diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 28bbb932f31..ca80058c661 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -279,7 +279,7 @@ int enroll_tpm2(struct crypt_device *cd,
 size_t secret2_size;
 log_debug("Unsealing for verification...");
- r = tpm2_unseal(device,
+ r = tpm2_unseal(tpm2_context,
 hash_pcr_mask, hash_pcr_bank, pubkey, pubkey_size,
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
index dc06e55b643..5230a840254 100644
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
@@ -80,7 +80,12 @@ int acquire_luks2_key(
 return log_error_errno(r, "Failed to load PCR signature: %m");
 }
- r = tpm2_unseal(device,
+ _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
+ r = tpm2_context_new(device, &tpm2_context);
+ if (r < 0)
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
+
+ r = tpm2_unseal(tpm2_context,
 hash_pcr_mask, pcr_bank, pubkey, pubkey_size,
diff --git a/src/cryptsetup/cryptsetup-tpm2.c b/src/cryptsetup/cryptsetup-tpm2.c
index fd21408d831..036f3d3a006 100644
--- a/src/cryptsetup/cryptsetup-tpm2.c
+++ b/src/cryptsetup/cryptsetup-tpm2.c
@@ -129,8 +129,13 @@ int acquire_tpm2_key(
 return log_error_errno(r, "Failed to load pcr signature: %m");
 }
+ _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
+ r = tpm2_context_new(device, &tpm2_context);
+ if (r < 0)
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
+
 if (!(flags & TPM2_FLAGS_USE_PIN)) {
- r = tpm2_unseal(device,
+ r = tpm2_unseal(tpm2_context,
 hash_pcr_mask, pcr_bank, pubkey, pubkey_size,
@@ -177,7 +182,7 @@ int acquire_tpm2_key(
 /* no salting needed, backwards compat with non-salted pins */
 b64_salted_pin = TAKE_PTR(pin_str);
- r = tpm2_unseal(device,
+ r = tpm2_unseal(tpm2_context,
 hash_pcr_mask, pcr_bank, pubkey, pubkey_size,
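Review bot: In acquire_tpm2_key() the context is created above the `TPM2_FLAGS_USE_PIN` branch, so the second hunk's PIN-path unseal (the `r = tpm2_unseal(tpm2_context,` after `b64_salted_pin = TAKE_PTR(pin_str);`) now reuses the same Tpm2Context as the no-PIN path instead of tpm2_unseal() opening its own connection per call as before; nothing in the hunk records that this sharing is intended, and whatever PIN prompting surrounds that second call lies outside the hunk. A short comment on the added declaration would make the lifetime explicit, e.g. `/* One TPM2 context for the whole key acquisition; both the no-PIN and the PIN unseal paths below share it. */`. Failing with "Failed to create TPM2 context" before any PIN is requested is a sensible side effect, but it changes which error the user sees when no TPM is reachable, which the commit message could mention. acquire_tpm2_key's body starts and ends outside these hunks.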
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index b755a2afa8e..71aff5ef293 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -1203,9 +1203,14 @@ int decrypt_credential_and_warn(
 le32toh(z->size));
 }
+ _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
+ r = tpm2_context_new(tpm2_device, &tpm2_context);
+ if (r < 0)
+ return r;
+
 // TODO: Add the SRK data to the credential structure so it can be plumbed
 // through and used to verify the TPM session.
- r = tpm2_unseal(tpm2_device,
+ r = tpm2_unseal(tpm2_context,
 le64toh(t->pcr_mask),
 le16toh(t->pcr_bank),
 z ? z->data : NULL,
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 21e0ad71599..47a88d3d20f 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -4081,7 +4081,7 @@ int tpm2_seal(Tpm2Context *c,
 #define RETRY_UNSEAL_MAX 30u
-int tpm2_unseal(const char *device,
+int tpm2_unseal(Tpm2Context *c,
 uint32_t hash_pcr_mask,
 uint16_t pcr_bank,
 const void *pubkey,
@@ -4112,10 +4112,6 @@ int tpm2_unseal(const char *device,
 assert(TPM2_PCR_MASK_VALID(hash_pcr_mask));
 assert(TPM2_PCR_MASK_VALID(pubkey_pcr_mask));
- r = dlopen_tpm2();
- if (r < 0)
- return r;
-
 /* So here's what we do here: We connect to the TPM2 chip. As we do when sealing we generate a
 * "primary" key on the TPM2 chip, with the same parameters as well as a PCR-bound policy session.
 * Given we pass the same parameters, this will result in the same "primary" key, and same policy
@@ -4132,11 +4128,6 @@ int tpm2_unseal(const char *device,
 if (r < 0)
 return log_debug_errno(r, "Could not extract parts from blob: %m");
- _cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
- r = tpm2_context_new(device, &c);
- if (r < 0)
- return r;
-
 /* Older code did not save the pcr_bank, and unsealing needed to detect the best pcr bank to use,
 * so we need to handle that legacy situation. */
 if (pcr_bank == UINT16_MAX) {
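Review bot: The added `if (r < 0) return r;` after tpm2_context_new() in decrypt_credential_and_warn() propagates the failure without any message, whereas the two cryptsetup callers changed in this same commit log it; for a function whose name promises a warning I would write `return log_error_errno(r, "Failed to create TPM2 context: %m");` here as well, at whichever level the tpm2_unseal() failure below the hunk is reported. The retained `// TODO` about plumbing SRK data through is still accurate, since the call passes the same arguments apart from the context. decrypt_credential_and_warn's body begins and ends outside the hunk.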
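Review bot: `c` is now a caller-supplied pointer that tpm2_unseal() dereferences for every TPM operation, yet the hunk at -4112 shows only the two PCR-mask asserts and no `assert(c);` beside them; the function's earlier asserts sit above the hunk, so add `assert(c);` there if one is not already present. With the `dlopen_tpm2()` call and the context creation removed, the kept comment `/* So here's what we do here: We connect to the TPM2 chip. ...` now misstates who connects; its first sentence should read something like `/* So here's what we do here: the caller hands us an already-connected Tpm2Context. As we do when sealing we generate a ...`. Since the `_cleanup_` on the context is gone too, the function borrows `c` for its whole run, including whatever retry loop `RETRY_UNSEAL_MAX` governs further down (not visible here). tpm2_unseal's body continues past the hunks.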
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 05627492e3f..045f200fbb9 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -193,7 +193,7 @@ int tpm2_unmarshal_blob(const void *blob, size_t blob_size, TPM2B_PUBLIC *ret_pu
 int tpm2_get_or_create_srk(Tpm2Context *c, const Tpm2Handle *session, TPM2B_PUBLIC **ret_public, TPM2B_NAME **ret_name, TPM2B_NAME **ret_qname, Tpm2Handle **ret_handle);
 int tpm2_seal(Tpm2Context *c, const TPM2B_DIGEST *policy, const char *pin, void **ret_secret, size_t *ret_secret_size, void **ret_blob, size_t *ret_blob_size, uint16_t *ret_primary_alg, void **ret_srk_buf, size_t *ret_srk_buf_size);
-int tpm2_unseal(const char *device, uint32_t hash_pcr_mask, uint16_t pcr_bank, const void *pubkey, size_t pubkey_size, uint32_t pubkey_pcr_mask, JsonVariant *signature, const char *pin, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, const void *srk_buf, size_t srk_buf_size, void **ret_secret, size_t *ret_secret_size);
+int tpm2_unseal(Tpm2Context *c, uint32_t hash_pcr_mask, uint16_t pcr_bank, const void *pubkey, size_t pubkey_size, uint32_t pubkey_pcr_mask, JsonVariant *signature, const char *pin, uint16_t primary_alg, const void *blob, size_t blob_size, const void *policy_hash, size_t policy_hash_size, const void *srk_buf, size_t srk_buf_size, void **ret_secret, size_t *ret_secret_size);
 #if HAVE_OPENSSL
 int tpm2_tpm2b_public_to_openssl_pkey(const TPM2B_PUBLIC *public, EVP_PKEY **ret);
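Review bot: The changed prototype is the only place callers learn tpm2_unseal()'s new contract, and it says nothing about ownership of `c` or about the fact that the dlopen and connection setup the function used to perform itself (removed in the .c hunks of this commit) are now the caller's job. A one-line comment above the declaration would settle that, e.g. `/* Unseals with a caller-owned, already-initialised Tpm2Context; takes no reference on c, so the caller must keep it alive for the duration of the call. */`. The neighbouring tpm2_get_or_create_srk() and tpm2_seal() declarations are equally undocumented, so this is a consistency point rather than a regression introduced here.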