cryptenroll: do not implicitly verify with default tpm policy signature

If it was not requested to use a tpm2 signature file when enrolling, do not fallback to the default /run/systemd/tpm2-pcr-signature.json as it likely will be unrelated if it exists. Fixes https://github.com/systemd/systemd/issues/25435
author: Luca Boccassi <bluca@debian.org> 2023-02-08 02:10:28 +0000
committer: Luca Boccassi <luca.boccassi@gmail.com> 2023-02-08 10:58:57 +0000
commit: b0fc23fae51d244d2c33d70c10003aa5d5840223 (patch)
tree: b7bdaca48b856c42374a660a108d175901b62daa /src/cryptenroll
parent: 500cd2e83b8246fbf20d99db898039cfba746223 (diff)
download: systemd-b0fc23fae51d244d2c33d70c10003aa5d5840223.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 3098b2e7ac..658db6a523 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -196,8 +196,9 @@ int enroll_tpm2(struct crypt_device *cd,
 
                 log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
                 pubkey_pcr_mask = 0;
-        } else {
-                /* Also try to load the signature JSON object, to verify that our enrollment will work. This is optional however. */
+        } else if (signature_path) {
+                /* Also try to load the signature JSON object, to verify that our enrollment will work.
+                 * This is optional however, skip it if it's not explicitly provided. */
 
                 r = tpm2_load_pcr_signature(signature_path, &signature_json);
                 if (r < 0) {
author	Luca Boccassi <bluca@debian.org>	2023-02-08 02:10:28 +0000
committer	Luca Boccassi <luca.boccassi@gmail.com>	2023-02-08 10:58:57 +0000
commit	b0fc23fae51d244d2c33d70c10003aa5d5840223 (patch)
tree	b7bdaca48b856c42374a660a108d175901b62daa /src/cryptenroll
parent	500cd2e83b8246fbf20d99db898039cfba746223 (diff)
download	systemd-b0fc23fae51d244d2c33d70c10003aa5d5840223.tar.gz