cryptenroll: make sure enrolling signed PCR policy without literal PCR policy works correctly #32993
…but signed PCR binding is on

We so far derived the PCR bank to use from the PCR values specified for literal PCR binding. However, when that's not used then we left the bank uninitialized – which will break if signed PCR bindings are used (where we need to pick a bank too after all). Hence, let's explicitly pick a bank to use if literal PCR values are not used, to make things just work.

Fixes: systemd#32946
Note: We have successfully released a new major release. We are no longer in a development freeze phase.
Will check and come back @poettering!
Seems to work. Using
with
with
with
with no pcrs specified:
So it seems to cover all the possible permutations I guess? Anything else you want me to try @poettering? Any other logs that may be useful?
If both literal and signed PCR bindings are not used then we won't determine a PCR bank to use, and hence we shouldn't attempt to serialize it either. Hence, if the bank is zero, skip serialization. (And while we are at it, also skip serialization of the primary algorithm if not set, purely to make things systematic.) [This effectively results in little change, as previously we'd then serialize a JSON "null", while now we simply won't generate the field.]
Let's only generate the pin and pcrlock booleans if they are enabled, in order to not unnecessarily confuse older unlocking tools.
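The two commit messages above describe one decision (which PCR bank to bind against) and one serialization rule (omit fields that carry nothing). The following is an added example that models both, written for this page rather than taken from systemd: `select_pcr_bank` forces a bank choice whenever either a literal or a signed PCR binding is in play and returns `None` only when neither is, and `build_tpm2_token` leaves out an unset bank or primary algorithm instead of writing JSON `null`, and emits the `tpm2-pin` and `tpm2-pcrlock` booleans only when they are true. The token field names are the systemd-tpm2 LUKS2 token keys as I recall them and the bank preference list is constructed; treat both as assumptions, and the `enroll` and `null_or_false_fields` helpers are hypothetical.

```python
# Added example, not systemd's code: a model of the bank-selection and
# token-serialization rules discussed in this PR.  Token field names are
# assumed to match the systemd-tpm2 LUKS2 token; the bank list is constructed.
import json

# Constructed: PCR banks a TPM might offer, in preference order (assumption).
SUPPORTED_BANKS = ("sha256", "sha1")


def select_pcr_bank(literal_pcr_mask, signed_policy, supported_banks=SUPPORTED_BANKS):
    """Pick the PCR bank to bind against.

    Before the fix the bank was derived only from the literal PCR values, so a
    signed-policy-only enrollment left it uninitialised.  Here any binding,
    literal or signed, forces a choice; only the no-binding case returns None.
    """
    if literal_pcr_mask == 0 and not signed_policy:
        return None
    if not supported_banks:
        raise RuntimeError("TPM offers no usable PCR bank")
    return supported_banks[0]


def pcr_mask_to_list(mask):
    """Expand a bitmask of PCR indices into the sorted list form used in the token."""
    return [i for i in range(24) if mask & (1 << i)]


def build_tpm2_token(*, literal_pcr_mask, signed_pcr_mask, bank, primary_alg,
                     pin=False, pcrlock=False):
    """Serialise the token, leaving out every field that carries no information.

    An unset bank or primary algorithm is omitted rather than written as JSON
    null, and the pin/pcrlock booleans appear only when true, so unlocking
    tools that predate those fields never see them on enrollments that do not
    use them.
    """
    token = {
        "type": "systemd-tpm2",
        "keyslots": ["0"],  # constructed keyslot reference
        "tpm2-pcrs": pcr_mask_to_list(literal_pcr_mask),
    }
    if signed_pcr_mask:
        token["tpm2-pubkey-pcrs"] = pcr_mask_to_list(signed_pcr_mask)
    if bank is not None:
        token["tpm2-pcr-bank"] = bank
    if primary_alg is not None:
        token["tpm2-primary-alg"] = primary_alg
    if pin:
        token["tpm2-pin"] = True
    if pcrlock:
        token["tpm2-pcrlock"] = True
    return token


def enroll(*, literal_pcr_mask=0, signed_pcr_mask=0, primary_alg="ecc",
           pin=False, pcrlock=False):
    """Hypothetical driver: run bank selection and serialisation together."""
    bank = select_pcr_bank(literal_pcr_mask, signed_pcr_mask != 0)
    return build_tpm2_token(literal_pcr_mask=literal_pcr_mask,
                            signed_pcr_mask=signed_pcr_mask, bank=bank,
                            primary_alg=primary_alg, pin=pin, pcrlock=pcrlock)


def null_or_false_fields(token):
    """Return the fields an older unlocker would have seen as null or false."""
    return sorted(k for k, v in token.items() if v is None or v is False)


if __name__ == "__main__":
    # The four permutations the reviewer tried: literal only, signed only,
    # both, and neither (all PCR masks are constructed sample input).
    cases = {
        "literal 7": dict(literal_pcr_mask=1 << 7),
        "signed 11": dict(signed_pcr_mask=1 << 11),
        "both": dict(literal_pcr_mask=1 << 7, signed_pcr_mask=1 << 11),
        "none": dict(primary_alg=None),
    }
    for name, kw in cases.items():
        token = enroll(**kw)
        print(f"{name:10} bank={token.get('tpm2-pcr-bank')!r:9} "
              f"{json.dumps(token, sort_keys=True)}")
```

The "none" case is the one that used to serialize `"tpm2-pcr-bank": null`; with the skip rule it simply has no bank key, and `null_or_false_fields` returns an empty list for every permutation.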
698da8f to 51a9a00
No thanks, that's all I needed.