tpm2: ensure auth session contexts are flushed after use

jakogut · jakogut · commit 93f949ff05ec · 2024-10-04T14:11:17.000-07:00
The TPM is capable of storing a limited number of auth session handles.
Ensure auth sessions are flushed after use, to prevent
tpm2_startauthsession from failing with 'out of session handles'.

Change-type: patch
Signed-off-by: Joseph Kogut &lt;joseph@balena.io&gt;
diff --git a/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm b/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm
@@ -106,6 +106,8 @@ cryptsetup_run() {
     tpm2_startauthsession --policy-session -S "${SESSION_CTX}"
     tpm2_policypcr -S "${SESSION_CTX}" -l "${PCRS}"
 
+    trap 'tpm2_flushcontext "${SESSION_CTX}"' EXIT
+
     # combined multiple policies with tpm2_policyor
     POLICIES="$(find "${POLICY_PATH}" -type f | sort | xargs)"
     if [ "$(echo "${POLICIES}" | wc -w)" -gt 1 ]; then
@@ -121,6 +123,8 @@ cryptsetup_run() {
         fail "Failed to unlock LUKS passphrase using the TPM"
     fi
 
+    tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1
+
     BOOT_DEVICE=$(lsblk -nlo pkname "${EFI_DEV}")
 
     # Check that we have the expected amount of encrypted partitions on the boot device
diff --git a/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update b/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update
@@ -124,7 +124,7 @@ updateKeys() {
     CURRENT_POLICY_PATH="$(find /mnt/efi -name "policies.*")"
     for UNLOCK_PCRS in  0,2,3,7 0,1,2,3; do
         {
-            [ -f "${SESSION_CTX}" ] && tpm2_flushcontext "${SESSION_CTX}"  2>&1 || true
+            tpm2_flushcontext "${SESSION_CTX}"  2>&1 || true
             tpm2_startauthsession --policy-session -S "${SESSION_CTX}"
             tpm2_policypcr -S "${SESSION_CTX}" -l "sha256:${UNLOCK_PCRS}"
             POLICIES="$(find "${CURRENT_POLICY_PATH}" -type f | sort | xargs)"
@@ -140,6 +140,8 @@ updateKeys() {
         fi
     done
 
+    tpm2_flushcontext "${SESSION_CTX}"  >/dev/null 2>&1
+
     POLICY_UPDATED="${POLICY_PATH}/policy.updated"
     POLICY_EFIBIN="${POLICY_PATH}/policy.efibin"
     POLICY_COMBINED="$(mktemp -t)"
@@ -186,7 +188,7 @@ updateKeys() {
         esac
 
         {
-            tpm2_flushcontext "${SESSION_CTX}"
+            tpm2_flushcontext "${SESSION_CTX}" 2>&1
 
             hw_encrypt_passphrase "$PASSPHRASE_FILE" "$POLICY" "$RESULT_DIR"
             rm -rf "${CURRENT_POLICY_PATH}"
diff --git a/meta-balena-common/recipes-support/hostapp-update-hooks/files/95-secureboot/2-fwd_commit_update-policy b/meta-balena-common/recipes-support/hostapp-update-hooks/files/95-secureboot/2-fwd_commit_update-policy
@@ -46,6 +46,8 @@ if [ "$(echo "${POLICIES}" | wc -w)" -gt 1 ]; then
 	update_reason="Combined policy in use"
 fi
 
+trap 'tpm2_flushcontext "${SESSION_CTX}"' EXIT
+
 if hw_decrypt_passphrase "${EFI_MOUNT_DIR}" "session:${SESSION_CTX}" "${PASSPHRASE_FILE}"; then
 	echo "Unlocked passphrase using pcr:sha256:0,2,3,7"
 elif hw_decrypt_passphrase "${EFI_MOUNT_DIR}" "pcr:sha256:0,1,2,3" "${PASSPHRASE_FILE}"; then
@@ -56,6 +58,8 @@ else
 	exit 1
 fi
 
+tpm2_flushcontext "${SESSION_CTX}" >/dev/null 2>&1
+
 POLICY="$(mktemp -t)"
 PCRS="0,2,3,7"
 PCR_VAL_BIN="$(mktemp -t)"
