-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tpm2: try a transient primary key if the sealed key object fails to load for any reason #207
Comments
Latest secboot version in snapd: github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263 In the case of a Lines 80 to 86 in 802bb19
Lines 48 to 52 in 802bb19
|
Thanks for taking a look at this - so I've actually misunderstood my own code and probably the issue that started me looking at this. I think it would probably still be a good idea to implement trying with other persistent keys on the TPM. |
loadForUnseal() will now try all the persistent SRKs stored in NV before falling back to creating a transient SRK. Any errors during that process are returned as an ErrTPMProvisioning error to the caller. This resolves snapcore#207.
The TPM unsealing code will fall back to trying with a transient primary key if the initial unsealing attempt with the persistent primary key fails in some cases - if the TPM2_Load command fails with a handle error, indicating that the supplied parent handle is not a valid storage key.
But it fails immediately if TPM2_Load returns a TPM_RC_INTEGRITY error for the inPrivate parameter, which may indicate that although the parent handle corresponds to a valid storage key, it may not be the correct parent key. This might happen if other software that uses the TPM evicts the primary key we create during install and then creates a new one with a non-standard template.
The unsealing code should probably adopt a belt and braces approach to error handling here and fall back to trying with a transient primary key if the TPM2_Load command fails for any reason, rather than implementing handling that is specific to each error type. I would also extend the existing error handling to work like this:
The text was updated successfully, but these errors were encountered: