creds-util: tweak error code generation in decrypt_credential_and_warn() a bit, and add a comment listing it

Let's make some specific condition more recognizable via error codes of
their own, and in particular remove confusion between EREMOTE as
returned by tpm2_unseal() and by us.

src/creds/creds.c

@@ -1411,7 +1411,7 @@ static int vl_method_decrypt(sd_varlink *link, sd_json_variant *parameters, sd_v
 
         if (r == -EBADMSG)
                 return sd_varlink_error(link, "io.systemd.Credentials.BadFormat", NULL);
-        if (r == -EREMOTE)
+        if (r == -EDESTADDRREQ)
                 return sd_varlink_error(link, "io.systemd.Credentials.NameMismatch", NULL);
         if (r == -ESTALE)
                 return sd_varlink_error(link, "io.systemd.Credentials.TimeMismatch", NULL);

src/shared/creds-util.c

@@ -1201,6 +1201,19 @@ int decrypt_credential_and_warn(
         assert(iovec_is_valid(input));
         assert(ret);
 
+        /* Relevant error codes:
+         *
+         *   -EBADMSG      → Corrupted file
+         *   -EOPNOTSUPP   → Unsupported file type (could be: requires TPM but we have no TPM)
+         *   -EHOSTDOWN    → Need PCR signature file, but couldn't find it
+         *   -EHWPOISON    → Attempt to decode NULL key (and CREDENTIAL_ALLOW_NULL is off), but the system has a TPM and SecureBoot is on
+         *   -EMEDIUMTYPE  → File has unexpected scope, i.e. user-scoped credential is attempted to be unlocked in system scope, or vice versa
+         *   -EDESTADDRREQ → Credential is incorrectly named (i.e. the authenticated name does not match the actual name)
+         *   -ESTALE       → Credential's valdity has passed
+         *   -ESRCH        → User specified for scope does not exist on this system
+         *
+         *   (plus the various error codes tpm2_unseal() returns) */
+
         h = (struct encrypted_credential_header*) input->iov_base;
 
         /* The ID must fit in, for the current and all future formats */
@@ -1218,8 +1231,10 @@ int decrypt_credential_and_warn(
 
         if (with_tpm2_pk) {
                 r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json);
+                if (r == -ENOENT)
+                        return log_error_errno(SYNTHETIC_ERRNO(EHOSTDOWN), "Couldn't find PCR signature file: %m");
                 if (r < 0)
-                        return log_error_errno(r, "Failed to load pcr signature: %m");
+                        return log_error_errno(r, "Failed to load PCR signature: %m");
         }
 
         if (with_null && !FLAGS_SET(flags, CREDENTIAL_ALLOW_NULL)) {
@@ -1234,7 +1249,7 @@ int decrypt_credential_and_warn(
 
                 if (efi_has_tpm2()) {
                         if (is_efi_secure_boot())
-                                return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
+                                return log_error_errno(SYNTHETIC_ERRNO(EHWPOISON),
                                                        "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
 
                         log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
@@ -1486,7 +1501,7 @@ int decrypt_credential_and_warn(
                         if (r < 0 && r != -ENXIO)
                                 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
                         if (r != 0)
-                                return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
+                                return log_error_errno(SYNTHETIC_ERRNO(EDESTADDRREQ), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
 
                         log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name);
                 }
@@ -1640,7 +1655,7 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
                 if (streq(error_id, "io.systemd.Credentials.BadFormat"))
                         return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Bad credential format.");
                 if (streq(error_id, "io.systemd.Credentials.NameMismatch"))
-                        return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Name in credential doesn't match expectations.");
+                        return log_error_errno(SYNTHETIC_ERRNO(EDESTADDRREQ), "Name in credential doesn't match expectations.");
                 if (streq(error_id, "io.systemd.Credentials.TimeMismatch"))
                         return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Outside of credential validity time window.");
                 if (streq(error_id, "io.systemd.Credentials.NoSuchUser"))

src/test/test-creds.c

@@ -164,7 +164,7 @@ static void test_encrypt_decrypt_with(sd_id128_t mode, uid_t uid) {
                         &encrypted,
                         CREDENTIAL_ALLOW_NULL,
                         &decrypted);
-        ASSERT_ERROR(r, EREMOTE); /* name didn't match */
+        ASSERT_ERROR(r, EDESTADDRREQ); /* name didn't match */
 
         r = decrypt_credential_and_warn(
                         "foo",