secboot: fix reading of pcr index handle from key file
valentindavid committed Jun 11, 2024
1 parent b39eaa6 commit 39153b4
Showing 2 changed files with 16 additions and 11 deletions.
6 changes: 3 additions & 3 deletions secboot/secboot_sb_test.go
Expand Up @@ -1066,7 +1066,7 @@ func (s *secbootSuite) TestResealKey(c *C) {
{tpmEnabled: true, addPCRProfileErr: mockErr, expectedErr: "cannot build new PCR protection profile: cannot add EFI secure boot and boot manager policy profiles: some error"},
{tpmEnabled: true, addSystemdEFIStubErr: mockErr, expectedErr: "cannot build new PCR protection profile: cannot add systemd EFI stub profile: some error"},
{tpmEnabled: true, addSnapModelErr: mockErr, expectedErr: "cannot build new PCR protection profile: cannot add snap model profile: some error"},
{tpmEnabled: true, readSealedKeyObjectErr: mockErr, expectedErr: "cannot read keyfile .*: some error"},
{tpmEnabled: true, readSealedKeyObjectErr: mockErr, expectedErr: "cannot read key file .*: some error"},
{tpmEnabled: true, resealErr: mockErr, resealCalls: 1, expectedErr: "cannot update legacy PCR protection policy: some error"},
{tpmEnabled: true, revokeErr: errors.New("revoke error"), resealCalls: 1, revokeCalls: 1, expectedErr: "cannot revoke old PCR protection policies: revoke error"},
} {
Expand Down Expand Up @@ -2003,14 +2003,14 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncryptedFdeRevealKeyBadJ
func (s *secbootSuite) TestPCRHandleOfSealedKey(c *C) {
d := c.MkDir()
h, err := secboot.PCRHandleOfSealedKey(filepath.Join(d, "not-found"))
c.Assert(err, ErrorMatches, "cannot open key file: .*/not-found: no such file or directory")
c.Assert(err, ErrorMatches, "cannot read key file .*/not-found:.* no such file or directory")
c.Assert(h, Equals, uint32(0))

skf := filepath.Join(d, "sealed-key")
// partially valid sealed key with correct header magic
c.Assert(os.WriteFile(skf, []byte{0x55, 0x53, 0x4b, 0x24, 1, 1, 1, 'k', 'e', 'y', 1, 1, 1}, 0644), IsNil)
h, err = secboot.PCRHandleOfSealedKey(skf)
c.Assert(err, ErrorMatches, "(?s)cannot open key file: invalid key data: cannot unmarshal AFIS header: .*")
c.Assert(err, ErrorMatches, "(?s)cannot read key file .*: invalid key data: cannot unmarshal AFIS header: .*")
c.Check(h, Equals, uint32(0))

// TODO simulate the happy case, which needs a real (or at least
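Review bot: The new fallback branch in PCRHandleOfSealedKey (readKeyFile returning a nil key object, then sb_tpm2.NewSealedKeyData) is not exercised by TestPCRHandleOfSealedKey; both inputs here still fail with the `cannot read key file` prefix, i.e. inside the readKeyFile step, so the `cannot read key data in keyfile` error path and the handle taken from SealedKeyData are never asserted. A fixture written in the key-data format would cover it, and the TODO at the end of the hunk still only mentions the sealed-key-object happy case. I am inferring the two on-disk formats from the branch in secboot_tpm.go, not from readKeyFile itself, which is outside this diff.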
21 changes: 13 additions & 8 deletions secboot/secboot_tpm.go
Expand Up @@ -520,7 +520,7 @@ func ResealKeys(params *ResealKeysParams) error {
for _, keyfile := range params.KeyFiles {
keyData, keyObject, err := readKeyFile(keyfile)
if err != nil {
return fmt.Errorf("cannot read keyfile %s: %w", keyfile, err)
return fmt.Errorf("cannot read key file %s: %w", keyfile, err)
}
keyDatas = append(keyDatas, keyData)
sealedKeyObjects = append(sealedKeyObjects, keyObject)
Expand Down Expand Up @@ -726,16 +726,21 @@ func efiImageFromBootFile(b *bootloader.BootFile) (sb_efi.Image, error) {
// PCRHandleOfSealedKey retunrs the PCR handle which was used when sealing a
// given key object.
func PCRHandleOfSealedKey(p string) (uint32, error) {
r, err := sb_tpm2.NewFileSealedKeyObjectReader(p)
keyData, keyObject, err := readKeyFile(p)
if err != nil {
return 0, fmt.Errorf("cannot open key file: %v", err)
return 0, fmt.Errorf("cannot read key file %s: %w", p, err)
}
sko, err := sb_tpm2.ReadSealedKeyObject(r)
if err != nil {
return 0, fmt.Errorf("cannot read sealed key file: %v", err)
if keyObject != nil {
handle := uint32(keyObject.PCRPolicyCounterHandle())
return handle, nil
} else {
sealedKeyData, err := sb_tpm2.NewSealedKeyData(keyData)
if err != nil {
return 0, fmt.Errorf("cannot read key data in keyfile %s: %w", p, err)
}
handle := uint32(sealedKeyData.PCRPolicyCounterHandle())
return handle, nil
}
handle := uint32(sko.PCRPolicyCounterHandle())
return handle, nil
}

func tpmReleaseResourcesImpl(tpm *sb_tpm2.Connection, handle tpm2.Handle) error {
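Review bot: The fallback error at the `sb_tpm2.NewSealedKeyData` call still says `cannot read key data in keyfile %s`, while this same commit renames every other message to "key file" (ResealKeys above and the open error a few lines earlier) and the updated tests match on `cannot read key file .*`, so the odd one out should be aligned now: `return 0, fmt.Errorf("cannot read key data in key file %s: %w", p, err)`. The `if keyObject != nil { … } else { … }` shape puts the fallback behind an else after a return; a guard clause keeps the SealedKeyData path left-aligned and drops the two `handle` temporaries. Whether readKeyFile can hand back a nil keyData together with a nil keyObject is not visible here; if it can, NewSealedKeyData(nil) is all that stands between that and a confusing error, so a comment at the branch stating the invariant would help the next reader. The doc comment on the function also still reads `retunrs`.
```go
func PCRHandleOfSealedKey(p string) (uint32, error) {
	// … unchanged: readKeyFile call and its error return …
	// NOTE(review): assumes readKeyFile yields a key object for the
	// sealed-key-object format and key data otherwise — confirm.
	if keyObject != nil {
		return uint32(keyObject.PCRPolicyCounterHandle()), nil
	}
	sealedKeyData, err := sb_tpm2.NewSealedKeyData(keyData)
	if err != nil {
		return 0, fmt.Errorf("cannot read key data in key file %s: %w", p, err)
	}
	return uint32(sealedKeyData.PCRPolicyCounterHandle()), nil
}
```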
