log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
pubkey_pcr_mask = 0;
- } else {
- /* Also try to load the signature JSON object, to verify that our enrollment will work. This is optional however. */
+ } else if (signature_path) {
+ /* Also try to load the signature JSON object, to verify that our enrollment will work.
+ * This is optional however, skip it if it's not explicitly provided. */
r = tpm2_load_pcr_signature(signature_path, &signature_json);
if (r < 0) {
# Now, do the same, but with a cryptsetup binding
truncate -s 20M $img
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom $img /tmp/passphrase
+ # Ensure that an unrelated signature, when not requested, is not used
+ touch /run/systemd/tpm2-pcr-signature.json
+ systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" $img
+ # Reset and use the signature now
+ rm -f /run/systemd/tpm2-pcr-signature.json
+ systemd-cryptenroll --wipe-slot=tpm2 $img
systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature="/tmp/pcrsign.sig2" $img
# Check if we can activate that (without the token module stuff)