From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 17 Apr 2024 17:02:18 +0000 (+0200)
Subject: pcrlock: generate recovery PINs via make_recovery_key()
X-Git-Tag: v256-rc1~127^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ec4c098ddc03ce548af9a34e91063b84f292290;p=thirdparty%2Fsystemd.git

pcrlock: generate recovery PINs via make_recovery_key()

We already have infrastructure for generating nice recovery keys, for
the usual cryptenroll recovery keys. Let's reuse them here, as they are
nicer to read and type than the base64 encoded randomness we so far
used.

Previously valid recovery keys remain valid, in their original format.
For future enrollments we'll however have nicer, easier recovery keys to
deal with.
---

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index fa382a22d8a..6651b1e3e1e 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4473,16 +4473,9 @@ static int make_policy(bool force, bool recovery_pin) {
                 }
 
         } else if (!have_old_policy) {
-                char rnd[256];
-
-                r = crypto_random_bytes(rnd, sizeof(rnd));
+                r = make_recovery_key(&pin);
                 if (r < 0)
                         return log_error_errno(r, "Failed to generate a randomized recovery PIN: %m");
-
-                (void) base64mem(rnd, sizeof(rnd), &pin);
-                explicit_bzero_safe(rnd, sizeof(rnd));
-                if (!pin)
-                        return log_oom();
         }
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *nv_handle = NULL;