Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package systemd for openSUSE:Factory checked in at 2024-12-19 21:39:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/systemd (Old) and /work/SRC/openSUSE:Factory/.systemd.new.29675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "systemd" Thu Dec 19 21:39:52 2024 rev:434 rq:1231884 version:256.9 Changes: --------
--- /work/SRC/openSUSE:Factory/systemd/systemd.changes 2024-12-04 15:26:50.824530486 +0100
+++ /work/SRC/openSUSE:Factory/.systemd.new.29675/systemd.changes 2024-12-19 21:39:53.942862153 +0100
@@ -1,0 +2,8 @@
+Mon Dec 16 18:11:24 UTC 2024 - Fabian Vogt <fv...@suse.com>
+
+- Add 5006-tpm2-util-Also-retry-unsealing-after-policy_pcr-retu.patch
+
+ Backport of https://github.com/systemd/systemd/pull/35657, which fixes
+ https://github.com/systemd/systemd/issues/35490 (boo#1233752, bsc#1234313).
+
+-------------------------------------------------------------------
@@ -159,0 +168,4 @@
+
+ - This includes the following bug fixes:
+
+ - commit 3b2e7dc5a285edbbb1bf6aed2d88b889d801613f (bsc#1234015)
New: ---- 5006-tpm2-util-Also-retry-unsealing-after-policy_pcr-retu.patch BETA DEBUG BEGIN: New: - Add 5006-tpm2-util-Also-retry-unsealing-after-policy_pcr-retu.patch BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ systemd.spec ++++++
--- /var/tmp/diff_new_pack.6ZI65h/_old 2024-12-19 21:39:55.154912390 +0100
+++ /var/tmp/diff_new_pack.6ZI65h/_new 2024-12-19 21:39:55.154912390 +0100
@@ -238,6 +238,7 @@
 Patch: 5002-Revert-udev-revert-workarounds-for-issues-caused-by-.patch
 Patch: 5004-disable-session-freeze.patch
 Patch: 5005-Revert-boot-Make-initrd_prepare-semantically-equival.patch
+Patch: 5006-tpm2-util-Also-retry-unsealing-after-policy_pcr-retu.patch
 %endif
 %description
++++++ 5006-tpm2-util-Also-retry-unsealing-after-policy_pcr-retu.patch ++++++
>From 14d5ee7b48491ccc4e62a648474dcf24dad9e568 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fv...@suse.de>
Date: Mon, 16 Dec 2024 19:08:13 +0100
Subject: [PATCH] tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED
It's not just Esys_Unseal that may fail due to PCR changes during the session, but also Esys_PolicyPCR. Perform a retry in that case as well.
Fixes #35490
(cherry picked from commit e61032bf47e6a7e572643a0060c6dd610635c854)
[fvogt: rebase on top of v256]
[fvogt: fixes boo#1233752]
[fvogt: fixes bsc#1234313]
---
 src/shared/tpm2-util.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 495789024b..6ce77f9a4f 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -3979,6 +3979,9 @@ int tpm2_policy_pcr(
 ESYS_TR_NONE,
 NULL,
 pcr_selection);
+ if (rc == TPM2_RC_PCR_CHANGED)
+ return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
+ "Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
 if (rc != TSS2_RC_SUCCESS)
 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
 "Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
@@ -5744,6 +5747,8 @@ int tpm2_unseal(Tpm2Context *c,
 !!pin,
 pcrlock_policy,
 &policy_digest);
+ if (r == -EUCLEAN && i > 0)
+ goto retry_after_pcr_changed;
 if (r < 0)
 return r;
@@ -5783,6 +5788,8 @@ int tpm2_unseal(Tpm2Context *c,
 if (rc != TPM2_RC_PCR_CHANGED || i == 0)
 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
 "Failed to unseal HMAC key in TPM: %s", sym_Tss2_RC_Decode(rc));
+
+retry_after_pcr_changed:
 log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
 }
--
2.47.0
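Review bot: The `-EUCLEAN` that tpm2_policy_pcr() now returns for `TPM2_RC_PCR_CHANGED` is a retry signal that tpm2_unseal() keys on in the next hunk, but nothing at the new branch records that meaning. I would add above it `/* PCR values changed while the policy session was open; -EUCLEAN tells the caller it may restart the session */`. Any other caller that so far only saw -ENOTRECOVERABLE from this function now gets a second errno; those call sites are not part of the patch and are worth checking. The function starts and continues outside the hunk.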
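Review bot: On the last attempt (`i == 0`) a PCR change during policy setup falls through to `if (r < 0) return r;`, so tpm2_unseal() returns -EUCLEAN, while the same condition hit in Esys_Unseal returns -ENOTRECOVERABLE in the following hunk. If callers branch on the errno, which cannot be seen here, an exhausted retry budget is reported two different ways; `if (r == -EUCLEAN) return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "PCR values kept changing while building the TPM2 policy, giving up.");` placed before the generic check would align them. The retry test also treats every -EUCLEAN from the policy-building call (named above the hunk) as PCR_CHANGED; whether that call can return -EUCLEAN for another reason is not visible. The loop body starts and ends outside the hunk.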