authorLennart Poettering <lennart@poettering.net>2021-05-25 23:26:31 +0200
committerLennart Poettering <lennart@poettering.net>2021-05-25 23:28:54 +0200
commita1788a69b27b497ea75af2a97d7d7abde3e06eff (patch)
tree59071785c1dfa9199df8d787141b9eb0accc4276 /src
parentc4734378622faeed2cab43ef3fdd39710a90a5f5 (diff)
downloadsystemd-a1788a69b27b497ea75af2a97d7d7abde3e06eff.tar.gz
tpm2: support "+" as separator for TPM PCR lists
Previously, we supported only "," as separator. This adds support for "+" and makes it the documented choice. This is to make specifying PCRs in crypttab easier, since commas are already used there for separating volume options, and needless escaping sucks. "," continues to be supported, but in order to keep things minimal it is not documented. Fixes: #19205
Diffstat (limited to 'src')
-rw-r--r--src/cryptenroll/cryptenroll.c2
-rw-r--r--src/partition/repart.c2
-rw-r--r--src/shared/tpm2-util.c7
3 files changed, 7 insertions, 4 deletions
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 559a346804..83b0b42ff2 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -97,7 +97,7 @@ static int help(void) {
" Whether to require user verification to unlock the volume\n"
" --tpm2-device=PATH\n"
" Enroll a TPM2 device\n"
- " --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
+ " --tpm2-pcrs=PCR1+PCR2+PCR3,…\n"
" Specify TPM2 PCRs to seal against\n"
" --wipe-slot=SLOT1,SLOT2,…\n"
" Wipe specified slots\n"
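Review bot: The new `--tpm2-pcrs` usage line still has a comma before the ellipsis (`PCR1+PCR2+PCR3,…`), so the help text shows both separators in one example although the commit message makes "+" the only documented one. The repart.c hunk in this same commit writes `--tpm2-pcrs=PCR1+PCR2+PCR3+…`; the cryptenroll string should end with `+…` as well. This matters more than a cosmetic slip because the list decides which PCRs a key is sealed against, and the help text is where users copy the syntax from.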
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 341cae33a6..877d2a091d 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -4070,7 +4070,7 @@ static int help(void) {
" --definitions=DIR Find partition definitions in specified directory\n"
" --key-file=PATH Key to use when encrypting partitions\n"
" --tpm2-device=PATH Path to TPM2 device node to use\n"
- " --tpm2-pcrs=PCR1,PCR2,…\n"
+ " --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
" TPM2 PCR indexes to use for TPM2 enrollment\n"
" --seed=UUID 128bit seed UUID to derive all UUIDs from\n"
" --size=BYTES Grow loopback file to specified size\n"
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 4d17f3c96a..09f38ac867 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -920,13 +920,16 @@ int tpm2_parse_pcrs(const char *s, uint32_t *ret) {
uint32_t mask = 0;
int r;
- /* Parses a comma-separated list of PCR indexes */
+ /* Parses a "," or "+" separated list of PCR indexes. We support "," since this is a list after all,
+ * and most other tools expect comma separated PCR specifications. We also support "+" since in
+ * /etc/crypttab the "," is already used to separate options, hence a different separator is nice to
+ * avoid escaping. */
for (;;) {
_cleanup_free_ char *pcr = NULL;
unsigned n;
- r = extract_first_word(&p, &pcr, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
+ r = extract_first_word(&p, &pcr, ",+", EXTRACT_DONT_COALESCE_SEPARATORS);
if (r == 0)
break;
if (r < 0)
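Review bot: The rewritten comment above the loop in tpm2_parse_pcrs() explains why both separators exist, but not that the separator set `",+"` lets them be mixed within one string (for example "0,2+7"), nor that `EXTRACT_DONT_COALESCE_SEPARATORS` keeps empty elements such as the one in "7++8" as separate words. Since the returned mask selects the PCRs a secret is bound to, the accepted grammar should be stated here; I would add a sentence such as `Both separators may be mixed in one list; empty elements are not coalesced.` How an empty word is handled is decided further down in the loop body, which continues outside this hunk; presumably the number parsing rejects it, but that should be confirmed and ideally covered by a unit test for "+", mixed and empty-element inputs.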