cryptenroll: fix bind default TPM2 signed policy to PCR 11
authorAntonio Alvarez Feijoo <antonio.feijoo@suse.com>
Thu, 26 Oct 2023 13:14:52 +0000 (15:14 +0200)
committerAntonio Alvarez Feijoo <antonio.feijoo@suse.com>
Thu, 26 Oct 2023 13:14:52 +0000 (15:14 +0200)
If `--tpm2-public-key=` is not specified but `tpm2-pcr-public-key.pem` exists
in /{etc,run,usr/lib}/systemd/, the default PCR 11 mask is not applied to the signed policy.

Fixes 9e437994

src/cryptenroll/cryptenroll-tpm2.c
src/cryptenroll/cryptenroll.c

index 631aeea3b58408f70ea7b5c5437ff2bf2308d86e..fab6fed09718fff0f3cb697e5e141ecd7695c0b4 100644 (file)
@@ -194,7 +194,7 @@ int enroll_tpm2(struct crypt_device *cd,
         r = tpm2_load_pcr_public_key(pubkey_path, &pubkey, &pubkey_size);
         if (r < 0) {
                 if (pubkey_path || signature_path || r != -ENOENT)
-                        return log_error_errno(r, "Failed read TPM PCR public key: %m");
+                        return log_error_errno(r, "Failed to read TPM PCR public key: %m");
 
                 log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
                 pubkey_pcr_mask = 0;
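Review bot: The fallback in the last two lines of the hunk silently downgrades the enrollment from a signed-PCR-policy binding to none, logging only at debug level, so an operator who expected `tpm2-pcr-public-key.pem` to be picked up from the default search locations gets no visible indication that the policy was dropped. Since this is a weaker binding than what the commit title promises by default, consider making it visible: `log_notice_errno(r, "No TPM2 PCR public key found in default locations, enrolling without signed PCR policy: %m");` in place of the `log_debug_errno` call. Whether an explicitly requested PCR mask can also reach this path and be zeroed is not visible from the hunk and would be worth confirming. enroll_tpm2() continues outside the hunk on both sides.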
index 174247907daa9036bffd2636e864259ee57e8db5..8b65485a294a0b9e472d9d32aa8a4bd4344bf99e 100644 (file)
@@ -500,7 +500,7 @@ static int parse_argv(int argc, char *argv[]) {
                 }
         }
 
-        if (auto_public_key_pcr_mask && arg_tpm2_public_key) {
+        if (auto_public_key_pcr_mask) {
                 assert(arg_tpm2_public_key_pcr_mask == 0);
                 arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
         }
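Review bot: The PCR 11 default is now applied before it is known whether any public key exists, and per the commit description it is enroll_tpm2() that clears the mask again when no key turns up in the default locations; that coupling is invisible at this site, and a reader of parse_argv() alone will assume a signed policy is always requested. A comment on the new `if` line would prevent that misreading: `/* Default to PCR 11 (kernel boot). enroll_tpm2() drops this again if no public key is found in the default search paths. */`. The preceding `assert(arg_tpm2_public_key_pcr_mask == 0)` still holds only if `auto_public_key_pcr_mask` is set exclusively when no mask was given on the command line, which is decided outside the hunk. parse_argv() continues outside the hunk.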