2023-02-17 17:03:01 +00:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
2023-01-15 12:20:50 +00:00
|
|
|
From: Nick Cao <nickcao@nichi.co>
|
|
|
|
Date: Sun, 15 Jan 2023 20:15:55 +0800
|
|
|
|
Subject: [PATCH] tpm2_context_init: fix driver name checking
|
|
|
|
|
|
|
|
https://github.com/systemd/systemd/commit/542dbc623e introduced
|
|
|
|
additional checks for tpm2 driver names, namely ensuring the driver
|
|
|
|
name, when concated with "libtss2-tcti-" and ".so.0", generates a valid
|
|
|
|
filename (with no '/' inside).
|
|
|
|
|
|
|
|
For example, if the driver is name "device", the line
|
|
|
|
fn = strjoina("libtss2-tcti-", driver, ".so.0")
|
|
|
|
would yield "libtss2-tcti-device.so.0", passing the check. And the
|
|
|
|
filename is then passed to dlopen for loading the driver.
|
|
|
|
|
|
|
|
Our current approach for systemd to correctly locate these dynamically
|
|
|
|
loaded libraries is to patch the filenames to include their absolute
|
|
|
|
path. Thus the line mentioned above is patched into
|
|
|
|
fn = strjoina("/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-", driver, ".so.0")
|
|
|
|
yielding "/nix/store/xxxxxxx-tpm2-tss-3.2.0/lib/libtss2-tcti-device.so.0",
|
|
|
|
tripping the check.
|
|
|
|
|
|
|
|
This patch relaxes the check to also accept absolute paths, by replacing
|
|
|
|
filename_is_valid with path_is_valid.
|
|
|
|
---
|
|
|
|
src/shared/tpm2-util.c | 2 +-
|
|
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
|
|
|
|
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
|
2023-06-19 00:40:27 +00:00
|
|
|
index ae8a8bc073..c284b244f8 100644
|
2023-01-15 12:20:50 +00:00
|
|
|
--- a/src/shared/tpm2-util.c
|
|
|
|
+++ b/src/shared/tpm2-util.c
|
2023-06-19 00:40:27 +00:00
|
|
|
@@ -582,7 +582,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
|
2023-01-15 12:20:50 +00:00
|
|
|
fn = strjoina("libtss2-tcti-", driver, ".so.0");
|
|
|
|
|
|
|
|
/* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
|
|
|
|
- if (!filename_is_valid(fn))
|
|
|
|
+ if (!path_is_valid(fn))
|
|
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
|
|
|
|
|
2023-02-17 17:03:01 +00:00
|
|
|
context->tcti_dl = dlopen(fn, RTLD_NOW);
|