|
|
|
|
From 80c19ca9c613a0909bca238b7e71165ed9d8f546 Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: Dan Streetman <ddstreet@ieee.org>
|
|
|
|
|
Date: Fri, 8 Sep 2023 12:39:49 -0400
|
|
|
|
|
Subject: [PATCH] tpm2: downgrade most log functions from error to debug
|
|
|
|
|
|
|
|
|
|
Because most TPM2 functions here are 'library-like' functions, they should be
|
|
|
|
|
at debug level, not error level.
|
|
|
|
|
|
|
|
|
|
The only functions not reduced to logging at debug are tpm2_list_devices(),
|
|
|
|
|
since it is expected to print output, and the tpm2_parse_pcr_argument_*()
|
|
|
|
|
functions, since the system-wide parse_*_argument() functions generally log at
|
|
|
|
|
error level.
|
|
|
|
|
|
|
|
|
|
(cherry picked from commit f9a0ee7554d18f8f1c1968811efed85a2f5e9013)
|
|
|
|
|
|
|
|
|
|
Related: RHEL-16182
|
|
|
|
|
---
|
|
|
|
|
src/boot/measure.c | 2 +-
|
|
|
|
|
src/boot/pcrphase.c | 6 +-
|
|
|
|
|
src/cryptenroll/cryptenroll-tpm2.c | 8 +-
|
|
|
|
|
src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | 13 +-
|
|
|
|
|
src/cryptsetup/cryptsetup-tpm2.c | 30 +-
|
|
|
|
|
src/cryptsetup/cryptsetup.c | 6 +-
|
|
|
|
|
src/partition/repart.c | 6 +-
|
|
|
|
|
src/shared/creds-util.c | 15 +-
|
|
|
|
|
src/shared/tpm2-util.c | 312 +++++++++---------
|
|
|
|
|
src/shared/tpm2-util.h | 2 +-
|
|
|
|
|
10 files changed, 203 insertions(+), 197 deletions(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/src/boot/measure.c b/src/boot/measure.c
|
|
|
|
|
index 76f7f3fbfa..8882850e13 100644
|
|
|
|
|
--- a/src/boot/measure.c
|
|
|
|
|
+++ b/src/boot/measure.c
|
|
|
|
|
@@ -807,7 +807,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
|
|
|
|
|
|
|
|
|
|
r = tpm2_calculate_policy_pcr(&pcr_value, 1, &pcr_policy_digest);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not calculate PolicyPCR digest: %m");
|
|
|
|
|
|
|
|
|
|
_cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX* mdctx = NULL;
|
|
|
|
|
mdctx = EVP_MD_CTX_new();
|
|
|
|
|
diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c
|
|
|
|
|
index 16d71e6a22..8b2b837222 100644
|
|
|
|
|
--- a/src/boot/pcrphase.c
|
|
|
|
|
+++ b/src/boot/pcrphase.c
|
|
|
|
|
@@ -165,7 +165,7 @@ static int determine_banks(Tpm2Context *c, unsigned target_pcr_nr) {
|
|
|
|
|
|
|
|
|
|
r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << target_pcr_nr, &l);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not verify pcr banks: %m");
|
|
|
|
|
|
|
|
|
|
strv_free_and_replace(arg_banks, l);
|
|
|
|
|
return 0;
|
|
|
|
|
@@ -343,7 +343,7 @@ static int run(int argc, char *argv[]) {
|
|
|
|
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
|
|
|
|
|
r = tpm2_context_new(arg_tpm2_device, &c);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
|
|
|
|
|
|
|
|
|
|
r = determine_banks(c, target_pcr_nr);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
@@ -359,7 +359,7 @@ static int run(int argc, char *argv[]) {
|
|
|
|
|
|
|
|
|
|
r = tpm2_extend_bytes(c, arg_banks, target_pcr_nr, word, length, NULL, 0);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not extend PCR: %m");
|
|
|
|
|
|
|
|
|
|
log_struct(LOG_INFO,
|
|
|
|
|
"MESSAGE_ID=" SD_MESSAGE_TPM_PCR_EXTEND_STR,
|
|
|
|
|
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
|
|
|
|
|
index e16039590a..96e0183d4f 100644
|
|
|
|
|
--- a/src/cryptenroll/cryptenroll-tpm2.c
|
|
|
|
|
+++ b/src/cryptenroll/cryptenroll-tpm2.c
|
|
|
|
|
@@ -212,13 +212,13 @@ int enroll_tpm2(struct crypt_device *cd,
|
|
|
|
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
|
|
|
|
|
r = tpm2_context_new(device, &tpm2_context);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
|
|
|
|
|
|
|
|
|
|
bool pcr_value_specified = tpm2_pcr_values_has_any_values(hash_pcr_values, n_hash_pcr_values);
|
|
|
|
|
|
|
|
|
|
r = tpm2_pcr_read_missing_values(tpm2_context, hash_pcr_values, n_hash_pcr_values);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not read pcr values: %m");
|
|
|
|
|
|
|
|
|
|
uint16_t hash_pcr_bank = 0;
|
|
|
|
|
uint32_t hash_pcr_mask = 0;
|
|
|
|
|
@@ -263,7 +263,7 @@ int enroll_tpm2(struct crypt_device *cd,
|
|
|
|
|
&srk_buf,
|
|
|
|
|
&srk_buf_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to seal to TPM2: %m");
|
|
|
|
|
|
|
|
|
|
/* Let's see if we already have this specific PCR policy hash enrolled, if so, exit early. */
|
|
|
|
|
r = search_policy_hash(cd, policy.buffer, policy.size);
|
|
|
|
|
@@ -295,7 +295,7 @@ int enroll_tpm2(struct crypt_device *cd,
|
|
|
|
|
srk_buf, srk_buf_size,
|
|
|
|
|
&secret2, &secret2_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
|
|
|
|
|
|
|
|
|
|
if (memcmp_nn(secret, secret_size, secret2, secret2_size) != 0)
|
|
|
|
|
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 seal/unseal verification failed.");
|
|
|
|
|
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
|
|
|
|
|
index af747af613..71334129a6 100644
|
|
|
|
|
--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
|
|
|
|
|
+++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
|
|
|
|
|
@@ -44,11 +44,11 @@ int acquire_luks2_key(
|
|
|
|
|
assert(ret_decrypted_key_size);
|
|
|
|
|
|
|
|
|
|
if (!device) {
|
|
|
|
|
- r = tpm2_find_device_auto(LOG_DEBUG, &auto_device);
|
|
|
|
|
+ r = tpm2_find_device_auto(&auto_device);
|
|
|
|
|
if (r == -ENODEV)
|
|
|
|
|
return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not find TPM2 device: %m");
|
|
|
|
|
|
|
|
|
|
device = auto_device;
|
|
|
|
|
}
|
|
|
|
|
@@ -76,11 +76,10 @@ int acquire_luks2_key(
|
|
|
|
|
if (pubkey_pcr_mask != 0) {
|
|
|
|
|
r = tpm2_load_pcr_signature(signature_path, &signature_json);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to load PCR signature: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- return tpm2_unseal(
|
|
|
|
|
- device,
|
|
|
|
|
+ r = tpm2_unseal(device,
|
|
|
|
|
hash_pcr_mask,
|
|
|
|
|
pcr_bank,
|
|
|
|
|
pubkey, pubkey_size,
|
|
|
|
|
@@ -92,4 +91,8 @@ int acquire_luks2_key(
|
|
|
|
|
policy_hash, policy_hash_size,
|
|
|
|
|
srk_buf, srk_buf_size,
|
|
|
|
|
ret_decrypted_key, ret_decrypted_key_size);
|
|
|
|
|
+ if (r < 0)
|
|
|
|
|
+ return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
|
|
|
|
|
+
|
|
|
|
|
+ return r;
|
|
|
|
|
}
|
|
|
|
|
diff --git a/src/cryptsetup/cryptsetup-tpm2.c b/src/cryptsetup/cryptsetup-tpm2.c
|
|
|
|
|
index 6b650b0d26..ffb399a0b2 100644
|
|
|
|
|
--- a/src/cryptsetup/cryptsetup-tpm2.c
|
|
|
|
|
+++ b/src/cryptsetup/cryptsetup-tpm2.c
|
|
|
|
|
@@ -89,11 +89,11 @@ int acquire_tpm2_key(
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
if (!device) {
|
|
|
|
|
- r = tpm2_find_device_auto(LOG_DEBUG, &auto_device);
|
|
|
|
|
+ r = tpm2_find_device_auto(&auto_device);
|
|
|
|
|
if (r == -ENODEV)
|
|
|
|
|
return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not find TPM2 device: %m");
|
|
|
|
|
|
|
|
|
|
device = auto_device;
|
|
|
|
|
}
|
|
|
|
|
@@ -124,12 +124,11 @@ int acquire_tpm2_key(
|
|
|
|
|
if (pubkey_pcr_mask != 0) {
|
|
|
|
|
r = tpm2_load_pcr_signature(signature_path, &signature_json);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to load pcr signature: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- if (!(flags & TPM2_FLAGS_USE_PIN))
|
|
|
|
|
- return tpm2_unseal(
|
|
|
|
|
- device,
|
|
|
|
|
+ if (!(flags & TPM2_FLAGS_USE_PIN)) {
|
|
|
|
|
+ r = tpm2_unseal(device,
|
|
|
|
|
hash_pcr_mask,
|
|
|
|
|
