xref: /systemd-251/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "alloc-util.h"
#include "ask-password-api.h"
#include "env-util.h"
#include "hexdecoct.h"
#include "json.h"
#include "log.h"
#include "luks2-tpm2.h"
#include "parse-util.h"
#include "random-util.h"
#include "strv.h"
#include "tpm2-util.h"

int acquire_luks2_key(
                uint32_t pcr_mask,
                uint16_t pcr_bank,
                uint16_t primary_alg,
                const char *device,
                const void *key_data,
                size_t key_data_size,
                const void *policy_hash,
                size_t policy_hash_size,
                TPM2Flags flags,
                void **ret_decrypted_key,
                size_t *ret_decrypted_key_size) {

        _cleanup_free_ char *auto_device = NULL;
        _cleanup_(erase_and_freep) char *pin_str = NULL;
        int r;

        assert(ret_decrypted_key);
        assert(ret_decrypted_key_size);

        if (!device) {
                r = tpm2_find_device_auto(LOG_DEBUG, &auto_device);
                if (r == -ENODEV)
                        return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
                if (r < 0)
                        return r;

                device = auto_device;
        }

        r = getenv_steal_erase("PIN", &pin_str);
        if (r < 0)
                return log_error_errno(r, "Failed to acquire PIN from environment: %m");
        if (!r) {
                /* PIN entry is not supported by plugin, let it fallback, possibly to sd-cryptsetup's
                 * internal handling. */
                if (flags & TPM2_FLAGS_USE_PIN)
                        return -EOPNOTSUPP;
        }

        return tpm2_unseal(
                        device,
                        pcr_mask, pcr_bank,
                        primary_alg,
                        key_data, key_data_size,
                        policy_hash, policy_hash_size, pin_str,
                        ret_decrypted_key, ret_decrypted_key_size);
}

/* this function expects valid "systemd-tpm2" in json */
int parse_luks2_tpm2_data(
                const char *json,
                uint32_t search_pcr_mask,
                uint32_t *ret_pcr_mask,
                uint16_t *ret_pcr_bank,
                uint16_t *ret_primary_alg,
                char **ret_base64_blob,
                char **ret_hex_policy_hash,
                TPM2Flags *ret_flags) {

        int r;
        JsonVariant *w, *e;
        uint32_t pcr_mask = 0;
        uint16_t pcr_bank = UINT16_MAX, primary_alg = TPM2_ALG_ECC;
        _cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL;
        _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
        TPM2Flags flags = 0;

        assert(json);
        assert(ret_pcr_mask);
        assert(ret_pcr_bank);
        assert(ret_primary_alg);
        assert(ret_base64_blob);
        assert(ret_hex_policy_hash);

        r = json_parse(json, 0, &v, NULL, NULL);
        if (r < 0)
                return -EINVAL;

        w = json_variant_by_key(v, "tpm2-pcrs");
        if (!w || !json_variant_is_array(w))
                return -EINVAL;

        JSON_VARIANT_ARRAY_FOREACH(e, w) {
                uint64_t u;

                if (!json_variant_is_number(e))
                        return -EINVAL;

                u = json_variant_unsigned(e);
                if (u >= TPM2_PCRS_MAX)
                        return -EINVAL;

                pcr_mask |= UINT32_C(1) << u;
        }

        if (search_pcr_mask != UINT32_MAX &&
            search_pcr_mask != pcr_mask)
                return -ENXIO;

        w = json_variant_by_key(v, "tpm2-pcr-bank");
        if (w) {
                /* The PCR bank field is optional */

                if (!json_variant_is_string(w))
                        return -EINVAL;

                r = tpm2_pcr_bank_from_string(json_variant_string(w));
                if (r < 0)
                        return r;

                pcr_bank = r;
        }

        w = json_variant_by_key(v, "tpm2-primary-alg");
        if (w) {
                /* The primary key algorithm is optional */

                if (!json_variant_is_string(w))
                        return -EINVAL;

                r = tpm2_primary_alg_from_string(json_variant_string(w));
                if (r < 0)
                        return r;

                primary_alg = r;
        }

        w = json_variant_by_key(v, "tpm2-blob");
        if (!w || !json_variant_is_string(w))
                return -EINVAL;

        base64_blob = strdup(json_variant_string(w));
        if (!base64_blob)
                return -ENOMEM;

        w = json_variant_by_key(v, "tpm2-policy-hash");
        if (!w || !json_variant_is_string(w))
                return -EINVAL;

        hex_policy_hash = strdup(json_variant_string(w));
        if (!hex_policy_hash)
                return -ENOMEM;

        w = json_variant_by_key(v, "tpm2-pin");
        if (w) {
                if (!json_variant_is_boolean(w))
                        return -EINVAL;

                if (json_variant_boolean(w))
                        flags |= TPM2_FLAGS_USE_PIN;
        }

        *ret_pcr_mask = pcr_mask;
        *ret_pcr_bank = pcr_bank;
        *ret_primary_alg = primary_alg;
        *ret_base64_blob = TAKE_PTR(base64_blob);
        *ret_hex_policy_hash = TAKE_PTR(hex_policy_hash);
        *ret_flags = flags;

        return 0;
}