diff options
| author | Luca Boccassi <bluca@debian.org> | 2023-02-08 02:10:28 +0000 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-02-08 10:58:57 +0000 |
| commit | b0fc23fae51d244d2c33d70c10003aa5d5840223 (patch) | |
| tree | b7bdaca48b856c42374a660a108d175901b62daa | |
| parent | 500cd2e83b8246fbf20d99db898039cfba746223 (diff) | |
| download | systemd-b0fc23fae51d244d2c33d70c10003aa5d5840223.tar.gz | |
cryptenroll: do not implicitly verify with default tpm policy signature
If it was not requested to use a tpm2 signature file when enrolling, do
not fallback to the default /run/systemd/tpm2-pcr-signature.json as it
likely will be unrelated if it exists.
Fixes https://github.com/systemd/systemd/issues/25435
| -rw-r--r-- | src/cryptenroll/cryptenroll-tpm2.c | 5 | ||||
| -rwxr-xr-x | test/units/testsuite-70.sh | 6 |
2 files changed, 9 insertions, 2 deletions
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index 3098b2e7ac..658db6a523 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -196,8 +196,9 @@ int enroll_tpm2(struct crypt_device *cd, log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m"); pubkey_pcr_mask = 0; - } else { - /* Also try to load the signature JSON object, to verify that our enrollment will work. This is optional however. */ + } else if (signature_path) { + /* Also try to load the signature JSON object, to verify that our enrollment will work. + * This is optional however, skip it if it's not explicitly provided. */ r = tpm2_load_pcr_signature(signature_path, &signature_json); if (r < 0) { diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh index 5667c8ab57..589baf370f 100755 --- a/test/units/testsuite-70.sh +++ b/test/units/testsuite-70.sh @@ -128,6 +128,12 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \ # Now, do the same, but with a cryptsetup binding truncate -s 20M $img cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom $img /tmp/passphrase + # Ensure that an unrelated signature, when not requested, is not used + touch /run/systemd/tpm2-pcr-signature.json + systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" $img + # Reset and use the signature now + rm -f /run/systemd/tpm2-pcr-signature.json + systemd-cryptenroll --wipe-slot=tpm2 $img systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature="/tmp/pcrsign.sig2" $img # Check if we can activate that (without the token module stuff) |