pcr_bank,
|
|
|
|
|
pubkey, pubkey_size,
|
|
|
|
|
@@ -145,6 +144,11 @@ int acquire_tpm2_key(
|
|
|
|
|
srk_buf_size,
|
|
|
|
|
ret_decrypted_key,
|
|
|
|
|
ret_decrypted_key_size);
|
|
|
|
|
+ if (r < 0)
|
|
|
|
|
+ return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
|
|
|
|
|
+
|
|
|
|
|
+ return r;
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
for (int i = 5;; i--) {
|
|
|
|
|
_cleanup_(erase_and_freep) char *pin_str = NULL, *b64_salted_pin = NULL;
|
|
|
|
|
@@ -187,12 +191,14 @@ int acquire_tpm2_key(
|
|
|
|
|
srk_buf_size,
|
|
|
|
|
ret_decrypted_key,
|
|
|
|
|
ret_decrypted_key_size);
|
|
|
|
|
- /* We get this error in case there is an authentication policy mismatch. This should
|
|
|
|
|
- * not happen, but this avoids confusing behavior, just in case. */
|
|
|
|
|
- if (IN_SET(r, -EPERM, -ENOLCK))
|
|
|
|
|
- return r;
|
|
|
|
|
- if (r < 0)
|
|
|
|
|
- continue;
|
|
|
|
|
+ if (r < 0) {
|
|
|
|
|
+ log_error_errno(r, "Failed to unseal secret using TPM2: %m");
|
|
|
|
|
+
|
|
|
|
|
+ /* We get this error in case there is an authentication policy mismatch. This should
|
|
|
|
|
+ * not happen, but this avoids confusing behavior, just in case. */
|
|
|
|
|
+ if (!IN_SET(r, -EPERM, -ENOLCK))
|
|
|
|
|
+ continue;
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
|
|
|
|
|
index d70516c237..3f2cab1e41 100644
|
|
|
|
|
--- a/src/cryptsetup/cryptsetup.c
|
|
|
|
|
+++ b/src/cryptsetup/cryptsetup.c
|
|
|
|
|
@@ -826,13 +826,13 @@ static int measure_volume_key(
|
|
|
|
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
|
|
|
|
|
r = tpm2_context_new(arg_tpm2_device, &c);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
|
|
|
|
|
|
|
|
|
|
_cleanup_strv_free_ char **l = NULL;
|
|
|
|
|
if (strv_isempty(arg_tpm2_measure_banks)) {
|
|
|
|
|
r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << arg_tpm2_measure_pcr, &l);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not verify pcr banks: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_cleanup_free_ char *joined = strv_join(l ?: arg_tpm2_measure_banks, ", ");
|
|
|
|
|
@@ -855,7 +855,7 @@ static int measure_volume_key(
|
|
|
|
|
|
|
|
|
|
r = tpm2_extend_bytes(c, l ?: arg_tpm2_measure_banks, arg_tpm2_measure_pcr, s, SIZE_MAX, volume_key, volume_key_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not extend PCR: %m");
|
|
|
|
|
|
|
|
|
|
log_struct(LOG_INFO,
|
|
|
|
|
"MESSAGE_ID=" SD_MESSAGE_TPM_PCR_EXTEND_STR,
|
|
|
|
|
diff --git a/src/partition/repart.c b/src/partition/repart.c
|
|
|
|
|
index 611bd541b0..481680768a 100644
|
|
|
|
|
--- a/src/partition/repart.c
|
|
|
|
|
+++ b/src/partition/repart.c
|
|
|
|
|
@@ -3043,7 +3043,7 @@ static int partition_encrypt(
|
|
|
|
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
|
|
|
|
|
r = tpm2_context_new(arg_tpm2_device, &tpm2_context);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
|
|
|
|
|
|
|
|
|
|
TPM2B_PUBLIC public;
|
|
|
|
|
if (pubkey) {
|
|
|
|
|
@@ -3054,7 +3054,7 @@ static int partition_encrypt(
|
|
|
|
|
|
|
|
|
|
r = tpm2_pcr_read_missing_values(tpm2_context, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not read pcr values: %m");
|
|
|
|
|
|
|
|
|
|
uint16_t hash_pcr_bank = 0;
|
|
|
|
|
uint32_t hash_pcr_mask = 0;
|
|
|
|
|
@@ -3076,7 +3076,7 @@ static int partition_encrypt(
|
|
|
|
|
TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
|
|
|
|
|
r = tpm2_calculate_sealing_policy(arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, &public, /* use_pin= */ false, &policy);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not calculate sealing policy digest: %m");
|
|
|
|
|
|
|
|
|
|
r = tpm2_seal(tpm2_context,
|
|
|
|
|
&policy,
|
|
|
|
|
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
|
|
|
|
|
index ae7919631b..783fe75ca6 100644
|
|
|
|
|
--- a/src/shared/creds-util.c
|
|
|
|
|
+++ b/src/shared/creds-util.c
|
|
|
|
|
@@ -651,11 +651,11 @@ int encrypt_credential_and_warn(
|
|
|
|
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
|
|
|
|
|
r = tpm2_context_new(tpm2_device, &tpm2_context);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to create TPM2 context: %m");
|
|
|
|
|
|
|
|
|
|
r = tpm2_get_best_pcr_bank(tpm2_context, tpm2_hash_pcr_mask | tpm2_pubkey_pcr_mask, &tpm2_pcr_bank);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not find best pcr bank: %m");
|
|
|
|
|
|
|
|
|
|
TPML_PCR_SELECTION tpm2_hash_pcr_selection;
|
|
|
|
|
tpm2_tpml_pcr_selection_from_mask(tpm2_hash_pcr_mask, tpm2_pcr_bank, &tpm2_hash_pcr_selection);
|
|
|
|
|
@@ -664,7 +664,7 @@ int encrypt_credential_and_warn(
|
|
|
|
|
size_t tpm2_n_hash_pcr_values;
|
|
|
|
|
r = tpm2_pcr_read(tpm2_context, &tpm2_hash_pcr_selection, &tpm2_hash_pcr_values, &tpm2_n_hash_pcr_values);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not read PCR values: %m");
|
|
|
|
|
|
|
|
|
|
TPM2B_PUBLIC public;
|
|
|
|
|
if (pubkey) {
|
|
|
|
|
@@ -681,7 +681,7 @@ int encrypt_credential_and_warn(
|
|
|
|
|
/* use_pin= */ false,
|
|
|
|
|
&tpm2_policy);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not calculate sealing policy digest: %m");
|
|
|
|
|
|
|
|
|
|
r = tpm2_seal(tpm2_context,
|
|
|
|
|
&tpm2_policy,
|
|
|
|
|
@@ -695,7 +695,7 @@ int encrypt_credential_and_warn(
|
|
|
|
|
if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
|
|
|
|
|
log_warning("Firmware reported a TPM2 being present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
|
|
|
|
|
else if (!sd_id128_equal(with_key, _CRED_AUTO))
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to seal to TPM2: %m");
|
|
|
|
|
|
|
|
|
|
log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
|
|
|
|
|
}
|
|
|
|
|
@@ -927,7 +927,7 @@ int decrypt_credential_and_warn(
|
|
|
|
|
if (with_tpm2_pk) {
|
|
|
|
|
r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Failed to load pcr signature: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (is_tpm2_absent) {
|
|
|
|
|
@@ -1046,8 +1046,7 @@ int decrypt_credential_and_warn(
|
|
|
|
|
&tpm2_key,
|
|
|
|
|
&tpm2_key_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
-
|
|
|
|
|
+ return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
|
|
|
|
|
#else
|
|
|
|
|
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
|
|
|
|
|
#endif
|
|
|
|
|
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
|
|
|
|
|
index 944bf91019..ffadfa1498 100644
|
|
|
|
|
--- a/src/shared/tpm2-util.c
|
|
|
|
|
+++ b/src/shared/tpm2-util.c
|
|
|
|
|
@@ -188,12 +188,12 @@ static int tpm2_get_capability(
|
|
|
|
|
&more,
|
|
|
|
|
&capabilities);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to get TPM2 capability 0x%04" PRIx32 " property 0x%04" PRIx32 ": %s",
|
|
|
|
|
capability, property, sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
if (capabilities->capability != capability)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"TPM provided wrong capability: 0x%04" PRIx32 " instead of 0x%04" PRIx32 ".",
|
|
|
|
|
capabilities->capability, capability);
|
|
|
|
|
|
|
|
|
|
@@ -240,7 +240,7 @@ static int tpm2_cache_capabilities(Tpm2Context *c) {
|
|
|
|
|
c->n_capability_algorithms,
|
|
|
|
|
algorithms.algProperties,
|
|
|
|
|
algorithms.count))
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
if (r == 0)
|
|
|
|
|
break;
|
|
|
|
|
@@ -273,7 +273,7 @@ static int tpm2_cache_capabilities(Tpm2Context *c) {
|
|
|
|
|
c->n_capability_commands,
|
|
|
|
|
