creds-util: initialize default PCR mask in encrypt_credential_and_warn()

If UINT32_MAX is passed in the PCR masks pick some reasonable defaults in encrypt_credential_and_warn(). These defaults copy what "systemd-creds encrypt" uses. By adding these defaults to the internal functions any user of them can take benefit of them.
2026-04-14 08:25:20 +09:00 · 2024-06-10 14:58:52 +02:00
parent ffe958b98f
commit 3e9ff7c0d8
1 changed files with 6 additions and 0 deletions
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -41,6 +41,7 @@
 #include "stat-util.h"
 #include "string-util.h"
 #include "tmpfile-util.h"
+#include "tpm2-pcr.h"
 #include "tpm2-util.h"
 #include "user-util.h"

@@ -879,6 +880,11 @@ int encrypt_credential_and_warn(
                        return log_error_errno(r, "Failed to determine local credential host secret: %m");
        }

+        if (tpm2_hash_pcr_mask == UINT32_MAX)
+                tpm2_hash_pcr_mask = 0;
+        if (tpm2_pubkey_pcr_mask == UINT32_MAX)
+                tpm2_pubkey_pcr_mask = UINT32_C(1) << TPM2_PCR_KERNEL_BOOT;
+
 #if HAVE_TPM2
        bool try_tpm2;
        if (CRED_KEY_WANTS_TPM2(with_key)) {