SOURCES/0057-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch

From fda254c954d6a543e1977edc1d283c915ee43adc Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Tue, 15 Nov 2022 14:57:23 +0100
Subject: [PATCH] shared/tpm2-util: Fix "Error: Esys invalid ESAPI handle
 (40000001)" warning

systemd-cryptenroll complains (but succeeds!) upon binding to a signed PCR
policy:

$ systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto
  --tpm2-public-key=... --tpm2-signature=..." /tmp/tmp.img

ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001).
WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x40000001
ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001).
WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x4000000
New TPM2 token enrolled as key slot 1.

The problem seems to be that Esys_LoadExternal() function from tpm2-tss
expects an 'ESYS_TR_RH*' constant specifying the requested hierarchy and not
a 'TPM2_RH_*' one (see Esys_LoadExternal() -> Esys_LoadExternal_Async() ->
iesys_handle_to_tpm_handle() call chain).

It all works because Esys_LoadExternal_Async() falls back to using the
supplied values when iesys_handle_to_tpm_handle() fails:

    r = iesys_handle_to_tpm_handle(hierarchy, &tpm_hierarchy);
    if (r != TSS2_RC_SUCCESS) {
        ...
        tpm_hierarchy = hierarchy;
    }

Note, TPM2_RH_OWNER was used on purpose to support older tpm2-tss versions
(pre https://github.com/tpm2-software/tpm2-tss/pull/1531), use meson magic
to preserve compatibility.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
(cherry picked from commit 155c51293d5bf37f54c65fd0a66ea29e6eedd580)

Related: #2138081
---
 meson.build            | 3 +++
 src/shared/tpm2-util.c | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/meson.build b/meson.build
index 7750534466..015849af49 100644
--- a/meson.build
+++ b/meson.build
@@ -1474,11 +1474,14 @@ if want_tpm2 != 'false' and not skip_deps
         tpm2 = dependency('tss2-esys tss2-rc tss2-mu',
                           required : want_tpm2 == 'true')
         have = tpm2.found()
+        have_esys3 = tpm2.version().version_compare('>= 3.0.0')
 else
         have = false
+        have_esys3 = false
         tpm2 = []
 endif
 conf.set10('HAVE_TPM2', have)
+conf.set10('HAVE_TSS2_ESYS3', have_esys3)
 
 want_elfutils = get_option('elfutils')
 if want_elfutils != 'false' and not skip_deps
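Review bot: `have_esys3 = tpm2.version().version_compare('>= 3.0.0')` is evaluated in the branch where `want_tpm2` is merely not 'false', but the line above it, `have = tpm2.found()`, shows the dependency can still be absent there (the 'auto' case), so `version()` is called on a not-found dependency and HAVE_TSS2_ESYS3 is derived from it independently of HAVE_TPM2; tie the two together with `have_esys3 = have and tpm2.version().version_compare('>= 3.0.0')` so the ESYS3 define can never be set when TPM2 support itself is off.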
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 4d0df944a9..8171b3e9e9 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -1117,7 +1117,13 @@ static int tpm2_make_policy_session(
                                 ESYS_TR_NONE,
                                 NULL,
                                 &pubkey_tpm2,
+#if HAVE_TSS2_ESYS3
+                                /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested
+                                 * hierarchy, older versions need TPM2_RH_* instead. */
+                                ESYS_TR_RH_OWNER,
+#else
                                 TPM2_RH_OWNER,
+#endif
                                 &pubkey_handle);
                 if (rc != TSS2_RC_SUCCESS) {
                         r = log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
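Review bot: the `#if HAVE_TSS2_ESYS3` / `#else` / `#endif` block is spliced into the middle of the Esys_LoadExternal() argument list, which compiles but is easy to misread and has to be copied verbatim if any other call in this file ever needs the same hierarchy argument; define the value once above the call, e.g. `#define OWNER_HIERARCHY ESYS_TR_RH_OWNER` under the `#if` and `#define OWNER_HIERARCHY TPM2_RH_OWNER` under the `#else` (name is only a suggestion), keep the explanatory comment next to that definition, and pass the single name here. Nit in the added comment: "a ESYS_TR_RH_* constant" should read "an ESYS_TR_RH_* constant".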