From: Yu Watanabe
Date: Fri, 8 Aug 2025 04:09:14 +0000 (+0900)
Subject: pcrlock: make-policy should use path specified by --policy= rather than --pcrlock
X-Git-Tag: v258-rc3~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59c26be53c1181af3856cd16aad72a4524b17507;p=thirdparty%2Fsystemd.git

pcrlock: make-policy should use path specified by --policy= rather than --pcrlock

Follow-up for a43427013949c6593629f551cf46e9cf9c167100. Fixes #38506.
---
diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 72f02229010..eae3075f953 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4480,9 +4480,18 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
 if (DEBUG_LOGGING)
 (void) sd_json_variant_dump(new_prediction_json, SD_JSON_FORMAT_PRETTY_AUTO|SD_JSON_FORMAT_COLOR_AUTO, stderr, NULL);
 
- _cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy old_policy = {};
+ /* v257 and older mistakenly used --pcrlock= for the path. To keep backward compatibility, let's fallback to it when
+ * --policy= is unspecified but --pcrlock is specified. */
+ if (!arg_policy_path && arg_pcrlock_path) {
+ log_notice("Specified --pcrlock= option for make-policy command. Please use --policy= instead.");
 
- r = tpm2_pcrlock_policy_load(arg_pcrlock_path, &old_policy);
+ arg_policy_path = strdup(arg_pcrlock_path);
+ if (!arg_policy_path)
+ return log_oom();
+ }
+
+ _cleanup_(tpm2_pcrlock_policy_done) Tpm2PCRLockPolicy old_policy = {};
+ r = tpm2_pcrlock_policy_load(arg_policy_path, &old_policy);
 if (r < 0)
 return r;
 
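Review bot: The notice in the new fallback branch does not name the path it takes over, so a log reader cannot tell which file make-policy will load as the old policy and, at `const char *path = arg_policy_path ?: …` in the later hunk, overwrite. Including the value would make that auditable, for example `log_notice("--pcrlock=%s was specified for make-policy, using it as --policy=. Please use --policy= instead.", arg_pcrlock_path);`. The branch also assigns the global `arg_policy_path` from inside make_policy(), whose body starts and ends outside this hunk. Everything that runs afterwards therefore sees the option as if it had been given explicitly, and the comment above the branch could say that this is intended.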
@@ -4825,12 +4834,12 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
 if (r < 0)
 return log_error_errno(r, "Failed to format new configuration to JSON: %m");
 
- const char *path = arg_pcrlock_path ?: (in_initrd() ? "/run/systemd/pcrlock.json" : "/var/lib/systemd/pcrlock.json");
+ const char *path = arg_policy_path ?: (in_initrd() ? "/run/systemd/pcrlock.json" : "/var/lib/systemd/pcrlock.json");
 r = write_string_file(path, text, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_SYNC|WRITE_STRING_FILE_MKDIR_0755);
 if (r < 0)
 return log_error_errno(r, "Failed to write new configuration to '%s': %m", path);
 
- if (!arg_pcrlock_path && !in_initrd()) {
+ if (!arg_policy_path && !in_initrd()) {
 r = remove_policy_file("/run/systemd/pcrlock.json");
 if (r < 0)
 return r;
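Review bot: The check `!arg_policy_path && !in_initrd()` no longer means "no --policy= was given" on its own, because the compatibility branch earlier in make_policy() fills `arg_policy_path` from `--pcrlock=`. In that case the `/run/systemd/pcrlock.json` cleanup is skipped just as for an explicit `--policy=`. That appears to match the previous behaviour keyed on `arg_pcrlock_path`, but it is not evident at this spot. A comment above the check would help, for example `/* arg_policy_path is also set by the legacy --pcrlock= fallback above, so the copy in /run/ is left alone in that case too. */`. The function continues past the end of the hunk.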