \| blob \| history
src/cryptsetup/meson.build		patch \| blob \| history
src/shared/cryptsetup-tpm2.c	[new file with mode: 0644]	patch \| blob
src/shared/cryptsetup-tpm2.h	[new file with mode: 0644]	patch \| blob
src/shared/meson.build		patch \| blob \| history