commands.commandAttributes,
|
|
|
|
|
commands.count))
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
if (r == 0)
|
|
|
|
|
break;
|
|
|
|
|
@@ -299,7 +299,7 @@ static int tpm2_cache_capabilities(Tpm2Context *c) {
|
|
|
|
|
* TPM2_GetCapability states: "TPM_CAP_PCRS – Returns the current allocation of PCR in a
|
|
|
|
|
* TPML_PCR_SELECTION. The property parameter shall be zero. The TPM will always respond to
|
|
|
|
|
* this command with the full PCR allocation and moreData will be NO." */
|
|
|
|
|
- log_warning("TPM bug: reported multiple PCR sets; using only first set.");
|
|
|
|
|
+ log_debug("TPM bug: reported multiple PCR sets; using only first set.");
|
|
|
|
|
c->capability_pcrs = capability.assignedPCR;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
@@ -408,10 +408,10 @@ static int tpm2_get_capability_handles(
|
|
|
|
|
assert(handle_list.count <= max);
|
|
|
|
|
|
|
|
|
|
if (n_handles > SIZE_MAX - handle_list.count)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
if (!GREEDY_REALLOC(handles, n_handles + handle_list.count))
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
memcpy_safe(&handles[n_handles], handle_list.handle, sizeof(handles[0]) * handle_list.count);
|
|
|
|
|
|
|
|
|
|
@@ -537,7 +537,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
|
|
|
|
|
|
|
|
|
|
context = new(Tpm2Context, 1);
|
|
|
|
|
if (!context)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
*context = (Tpm2Context) {
|
|
|
|
|
.n_ref = 1,
|
|
|
|
|
@@ -545,7 +545,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
|
|
|
|
|
|
|
|
|
|
r = dlopen_tpm2();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
+ return log_debug_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
|
|
|
|
|
if (!device) {
|
|
|
|
|
device = secure_getenv("SYSTEMD_TPM2_DEVICE");
|
|
|
|
|
@@ -572,7 +572,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
|
|
|
|
|
/* Syntax #1: Pair of driver string and arbitrary parameter */
|
|
|
|
|
driver = strndupa_safe(device, param - device);
|
|
|
|
|
if (isempty(driver))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing.");
|
|
|
|
|
|
|
|
|
|
param++;
|
|
|
|
|
} else if (path_is_absolute(device) && path_is_valid(device)) {
|
|
|
|
|
@@ -580,7 +580,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
|
|
|
|
|
driver = "device";
|
|
|
|
|
param = device;
|
|
|
|
|
} else
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing.");
|
|
|
|
|
|
|
|
|
|
log_debug("Using TPM2 TCTI driver '%s' with device '%s'.", driver, param);
|
|
|
|
|
|
|
|
|
|
@@ -588,42 +588,42 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
|
|
|
|
|
|
|
|
|
|
/* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
|
|
|
|
|
if (!filename_is_valid(fn))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
|
|
|
|
|
|
|
|
|
|
context->tcti_dl = dlopen(fn, RTLD_NOW);
|
|
|
|
|
if (!context->tcti_dl)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror());
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror());
|
|
|
|
|
|
|
|
|
|
func = dlsym(context->tcti_dl, TSS2_TCTI_INFO_SYMBOL);
|
|
|
|
|
if (!func)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to find TCTI info symbol " TSS2_TCTI_INFO_SYMBOL ": %s",
|
|
|
|
|
dlerror());
|
|
|
|
|
|
|
|
|
|
info = func();
|
|
|
|
|
if (!info)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unable to get TCTI info data.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unable to get TCTI info data.");
|
|
|
|
|
|
|
|
|
|
log_debug("Loaded TCTI module '%s' (%s) [Version %" PRIu32 "]", info->name, info->description, info->version);
|
|
|
|
|
|
|
|
|
|
rc = info->init(NULL, &sz, NULL);
|
|
|
|
|
if (rc != TPM2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to initialize TCTI context: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
context->tcti_context = malloc0(sz);
|
|
|
|
|
if (!context->tcti_context)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
rc = info->init(context->tcti_context, &sz, param);
|
|
|
|
|
if (rc != TPM2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to initialize TCTI context: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc = sym_Esys_Initialize(&context->esys_context, context->tcti_context, NULL);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to initialize TPM context: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
rc = sym_Esys_Startup(context->esys_context, TPM2_SU_CLEAR);
|
|
|
|
|
@@ -632,22 +632,22 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
|
|
|
|
|
else if (rc == TSS2_RC_SUCCESS)
|
|
|
|
|
log_debug("TPM successfully started up.");
|
|
|
|
|
else
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to start up TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
r = tpm2_cache_capabilities(context);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_debug_errno(r, "Failed to cache TPM capbilities: %m");
|
|
|
|
|
|
|
|
|
|
/* We require AES and CFB support for session encryption. */
|
|
|
|
|
if (!tpm2_supports_alg(context, TPM2_ALG_AES))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES.");
|
|
|
|
|
|
|
|
|
|
if (!tpm2_supports_alg(context, TPM2_ALG_CFB))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support CFB.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support CFB.");
|
|
|
|
|
|
|
|
|
|
if (!tpm2_supports_tpmt_sym_def(context, &SESSION_TEMPLATE_SYM_AES_128_CFB))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES-128-CFB.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES-128-CFB.");
|
|
|
|
|
|
|
|
|
|
*ret_context = TAKE_PTR(context);
|
|
|
|
|
|
|
|
|
|
@@ -693,7 +693,7 @@ int tpm2_handle_new(Tpm2Context *context, Tpm2Handle **ret_handle) {
|
|
|
|
|
|
|
|
|
|
handle = new(Tpm2Handle, 1);
|
|
|
|
|
if (!handle)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
*handle = (Tpm2Handle) {
|
|
|
|
|
.tpm2_context = tpm2_context_ref(context),
|
|
|
|
|
@@ -732,17 +732,17 @@ int tpm2_index_to_handle(
|
|
|
|
|
case TPM2_HT_TRANSIENT:
|
|
|
|
|
break;
|
|
|
|
|
case TPM2_HT_PCR:
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
"Invalid handle 0x%08" PRIx32 " (in PCR range).", index);
|
|
|
|
|
case TPM2_HT_HMAC_SESSION:
|
|
|
|
|
case TPM2_HT_POLICY_SESSION:
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
"Invalid handle 0x%08" PRIx32 " (in session range).", index);
|
|
|
|
|
case TPM2_HT_PERMANENT: /* Permanent handles are defined, e.g. ESYS_TR_RH_OWNER. */
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
"Invalid handle 0x%08" PRIx32 " (in permanent range).", index);
|
|
|
|
|
default:
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
"Invalid handle 0x%08" PRIx32 " (in unknown range).", index);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -779,7 +779,7 @@ int tpm2_index_to_handle(
|
|
|
|
|
ESYS_TR_NONE,
|
|
|
|
|
&handle->esys_handle);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to read public info: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
if (ret_public || ret_name || ret_qname) {
|
|
|
|
|
@@ -805,12 +805,12 @@ int tpm2_index_from_handle(Tpm2Context *c, const Tpm2Handle *handle, TPM2_HANDLE
|
|
|
|
|
/* Esys_TR_GetTpmHandle was added to tpm2-tss in version 2.4.0. Once we can set a minimum tpm2-tss
|
|
|
|
|
* version of 2.4.0 this check can be removed. */
|
|
|
|
|
if (!sym_Esys_TR_GetTpmHandle)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
"libtss2-esys too old, does not include Esys_TR_GetTpmHandle.");
