
Merge pull request #19727 from poettering/pcr-comma

Allow PCRs to be separated by "+" instead of ","
This commit is contained in:
Yu Watanabe 2021-05-26 10:37:24 +09:00 committed by GitHub
commit b69855e645
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 58 additions and 12 deletions


@ -659,9 +659,9 @@
<varlistentry> <varlistentry>
<term><option>tpm2-pcrs=</option></term> <term><option>tpm2-pcrs=</option></term>
<listitem><para>Takes a comma separated list of numeric TPM2 PCR (i.e. "Platform Configuration <listitem><para>Takes a <literal>+</literal> separated list of numeric TPM2 PCR (i.e. "Platform
Register") indexes to bind the TPM2 volume unlocking to. This option is only useful when TPM2 Configuration Register") indexes to bind the TPM2 volume unlocking to. This option is only useful
enrollment metadata is not available in the LUKS2 JSON token header already, the way when TPM2 enrollment metadata is not available in the LUKS2 JSON token header already, the way
<command>systemd-cryptenroll</command> writes it there. If not used (and no metadata in the LUKS2 <command>systemd-cryptenroll</command> writes it there. If not used (and no metadata in the LUKS2
JSON token header defines it), defaults to a list of a single entry: PCR 7. Assign an empty string to JSON token header defines it), defaults to a list of a single entry: PCR 7. Assign an empty string to
encode a policy that binds the key to no PCRs, making the key accessible to local programs regardless encode a policy that binds the key to no PCRs, making the key accessible to local programs regardless


@ -176,11 +176,11 @@
<term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term> <term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term>
<listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind the enrollment <listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind the enrollment
requested via <option>--tpm2-device=</option> to. Takes a comma separated list of numeric PCR indexes requested via <option>--tpm2-device=</option> to. Takes a <literal>+</literal> separated list of
in the range 0…23. If not used, defaults to PCR 7 only. If an empty string is specified, binds the numeric PCR indexes in the range 0…23. If not used, defaults to PCR 7 only. If an empty string is
enrollment to no PCRs at all. PCRs allow binding the enrollment to specific software versions and specified, binds the enrollment to no PCRs at all. PCRs allow binding the enrollment to specific
system state, so that the enrolled unlocking key is only accessible (may be "unsealed") if specific software versions and system state, so that the enrolled unlocking key is only accessible (may be
trusted software and/or configuration is used.</para></listitem> "unsealed") if specific trusted software and/or configuration is used.</para></listitem>
<table> <table>
<title>Well-known PCR Definitions</title> <title>Well-known PCR Definitions</title>


@ -97,7 +97,7 @@ static int help(void) {
" Whether to require user verification to unlock the volume\n" " Whether to require user verification to unlock the volume\n"
" --tpm2-device=PATH\n" " --tpm2-device=PATH\n"
" Enroll a TPM2 device\n" " Enroll a TPM2 device\n"
" --tpm2-pcrs=PCR1,PCR2,PCR3,…\n" " --tpm2-pcrs=PCR1+PCR2+PCR3,…\n"
" Specify TPM2 PCRs to seal against\n" " Specify TPM2 PCRs to seal against\n"
" --wipe-slot=SLOT1,SLOT2,…\n" " --wipe-slot=SLOT1,SLOT2,…\n"
" Wipe specified slots\n" " Wipe specified slots\n"
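Review bot: The new `--tpm2-pcrs=` help string still mixes separators, `PCR1+PCR2+PCR3,…`, leaving a comma where the man page in this commit documents `+` and where the repart help line in the same commit reads `PCR1+PCR2+PCR3+`. Change it to `" --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"` so the two help outputs agree with each other and with the documentation. Since the parser keeps accepting `,` as well, a short mention of that in the man page would stop readers from taking the switch to `+` as a breaking change. help() starts and ends outside this hunk.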


@ -4070,7 +4070,7 @@ static int help(void) {
" --definitions=DIR Find partition definitions in specified directory\n" " --definitions=DIR Find partition definitions in specified directory\n"
" --key-file=PATH Key to use when encrypting partitions\n" " --key-file=PATH Key to use when encrypting partitions\n"
" --tpm2-device=PATH Path to TPM2 device node to use\n" " --tpm2-device=PATH Path to TPM2 device node to use\n"
" --tpm2-pcrs=PCR1,PCR2,\n" " --tpm2-pcrs=PCR1+PCR2+PCR3+\n"
" TPM2 PCR indexes to use for TPM2 enrollment\n" " TPM2 PCR indexes to use for TPM2 enrollment\n"
" --seed=UUID 128bit seed UUID to derive all UUIDs from\n" " --seed=UUID 128bit seed UUID to derive all UUIDs from\n"
" --size=BYTES Grow loopback file to specified size\n" " --size=BYTES Grow loopback file to specified size\n"


@ -920,13 +920,23 @@ int tpm2_parse_pcrs(const char *s, uint32_t *ret) {
uint32_t mask = 0; uint32_t mask = 0;
int r; int r;
/* Parses a comma-separated list of PCR indexes */ assert(s);
if (isempty(s)) {
*ret = 0;
return 0;
}
/* Parses a "," or "+" separated list of PCR indexes. We support "," since this is a list after all,
* and most other tools expect comma separated PCR specifications. We also support "+" since in
* /etc/crypttab the "," is already used to separate options, hence a different separator is nice to
* avoid escaping. */
for (;;) { for (;;) {
_cleanup_free_ char *pcr = NULL; _cleanup_free_ char *pcr = NULL;
unsigned n; unsigned n;
r = extract_first_word(&p, &pcr, ",", EXTRACT_DONT_COALESCE_SEPARATORS); r = extract_first_word(&p, &pcr, ",+", EXTRACT_DONT_COALESCE_SEPARATORS);
if (r == 0) if (r == 0)
break; break;
if (r < 0) if (r < 0)
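Review bot: The new early return (`if (isempty(s)) { *ret = 0; return 0; }`) makes an empty list mean "bind to no PCRs" and succeed, but the comment added right below it only explains the separators; crypttab callers depend on that distinction, so I'd prepend `/* An empty string encodes a policy bound to no PCRs: report mask 0 and success. */`. With EXTRACT_DONT_COALESCE_SEPARATORS, doubled or adjacent mixed separators (`"0++1"`, `"0,+1"`) now produce empty words, and whether those are rejected with -EINVAL or silently skipped is decided in the part of the loop below the hunk that I cannot see, so it is worth confirming and covering in the new test. tpm2_parse_pcrs starts before the hunk (where p is declared) and continues after it.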


@ -422,6 +422,8 @@ tests += [
[['src/test/test-sleep.c']], [['src/test/test-sleep.c']],
[['src/test/test-tpm2.c']],
[['src/test/test-replace-var.c']], [['src/test/test-replace-var.c']],
[['src/test/test-calendarspec.c']], [['src/test/test-calendarspec.c']],

34
src/test/test-tpm2.c Normal file

@ -0,0 +1,34 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "tpm2-util.h"
#include "tests.h"
static void test_tpm2_parse_pcrs(const char *s, uint32_t mask, int ret) {
uint32_t m;
assert_se(tpm2_parse_pcrs(s, &m) == ret);
if (ret >= 0)
assert_se(m == mask);
}
int main(int argc, char *argv[]) {
test_setup_logging(LOG_DEBUG);
test_tpm2_parse_pcrs("", 0, 0);
test_tpm2_parse_pcrs("0", 1, 0);
test_tpm2_parse_pcrs("1", 2, 0);
test_tpm2_parse_pcrs("0,1", 3, 0);
test_tpm2_parse_pcrs("0+1", 3, 0);
test_tpm2_parse_pcrs("0-1", 0, -EINVAL);
test_tpm2_parse_pcrs("0,1,2", 7, 0);
test_tpm2_parse_pcrs("0+1+2", 7, 0);
test_tpm2_parse_pcrs("0+1,2", 7, 0);
test_tpm2_parse_pcrs("0,1+2", 7, 0);
test_tpm2_parse_pcrs("0,2", 5, 0);
test_tpm2_parse_pcrs("0+2", 5, 0);
test_tpm2_parse_pcrs("foo", 0, -EINVAL);
return 0;
}
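Review bot: The new test never exercises the limits the man page states for this option (indexes in the range 0…23): there is no case for the highest valid index, none for an out-of-range index, and none for a list with an empty element such as `"0,"` or `",1"`. `test_tpm2_parse_pcrs("23", UINT32_C(1) << 23, 0);` pins the top of the range, and `test_tpm2_parse_pcrs("24", 0, -EINVAL);` pins rejection of an out-of-range index, provided the range check, which lies outside this diff, does return -EINVAL. An index of 32 or more is especially worth a case, since shifting it into a uint32_t mask would be undefined behaviour if the check were ever missing. Whitespace around entries is also untested; its handling depends on the extract_first_word flags and would be cheap to pin here.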