From d4470bcda87c53035e14339b47474a2d598942d2 Mon Sep 17 00:00:00 2001
From: Joseph Kogut
Date: Wed, 24 Jul 2024 15:24:27 -0700
Subject: [PATCH] tpm2: ensure auth session contexts are flushed after use
The TPM is capable of storing a limited number of auth session handles. Ensure auth sessions are flushed after use, to prevent tpm2_startauthsession from failing with 'out of session handles'.
Change-type: patch
Signed-off-by: Joseph Kogut
---
 .../recipes-core/initrdscripts/files/cryptsetup-efi-tpm | 4 ++++
 .../hostapp-update-hooks/files/0-signed-update | 6 ++++--
 .../files/95-secureboot/2-fwd_commit_update-policy | 4 ++++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm b/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm
index 975ea02e3d..3bd40e3f36 100644
--- a/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm
+++ b/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm
@@ -106,6 +106,8 @@ cryptsetup_run() {
 tpm2_startauthsession --policy-session -S "${SESSION_CTX}"
 tpm2_policypcr -S "${SESSION_CTX}" -l "${PCRS}"
+ trap 'tpm2_flushcontext "${SESSION_CTX}"' EXIT
+
 # combined multiple policies with tpm2_policyor
 POLICIES="$(find "${POLICY_PATH}" -type f | sort | xargs)"
 if [ "$(echo "${POLICIES}" | wc -w)" -gt 1 ]; then
@@ -121,6 +123,8 @@ cryptsetup_run() {
 fail "Failed to unlock LUKS passphrase using the TPM"
 fi
+ tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1
+
 BOOT_DEVICE=$(lsblk -nlo pkname "${EFI_DEV}")
 # Check that we have the expected amount of encrypted partitions on the boot device
diff --git a/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update b/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update
index 0a3ac0f0e8..a40151020c 100644
--- a/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update
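Review bot: The EXIT trap in the first hunk is armed only after tpm2_startauthsession and tpm2_policypcr have already run, so a failure of tpm2_policypcr (or anything that exits between those two lines) still leaks the session the commit is trying to reclaim; arming it before `tpm2_startauthsession` closes that gap. The trap is also never disarmed after the explicit `tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1` in the second hunk, so every normal exit flushes the same context twice and the second, unredirected call prints its error to the boot console; either `trap - EXIT` right after the explicit flush, or make the trap tolerant with `trap 'tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1 || true' EXIT`. Because `trap ... EXIT` replaces any EXIT handler the script installed earlier, it is worth confirming that cryptsetup-efi-tpm has no other cleanup trap that this silently overrides; the body of cryptsetup_run starts and ends outside these hunks. The same ordering and double-flush pattern appears in the two hunks of 2-fwd_commit_update-policy, where the top-level `trap` is added well after the session is opened and the later explicit flush leaves the trap armed.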
+++ b/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update
@@ -124,7 +124,7 @@ updateKeys() {
 CURRENT_POLICY_PATH="$(find /mnt/efi -name "policies.*")"
 for UNLOCK_PCRS in 0,2,3,7 0,1,2,3; do
 {
- [ -f "${SESSION_CTX}" ] && tpm2_flushcontext "${SESSION_CTX}" 2>&1 || true
+ tpm2_flushcontext "${SESSION_CTX}" 2>&1 || true
 tpm2_startauthsession --policy-session -S "${SESSION_CTX}"
 tpm2_policypcr -S "${SESSION_CTX}" -l "sha256:${UNLOCK_PCRS}"
 POLICIES="$(find "${CURRENT_POLICY_PATH}" -type f | sort | xargs)"
@@ -140,6 +140,8 @@ updateKeys() {
 fi
 done
+ tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1
+
 POLICY_UPDATED="${POLICY_PATH}/policy.updated"
 POLICY_EFIBIN="${POLICY_PATH}/policy.efibin"
 POLICY_COMBINED="$(mktemp -t)"
@@ -186,7 +188,7 @@ updateKeys() {
 esac
 {
- tpm2_flushcontext "${SESSION_CTX}"
+ tpm2_flushcontext "${SESSION_CTX}" 2>&1
 hw_encrypt_passphrase "$PASSPHRASE_FILE" "$POLICY" "$RESULT_DIR"
 rm -rf "${CURRENT_POLICY_PATH}"
diff --git a/meta-balena-common/recipes-support/hostapp-update-hooks/files/95-secureboot/2-fwd_commit_update-policy b/meta-balena-common/recipes-support/hostapp-update-hooks/files/95-secureboot/2-fwd_commit_update-policy
index 7ddbf8da69..12232d14d9 100644
--- a/meta-balena-common/recipes-support/hostapp-update-hooks/files/95-secureboot/2-fwd_commit_update-policy
+++ b/meta-balena-common/recipes-support/hostapp-update-hooks/files/95-secureboot/2-fwd_commit_update-policy
@@ -46,6 +46,8 @@ if [ "$(echo "${POLICIES}" | wc -w)" -gt 1 ]; then
 update_reason="Combined policy in use"
 fi
+trap 'tpm2_flushcontext "${SESSION_CTX}"' EXIT
+
 if hw_decrypt_passphrase "${EFI_MOUNT_DIR}" "session:${SESSION_CTX}" "${PASSPHRASE_FILE}"; then
 echo "Unlocked passphrase using pcr:sha256:0,2,3,7"
 elif hw_decrypt_passphrase "${EFI_MOUNT_DIR}" "pcr:sha256:0,1,2,3" "${PASSPHRASE_FILE}"; then
@@ -56,6 +58,8 @@ else
 exit 1
 fi
+tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1
+
 POLICY="$(mktemp -t)"
 PCRS="0,2,3,7"
 PCR_VAL_BIN="$(mktemp -t)"
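Review bot: Dropping the `[ -f "${SESSION_CTX}" ]` guard in the first 0-signed-update hunk means the first loop iteration now always calls tpm2_flushcontext on a context that does not exist yet, and `2>&1` merges that failure text into stdout instead of discarding it, so whatever the enclosing `{` group does with its output (its redirection is outside the hunk) now receives a spurious error each run. The new line in the very next hunk uses `>/dev/null 2>&1` for the same call, so the two forms are inconsistent; `tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1 || true` would make the best-effort intent explicit in both places. The loop body and the `{` group start and end outside this hunk.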
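Review bot: The flush at the start of the `{` group in the `@@ -186,7 +188,7 @@` hunk keeps no `|| true`, yet the new flush added after the `done` in the previous hunk has already released the session by the time this line runs; unless a fresh session is started somewhere in the lines between those two hunks (not visible here), this call fails on an already-flushed context, and if `set -e` is in effect for updateKeys the group aborts before hw_encrypt_passphrase. Either drop the now-redundant flush or write it as `tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1 || true` so it matches the best-effort form used at the top of the loop. The `{` group and updateKeys itself continue outside the hunk.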