|
|
|
|
|
|
|
|
|
|
rc = sym_Esys_TR_GetTpmHandle(c->esys_context, handle->esys_handle, ret_index);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to get handle index: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
@@ -882,7 +882,7 @@ static int tpm2_persist_handle(
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
if (rc != TPM2_RC_NV_DEFINED)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to persist handle: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -928,16 +928,16 @@ static int tpm2_credit_random(Tpm2Context *c) {
|
|
|
|
|
MIN(rps, 32U), /* 32 is supposedly a safe choice, given that AES 256bit keys are this long, and TPM2 baseline requires support for those. */
|
|
|
|
|
&buffer);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to acquire entropy from TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
if (buffer->size == 0)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Zero-sized entropy returned from TPM.");
|
|
|
|
|
|
|
|
|
|
r = random_write_entropy(-1, buffer->buffer, buffer->size, /* credit= */ false);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Failed wo write entropy to kernel: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Failed wo write entropy to kernel: %m");
|
|
|
|
|
|
|
|
|
|
done += buffer->size;
|
|
|
|
|
rps = LESS_BY(rps, buffer->size);
|
|
|
|
|
@@ -975,7 +975,7 @@ int tpm2_read_public(
|
|
|
|
|
ret_name,
|
|
|
|
|
ret_qname);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to read public info: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
@@ -1188,7 +1188,7 @@ static int tpm2_get_or_create_srk(
|
|
|
|
|
TPM2B_PUBLIC template = { .size = sizeof(TPMT_PUBLIC), };
|
|
|
|
|
r = tpm2_get_best_srk_template(c, &template.publicArea);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not get best SRK template: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not get best SRK template: %m");
|
|
|
|
|
|
|
|
|
|
_cleanup_(tpm2_handle_freep) Tpm2Handle *transient_handle = NULL;
|
|
|
|
|
r = tpm2_create_primary(
|
|
|
|
|
@@ -1214,7 +1214,7 @@ static int tpm2_get_or_create_srk(
|
|
|
|
|
return r;
|
|
|
|
|
if (r == 0)
|
|
|
|
|
/* This should never happen. */
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "SRK we just persisted couldn't be found.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "SRK we just persisted couldn't be found.");
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
@@ -1238,8 +1238,8 @@ void tpm2_tpms_pcr_selection_from_mask(uint32_t mask, TPMI_ALG_HASH hash_alg, TP
|
|
|
|
|
|
|
|
|
|
/* This is currently hardcoded at 24 PCRs, above. */
|
|
|
|
|
if (!TPM2_PCR_MASK_VALID(mask))
|
|
|
|
|
- log_warning("PCR mask selections (%x) out of range, ignoring.",
|
|
|
|
|
- mask & ~((uint32_t)TPM2_PCRS_MASK));
|
|
|
|
|
+ log_debug("PCR mask selections (%x) out of range, ignoring.",
|
|
|
|
|
+ mask & ~((uint32_t)TPM2_PCRS_MASK));
|
|
|
|
|
|
|
|
|
|
*ret = (TPMS_PCR_SELECTION){
|
|
|
|
|
.hash = hash_alg,
|
|
|
|
|
@@ -1752,22 +1752,22 @@ int tpm2_pcr_value_from_string(const char *arg, Tpm2PCRValue *ret_pcr_value) {
|
|
|
|
|
_cleanup_free_ char *index = NULL;
|
|
|
|
|
r = extract_first_word(&p, &index, ":", /* flags= */ 0);
|
|
|
|
|
if (r < 1)
|
|
|
|
|
- return log_error_errno(r, "Could not parse pcr value '%s': %m", p);
|
|
|
|
|
+ return log_debug_errno(r, "Could not parse pcr value '%s': %m", p);
|
|
|
|
|
|
|
|
|
|
r = pcr_index_from_string(index);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Invalid pcr index '%s': %m", index);
|
|
|
|
|
+ return log_debug_errno(r, "Invalid pcr index '%s': %m", index);
|
|
|
|
|
pcr_value.index = (unsigned) r;
|
|
|
|
|
|
|
|
|
|
if (!isempty(p)) {
|
|
|
|
|
_cleanup_free_ char *hash = NULL;
|
|
|
|
|
r = extract_first_word(&p, &hash, "=", /* flags= */ 0);
|
|
|
|
|
if (r < 1)
|
|
|
|
|
- return log_error_errno(r, "Could not parse pcr hash algorithm '%s': %m", p);
|
|
|
|
|
+ return log_debug_errno(r, "Could not parse pcr hash algorithm '%s': %m", p);
|
|
|
|
|
|
|
|
|
|
r = tpm2_hash_alg_from_string(hash);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Invalid pcr hash algorithm '%s': %m", hash);
|
|
|
|
|
+ return log_debug_errno(r, "Invalid pcr hash algorithm '%s': %m", hash);
|
|
|
|
|
pcr_value.hash = (TPMI_ALG_HASH) r;
|
|
|
|
|
|
|
|
|
|
if (!isempty(p)) {
|
|
|
|
|
@@ -1778,11 +1778,11 @@ int tpm2_pcr_value_from_string(const char *arg, Tpm2PCRValue *ret_pcr_value) {
|
|
|
|
|
size_t buf_size = 0;
|
|
|
|
|
r = unhexmem(p, SIZE_MAX, &buf, &buf_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Invalid pcr hash value '%s': %m", p);
|
|
|
|
|
+ return log_debug_errno(r, "Invalid pcr hash value '%s': %m", p);
|
|
|
|
|
|
|
|
|
|
r = TPM2B_DIGEST_CHECK_SIZE(buf_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "PCR hash value size %zu too large.", buf_size);
|
|
|
|
|
+ return log_debug_errno(r, "PCR hash value size %zu too large.", buf_size);
|
|
|
|
|
|
|
|
|
|
pcr_value.value = TPM2B_DIGEST_MAKE(buf, buf_size);
|
|
|
|
|
}
|
|
|
|
|
@@ -1832,7 +1832,7 @@ int tpm2_pcr_values_from_string(const char *arg, Tpm2PCRValue **ret_pcr_values,
|
|
|
|
|
_cleanup_free_ char *pcr_arg = NULL;
|
|
|
|
|
r = extract_first_word(&p, &pcr_arg, ",+", /* flags= */ 0);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not parse pcr values '%s': %m", p);
|
|
|
|
|
+ return log_debug_errno(r, "Could not parse pcr values '%s': %m", p);
|
|
|
|
|
if (r == 0)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
@@ -1842,7 +1842,7 @@ int tpm2_pcr_values_from_string(const char *arg, Tpm2PCRValue **ret_pcr_values,
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
if (!GREEDY_REALLOC_APPEND(pcr_values, n_pcr_values, &pcr_value, 1))
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*ret_pcr_values = TAKE_PTR(pcr_values);
|
|
|
|
|
@@ -1923,7 +1923,7 @@ static int tpm2_get_policy_digest(
|
|
|
|
|
ESYS_TR_NONE,
|
|
|
|
|
&policy_digest);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to get policy digest from TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
tpm2_log_debug_digest(policy_digest, "Session policy digest");
|
|
|
|
|
@@ -1975,7 +1975,7 @@ int tpm2_create_primary(
|
|
|
|
|
/* creationHash= */ NULL,
|
|
|
|
|
/* creationTicket= */ NULL);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to generate primary key in TPM: %s",
|
|
|
|
|
sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
@@ -2046,7 +2046,7 @@ int tpm2_create(Tpm2Context *c,
|
|
|
|
|
/* creationHash= */ NULL,
|
|
|
|
|
/* creationTicket= */ NULL);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to generate object in TPM: %s",
|
|
|
|
|
sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
@@ -2094,10 +2094,10 @@ static int tpm2_load(
|
|
|
|
|
public,
|
|
|
|
|
&handle->esys_handle);
|
|
|
|
|
if (rc == TPM2_RC_LOCKOUT)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOLCK),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOLCK),
|
|
|
|
|
"TPM2 device is in dictionary attack lockout mode.");
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to load key into TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
*ret_handle = TAKE_PTR(handle);
|
|
|
|
|
@@ -2141,7 +2141,7 @@ static int tpm2_load_external(
|
|
|
|
|
#endif
|
|
|
|
|
&handle->esys_handle);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to load public key into TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
