pcrlock: log if we generate an "empty" policy

Such a policy won't provide any protection, but it's still entirely fine
to have it like this in various contexts, for example at OS install
time, to allocate the nvindex and reference it in enrollments. However,
it does deserve mention, hence log about it at LOG_NOTICE level.

This is based on a similar patch by Arnaud Patard
<arnaud.patard@collabora.com> proposed at #33663.

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 21d83801d98f75fb8224d49954fcd3fd968f1d5b..46e971f4bfe5259dc31474d68db184555e736fa6 100644 (file)
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4438,6 +4438,9 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
         if (r < 0)
                 return r;
 
+        if (!force && new_prediction.pcrs == 0)
+                log_notice("Set of PCRs to use for policy is empty. Generated policy will not provide any protection in its current form. Proceeding.");
+
         usec_t predict_start_usec = now(CLOCK_MONOTONIC);
 
         r = tpm2_pcr_prediction_run(el, &new_prediction);