cryptenroll: don't try to get PCR bank if we know the device key
authorLennart Poettering <lennart@poettering.net>
Wed, 11 Sep 2024 15:28:43 +0000 (17:28 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 11 Sep 2024 19:07:53 +0000 (21:07 +0200)
If we operate in "offline" mode, i.e. know the device key, then we will
not have a TPM2 connection, hence don't try to read the PCR bank to use from
it.

We don't need it anyway because we are not going to test unseal things.

Fixes: #33855
src/cryptenroll/cryptenroll-tpm2.c

index ca1b433201af7302d1415eeecbe7ce058890bf6d..d58194fb85116bdc4e3ef62038cfeb6a7310188c 100644 (file)
@@ -425,7 +425,8 @@ int enroll_tpm2(struct crypt_device *cd,
                 r = tpm2_pcr_values_to_mask(hash_pcr_values, n_hash_pcr_values, hash_pcr_bank, &hash_pcr_mask);
                 if (r < 0)
                         return log_error_errno(r, "Could not get hash mask: %m");
-        } else if (pubkey_pcr_mask != 0) {
+
+        } else if (pubkey_pcr_mask != 0 && !device_key) {
 
                 /* If no literal PCR value policy is used, then let's determine the mask to use automatically
                  * from the measurements of the TPM. */
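Review bot: The comment at the end of the hunk still describes only the online path; with the added `!device_key` guard, an offline enrollment that passes a non-zero `pubkey_pcr_mask` skips the automatic bank lookup entirely, and presumably `hash_pcr_bank` then keeps whatever value it had on entry. That should be stated next to the condition, e.g. extend the comment with `* With a device key (offline mode) there is no TPM2 connection, so the bank is not queried and the caller-supplied bank and mask are used unchanged.` enroll_tpm2's body continues outside the hunk, so whether those unchanged values are checked later cannot be seen from here.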