*ret_handle = TAKE_PTR(handle);
|
|
|
|
|
@@ -2185,7 +2185,7 @@ static int _tpm2_create_loaded(
|
|
|
|
|
sizeof(tpm2b_template.buffer),
|
|
|
|
|
&size);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to marshal public key template: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
assert(size <= UINT16_MAX);
|
|
|
|
|
tpm2b_template.size = size;
|
|
|
|
|
@@ -2218,7 +2218,7 @@ static int _tpm2_create_loaded(
|
|
|
|
|
&private,
|
|
|
|
|
&public);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to generate loaded object in TPM: %s",
|
|
|
|
|
sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
@@ -2314,13 +2314,13 @@ int tpm2_pcr_read(
|
|
|
|
|
¤t_read,
|
|
|
|
|
¤t_values);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to read TPM2 PCRs: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
tpm2_log_debug_tpml_pcr_selection(current_read, "Read PCR selection");
|
|
|
|
|
|
|
|
|
|
if (tpm2_tpml_pcr_selection_is_empty(current_read)) {
|
|
|
|
|
- log_warning("TPM2 refused to read possibly unimplemented PCRs, ignoring.");
|
|
|
|
|
+ log_debug("TPM2 refused to read possibly unimplemented PCRs, ignoring.");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -2336,7 +2336,7 @@ int tpm2_pcr_read(
|
|
|
|
|
tpm2_log_debug_pcr_value(&pcr_value, /* msg= */ NULL);
|
|
|
|
|
|
|
|
|
|
if (!GREEDY_REALLOC_APPEND(pcr_values, n_pcr_values, &pcr_value, 1))
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
}
|
|
|
|
|
assert(i == current_values->count);
|
|
|
|
|
|
|
|
|
|
@@ -2346,7 +2346,7 @@ int tpm2_pcr_read(
|
|
|
|
|
tpm2_sort_pcr_values(pcr_values, n_pcr_values);
|
|
|
|
|
|
|
|
|
|
if (!tpm2_pcr_values_valid(pcr_values, n_pcr_values))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "PCR values read from TPM are not valid.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "PCR values read from TPM are not valid.");
|
|
|
|
|
|
|
|
|
|
*ret_pcr_values = TAKE_PTR(pcr_values);
|
|
|
|
|
*ret_n_pcr_values = n_pcr_values;
|
|
|
|
|
@@ -2369,7 +2369,7 @@ int tpm2_pcr_read_missing_values(Tpm2Context *c, Tpm2PCRValue *pcr_values, size_
|
|
|
|
|
size_t hash_count;
|
|
|
|
|
r = tpm2_pcr_values_hash_count(pcr_values, n_pcr_values, &hash_count);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not get hash count from pcr values: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not get hash count from pcr values: %m");
|
|
|
|
|
|
|
|
|
|
if (hash_count == 1 && pcr_values[0].hash == 0) {
|
|
|
|
|
uint32_t mask;
|
|
|
|
|
@@ -2402,7 +2402,7 @@ int tpm2_pcr_read_missing_values(Tpm2Context *c, Tpm2PCRValue *pcr_values, size_
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
if (n_read_values == 0)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Could not read PCR hash 0x%" PRIu16 " index %u",
|
|
|
|
|
v->hash, v->index);
|
|
|
|
|
|
|
|
|
|
@@ -2551,7 +2551,7 @@ int tpm2_get_best_pcr_bank(
|
|
|
|
|
log_notice("TPM2 device lacks support for SHA256 bank, but SHA1 bank is supported, but none of the selected PCRs are valid! Firmware apparently did not initialize any of the selected PCRs. Proceeding anyway with SHA1 bank. PCR policy effectively unenforced!");
|
|
|
|
|
*ret = TPM2_ALG_SHA1;
|
|
|
|
|
} else
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
"TPM2 module supports neither SHA1 nor SHA256 PCR banks, cannot operate.");
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
@@ -2585,16 +2585,16 @@ int tpm2_get_good_pcr_banks(
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
if (n_good_banks + n_fallback_banks >= INT_MAX)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Too many good TPM2 banks?");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "Too many good TPM2 banks?");
|
|
|
|
|
|
|
|
|
|
if (r) {
|
|
|
|
|
if (!GREEDY_REALLOC(good_banks, n_good_banks+1))
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
good_banks[n_good_banks++] = hash;
|
|
|
|
|
} else {
|
|
|
|
|
if (!GREEDY_REALLOC(fallback_banks, n_fallback_banks+1))
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
fallback_banks[n_fallback_banks++] = hash;
|
|
|
|
|
}
|
|
|
|
|
@@ -2642,26 +2642,26 @@ int tpm2_get_good_pcr_banks_strv(
|
|
|
|
|
|
|
|
|
|
salg = tpm2_hash_alg_to_string(*a);
|
|
|
|
|
if (!salg)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unknown PCR algorithm, can't measure.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unknown PCR algorithm, can't measure.");
|
|
|
|
|
|
|
|
|
|
implementation = EVP_get_digestbyname(salg);
|
|
|
|
|
if (!implementation)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unsupported PCR algorithm, can't measure.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 operates with unsupported PCR algorithm, can't measure.");
|
|
|
|
|
|
|
|
|
|
n = strdup(ASSERT_PTR(EVP_MD_name(implementation)));
|
|
|
|
|
if (!n)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
ascii_strlower(n); /* OpenSSL uses uppercase digest names, we prefer them lower case. */
|
|
|
|
|
|
|
|
|
|
if (strv_consume(&l, TAKE_PTR(n)) < 0)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*ret = TAKE_PTR(l);
|
|
|
|
|
return 0;
|
|
|
|
|
#else /* HAVE_OPENSSL */
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -2689,11 +2689,11 @@ int tpm2_digest_many(
|
|
|
|
|
assert(data || n_data == 0);
|
|
|
|
|
|
|
|
|
|
if (alg != TPM2_ALG_SHA256)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
"Hash algorithm not supported: 0x%x", alg);
|
|
|
|
|
|
|
|
|
|
if (extend && digest->size != SHA256_DIGEST_SIZE)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
"Digest size 0x%x, require 0x%x",
|
|
|
|
|
digest->size, (unsigned)SHA256_DIGEST_SIZE);
|
|
|
|
|
|
|
|
|
|
@@ -2734,7 +2734,7 @@ int tpm2_digest_many_digests(
|
|
|
|
|
|
|
|
|
|
iovecs = new(struct iovec, n_data);
|
|
|
|
|
if (!iovecs)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
for (size_t i = 0; i < n_data; i++)
|
|
|
|
|
iovecs[i] = IOVEC_MAKE((void*) data[i].buffer, data[i].size);
|
|
|
|
|
@@ -2761,7 +2761,7 @@ static int tpm2_set_auth(Tpm2Context *c, const Tpm2Handle *handle, const char *p
|
|
|
|
|
|
|
|
|
|
rc = sym_Esys_TR_SetAuth(c->esys_context, handle->esys_handle, &auth);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to load PIN in TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
@@ -2818,7 +2818,7 @@ static int tpm2_make_encryption_session(
|
|
|
|
|
TPM2_ALG_SHA256,
|
|
|
|
|
&session->esys_handle);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to open session in TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
/* Enable parameter encryption/decryption with AES in CFB mode. Together with HMAC digests (which are
|
|
|
|
|
@@ -2826,10 +2826,8 @@ static int tpm2_make_encryption_session(
|
|
|
|
|
* operations that use this session. */
|
|
|
|
|
rc = sym_Esys_TRSess_SetAttributes(c->esys_context, session->esys_handle, sessionAttributes, 0xff);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(
|
|
|
|
|
- SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
- "Failed to configure TPM session: %s",
|
|
|
|
|
- sym_Tss2_RC_Decode(rc));
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ "Failed to configure TPM session: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
*ret_session = TAKE_PTR(session);
|
|
|
|
|
|
|
|
|
|
@@ -2853,7 +2851,7 @@ static int tpm2_make_policy_session(
|
|
|
|
|
