
cryptenroll,repart: print a log message if no access restrictions are applied to TPM-based encryption

This commit is contained in:
Lennart Poettering 2025-01-29 15:13:35 +01:00
parent 4b840414be
commit c205840fe0
2 changed files with 13 additions and 0 deletions


@ -697,6 +697,13 @@ static int parse_argv(int argc, char *argv[]) {
assert(arg_tpm2_public_key_pcr_mask == 0);
arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
}
if (arg_tpm2_n_hash_pcr_values == 0 &&
!arg_tpm2_pin &&
arg_tpm2_public_key_pcr_mask == 0 &&
!arg_tpm2_pcrlock)
log_notice("Notice: enrolling TPM2 with an empty policy, i.e. without any state or access restrictions.\n"
"Use --tpm2-public-key=, --tpm2-pcrlock=, --tpm2-with-pin= or --tpm2-pcrs= to enable one or more restrictions.");
}
return 1;
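Review bot: The opening line of the block that encloses the new check is outside the hunk, so it is not visible whether the condition runs only for TPM2 enrollments; all four variables it tests are in their zero/unset state for any non-TPM2 enrollment, so if the block is not gated on the enrollment type the notice would be printed for FIDO2 and password enrollments as well — worth confirming. A short why-comment above the `if` would also help keep this condition aligned with the sibling check in the repart hunk of this commit, which omits the `!arg_tpm2_pin` term: `/* No PCR, PIN, public-key or pcrlock term was requested: the enrollment carries no state or access restriction, so say so. */`. parse_argv and its enclosing block start before this hunk.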


@ -4597,6 +4597,12 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
int keyslot;
TPM2Flags flags = 0;
if (arg_tpm2_n_hash_pcr_values == 0 &&
arg_tpm2_public_key_pcr_mask == 0 &&
!arg_tpm2_pcrlock)
log_notice("Notice: encrypting future partition %" PRIu64 ", locking against TPM2 with an empty policy, i.e. without any state or access restrictions.\n"
"Use --tpm2-public-key=, --tpm2-pcrlock=, or --tpm2-pcrs= to enable one or more restrictions.", p->partno);
if (arg_tpm2_public_key_pcr_mask != 0) {
r = tpm2_load_pcr_public_key(arg_tpm2_public_key, &pubkey.iov_base, &pubkey.iov_len);
if (r < 0) {
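Review bot: The new check sits inside partition_encrypt, so the notice is presumably emitted once for every partition being encrypted rather than once per invocation as the cryptenroll counterpart does at argument parsing; that reads as intentional since the message carries p->partno, but it deserves a comment so the difference is not "fixed" later: `/* Logged per partition on purpose: the notice names the partition number. */`. The `%" PRIu64` specifier assumes `p->partno` is exactly a uint64_t, which the hunk does not show — a mismatch there is undefined behavior, so confirm against the Partition definition. partition_encrypt continues outside the hunk.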