Merge pull request #19727 from poettering/pcr-comma

Allow PCRs to be separated by "+" instead of ","

man/crypttab.xml

@@ -659,9 +659,9 @@
       <varlistentry>
         <term><option>tpm2-pcrs=</option></term>
 
-        <listitem><para>Takes a comma separated list of numeric TPM2 PCR (i.e. "Platform Configuration
-        Register") indexes to bind the TPM2 volume unlocking to. This option is only useful when TPM2
-        enrollment metadata is not available in the LUKS2 JSON token header already, the way
+        <listitem><para>Takes a <literal>+</literal> separated list of numeric TPM2 PCR (i.e. "Platform
+        Configuration Register") indexes to bind the TPM2 volume unlocking to. This option is only useful
+        when TPM2 enrollment metadata is not available in the LUKS2 JSON token header already, the way
         <command>systemd-cryptenroll</command> writes it there. If not used (and no metadata in the LUKS2
         JSON token header defines it), defaults to a list of a single entry: PCR 7. Assign an empty string to
         encode a policy that binds the key to no PCRs, making the key accessible to local programs regardless

man/systemd-cryptenroll.xml

@@ -176,11 +176,11 @@
         <term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term>
 
         <listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind the enrollment
-        requested via <option>--tpm2-device=</option> to. Takes a comma separated list of numeric PCR indexes
-        in the range 0…23. If not used, defaults to PCR 7 only. If an empty string is specified, binds the
-        enrollment to no PCRs at all. PCRs allow binding the enrollment to specific software versions and
-        system state, so that the enrolled unlocking key is only accessible (may be "unsealed") if specific
-        trusted software and/or configuration is used.</para></listitem>
+        requested via <option>--tpm2-device=</option> to. Takes a <literal>+</literal> separated list of
+        numeric PCR indexes in the range 0…23. If not used, defaults to PCR 7 only. If an empty string is
+        specified, binds the enrollment to no PCRs at all. PCRs allow binding the enrollment to specific
+        software versions and system state, so that the enrolled unlocking key is only accessible (may be
+        "unsealed") if specific trusted software and/or configuration is used.</para></listitem>
 
         <table>
           <title>Well-known PCR Definitions</title>

src/cryptenroll/cryptenroll.c

@@ -97,7 +97,7 @@ static int help(void) {
                "                       Whether to require user verification to unlock the volume\n"
                "     --tpm2-device=PATH\n"
                "                       Enroll a TPM2 device\n"
-               "     --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
+               "     --tpm2-pcrs=PCR1+PCR2+PCR3,…\n"
                "                       Specify TPM2 PCRs to seal against\n"
                "     --wipe-slot=SLOT1,SLOT2,…\n"
                "                       Wipe specified slots\n"

src/partition/repart.c

@@ -4070,7 +4070,7 @@ static int help(void) {
                "     --definitions=DIR    Find partition definitions in specified directory\n"
                "     --key-file=PATH      Key to use when encrypting partitions\n"
                "     --tpm2-device=PATH   Path to TPM2 device node to use\n"
-               "     --tpm2-pcrs=PCR1,PCR2,…\n"
+               "     --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
                "                          TPM2 PCR indexes to use for TPM2 enrollment\n"
                "     --seed=UUID          128bit seed UUID to derive all UUIDs from\n"
                "     --size=BYTES         Grow loopback file to specified size\n"

src/shared/tpm2-util.c

@@ -920,13 +920,23 @@ int tpm2_parse_pcrs(const char *s, uint32_t *ret) {
         uint32_t mask = 0;
         int r;
 
-        /* Parses a comma-separated list of PCR indexes */
+        assert(s);
+
+        if (isempty(s)) {
+                *ret = 0;
+                return 0;
+        }
+
+        /* Parses a "," or "+" separated list of PCR indexes. We support "," since this is a list after all,
+         * and most other tools expect comma separated PCR specifications. We also support "+" since in
+         * /etc/crypttab the "," is already used to separate options, hence a different separator is nice to
+         * avoid escaping. */
 
         for (;;) {
                 _cleanup_free_ char *pcr = NULL;
                 unsigned n;
 
-                r = extract_first_word(&p, &pcr, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
+                r = extract_first_word(&p, &pcr, ",+", EXTRACT_DONT_COALESCE_SEPARATORS);
                 if (r == 0)
                         break;
                 if (r < 0)

src/test/meson.build

@@ -422,6 +422,8 @@ tests += [
 
         [['src/test/test-sleep.c']],
 
+        [['src/test/test-tpm2.c']],
+
         [['src/test/test-replace-var.c']],
 
         [['src/test/test-calendarspec.c']],

src/test/test-tpm2.c

@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "tpm2-util.h"
+#include "tests.h"
+
+static void test_tpm2_parse_pcrs(const char *s, uint32_t mask, int ret) {
+        uint32_t m;
+
+        assert_se(tpm2_parse_pcrs(s, &m) == ret);
+
+        if (ret >= 0)
+                assert_se(m == mask);
+}
+
+int main(int argc, char *argv[]) {
+
+        test_setup_logging(LOG_DEBUG);
+
+        test_tpm2_parse_pcrs("", 0, 0);
+        test_tpm2_parse_pcrs("0", 1, 0);
+        test_tpm2_parse_pcrs("1", 2, 0);
+        test_tpm2_parse_pcrs("0,1", 3, 0);
+        test_tpm2_parse_pcrs("0+1", 3, 0);
+        test_tpm2_parse_pcrs("0-1", 0, -EINVAL);
+        test_tpm2_parse_pcrs("0,1,2", 7, 0);
+        test_tpm2_parse_pcrs("0+1+2", 7, 0);
+        test_tpm2_parse_pcrs("0+1,2", 7, 0);
+        test_tpm2_parse_pcrs("0,1+2", 7, 0);
+        test_tpm2_parse_pcrs("0,2", 5, 0);
+        test_tpm2_parse_pcrs("0+2", 5, 0);
+        test_tpm2_parse_pcrs("foo", 0, -EINVAL);
+
+        return 0;
+}