assert(ret_session);
|
|
|
|
|
|
|
|
|
|
if (!tpm2_is_encryption_session(c, encryption_session))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
"Missing encryption session");
|
|
|
|
|
|
|
|
|
|
log_debug("Starting policy session.");
|
|
|
|
|
@@ -2876,7 +2874,7 @@ static int tpm2_make_policy_session(
|
|
|
|
|
TPM2_ALG_SHA256,
|
|
|
|
|
&session->esys_handle);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to open session in TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
*ret_session = TAKE_PTR(session);
|
|
|
|
|
@@ -2903,22 +2901,22 @@ static int find_signature(
|
|
|
|
|
* public key, and policy digest. */
|
|
|
|
|
|
|
|
|
|
if (!json_variant_is_object(v))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Signature is not a JSON object.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature is not a JSON object.");
|
|
|
|
|
|
|
|
|
|
uint16_t pcr_bank = pcr_selection->pcrSelections[0].hash;
|
|
|
|
|
uint32_t pcr_mask = tpm2_tpml_pcr_selection_to_mask(pcr_selection, pcr_bank);
|
|
|
|
|
|
|
|
|
|
k = tpm2_hash_alg_to_string(pcr_bank);
|
|
|
|
|
if (!k)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Don't know PCR bank %" PRIu16, pcr_bank);
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Don't know PCR bank %" PRIu16, pcr_bank);
|
|
|
|
|
|
|
|
|
|
/* First, find field by bank */
|
|
|
|
|
b = json_variant_by_key(v, k);
|
|
|
|
|
if (!b)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "Signature lacks data for PCR bank '%s'.", k);
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENXIO), "Signature lacks data for PCR bank '%s'.", k);
|
|
|
|
|
|
|
|
|
|
if (!json_variant_is_array(b))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data is not a JSON array.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data is not a JSON array.");
|
|
|
|
|
|
|
|
|
|
/* Now iterate through all signatures known for this bank */
|
|
|
|
|
JSON_VARIANT_ARRAY_FOREACH(i, b) {
|
|
|
|
|
@@ -2928,7 +2926,7 @@ static int find_signature(
|
|
|
|
|
uint32_t parsed_mask;
|
|
|
|
|
|
|
|
|
|
if (!json_variant_is_object(i))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data element is not a JSON object");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Bank data element is not a JSON object");
|
|
|
|
|
|
|
|
|
|
/* Check if the PCR mask matches our expectations */
|
|
|
|
|
maskj = json_variant_by_key(i, "pcrs");
|
|
|
|
|
@@ -2937,7 +2935,7 @@ static int find_signature(
|
|
|
|
|
|
|
|
|
|
r = tpm2_parse_pcr_json_array(maskj, &parsed_mask);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Failed to parse JSON PCR mask");
|
|
|
|
|
+ return log_debug_errno(r, "Failed to parse JSON PCR mask");
|
|
|
|
|
|
|
|
|
|
if (parsed_mask != pcr_mask)
|
|
|
|
|
continue; /* Not for this PCR mask */
|
|
|
|
|
@@ -2949,7 +2947,7 @@ static int find_signature(
|
|
|
|
|
|
|
|
|
|
r = json_variant_unhex(fpj, &fpj_data, &fpj_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Failed to decode fingerprint in JSON data: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Failed to decode fingerprint in JSON data: %m");
|
|
|
|
|
|
|
|
|
|
if (memcmp_nn(fp, fp_size, fpj_data, fpj_size) != 0)
|
|
|
|
|
continue; /* Not for this public key */
|
|
|
|
|
@@ -2961,7 +2959,7 @@ static int find_signature(
|
|
|
|
|
|
|
|
|
|
r = json_variant_unhex(polj, &polj_data, &polj_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Failed to decode policy hash JSON data: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Failed to decode policy hash JSON data: %m");
|
|
|
|
|
|
|
|
|
|
if (memcmp_nn(policy, policy_size, polj_data, polj_size) != 0)
|
|
|
|
|
continue;
|
|
|
|
|
@@ -2974,9 +2972,9 @@ static int find_signature(
|
|
|
|
|
return json_variant_unbase64(sigj, ret_signature, ret_signature_size);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENXIO), "Couldn't find signature for this PCR bank, PCR index and public key.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENXIO), "Couldn't find signature for this PCR bank, PCR index and public key.");
|
|
|
|
|
#else /* HAVE_OPENSSL */
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -2999,10 +2997,10 @@ int tpm2_calculate_name(const TPMT_PUBLIC *public, TPM2B_NAME *ret_name) {
|
|
|
|
|
|
|
|
|
|
r = dlopen_tpm2();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
+ return log_debug_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
|
|
|
|
|
if (public->nameAlg != TPM2_ALG_SHA256)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
"Unsupported nameAlg: 0x%x",
|
|
|
|
|
public->nameAlg);
|
|
|
|
|
|
|
|
|
|
@@ -3011,11 +3009,11 @@ int tpm2_calculate_name(const TPMT_PUBLIC *public, TPM2B_NAME *ret_name) {
|
|
|
|
|
|
|
|
|
|
buf = (uint8_t*) new(TPMT_PUBLIC, 1);
|
|
|
|
|
if (!buf)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
rc = sym_Tss2_MU_TPMT_PUBLIC_Marshal(public, buf, sizeof(TPMT_PUBLIC), &size);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to marshal public key: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
TPM2B_DIGEST digest = {};
|
|
|
|
|
@@ -3033,7 +3031,7 @@ int tpm2_calculate_name(const TPMT_PUBLIC *public, TPM2B_NAME *ret_name) {
|
|
|
|
|
size = 0;
|
|
|
|
|
rc = sym_Tss2_MU_TPMT_HA_Marshal(&ha, name.name, sizeof(name.name), &size);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to marshal key name: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
name.size = size;
|
|
|
|
|
|
|
|
|
|
@@ -3064,7 +3062,7 @@ static int tpm2_get_name(
|
|
|
|
|
|
|
|
|
|
rc = sym_Esys_TR_GetName(c->esys_context, handle->esys_handle, &name);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to get name of public key from TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
tpm2_log_debug_name(name, "Object name");
|
|
|
|
|
@@ -3085,18 +3083,18 @@ int tpm2_calculate_policy_auth_value(TPM2B_DIGEST *digest) {
|
|
|
|
|
|
|
|
|
|
r = dlopen_tpm2();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
+ return log_debug_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
|
|
|
|
|
uint8_t buf[sizeof(command)];
|
|
|
|
|
size_t offset = 0;
|
|
|
|
|
|
|
|
|
|
rc = sym_Tss2_MU_TPM2_CC_Marshal(command, buf, sizeof(buf), &offset);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to marshal PolicyAuthValue command: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
if (offset != sizeof(command))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Offset 0x%zx wrong after marshalling PolicyAuthValue command", offset);
|
|
|
|
|
|
|
|
|
|
r = tpm2_digest_buffer(TPM2_ALG_SHA256, digest, buf, offset, /* extend= */ true);
|
|
|
|
|
@@ -3127,7 +3125,7 @@ static int tpm2_policy_auth_value(
|
|
|
|
|
ESYS_TR_NONE,
|
|
|
|
|
ESYS_TR_NONE);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to add authValue policy to TPM: %s",
|
|
|
|
|
sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
@@ -3150,14 +3148,14 @@ int tpm2_calculate_policy_pcr(
|
|
|
|
|
|
|
|
|
|
r = dlopen_tpm2();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
+ return log_debug_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
|
|
|
|
|
TPML_PCR_SELECTION pcr_selection;
|
|
|
|
|
_cleanup_free_ TPM2B_DIGEST *values = NULL;
|
|
|
|
|
size_t n_values;
|
|
|
|
|
r = tpm2_tpml_pcr_selection_from_pcr_values(pcr_values, n_pcr_values, &pcr_selection, &values, &n_values);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not convert PCR values to TPML_PCR_SELECTION: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not convert PCR values to TPML_PCR_SELECTION: %m");
