From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Fri, 17 May 2024 16:20:11 +0200
Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to
authorization failure
The TPM might be password/pin protected for various reasons even if
there is no SRK yet. Let's handle those cases gracefully instead of
failing the unit, since the unit is enabled by default.
(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199)
---
catalog/systemd.catalog.in | 13 +++++++++++++
src/shared/tpm2-util.c | 2 ++
src/systemd/sd-messages.h | 3 +++
src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++-
units/systemd-tpm2-setup-early.service.in | 3 +++
units/systemd-tpm2-setup.service.in | 3 +++
6 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 3c9a6860da..2831152763 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/
A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been
detached from the system and is no longer available for use. The list of attached
Portable Services can be queried with 'portablectl list'.
+
+-- ad7089f928ac4f7ea00c07457d47ba8a
+Subject: Authorization failure while attempting to enroll SRK into TPM
+Defined-By: systemd
+Support: %SUPPORT_URL%
+Documentation: man:systemd-tpm2-setup.service(8)
+
+An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
+Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
+the TPM.
+
+Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
+protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
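Review bot: The new catalog text on the `+An authorization failure occured` line misspells "occurred", and since this string is shown to administrators verbatim the fix is `+An authorization failure occurred while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform`. The remedy on the last line has the administrator type the current owner password on the `tpm2_changeauth` command line, where it ends up in shell history and is readable by other local users through the process list while the command runs; a short hint that tpm2-tools can also take the auth value from a file or an interactive prompt would avoid that. The message ID on the `+-- ad7089f928ac4f7ea00c07457d47ba8a` line agrees with the SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION definition added to sd-messages.h in this commit.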
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 87ce53cf95..9603f1837e 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
/* creationData= */ NULL,
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
+ if (rc == TPM2_RC_BAD_AUTH)
+ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate primary key in TPM: %s",
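Review bot: The added `if (rc == TPM2_RC_BAD_AUTH)` tests the raw Esys return code by exact equality, but format-1 TPM response codes normally carry the index of the offending handle or session in bits 8-11 (the TPM2_RC_S / TPM2_RC_1 family), so an authorization failure on the owner hierarchy may come back as TPM2_RC_BAD_AUTH with those bits set and fall through to the generic ENOTRECOVERABLE path below; this is worth verifying against a TPM whose owner hierarchy really has an authValue set, and masking the index bits if that is what is observed. The choice of EDEADLK is an arbitrary sentinel that tpm2-setup.c later matches with `r == -EDEADLK`, and nothing here says so; a comment such as `/* EDEADLK is repurposed to mean "the TPM wants an authorization we do not have"; tpm2-setup matches on it, so keep it unique on this path. */` would stop the next change from mapping another failure to the same errno. tpm2_create_primary() starts before the hunk, so the rest of its error handling is not visible here.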
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index e3f68068a8..16e9986be3 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
#define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+
_SD_END_DECLARATIONS;
#endif
diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index 35628fc02a..b95c5e7a58 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -3,6 +3,8 @@
#include <getopt.h>
#include <unistd.h>
+#include "sd-messages.h"
+
#include "build.h"
#include "fd-util.h"
#include "fileio.h"
@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
/* ret_name= */ NULL,
/* ret_qname= */ NULL,
NULL);
+ if (r == -EDEADLK)
+ return r;
if (r < 0)
return log_error_errno(r, "Failed to get or create SRK: %m");
if (r > 0)
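Review bot: The early `return r;` on `-EDEADLK` depends on the callee (cut off above the hunk) having repurposed EDEADLK to mean "authorization failure", and nothing at this call site says so, so a reader will take it for a real deadlock errno being passed up unlogged. Suggest `if (r == -EDEADLK) /* authorization failure sentinel from tpm2-util; run() reports it and maps it to the special exit status */ return r;`. The enclosing load_public_key_tpm2() starts before the hunk and continues after it, so any other callers of this path are not visible here.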
@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
}
r = load_public_key_tpm2(&tpm2_key);
+ if (r == -EDEADLK) {
+ log_struct_errno(LOG_INFO, r,
+ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
+ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
+ return 76; /* Special return value which means "Insufficient permissions to access TPM,
+ * cannot generate SRK". This isn't really an error when called at boot. */;
+ }
if (r < 0)
return r;
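Review bot: `return 76;` is a bare magic number that must now stay in step with `SuccessExitStatus=76` in both units/systemd-tpm2-setup-early.service.in and units/systemd-tpm2-setup.service.in and with the DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE switch later in this file; a named constant such as `#define EXIT_TPM2_NEEDS_AUTHORIZATION 76 /* keep in sync with units/systemd-tpm2-setup*.service.in */` (name constructed here), referenced from the unit-file comments, would tie the three sites together. Note also that 76 is EX_PROTOCOL in <sysexits.h>, so exit-status decoding will likely show it as "PROTOCOL" in status output, which is misleading and deserves a comment if the value is kept. The block comment after the return is followed by a stray `;` (`*/;`), leaving an empty statement. The log line says "Insufficient permissions to access TPM" while the catalog entry and the debug log in tpm2-util.c talk about an authorization failure on the owner hierarchy; using "authorization failure" here too helps anyone correlating journal entries. run() continues outside the hunk.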
@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
return 0;
}
-DEFINE_MAIN_FUNCTION(run);
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 9982c84aba..7fdb99b53f 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 0af7292528..ac29a76966 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76