From: Kai Lüke Date: Mon, 29 Jun 2026 14:26:37 +0000 (+0900) Subject: cryptsetup: Reduce log level for TPM mismatches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=14c0b8414f17f5f4cc2c8b8808b122d33dab466d;p=thirdparty%2Fsystemd.git cryptsetup: Reduce log level for TPM mismatches When we iterate over tokens we should not print mismatches as errors but rather warnings. At the end there is still a summary with the notice level (gated by found_some) which the user can relate to the warnings. --- diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c index 761eb1f7193..d53b00518c7 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c @@ -112,18 +112,18 @@ int acquire_luks2_key( srk, ret_decrypted_key); if (r == -EREMOTE) - return log_error_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM."); + return log_warning_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM."); if (r == -EILSEQ) return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Bad PIN."); /* cryptsetup docs say we should return ENOANO on bad PIN */ if (r == -ENOLCK) return log_error_errno(r, "TPM is in dictionary attack lock-out mode."); if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r)) { - log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m"); + log_warning_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m"); /* Normalize to -EPERM so callers don't confuse it with -ENOANO's "needs PIN" meaning. */ return -EPERM; } if (r == -ENOSTR) - return log_error_errno(r, "No signature for current PCR policy in TPM2 signature JSON, token does not apply to current boot state: %m"); + return log_warning_errno(r, "No signature for current PCR policy in TPM2 signature JSON, token does not apply to current boot state: %m"); if (r < 0) return log_error_errno(r, "Failed to unseal secret using TPM2: %m"); diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c index 66fbfeb18b8..7a0b9a236da 100644 --- a/src/shared/cryptsetup-tpm2.c +++ b/src/shared/cryptsetup-tpm2.c @@ -174,14 +174,14 @@ int acquire_tpm2_key( srk, ret_decrypted_key); if (r == -EREMOTE) - return log_error_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM."); + return log_warning_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM."); if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r)) { - log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m"); + log_warning_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m"); /* Normalize to -EPERM so callers don't confuse it with -ENOANO's "needs PIN" meaning. */ return -EPERM; } if (r == -ENOSTR) - return log_error_errno(r, "No signature for current PCR policy in TPM2 signature JSON, token does not apply to current boot state: %m"); + return log_warning_errno(r, "No signature for current PCR policy in TPM2 signature JSON, token does not apply to current boot state: %m"); if (r < 0) return log_error_errno(r, "Failed to unseal secret using TPM2: %m"); @@ -232,14 +232,14 @@ int acquire_tpm2_key( srk, ret_decrypted_key); if (r == -EREMOTE) - return log_error_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM."); + return log_warning_errno(r, "TPM key integrity check failed or NV index unusable. Key enrolled in superblock most likely does not belong to this TPM."); if (ERRNO_IS_NEG_TPM2_UNSEAL_BAD_PCR(r)) { - log_error_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m"); + log_warning_errno(r, "TPM policy does not match current system state. Either system has been tempered with or policy out-of-date: %m"); /* Normalize to -EPERM so callers don't confuse it with -ENOANO's "needs PIN" meaning. */ return -EPERM; } if (r == -ENOSTR) - return log_error_errno(r, "No signature for current PCR policy in TPM2 signature JSON, token does not apply to current boot state: %m"); + return log_warning_errno(r, "No signature for current PCR policy in TPM2 signature JSON, token does not apply to current boot state: %m"); if (r == -ENOLCK) return log_error_errno(r, "TPM is in dictionary attack lock-out mode."); if (r == -EILSEQ) {