morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

tpm2: downgrade most log functions from error to debug

Browse Source 
Because most TPM2 functions here are 'library-like' functions, they should be
at debug level, not error level.

The only functions not reduced to logging at debug are tpm2_list_devices(),
since it is expected to print output, and the tpm2_parse_pcr_argument_*()
functions, since the system-wide parse_*_argument() functions generally log at
error level.
This commit is contained in:
Dan Streetman
2023-09-08 12:39:49 -04:00
committed by Luca Boccassi
parent d3dde190c1
commit f9a0ee7554
11 changed files with 220 additions and 214 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/boot/measure.c
View File

@@ -835,7 +835,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
r = tpm2_calculate_policy_pcr(&pcr_value, 1, &pcr_policy_digest);
if (r < 0)
return r;
return log_error_errno(r, "Could not calculate PolicyPCR digest: %m");
_cleanup_free_ void *sig = NULL;
size_t ss;

8
src/cryptenroll/cryptenroll-tpm2.c
View File

@@ -209,13 +209,13 @@ int enroll_tpm2(struct crypt_device *cd,
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
r = tpm2_context_new(device, &tpm2_context);
if (r < 0)
return r;
return log_error_errno(r, "Failed to create TPM2 context: %m");
bool pcr_value_specified = tpm2_pcr_values_has_any_values(hash_pcr_values, n_hash_pcr_values);
r = tpm2_pcr_read_missing_values(tpm2_context, hash_pcr_values, n_hash_pcr_values);
if (r < 0)
return r;
return log_error_errno(r, "Could not read pcr values: %m");
uint16_t hash_pcr_bank = 0;
uint32_t hash_pcr_mask = 0;
@@ -260,7 +260,7 @@ int enroll_tpm2(struct crypt_device *cd,
&srk_buf,
&srk_buf_size);
if (r < 0)
return r;
return log_error_errno(r, "Failed to seal to TPM2: %m");
/* Let's see if we already have this specific PCR policy hash enrolled, if so, exit early. */
r = search_policy_hash(cd, policy.buffer, policy.size);
@@ -292,7 +292,7 @@ int enroll_tpm2(struct crypt_device *cd,
srk_buf, srk_buf_size,
&secret2, &secret2_size);
if (r < 0)
return r;
return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
if (memcmp_nn(secret, secret_size, secret2, secret2_size) != 0)
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM2 seal/unseal verification failed.");

13
src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c
View File

@@ -45,11 +45,11 @@ int acquire_luks2_key(
assert(ret_decrypted_key_size);
if (!device) {
r = tpm2_find_device_auto(LOG_DEBUG, &auto_device);
r = tpm2_find_device_auto(&auto_device);
if (r == -ENODEV)
return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
if (r < 0)
return r;
return log_error_errno(r, "Could not find TPM2 device: %m");
device = auto_device;
}
@@ -77,11 +77,10 @@ int acquire_luks2_key(
if (pubkey_pcr_mask != 0) {
r = tpm2_load_pcr_signature(signature_path, &signature_json);
if (r < 0)
return r;
return log_error_errno(r, "Failed to load PCR signature: %m");
}
return tpm2_unseal(
device,
r = tpm2_unseal(device,
hash_pcr_mask,
pcr_bank,
pubkey, pubkey_size,
@@ -93,4 +92,8 @@ int acquire_luks2_key(
policy_hash, policy_hash_size,
srk_buf, srk_buf_size,
ret_decrypted_key, ret_decrypted_key_size);
if (r < 0)
return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
return r;
}

