From: Lennart Poettering
Date: Wed, 29 Jan 2025 14:13:35 +0000 (+0100)
Subject: cryptenroll,repart: print a log message if no access restrictions are applied to...
X-Git-Tag: v258-rc1~1449^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F36200%2Fhead;p=thirdparty%2Fsystemd.git
cryptenroll,repart: print a log message if no access restrictions are applied to TPM-based encryption
---
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 101cc5f1dd1..8941d7a5ae8 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -697,6 +697,13 @@ static int parse_argv(int argc, char *argv[]) {
                         assert(arg_tpm2_public_key_pcr_mask == 0);
                         arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
                 }
+
+                if (arg_tpm2_n_hash_pcr_values == 0 &&
+                    !arg_tpm2_pin &&
+                    arg_tpm2_public_key_pcr_mask == 0 &&
+                    !arg_tpm2_pcrlock)
+                        log_notice("Notice: enrolling TPM2 with an empty policy, i.e. without any state or access restrictions.\n"
+                                   "Use --tpm2-public-key=, --tpm2-pcrlock=, --tpm2-with-pin= or --tpm2-pcrs= to enable one or more restrictions.");
         }
         return 1;
diff --git a/src/repart/repart.c b/src/repart/repart.c
index 9f7d9c75d0a..05b9f6d4373 100644
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@@ -4597,6 +4597,12 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
                 int keyslot;
                 TPM2Flags flags = 0;
+                if (arg_tpm2_n_hash_pcr_values == 0 &&
+                    arg_tpm2_public_key_pcr_mask == 0 &&
+                    !arg_tpm2_pcrlock)
+                        log_notice("Notice: encrypting future partition %" PRIu64 ", locking against TPM2 with an empty policy, i.e. without any state or access restrictions.\n"
+                                   "Use --tpm2-public-key=, --tpm2-pcrlock=, or --tpm2-pcrs= to enable one or more restrictions.", p->partno);
+
                 if (arg_tpm2_public_key_pcr_mask != 0) {
                         r = tpm2_load_pcr_public_key(arg_tpm2_public_key, &pubkey.iov_base, &pubkey.iov_len);
                         if (r < 0) {
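Review bot: The new notice in parse_argv tells the user the policy is empty but not what that costs them, which is the part an operator needs before accepting it: with no PCR values, no PIN, no public-key PCR mask and no pcrlock policy, the only thing protecting the sealed LUKS key is possession of this particular TPM, so, as far as I can tell from the sealing options involved, anything able to talk to that TPM (another OS booted on the same machine included) can unseal it. I would extend the first line of the message to spell that out, e.g. `"Notice: enrolling TPM2 with an empty policy, i.e. without any state or access restrictions; any software with access to this TPM can unseal the key.\n"`. The placement itself looks right, since it follows the public-key PCR mask defaulting visible just above and so reflects the effective rather than the requested policy. parse_argv begins and ends outside the hunk.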
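Review bot: The predicate added to partition_encrypt is the same test over global arguments that cryptenroll now carries, minus the PIN term, so the two conditions will drift apart the next time a restriction type is added; a small shared helper taking the PCR-value count, the public-key PCR mask and the pcrlock path, with cryptenroll adding its PIN check on top, would keep the definition of "empty policy" in one place. Because the condition reads only `arg_*` globals while this code presumably runs once per partition, the notice will repeat for every TPM2-encrypted partition; that is defensible given the partition number in the message, but deserves a one-line comment such as `/* The policy is global, so this notice intentionally repeats per encrypted partition. */`. The condition also matches the `arg_tpm2_public_key_pcr_mask != 0` gate directly below it, so the notice and the actual policy construction agree. partition_encrypt's body starts and ends outside the hunk.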