From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 11 Sep 2024 09:44:02 +0000 (+0200)
Subject: pcrlock: log if we generate an "empty" policy
X-Git-Tag: v257-rc1~484
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9807539b034ae5995033a994588debbd8461067;p=thirdparty%2Fsystemd.git

pcrlock: log if we generate an "empty" policy

Such a policy won't provide any protection, but it's still entirely fine
to have it like this in various contexts, for example at OS install
time, to allocate the nvindex and reference it in enrollments. However,
it does deserve mention, hence log about it at LOG_NOTICE level.

This is based on a similar patch by Arnaud Patard
<arnaud.patard@collabora.com> proposed at #33663.
---

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 21d83801d98..46e971f4bfe 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4438,6 +4438,9 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
         if (r < 0)
                 return r;
 
+        if (!force && new_prediction.pcrs == 0)
+                log_notice("Set of PCRs to use for policy is empty. Generated policy will not provide any protection in its current form. Proceeding.");
+
         usec_t predict_start_usec = now(CLOCK_MONOTONIC);
 
         r = tpm2_pcr_prediction_run(el, &new_prediction);