git.ipfire.org Git - thirdparty/systemd.git/commit
TEST-70-TPM2: Suppress PCR public key auto-loading in basic tests (41496/head)
author Chris Down <chris@chrisdown.name>
Fri, 3 Apr 2026 15:03:28 +0000 (00:03 +0900)
committer Chris Down <chris@chrisdown.name>
Sat, 4 Apr 2026 02:17:12 +0000 (11:17 +0900)
commit cd18656d47710c251a44a8f5f9d616151a909152
tree b553cad8db6d6d919d7237e1de04f4132a2422ad
parent 6a9888c4c6ca1318cad3a30dc3b7628d305eadf6
TEST-70-TPM2: Suppress PCR public key auto-loading in basic tests

When systemd-cryptenroll --tpm2-device=auto is called on a system where
a tpm2-pcr-public-key.pem exists it automatically creates tokens with a
signed PCR policy. Unlocking such a token via --unlock-tpm2-device=auto
requires a tpm2-pcr-signature.json file, which is not present.

This creates a race with systemd-tpm2-setup.service at boot: if the
service completes before the test, the key exists and the subsequent
--unlock-tpm2-device=auto calls fail, which I believe is the cause of
the test flakiness.

This also seems to mesh with the fact that this only flakes on Debian
CI, since that's built with ukify which installs a public key.

Let's hopefully fix this by passing --tpm2-public-key= to all
--tpm2-device= enrollment calls that aren't explicitly intended to test
signed PCR policy behaviour.
test/units/TEST-70-TPM2.cryptenroll.sh
test/units/TEST-70-TPM2.cryptsetup.sh