30
src/cryptsetup/cryptsetup-tpm2.c
View File

@@ -91,11 +91,11 @@ int acquire_tpm2_key(
assert(salt || salt_size == 0);
if (!device) {
r = tpm2_find_device_auto(LOG_DEBUG, &auto_device);
r = tpm2_find_device_auto(&auto_device);
if (r == -ENODEV)
return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
if (r < 0)
return r;
return log_error_errno(r, "Could not find TPM2 device: %m");
device = auto_device;
}
@@ -126,12 +126,11 @@ int acquire_tpm2_key(
if (pubkey_pcr_mask != 0) {
r = tpm2_load_pcr_signature(signature_path, &signature_json);
if (r < 0)
return r;
return log_error_errno(r, "Failed to load pcr signature: %m");
}
if (!(flags & TPM2_FLAGS_USE_PIN))
return tpm2_unseal(
device,
if (!(flags & TPM2_FLAGS_USE_PIN)) {
r = tpm2_unseal(device,
hash_pcr_mask,
pcr_bank,
pubkey, pubkey_size,
@@ -147,6 +146,11 @@ int acquire_tpm2_key(
srk_buf_size,
ret_decrypted_key,
ret_decrypted_key_size);
if (r < 0)
return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
return r;
}
for (int i = 5;; i--) {
_cleanup_(erase_and_freep) char *pin_str = NULL, *b64_salted_pin = NULL;
@@ -189,12 +193,14 @@ int acquire_tpm2_key(
srk_buf_size,
ret_decrypted_key,
ret_decrypted_key_size);
/* We get this error in case there is an authentication policy mismatch. This should
* not happen, but this avoids confusing behavior, just in case. */
if (IN_SET(r, -EPERM, -ENOLCK))
return r;
if (r < 0)
continue;
if (r < 0) {
log_error_errno(r, "Failed to unseal secret using TPM2: %m");
/* We get this error in case there is an authentication policy mismatch. This should
* not happen, but this avoids confusing behavior, just in case. */
if (!IN_SET(r, -EPERM, -ENOLCK))
continue;
}
return r;
}

6
src/cryptsetup/cryptsetup.c
View File

@@ -836,13 +836,13 @@ static int measure_volume_key(
_cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
r = tpm2_context_new(arg_tpm2_device, &c);
if (r < 0)
return r;
return log_error_errno(r, "Failed to create TPM2 context: %m");
_cleanup_strv_free_ char **l = NULL;
if (strv_isempty(arg_tpm2_measure_banks)) {
r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << arg_tpm2_measure_pcr, &l);
if (r < 0)
return r;
return log_error_errno(r, "Could not verify pcr banks: %m");
}
_cleanup_free_ char *joined = strv_join(l ?: arg_tpm2_measure_banks, ", ");
@@ -865,7 +865,7 @@ static int measure_volume_key(
r = tpm2_extend_bytes(c, l ?: arg_tpm2_measure_banks, arg_tpm2_measure_pcr, s, SIZE_MAX, volume_key, volume_key_size, TPM2_EVENT_VOLUME_KEY, s);
if (r < 0)
return r;
return log_error_errno(r, "Could not extend PCR: %m");
log_struct(LOG_INFO,
"MESSAGE_ID=" SD_MESSAGE_TPM_PCR_EXTEND_STR,

6
src/partition/repart.c
View File

@@ -3761,7 +3761,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
r = tpm2_context_new(arg_tpm2_device, &tpm2_context);
if (r < 0)
return r;
return log_error_errno(r, "Failed to create TPM2 context: %m");
TPM2B_PUBLIC public;
if (pubkey) {
@@ -3772,7 +3772,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
r = tpm2_pcr_read_missing_values(tpm2_context, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values);
if (r < 0)
return r;
return log_error_errno(r, "Could not read pcr values: %m");
uint16_t hash_pcr_bank = 0;
uint32_t hash_pcr_mask = 0;
@@ -3794,7 +3794,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE);
r = tpm2_calculate_sealing_policy(arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, &public, /* use_pin= */ false, &policy);
if (r < 0)
return r;
return log_error_errno(r, "Could not calculate sealing policy digest: %m");
r = tpm2_seal(tpm2_context,
&policy,

