cryptsetup: move default choice of nvpcr for keyslots from generator into cryptsetup

Let's pick the default NvPCR name to use inside of cryptsetup itself, instead
of in the generator. I think this is the better choice, since it means
the default can also be used if the regular verittab generator is used
instead of the gpt-auto generator.

diff --git a/man/crypttab.xml b/man/crypttab.xml
index f0d0ead947cd255d5c4d4c3afc42794d15659a88..d57823f88ad73da16896f136191ea7cd436df1f4 100644 (file)
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -945,12 +945,12 @@
         <term><option>tpm2-measure-keyslot-nvpcr=</option></term>
 
         <listitem><para>Controls whether to measure information about the used LUKS unlock keyslot to a TPM2
-        non-volatile index (nvindex in PCR mode). If set to to an empty string (which is the default) no TPM2
-        nvindex extension is done, otherwise keyslot information is measured to an nvindex of the specified
-        name, which is allocated if needed. It is recommended to set this to <literal>cryptsetup</literal> to
-        enable this logic. The slot index and the used unlock mechanism (i.e. <literal>tpm2</literal>,
-        <literal>fido2</literal>, <literal>pkcs11</literal>) is measured along with the activated volume name
-        and its UUID.</para>
+        non-volatile index (nvindex in PCR mode). Takes a boolean argument, or an NvPCR name. If set to false
+        or an empty string (which is the default) no TPM2 nvindex extension is done, otherwise keyslot
+        information is measured to an nvindex of the specified name, which is allocated if needed. If set to
+        true the recommended default of <literal>cryptsetup</literal> is selected as NvPCR. The slot index
+        and the used unlock mechanism (i.e. <literal>tpm2</literal>, <literal>fido2</literal>,
+        <literal>pkcs11</literal>) are measured along with the activated volume name and its UUID.</para>
 
         <xi:include href="version-info.xml" xpointer="v259"/></listitem>
       </varlistentry>

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index f715494418b425fba532125cd77a5f004624583c..d3e4ce3747faa64f69a5fdaa90af35bc07b58832 100644 (file)
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -557,12 +557,14 @@ static int parse_one_option(const char *option) {
 
         } else if ((val = startswith(option, "tpm2-measure-keyslot-nvpcr="))) {
 
-                if (isempty(val)) {
+                r = isempty(val) ? false : parse_boolean(val);
+                if (r == 0) {
                         arg_tpm2_measure_keyslot_nvpcr = mfree(arg_tpm2_measure_keyslot_nvpcr);
                         return 0;
                 }
-
-                if (!tpm2_nvpcr_name_is_valid(val)) {
+                if (r > 0)
+                        val = "cryptsetup";
+                else if (!tpm2_nvpcr_name_is_valid(val)) {
                         log_warning("Invalid NvPCR name, ignoring: %s", option);
                         return 0;
                 }

diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index 5a4e5d101e2602bef6343672aa4e22f610e39388..9e20e23abfe88ef2cbb475612ead213b504aebe8 100644 (file)
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -127,7 +127,7 @@ static int add_cryptsetup(
                  * assignment, under the assumption that people who are fine to use sd-stub with its PCR
                  * assignments are also OK with our PCR 15 use here. */
                 if (r > 0)
-                        if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes,tpm2-measure-keyslot-nvpcr=cryptsetup"))
+                        if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes,tpm2-measure-keyslot-nvpcr=yes"))
                                 return log_oom();
                 if (r == 0)
                         log_debug("Will not measure volume key of volume '%s', not booted via systemd-stub with measurements enabled.", id);