|
|
|
|
|
|
|
|
|
|
TPM2B_DIGEST hash = {};
|
|
|
|
|
r = tpm2_digest_many_digests(TPM2_ALG_SHA256, &hash, values, n_values, /* extend= */ false);
|
|
|
|
|
@@ -3169,16 +3167,16 @@ int tpm2_calculate_policy_pcr(
|
|
|
|
|
|
|
|
|
|
buf = malloc(maxsize);
|
|
|
|
|
if (!buf)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
rc = sym_Tss2_MU_TPM2_CC_Marshal(command, buf, maxsize, &size);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to marshal PolicyPCR command: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
rc = sym_Tss2_MU_TPML_PCR_SELECTION_Marshal(&pcr_selection, buf, maxsize, &size);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to marshal PCR selection: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
struct iovec data[] = {
|
|
|
|
|
@@ -3217,7 +3215,7 @@ static int tpm2_policy_pcr(
|
|
|
|
|
NULL,
|
|
|
|
|
pcr_selection);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
return tpm2_get_policy_digest(c, session, ret_policy_digest);
|
|
|
|
|
@@ -3239,18 +3237,18 @@ int tpm2_calculate_policy_authorize(
|
|
|
|
|
|
|
|
|
|
r = dlopen_tpm2();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
+ return log_debug_errno(r, "TPM2 support not installed: %m");
|
|
|
|
|
|
|
|
|
|
uint8_t buf[sizeof(command)];
|
|
|
|
|
size_t offset = 0;
|
|
|
|
|
|
|
|
|
|
rc = sym_Tss2_MU_TPM2_CC_Marshal(command, buf, sizeof(buf), &offset);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to marshal PolicyAuthorize command: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
if (offset != sizeof(command))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Offset 0x%zx wrong after marshalling PolicyAuthorize command", offset);
|
|
|
|
|
|
|
|
|
|
TPM2B_NAME name = {};
|
|
|
|
|
@@ -3350,7 +3348,7 @@ static int tpm2_policy_authorize(
|
|
|
|
|
|
|
|
|
|
r = TPM2B_PUBLIC_KEY_RSA_CHECK_SIZE(signature_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Signature larger than buffer.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Signature larger than buffer.");
|
|
|
|
|
|
|
|
|
|
TPMT_SIGNATURE policy_signature = {
|
|
|
|
|
.sigAlg = TPM2_ALG_RSASSA,
|
|
|
|
|
@@ -3370,7 +3368,7 @@ static int tpm2_policy_authorize(
|
|
|
|
|
&policy_signature,
|
|
|
|
|
&check_ticket_buffer);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to validate signature in TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
check_ticket = check_ticket_buffer;
|
|
|
|
|
@@ -3395,7 +3393,7 @@ static int tpm2_policy_authorize(
|
|
|
|
|
pubkey_name,
|
|
|
|
|
check_ticket);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to push Authorize policy into TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
return tpm2_get_policy_digest(c, session, ret_policy_digest);
|
|
|
|
|
@@ -3461,7 +3459,7 @@ static int tpm2_build_sealing_policy(
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
if (r == 0)
|
|
|
|
|
- log_warning("Selected TPM2 PCRs are not initialized on this system.");
|
|
|
|
|
+ log_debug("Selected TPM2 PCRs are not initialized on this system.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pubkey_pcr_mask != 0) {
|
|
|
|
|
@@ -3692,7 +3690,7 @@ int tpm2_tpm2b_public_to_fingerprint(
|
|
|
|
|
/* Hardcode fingerprint to SHA256 */
|
|
|
|
|
return pubkey_fingerprint(pkey, EVP_sha256(), ret_fingerprint, ret_fingerprint_size);
|
|
|
|
|
#else
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -3710,7 +3708,7 @@ int tpm2_tpm2b_public_from_pem(const void *pem, size_t pem_size, TPM2B_PUBLIC *r
|
|
|
|
|
|
|
|
|
|
return tpm2_tpm2b_public_from_openssl_pkey(pkey, ret);
|
|
|
|
|
#else
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -3806,7 +3804,7 @@ static int tpm2_serialize(
|
|
|
|
|
size_t size = 0;
|
|
|
|
|
rc = sym_Esys_TR_Serialize(c->esys_context, handle->esys_handle, &serialized, &size);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to serialize: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
*ret_serialized = TAKE_PTR(serialized);
|
|
|
|
|
@@ -3838,7 +3836,7 @@ static int tpm2_deserialize(
|
|
|
|
|
|
|
|
|
|
rc = sym_Esys_TR_Deserialize(c->esys_context, serialized, serialized_size, &handle->esys_handle);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to deserialize: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
|
|
|
|
|
*ret_handle = TAKE_PTR(handle);
|
|
|
|
|
@@ -3915,7 +3913,7 @@ int tpm2_seal(Tpm2Context *c,
|
|
|
|
|
|
|
|
|
|
r = crypto_random_bytes(hmac_sensitive.data.buffer, hmac_sensitive.data.size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Failed to generate secret key: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Failed to generate secret key: %m");
|
|
|
|
|
|
|
|
|
|
_cleanup_(tpm2_handle_freep) Tpm2Handle *primary_handle = NULL;
|
|
|
|
|
if (ret_srk_buf) {
|
|
|
|
|
@@ -3938,17 +3936,17 @@ int tpm2_seal(Tpm2Context *c,
|
|
|
|
|
TPM2B_PUBLIC template = { .size = sizeof(TPMT_PUBLIC), };
|
|
|
|
|
r = tpm2_get_legacy_template(primary_alg, &template.publicArea);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not get legacy ECC template: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not get legacy ECC template: %m");
|
|
|
|
|
|
|
|
|
|
if (!tpm2_supports_tpmt_public(c, &template.publicArea)) {
|
|
|
|
|
primary_alg = TPM2_ALG_RSA;
|
|
|
|
|
|
|
|
|
|
r = tpm2_get_legacy_template(primary_alg, &template.publicArea);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not get legacy RSA template: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not get legacy RSA template: %m");
|
|
|
|
|
|
|
|
|
|
if (!tpm2_supports_tpmt_public(c, &template.publicArea))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
"TPM does not support either ECC or RSA legacy template.");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -3977,7 +3975,7 @@ int tpm2_seal(Tpm2Context *c,
|
|
|
|
|
_cleanup_(erase_and_freep) void *secret = NULL;
|
|
|
|
|
secret = memdup(hmac_sensitive.data.buffer, hmac_sensitive.data.size);
|
|
|
|
|
if (!secret)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
log_debug("Marshalling private and public part of HMAC key.");
|
|
|
|
|
|
|
|
|
|
@@ -3985,7 +3983,7 @@ int tpm2_seal(Tpm2Context *c,
|
|
|
|
|
size_t blob_size;
|
|
|
|
|
r = tpm2_marshal_blob(public, private, &blob, &blob_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not create sealed blob: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not create sealed blob: %m");
|
|
|
|
|
|
|
|
|
|
if (DEBUG_LOGGING)
|
|
|
|
|
log_debug("Completed TPM2 key sealing in %s.", FORMAT_TIMESPAN(now(CLOCK_MONOTONIC) - start, 1));
|
|
|
|
|
@@ -4005,7 +4003,7 @@ int tpm2_seal(Tpm2Context *c,
|
|
|
|
|
*/
|
|
|
|
|
srk_buf = memdup(tmp, srk_buf_size);
|
|
|
|
|
if (!srk_buf)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
*ret_srk_buf = TAKE_PTR(srk_buf);
|
|
|
|
|
*ret_srk_buf_size = srk_buf_size;
|
|
|
|
|
@@ -4057,7 +4055,7 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
|
|
|
|
|
r = dlopen_tpm2();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "TPM2 support is not installed.");
|
|
|
|
|
+ return r;
|
|
|
|
|
|
|
|
|
|
/* So here's what we do here: We connect to the TPM2 chip. As we do when sealing we generate a
|
|
|
|
|
* "primary" key on the TPM2 chip, with the same parameters as well as a PCR-bound policy session.
