From: Lennart Poettering
Date: Mon, 19 Feb 2024 16:34:20 +0000 (+0100)
Subject: cryptenroll: use a different credential for new PIN
X-Git-Tag: v256-rc1~797^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7252be60833c67077f8a27177ccc62888a91c539;p=thirdparty%2Fsystemd.git

cryptenroll: use a different credential for new PIN

The TPM2 enrollment is the only one of the three token enrollments where the user picks a PIN at enrollment time (the others have a PIN set for the token, not for the enrollment). Let's make sure it uses a different credential for retrieving this PIN, in order to make sure people can programmatically change PINs via credentials (in which case they need to supply both).
---
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index e5e0cd65294..d7497c756b4 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -91,7 +91,7 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) { .message = "Please enter TPM2 PIN:", .icon = "drive-harddisk", .keyring = "tpm2-pin", - .credential = "cryptenroll.tpm2-pin", + .credential = "cryptenroll.new-tpm2-pin", }; pin = strv_free_erase(pin);
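Review bot: In the get_pin() initializer only `.credential` is renamed, while `.keyring = "tpm2-pin"` and `.message = "Please enter TPM2 PIN:"` right above it keep the generic name, so the new PIN is separated from the existing one at the credential layer only. If cached keyring values are accepted on this path, a PIN stored under "tpm2-pin" could be handed back as the new PIN; consider a distinct keyring name for the enrollment PIN (provided no other caller relies on the current one) and a prompt that says it is asking for the new PIN, so an interactive user can tell the two requests apart. Also, a PIN passed as `cryptenroll.tpm2-pin` is no longer read here and nothing in this patch documents `cryptenroll.new-tpm2-pin`; a man page or NEWS entry with the change would help anyone who scripts enrollment.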