From 8d647ed2ff10b1bd02ca0775e76371314954bf37 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 11 Sep 2024 17:28:43 +0200 Subject: [PATCH] cryptenroll: don't try to get PCR bank if we know the device key If we operate in "offline" mode, i.e. know the device key, then we will not have a TPM2 connection, hence don't try to read the PCR bank to use form it. We don't need it anyway because we are not going to test unseal things. Fixes: #33855 --- src/cryptenroll/cryptenroll-tpm2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index ca1b433201a..d58194fb851 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -425,7 +425,8 @@ int enroll_tpm2(struct crypt_device *cd, r = tpm2_pcr_values_to_mask(hash_pcr_values, n_hash_pcr_values, hash_pcr_bank, &hash_pcr_mask); if (r < 0) return log_error_errno(r, "Could not get hash mask: %m"); - } else if (pubkey_pcr_mask != 0) { + + } else if (pubkey_pcr_mask != 0 && !device_key) { /* If no literal PCR value policy is used, then let's determine the mask to use automatically * from the measurements of the TPM. */
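Review bot: With the changed condition `} else if (pubkey_pcr_mask != 0 && !device_key) {`, the offline path (device key supplied, so no TPM2 connection) now skips the branch that "determine[s] the mask to use automatically from the measurements of the TPM", which means `hash_pcr_bank` and the derived mask keep whatever value they held before this `if` chain; the hunk's context does not show that initial value or how the later sealing code in `enroll_tpm2()` treats a bank that was never read from a TPM, so please confirm that path is handled (a sane default bank rather than an uninitialised or zero one) and add a short comment on the `!device_key` term, e.g. `/* offline enrollment: no TPM2 connection to read the bank from */`, so the next reader does not "fix" the condition back to its old form. Minor: the added `+` blank line lands between the `return log_error_errno(...)` statement and the closing `}` of the preceding block rather than between the two branches, which reads as a stray insertion; and the commit message has a typo, "read the PCR bank to use form it" should be "from it".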