From: Lennart Poettering
Date: Mon, 10 Jun 2024 12:58:52 +0000 (+0200)
Subject: creds-util: initialize default PCR mask in encrypt_credential_and_warn()
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3e9ff7c0d8912b0a8ea01bb7e3355e4026ffa266;p=thirdparty%2Fsystemd.git
creds-util: initialize default PCR mask in encrypt_credential_and_warn()
If UINT32_MAX is passed in the PCR masks pick some reasonable defaults in encrypt_credential_and_warn(). These defaults copy what "systemd-creds encrypt" uses. By adding these defaults to the internal functions any user of them can take benefit of them.
---
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index c035dd671d2..ae448cbd59b 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -41,6 +41,7 @@
 #include "stat-util.h"
 #include "string-util.h"
 #include "tmpfile-util.h"
+#include "tpm2-pcr.h"
 #include "tpm2-util.h"
 #include "user-util.h"
@@ -879,6 +880,11 @@ int encrypt_credential_and_warn(
 return log_error_errno(r, "Failed to determine local credential host secret: %m");
 }
+ if (tpm2_hash_pcr_mask == UINT32_MAX)
+ tpm2_hash_pcr_mask = 0;
+ if (tpm2_pubkey_pcr_mask == UINT32_MAX)
+ tpm2_pubkey_pcr_mask = UINT32_C(1) << TPM2_PCR_KERNEL_BOOT;
+
 #if HAVE_TPM2
 bool try_tpm2;
 if (CRED_KEY_WANTS_TPM2(with_key)) {
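Review bot: The added block in encrypt_credential_and_warn() treats UINT32_MAX as an in-band "use the default" sentinel for both masks, but nothing at the check says so, and a reader cannot tell that the hash-mask default of 0 is a deliberate policy choice (no PCR selected in that mask) rather than a cleared error value. I would put a comment on the block, e.g. `/* UINT32_MAX means "pick a default": empty hash PCR mask, pubkey PCR mask covering only TPM2_PCR_KERNEL_BOOT (same as systemd-creds encrypt) */`. The commit message says these values copy what "systemd-creds encrypt" uses, so there are now two copies of the sealing defaults that can drift apart; a shared named constant for the default pubkey mask would keep what credentials are bound to identical across callers. The function starts and ends outside the hunk, so whether its header already documents the sentinel, and how a mask of 0 is handled when no public key is available, cannot be seen here.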