6
src/pcrextend/pcrextend.c
View File

@@ -184,7 +184,7 @@ static int determine_banks(Tpm2Context *c, unsigned target_pcr_nr) {
r = tpm2_get_good_pcr_banks_strv(c, UINT32_C(1) << target_pcr_nr, &l);
if (r < 0)
return r;
return log_error_errno(r, "Could not verify pcr banks: %m");
strv_free_and_replace(arg_banks, l);
return 0;
@@ -362,7 +362,7 @@ static int run(int argc, char *argv[]) {
_cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL;
r = tpm2_context_new(arg_tpm2_device, &c);
if (r < 0)
return r;
return log_error_errno(r, "Failed to create TPM2 context: %m");
r = determine_banks(c, arg_pcr_index);
if (r < 0)
@@ -378,7 +378,7 @@ static int run(int argc, char *argv[]) {
r = tpm2_extend_bytes(c, arg_banks, arg_pcr_index, word, length, NULL, 0, event, word);
if (r < 0)
return r;
return log_error_errno(r, "Could not extend PCR: %m");
log_struct(LOG_INFO,
"MESSAGE_ID=" SD_MESSAGE_TPM_PCR_EXTEND_STR,

15
src/shared/creds-util.c
View File

@@ -828,11 +828,11 @@ int encrypt_credential_and_warn(
_cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
r = tpm2_context_new(tpm2_device, &tpm2_context);
if (r < 0)
return r;
return log_error_errno(r, "Failed to create TPM2 context: %m");
r = tpm2_get_best_pcr_bank(tpm2_context, tpm2_hash_pcr_mask | tpm2_pubkey_pcr_mask, &tpm2_pcr_bank);
if (r < 0)
return r;
return log_error_errno(r, "Could not find best pcr bank: %m");
TPML_PCR_SELECTION tpm2_hash_pcr_selection;
tpm2_tpml_pcr_selection_from_mask(tpm2_hash_pcr_mask, tpm2_pcr_bank, &tpm2_hash_pcr_selection);
@@ -841,7 +841,7 @@ int encrypt_credential_and_warn(
size_t tpm2_n_hash_pcr_values;
r = tpm2_pcr_read(tpm2_context, &tpm2_hash_pcr_selection, &tpm2_hash_pcr_values, &tpm2_n_hash_pcr_values);
if (r < 0)
return r;
return log_error_errno(r, "Could not read PCR values: %m");
TPM2B_PUBLIC public;
if (pubkey) {
@@ -858,7 +858,7 @@ int encrypt_credential_and_warn(
/* use_pin= */ false,
&tpm2_policy);
if (r < 0)
return r;
return log_error_errno(r, "Could not calculate sealing policy digest: %m");
r = tpm2_seal(tpm2_context,
&tpm2_policy,
@@ -872,7 +872,7 @@ int encrypt_credential_and_warn(
if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
log_warning("TPM2 present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
else if (!sd_id128_equal(with_key, _CRED_AUTO))
return r;
return log_error_errno(r, "Failed to seal to TPM2: %m");
log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
}
@@ -1104,7 +1104,7 @@ int decrypt_credential_and_warn(
if (with_tpm2_pk) {
r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json);
if (r < 0)
return r;
return log_error_errno(r, "Failed to load pcr signature: %m");
}
if (is_tpm2_absent) {
@@ -1223,8 +1223,7 @@ int decrypt_credential_and_warn(
&tpm2_key,
&tpm2_key_size);
if (r < 0)
return r;
return log_error_errno(r, "Failed to unseal secret using TPM2: %m");
#else
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
#endif

342
src/shared/tpm2-util.c
View File

File diff suppressed because it is too large Load Diff

2
src/shared/tpm2-util.h
View File

@@ -268,7 +268,7 @@ typedef struct {} Tpm2PCRValue;
#endif /* HAVE_TPM2 */
int tpm2_list_devices(void);
int tpm2_find_device_auto(int log_level, char **ret);
int tpm2_find_device_auto(char **ret);
int tpm2_make_pcr_json_array(uint32_t pcr_mask, JsonVariant **ret);
int tpm2_parse_pcr_json_array(JsonVariant *v, uint32_t *ret);

4
src/tpm2-setup/tpm2-setup.c
View File

@@ -198,7 +198,7 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
r = tpm2_context_new(arg_tpm2_device, &c);
if (r < 0)
return r;
return log_error_errno(r, "Failed to create TPM2 context: %m");
r = tpm2_get_or_create_srk(
c,
@@ -208,7 +208,7 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
/* ret_qname= */ NULL,
NULL);
if (r < 0)
return r;
return log_error_errno(r, "Failed to get or create SRK: %m");
if (r > 0)
log_info("New SRK generated and stored in the TPM.");
else