|
|
|
|
|
@@ -4073,7 +4071,7 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
TPM2B_PRIVATE private;
|
|
|
|
|
r = tpm2_unmarshal_blob(blob, blob_size, &public, &private);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not extract parts from blob: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not extract parts from blob: %m");
|
|
|
|
|
|
|
|
|
|
_cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
|
|
|
|
|
r = tpm2_context_new(device, &c);
|
|
|
|
|
@@ -4089,7 +4087,7 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
TPM2B_PUBLIC template = { .size = sizeof(TPMT_PUBLIC), };
|
|
|
|
|
r = tpm2_get_legacy_template(primary_alg, &template.publicArea);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not get legacy template: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not get legacy template: %m");
|
|
|
|
|
|
|
|
|
|
r = tpm2_create_primary(
|
|
|
|
|
c,
|
|
|
|
|
@@ -4101,7 +4099,7 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
} else
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
"No SRK or primary alg provided.");
|
|
|
|
|
|
|
|
|
|
log_debug("Loading HMAC key into TPM.");
|
|
|
|
|
@@ -4123,11 +4121,11 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
if (pubkey) {
|
|
|
|
|
r = tpm2_tpm2b_public_from_pem(pubkey, pubkey_size, &pubkey_tpm2b);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not create TPMT_PUBLIC: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not create TPMT_PUBLIC: %m");
|
|
|
|
|
|
|
|
|
|
r = tpm2_tpm2b_public_to_fingerprint(&pubkey_tpm2b, &fp, &fp_size);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "Could not get key fingerprint: %m");
|
|
|
|
|
+ return log_debug_errno(r, "Could not get key fingerprint: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
@@ -4177,7 +4175,7 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
* wait until the TPM2 tells us to go away. */
|
|
|
|
|
if (known_policy_hash_size > 0 &&
|
|
|
|
|
memcmp_nn(policy_digest->buffer, policy_digest->size, known_policy_hash, known_policy_hash_size) != 0)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
|
|
|
|
|
"Current policy digest does not match stored policy digest, cancelling "
|
|
|
|
|
"TPM2 authentication attempt.");
|
|
|
|
|
|
|
|
|
|
@@ -4193,7 +4191,7 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
if (rc == TSS2_RC_SUCCESS)
|
|
|
|
|
break;
|
|
|
|
|
if (rc != TPM2_RC_PCR_CHANGED || i == 0)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to unseal HMAC key in TPM: %s", sym_Tss2_RC_Decode(rc));
|
|
|
|
|
log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
|
|
|
|
|
}
|
|
|
|
|
@@ -4202,7 +4200,7 @@ int tpm2_unseal(const char *device,
|
|
|
|
|
secret = memdup(unsealed->buffer, unsealed->size);
|
|
|
|
|
explicit_bzero_safe(unsealed->buffer, unsealed->size);
|
|
|
|
|
if (!secret)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
if (DEBUG_LOGGING)
|
|
|
|
|
log_debug("Completed TPM2 key unsealing in %s.", FORMAT_TIMESPAN(now(CLOCK_MONOTONIC) - start, 1));
|
|
|
|
|
@@ -4290,21 +4288,18 @@ int tpm2_list_devices(void) {
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-int tpm2_find_device_auto(
|
|
|
|
|
- int log_level, /* log level when no device is found */
|
|
|
|
|
- char **ret) {
|
|
|
|
|
+int tpm2_find_device_auto(char **ret) {
|
|
|
|
|
#if HAVE_TPM2
|
|
|
|
|
_cleanup_(closedirp) DIR *d = NULL;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
r = dlopen_tpm2();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return log_error_errno(r, "TPM2 support is not installed.");
|
|
|
|
|
+ return log_debug_errno(r, "TPM2 support is not installed.");
|
|
|
|
|
|
|
|
|
|
d = opendir("/sys/class/tpmrm");
|
|
|
|
|
if (!d) {
|
|
|
|
|
- log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno,
|
|
|
|
|
- "Failed to open /sys/class/tpmrm: %m");
|
|
|
|
|
+ log_debug_errno(errno, "Failed to open /sys/class/tpmrm: %m");
|
|
|
|
|
if (errno != ENOENT)
|
|
|
|
|
return -errno;
|
|
|
|
|
} else {
|
|
|
|
|
@@ -4318,12 +4313,12 @@ int tpm2_find_device_auto(
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
if (node)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
|
|
|
|
|
"More than one TPM2 (tpmrm) device found.");
|
|
|
|
|
|
|
|
|
|
node = path_join("/dev", de->d_name);
|
|
|
|
|
if (!node)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (node) {
|
|
|
|
|
@@ -4332,9 +4327,9 @@ int tpm2_find_device_auto(
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- return log_full_errno(log_level, SYNTHETIC_ERRNO(ENODEV), "No TPM2 (tpmrm) device found.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENODEV), "No TPM2 (tpmrm) device found.");
|
|
|
|
|
#else
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
|
|
|
|
"TPM2 not supported on this build.");
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
@@ -4363,7 +4358,7 @@ int tpm2_extend_bytes(
|
|
|
|
|
secret_size = strlen(secret);
|
|
|
|
|
|
|
|
|
|
if (pcr_index >= TPM2_PCRS_MAX)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Can't measure into unsupported PCR %u, refusing.", pcr_index);
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Can't measure into unsupported PCR %u, refusing.", pcr_index);
|
|
|
|
|
|
|
|
|
|
if (strv_isempty(banks))
|
|
|
|
|
return 0;
|
|
|
|
|
@@ -4375,14 +4370,14 @@ int tpm2_extend_bytes(
|
|
|
|
|
assert_se(implementation = EVP_get_digestbyname(*bank));
|
|
|
|
|
|
|
|
|
|
if (values.count >= ELEMENTSOF(values.digests))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Too many banks selected.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "Too many banks selected.");
|
|
|
|
|
|
|
|
|
|
if ((size_t) EVP_MD_size(implementation) > sizeof(values.digests[values.count].digest))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Hash result too large for TPM2.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "Hash result too large for TPM2.");
|
|
|
|
|
|
|
|
|
|
id = tpm2_hash_alg_from_string(EVP_MD_name(implementation));
|
|
|
|
|
if (id < 0)
|
|
|
|
|
- return log_error_errno(id, "Can't map hash name to TPM2.");
|
|
|
|
|
+ return log_debug_errno(id, "Can't map hash name to TPM2.");
|
|
|
|
|
|
|
|
|
|
values.digests[values.count].hashAlg = id;
|
|
|
|
|
|
|
|
|
|
@@ -4394,9 +4389,9 @@ int tpm2_extend_bytes(
|
|
|
|
|
* private non-secret string instead. */
|
|
|
|
|
if (secret_size > 0) {
|
|
|
|
|
if (!HMAC(implementation, secret, secret_size, data, data_size, (unsigned char*) &values.digests[values.count].digest, NULL))
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to calculate HMAC of data to measure.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to calculate HMAC of data to measure.");
|
|
|
|
|
} else if (EVP_Digest(data, data_size, (unsigned char*) &values.digests[values.count].digest, NULL, implementation, NULL) != 1)
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to hash data to measure.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to hash data to measure.");
|
|
|
|
|
|
|
|
|
|
values.count++;
|
|
|
|
|
}
|
|
|
|
|
@@ -4409,7 +4404,7 @@ int tpm2_extend_bytes(
|
|
|
|
|
ESYS_TR_NONE,
|
|
|
|
|
&values);
|
|
|
|
|
if (rc != TSS2_RC_SUCCESS)
|
|
|
|
|
- return log_error_errno(
|
|
|
|
|
+ return log_debug_errno(
|
|
|
|
|
SYNTHETIC_ERRNO(ENOTRECOVERABLE),
|
|
|
|
|
"Failed to measure into PCR %u: %s",
|
|
|
|
|
pcr_index,
|
|
|
|
|
@@ -4417,7 +4412,7 @@ int tpm2_extend_bytes(
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
#else /* HAVE_OPENSSL */
|
|
|
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled.");
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
@@ -4838,6 +4833,9 @@ static void tpm2_pcr_values_apply_default_hash_alg(Tpm2PCRValue *pcr_values, siz
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
+/* The following tpm2_parse_pcr_argument*() functions all log errors, to match the behavior of system-wide
|
|
|
|
|
+ * parse_*_argument() functions. */
|
|
|
|
|
+
|
|
|
|
|
/* Parse the PCR selection/value arg(s) and return a corresponding array of Tpm2PCRValue objects.
|
|
|
|
|
*
|
|
|
|
|
* The format is the same as tpm2_pcr_values_from_string(). The first provided entry with a hash algorithm
|
|
|
|
|
@@ -4858,7 +4856,7 @@ int tpm2_parse_pcr_argument(const char *arg, Tpm2PCRValue **ret_pcr_values, size
|
|
|
|
|
size_t n_pcr_values = 0;
|
|
|
|
|
r = tpm2_pcr_values_from_string(arg, &pcr_values, &n_pcr_values);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
- return r;
|
|
|
|
|
+ return log_error_errno(r, "Could not parse PCR values from '%s': %m", arg);
|
|
|
|
|
|
|
|
|
|
tpm2_pcr_values_apply_default_hash_alg(pcr_values, n_pcr_values);
|
|
|
|
|
|
|
|
|
|
@@ -4976,7 +4974,7 @@ int tpm2_load_pcr_signature(const char *path, JsonVariant **ret) {
|
|
|
|
|
|
|
|
|
|
search = strv_split_nulstr(CONF_PATHS_NULSTR("systemd"));
|
|
|
|
|
if (!search)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
|
|
|
|
|
if (!path) {
|
|
|
|
|
/* If no path is specified, then look for "tpm2-pcr-signature.json" automatically. Also, in
|
|
|
|
|
@@ -4987,7 +4985,7 @@ int tpm2_load_pcr_signature(const char *path, JsonVariant **ret) {
|
|
|
|
|
|
|
|
|
|
if (in_initrd())
|
|
|
|
|
if (strv_extend(&search, "/.extra") < 0)
|
|
|
|
|
- return log_oom();
|
|
|
|
|
+ return log_oom_debug();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = search_and_fopen(path, "re", NULL, (const char**) search, &f, &discovered_path);
|
|
|
|
|
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
|
|
|
|
|
index c8da857eb4..35c13eda82 100644
|
|
|
|
|
--- a/src/shared/tpm2-util.h
|
|
|
|
|
+++ b/src/shared/tpm2-util.h
|
|
|
|
|
@@ -248,7 +248,7 @@ typedef struct {} Tpm2PCRValue;
|
|
|
|
|
#endif /* HAVE_TPM2 */
|
|
|
|
|
|
|
|
|
|
int tpm2_list_devices(void);
|
|
|
|
|
-int tpm2_find_device_auto(int log_level, char **ret);
|
|
|
|
|
+int tpm2_find_device_auto(char **ret);
|
|
|
|
|
|
|
|
|
|
int tpm2_make_pcr_json_array(uint32_t pcr_mask, JsonVariant **ret);
|
|
|
|
|
int tpm2_parse_pcr_json_array(JsonVariant *v, uint32_t *ret);
|