Revert "Add null key verfication to detect TPM reset attacks"

shjala · eriknordmark · commit 50fd83d5fb09 · 2026-01-20T16:35:54.000-08:00
This reverts commit 9c11d07. Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>
diff --git a/pkg/pillar/cmd/tpmmgr/tpmmgr.go b/pkg/pillar/cmd/tpmmgr/tpmmgr.go
@@ -314,11 +314,6 @@ func getQuote(nonce []byte) ([]byte, []byte, []types.PCRValue, error) {
 		return nil, nil, nil, fmt.Errorf("invalid nonce length %d", len(nonce))
 	}
 
-	// First make sure TPM is somewhat trustworthy
-	if err := etpm.ValidateKernelNullPrimary(log); err != nil {
-		return nil, nil, nil, fmt.Errorf("failed to verify null primary, possibly due to a tpm reset attack: %v", err)
-	}
-
 	rw, err := tpm2.OpenTPM(etpm.TpmDevicePath)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("unable to open TPM device handle (%v), returning empty quote/PCRs", err)
diff --git a/pkg/pillar/evetpm/null_key.go b/pkg/pillar/evetpm/null_key.go
diff --git a/pkg/pillar/evetpm/tpm.go b/pkg/pillar/evetpm/tpm.go
@@ -231,32 +231,6 @@ var (
 			CurveID: tpm2.CurveNISTP256,
 		},
 	}
-	// NullKeyTemplate is used for detecting TPM reset attacks
-	NullKeyTemplate = tpm2.Public{
-		Type:    tpm2.AlgECC,    // TPM_ALG_ECC
-		NameAlg: tpm2.AlgSHA256, // TPM_ALG_SHA256
-		Attributes: tpm2.FlagFixedTPM | tpm2.FlagFixedParent | tpm2.FlagSensitiveDataOrigin |
-			tpm2.FlagUserWithAuth | tpm2.FlagNoDA | tpm2.FlagRestricted | tpm2.FlagDecrypt, // TPM2_OA_NULL_KEY
-		AuthPolicy: []byte{}, // Empty auth policy
-		ECCParameters: &tpm2.ECCParams{
-			Symmetric: &tpm2.SymScheme{
-				Alg:     tpm2.AlgAES, // TPM_ALG_AES
-				KeyBits: 128,         // AES_KEY_BITS (128)
-				Mode:    tpm2.AlgCFB, // TPM_ALG_CFB
-			},
-			Sign: &tpm2.SigScheme{
-				Alg: tpm2.AlgNull, // TPM_ALG_NULL
-			},
-			CurveID: tpm2.CurveNISTP256, // TPM2_ECC_NIST_P256
-			KDF: &tpm2.KDFScheme{
-				Alg: tpm2.AlgNull, // TPM_ALG_NULL
-			},
-			Point: tpm2.ECPoint{
-				XRaw: []byte{}, // Zero size X point
-				YRaw: []byte{}, // Zero size Y point
-			},
-		},
-	}
 )
 
 // GetTpmLogFileNames returns paths to saved TPM logs
@@ -772,11 +746,6 @@ func FetchSealedVaultKey(log *base.LogObject) ([]byte, error) {
 
 // SealDiskKey seals key into TPM2.0, with provided PCRs
 func SealDiskKey(log *base.LogObject, key []byte, pcrSel tpm2.PCRSelection) error {
-	// First make sure TPM is somewhat trustworthy
-	if err := ValidateKernelNullPrimary(log); err != nil {
-		return fmt.Errorf("failed to verify null primary, possibly due to a tpm reset attack: %v", err)
-	}
-
 	rw, err := tpm2.OpenTPM(TpmDevicePath)
 	if err != nil {
 		return err
@@ -904,11 +873,6 @@ func isLegacyKeyPresent() bool {
 
 // UnsealDiskKey unseals key from TPM2.0
 func UnsealDiskKey(pcrSel tpm2.PCRSelection) ([]byte, error) {
-	// First make sure TPM is somewhat trustworthy
-	if err := ValidateKernelNullPrimary(nil); err != nil {
-		return nil, fmt.Errorf("failed to verify null primary, possibly due to a tpm reset attack: %v", err)
-	}
-
 	rw, err := tpm2.OpenTPM(TpmDevicePath)
 	if err != nil {
 		return nil, err
