You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
systemd/SOURCES/0007-tpm2-setup-Don-t-fail-...

133 lines
5.9 KiB

From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Fri, 17 May 2024 16:20:11 +0200
Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to
authorization failure
The TPM might be password/pin protected for various reasons even if
there is no SRK yet. Let's handle those cases gracefully instead of
failing the unit as it is enabled by default.
(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199)
---
catalog/systemd.catalog.in | 13 +++++++++++++
src/shared/tpm2-util.c | 2 ++
src/systemd/sd-messages.h | 3 +++
src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++-
units/systemd-tpm2-setup-early.service.in | 3 +++
units/systemd-tpm2-setup.service.in | 3 +++
6 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 3c9a6860da..2831152763 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/
A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been
detached from the system and is no longer available for use. The list of attached
Portable Services can be queried with 'portablectl list'.
+
+-- ad7089f928ac4f7ea00c07457d47ba8a
+Subject: Authorization failure while attempting to enroll SRK into TPM
+Defined-By: systemd
+Support: %SUPPORT_URL%
+Documentation: man:systemd-tpm2-setup.service(8)
+
+An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
+Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
+the TPM.
+
+Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
+protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 87ce53cf95..9603f1837e 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
/* creationData= */ NULL,
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
+ if (rc == TPM2_RC_BAD_AUTH)
+ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate primary key in TPM: %s",
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index e3f68068a8..16e9986be3 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
#define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+
_SD_END_DECLARATIONS;
#endif
diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index 35628fc02a..b95c5e7a58 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -3,6 +3,8 @@
#include <getopt.h>
#include <unistd.h>
+#include "sd-messages.h"
+
#include "build.h"
#include "fd-util.h"
#include "fileio.h"
@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
/* ret_name= */ NULL,
/* ret_qname= */ NULL,
NULL);
+ if (r == -EDEADLK)
+ return r;
if (r < 0)
return log_error_errno(r, "Failed to get or create SRK: %m");
if (r > 0)
@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
}
r = load_public_key_tpm2(&tpm2_key);
+ if (r == -EDEADLK) {
+ log_struct_errno(LOG_INFO, r,
+ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
+ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
+ return 76; /* Special return value which means "Insufficient permissions to access TPM,
+ * cannot generate SRK". This isn't really an error when called at boot. */;
+ }
if (r < 0)
return r;
@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
return 0;
}
-DEFINE_MAIN_FUNCTION(run);
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 9982c84aba..7fdb99b53f 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 0af7292528..ac29a76966 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76