<varlistentry>
<term><option>tpm2-pcrs=</option></term>
- <listitem><para>Takes a comma separated list of numeric TPM2 PCR (i.e. "Platform Configuration
- Register") indexes to bind the TPM2 volume unlocking to. This option is only useful when TPM2
- enrollment metadata is not available in the LUKS2 JSON token header already, the way
+ <listitem><para>Takes a <literal>+</literal> separated list of numeric TPM2 PCR (i.e. "Platform
+ Configuration Register") indexes to bind the TPM2 volume unlocking to. This option is only useful
+ when TPM2 enrollment metadata is not available in the LUKS2 JSON token header already, the way
<command>systemd-cryptenroll</command> writes it there. If not used (and no metadata in the LUKS2
JSON token header defines it), defaults to a list of a single entry: PCR 7. Assign an empty string to
encode a policy that binds the key to no PCRs, making the key accessible to local programs regardless
<varlistentry>
<term><command>terminate-session</command> <replaceable>ID</replaceable>…</term>
- <listitem><para>Terminates a session. This kills all processes
- of the session and deallocates all resources attached to the
- session. </para></listitem>
+ <listitem><para>Terminates a session. This kills all processes of the session and deallocates all
+ resources attached to the session. If the argument is specified as empty string the session invoking
+ the command is terminated.</para></listitem>
</varlistentry>
<varlistentry>
<term><command>kill-session</command> <replaceable>ID</replaceable>…</term>
- <listitem><para>Send a signal to one or more processes of the
- session. Use <option>--kill-who=</option> to select which
- process to kill. Use <option>--signal=</option> to select the
- signal to send.</para></listitem>
+ <listitem><para>Send a signal to one or more processes of the session. Use
+ <option>--kill-who=</option> to select which process to kill. Use <option>--signal=</option> to
+ select the signal to send. If the argument is specified as empty string the signal is sent to the
+ session invoking the command.</para></listitem>
</varlistentry>
</variablelist></refsect2>
<varlistentry>
<term><command>terminate-user</command> <replaceable>USER</replaceable>…</term>
- <listitem><para>Terminates all sessions of a user. This kills
- all processes of all sessions of the user and deallocates all
- runtime resources attached to the user.</para></listitem>
+ <listitem><para>Terminates all sessions of a user. This kills all processes of all sessions of the
+ user and deallocates all runtime resources attached to the user. If the argument is specified as
+ empty string the sessions of the user invoking the command are terminated.</para></listitem>
</varlistentry>
<varlistentry>
<term><command>kill-user</command> <replaceable>USER</replaceable>…</term>
- <listitem><para>Send a signal to all processes of a user. Use
- <option>--signal=</option> to select the signal to send.
- </para></listitem>
+ <listitem><para>Send a signal to all processes of a user. Use <option>--signal=</option> to select
+ the signal to send. If the argument is specified as empty string the signal is sent to the sessions
+ of the user invoking the command.</para></listitem>
</varlistentry>
</variablelist></refsect2>
<term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term>
<listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind the enrollment
- requested via <option>--tpm2-device=</option> to. Takes a comma separated list of numeric PCR indexes
- in the range 0…23. If not used, defaults to PCR 7 only. If an empty string is specified, binds the
- enrollment to no PCRs at all. PCRs allow binding the enrollment to specific software versions and
- system state, so that the enrolled unlocking key is only accessible (may be "unsealed") if specific
- trusted software and/or configuration is used.</para></listitem>
+ requested via <option>--tpm2-device=</option> to. Takes a <literal>+</literal> separated list of
+ numeric PCR indexes in the range 0…23. If not used, defaults to PCR 7 only. If an empty string is
+ specified, binds the enrollment to no PCRs at all. PCRs allow binding the enrollment to specific
+ software versions and system state, so that the enrolled unlocking key is only accessible (may be
+ "unsealed") if specific trusted software and/or configuration is used.</para></listitem>
<table>
<title>Well-known PCR Definitions</title>
return ignore ? 0 : -ENOEXEC;
}
- if (!path_is_absolute(path) && !filename_is_valid(path)) {
+ if (!(path_is_absolute(path) ? path_is_valid(path) : filename_is_valid(path))) {
log_syntax(unit, ignore ? LOG_WARNING : LOG_ERR, filename, line, 0,
"Neither a valid executable name nor an absolute path%s: %s",
ignore ? ", ignoring" : "", path);
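Review bot: The new condition also rejects absolute paths that fail path_is_valid(), but the diagnostic two lines below still reads "Neither a valid executable name nor an absolute path", so a malformed absolute path (for example an over-long one) is reported as if it were not absolute at all. Adjusting the message keeps the log honest about what was checked: `"Neither a valid executable name nor a valid absolute path%s: %s",`. The enclosing function starts and ends outside the hunk.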
r = extract_first_word(&value, &fdn, NULL, EXTRACT_CUNESCAPE | EXTRACT_UNQUOTE);
if (r <= 0) {
- log_unit_debug_errno(u, r, "Failed to parse fd-store-fd value \"%s\": %m", value);
+ log_unit_debug(u, "Failed to parse fd-store-fd value: %s", value);
return 0;
}
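Review bot: Replacing log_unit_debug_errno() with log_unit_debug() drops the error code for the r < 0 case, so a genuine extraction failure (allocation or quoting error) is now logged indistinguishably from the r == 0 "no value" case the change presumably targets, since `%m` with r == 0 would have printed "Success". Keeping both paths distinct costs two lines: `if (r < 0) log_unit_debug_errno(u, r, "Failed to parse fd-store-fd value \"%s\": %m", value); else log_unit_debug(u, "Missing fd-store-fd value, ignoring.");`. The enclosing function starts and ends outside the hunk.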
" Whether to require user verification to unlock the volume\n"
" --tpm2-device=PATH\n"
" Enroll a TPM2 device\n"
- " --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
+ " --tpm2-pcrs=PCR1+PCR2+PCR3,…\n"
" Specify TPM2 PCRs to seal against\n"
" --wipe-slot=SLOT1,SLOT2,…\n"
" Wipe specified slots\n"
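Review bot: The rewritten usage line mixes the two separators, `PCR1+PCR2+PCR3,…`, which reads as a typo rather than as a hint that both "," and "+" are accepted, and it differs from the same option's help text in the repart hunk further down, which uses `PCR1+PCR2+PCR3+…`. Suggest `"     --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"` here so both tools advertise the form that also works unescaped in crypttab. The enclosing help() string starts and ends outside the hunk.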
for (int i = 1; i < argc; i++) {
uid_t uid;
- r = get_user_creds((const char**) (argv+i), &uid, NULL, NULL, NULL, 0);
- if (r < 0)
- return log_error_errno(r, "Failed to look up user %s: %m", argv[i]);
+ if (isempty(argv[i]))
+ uid = getuid();
+ else {
+ const char *u = argv[i];
+
+ r = get_user_creds(&u, &uid, NULL, NULL, NULL, 0);
+ if (r < 0)
+ return log_error_errno(r, "Failed to look up user %s: %m", argv[i]);
+ }
r = bus_call_method(bus, bus_login_mgr, "TerminateUser", &error, NULL, "u", (uint32_t) uid);
if (r < 0)
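Review bot: The empty-argument branch added here is duplicated verbatim in the kill_user hunk that follows, including the getuid() fallback and the lookup error message, so the two will drift apart on the next change. A small file-scope helper, `static int resolve_user_arg(const char *s, uid_t *ret_uid)`, returning getuid() for an empty string and the get_user_creds() result otherwise, would let both loops become a single call followed by the existing `if (r < 0) return log_error_errno(...)` line. Note that the behaviour chosen is the real uid via getuid(); if the intent was "the user this process runs as" for a privilege-changed invocation, geteuid() would be the one to confirm. Both enclosing functions start and end outside their hunks.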
for (int i = 1; i < argc; i++) {
uid_t uid;
- r = get_user_creds((const char**) (argv+i), &uid, NULL, NULL, NULL, 0);
- if (r < 0)
- return log_error_errno(r, "Failed to look up user %s: %m", argv[i]);
+ if (isempty(argv[i]))
+ uid = getuid();
+ else {
+ const char *u = argv[i];
+
+ r = get_user_creds(&u, &uid, NULL, NULL, NULL, 0);
+ if (r < 0)
+ return log_error_errno(r, "Failed to look up user %s: %m", argv[i]);
+ }
r = bus_call_method(
bus,
" --definitions=DIR Find partition definitions in specified directory\n"
" --key-file=PATH Key to use when encrypting partitions\n"
" --tpm2-device=PATH Path to TPM2 device node to use\n"
- " --tpm2-pcrs=PCR1,PCR2,…\n"
+ " --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
" TPM2 PCR indexes to use for TPM2 enrollment\n"
" --seed=UUID 128bit seed UUID to derive all UUIDs from\n"
" --size=BYTES Grow loopback file to specified size\n"
return -EINVAL;
#elif HAVE_LIBIDN
_cleanup_free_ char *buf = NULL;
- size_t n = 0, allocated = 0;
+ size_t n = 0;
bool first = true;
int r, q;
if (q > 0)
r = q;
- if (!GREEDY_REALLOC(buf, allocated, n + !first + DNS_LABEL_ESCAPED_MAX))
+ if (!GREEDY_REALLOC(buf, n + !first + DNS_LABEL_ESCAPED_MAX))
return -ENOMEM;
r = dns_label_escape(label, r, buf + n + !first, DNS_LABEL_ESCAPED_MAX);
if (n > DNS_HOSTNAME_MAX)
return -EINVAL;
- if (!GREEDY_REALLOC(buf, allocated, n + 1))
+ if (!GREEDY_REALLOC(buf, n + 1))
return -ENOMEM;
buf[n] = 0;
uint32_t mask = 0;
int r;
- /* Parses a comma-separated list of PCR indexes */
+ assert(s);
+
+ if (isempty(s)) {
+ *ret = 0;
+ return 0;
+ }
+
+ /* Parses a "," or "+" separated list of PCR indexes. We support "," since this is a list after all,
+ * and most other tools expect comma separated PCR specifications. We also support "+" since in
+ * /etc/crypttab the "," is already used to separate options, hence a different separator is nice to
+ * avoid escaping. */
for (;;) {
_cleanup_free_ char *pcr = NULL;
unsigned n;
- r = extract_first_word(&p, &pcr, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
+ r = extract_first_word(&p, &pcr, ",+", EXTRACT_DONT_COALESCE_SEPARATORS);
if (r == 0)
break;
if (r < 0)
[['src/test/test-sleep.c']],
+ [['src/test/test-tpm2.c']],
+
[['src/test/test-replace-var.c']],
[['src/test/test-calendarspec.c']],
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "tpm2-util.h"
+#include "tests.h"
+
+static void test_tpm2_parse_pcrs(const char *s, uint32_t mask, int ret) {
+ uint32_t m;
+
+ assert_se(tpm2_parse_pcrs(s, &m) == ret);
+
+ if (ret >= 0)
+ assert_se(m == mask);
+}
+
+int main(int argc, char *argv[]) {
+
+ test_setup_logging(LOG_DEBUG);
+
+ test_tpm2_parse_pcrs("", 0, 0);
+ test_tpm2_parse_pcrs("0", 1, 0);
+ test_tpm2_parse_pcrs("1", 2, 0);
+ test_tpm2_parse_pcrs("0,1", 3, 0);
+ test_tpm2_parse_pcrs("0+1", 3, 0);
+ test_tpm2_parse_pcrs("0-1", 0, -EINVAL);
+ test_tpm2_parse_pcrs("0,1,2", 7, 0);
+ test_tpm2_parse_pcrs("0+1+2", 7, 0);
+ test_tpm2_parse_pcrs("0+1,2", 7, 0);
+ test_tpm2_parse_pcrs("0,1+2", 7, 0);
+ test_tpm2_parse_pcrs("0,2", 5, 0);
+ test_tpm2_parse_pcrs("0+2", 5, 0);
+ test_tpm2_parse_pcrs("foo", 0, -EINVAL);
+
+ return 0;
+}
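Review bot: The case table exercises separators and garbage input but never the documented index range 0…23, so an out-of-range index is not pinned; assuming tpm2_parse_pcrs() rejects it with -EINVAL as the man page text in this commit implies, add `test_tpm2_parse_pcrs("24", 0, -EINVAL);` and `test_tpm2_parse_pcrs("-1", 0, -EINVAL);`. A repeated index (`"7,7"`) and an empty field (`"0,,1"`) are also worth fixing to whatever the intended result is, since EXTRACT_DONT_COALESCE_SEPARATORS in the parser hunk makes the latter a distinct case from `"0,1"`. The unused argc/argv in main() could be dropped in favour of `int main(void)` unless tests.h requires the full signature.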