From: Lennart Poettering Date: Wed, 11 Feb 2026 15:29:19 +0000 (+0100) Subject: cryptsetup: move default choice of nvpcr for keyslots from generator into cryptsetup X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d84d17853e120d2074d7f1a973fc965c6f7200f9;p=thirdparty%2Fsystemd.git cryptsetup: move default choice of nvpcr for keyslots from generator into cryptsetup Let's pick the default NvPCR name to use inside of cryptsetup itself, instead of in the generator. I think this is the better choice, since it means the default can also be used if the regular verittab generator is used instead of the gpt-auto generator. --- diff --git a/man/crypttab.xml b/man/crypttab.xml index f0d0ead947c..d57823f88ad 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -945,12 +945,12 @@ Controls whether to measure information about the used LUKS unlock keyslot to a TPM2 - non-volatile index (nvindex in PCR mode). If set to to an empty string (which is the default) no TPM2 - nvindex extension is done, otherwise keyslot information is measured to an nvindex of the specified - name, which is allocated if needed. It is recommended to set this to cryptsetup to - enable this logic. The slot index and the used unlock mechanism (i.e. tpm2, - fido2, pkcs11) is measured along with the activated volume name - and its UUID. + non-volatile index (nvindex in PCR mode). Takes a boolean argument, or an NvPCR name. If set to false + or an empty string (which is the default) no TPM2 nvindex extension is done, otherwise keyslot + information is measured to an nvindex of the specified name, which is allocated if needed. If set to + true the recommended default of cryptsetup is selected as NvPCR. The slot index + and the used unlock mechanism (i.e. tpm2, fido2, + pkcs11) are measured along with the activated volume name and its UUID. diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index f715494418b..d3e4ce3747f 100644 --- a/src/cryptsetup/cryptsetup.c 
+++ b/src/cryptsetup/cryptsetup.c @@ -557,12 +557,14 @@ static int parse_one_option(const char *option) { } else if ((val = startswith(option, "tpm2-measure-keyslot-nvpcr="))) { - if (isempty(val)) { + r = isempty(val) ? false : parse_boolean(val); + if (r == 0) { arg_tpm2_measure_keyslot_nvpcr = mfree(arg_tpm2_measure_keyslot_nvpcr); return 0; } - - if (!tpm2_nvpcr_name_is_valid(val)) { + if (r > 0) + val = "cryptsetup"; + else if (!tpm2_nvpcr_name_is_valid(val)) { log_warning("Invalid NvPCR name, ignoring: %s", option); return 0; } diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index 5a4e5d101e2..9e20e23abfe 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -127,7 +127,7 @@ static int add_cryptsetup( * assignment, under the assumption that people who are fine to use sd-stub with its PCR * assignments are also OK with our PCR 15 use here. */ if (r > 0) - if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes,tpm2-measure-keyslot-nvpcr=cryptsetup")) + if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes,tpm2-measure-keyslot-nvpcr=yes")) return log_oom(); if (r == 0) log_debug("Will not measure volume key of volume '%s', not booted via systemd-stub with measurements enabled.", id);
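Review bot: in the man/crypttab.xml hunk, "Takes a boolean argument, or an NvPCR name." leaves unstated what happens when an NvPCR name is itself spelled like a boolean (for example "yes" or "no"): with the matching cryptsetup.c change such a string is consumed as a boolean before the name check runs, so it can never be selected as a name through this option. Either state that boolean-looking values are always interpreted as booleans, or list the accepted spellings; as written, "or an NvPCR name" suggests any valid name works. Minor: the default name "cryptsetup" is now spelled out here and again in the cryptsetup.c hunk; sourcing both from one place keeps the man page and the parser from drifting apart.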
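Review bot: in the src/cryptsetup/cryptsetup.c hunk, evaluating `r = isempty(val) ? false : parse_boolean(val);` before `tpm2_nvpcr_name_is_valid(val)` means any value parse_boolean() accepts is never treated as a name, so an explicitly configured NvPCR named "no" silently clears the setting and one named "yes" silently becomes "cryptsetup" without any log line. If such names are valid NvPCR names, consider either rejecting the ambiguous case with a log_warning() like the existing invalid-name branch, or documenting the precedence in the man page. Two smaller points: the name path is only reached when parse_boolean() returns a negative value, which in this code base usually signals an error, so a one-line comment ("negative means not a boolean, treat as name") would stop a reader from misreading the `else if`; and the ternary mixes `false` with parse_boolean()'s int result, where `0` reads more naturally given the `r == 0` and `r > 0` comparisons right below. The literal "cryptsetup" also duplicates the one in the man page; a shared constant (name to be chosen, none exists in the visible lines) would keep parser, generator and documentation consistent.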
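Review bot: in the src/gpt-auto-generator/gpt-auto-generator.c hunk, the comment block ending at `assignments are also OK with our PCR 15 use here. */` still only justifies the PCR 15 choice, while the option string it guards changes to `tpm2-measure-pcr=yes,tpm2-measure-keyslot-nvpcr=yes` and the generator no longer names the NvPCR at all; add one sentence there saying the NvPCR name is now left to cryptsetup's own default so a reader of this file does not go looking for where the name went. Otherwise the change is consistent with the parser hunk: "yes" parses as boolean true and selects the same "cryptsetup" name the generator passed explicitly before.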