If UINT32_MAX is passed in the PCR masks, pick some reasonable defaults
in encrypt_credential_and_warn().
These defaults copy what "systemd-creds encrypt" uses. By adding these
defaults to the internal functions, any user of them can benefit from
them.
#include "stat-util.h"
#include "string-util.h"
#include "tmpfile-util.h"
+#include "tpm2-pcr.h"
#include "tpm2-util.h"
#include "user-util.h"
return log_error_errno(r, "Failed to determine local credential host secret: %m");
}
+ if (tpm2_hash_pcr_mask == UINT32_MAX)
+ tpm2_hash_pcr_mask = 0;
+ if (tpm2_pubkey_pcr_mask == UINT32_MAX)
+ tpm2_pubkey_pcr_mask = UINT32_C(1) << TPM2_PCR_KERNEL_BOOT;
+
#if HAVE_TPM2
bool try_tpm2;
if (CRED_KEY_WANTS_TPM2(with_key)) {
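Review bot: The new UINT32_MAX checks ahead of `#if HAVE_TPM2` give the sentinel a meaning that nothing at this site documents, and the chosen defaults have a security consequence worth spelling out: a hash mask of 0 binds the credential to no literal PCR values, so the only PCR binding left is the signed policy for TPM2_PCR_KERNEL_BOOT. I would add a comment above the checks such as `/* UINT32_MAX = caller has no preference: no literal PCR binding, signed-policy binding to the kernel-boot PCR only, same as "systemd-creds encrypt" */`. Whether that signed-policy binding takes effect when no public key is available is decided further down, outside this hunk, so it is worth confirming that such a caller does not end up, without noticing, with a credential that has no PCR binding at all. The body of encrypt_credential_and_warn() starts and ends outside the hunk.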