author | Luca Boccassi <bluca@debian.org> | 2023-02-08 02:10:28 +0000
---|---|---
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-02-08 10:58:57 +0000
commit | b0fc23fae51d244d2c33d70c10003aa5d5840223 (patch) |
tree | b7bdaca48b856c42374a660a108d175901b62daa /test |
parent | 500cd2e83b8246fbf20d99db898039cfba746223 (diff) |
download | systemd-b0fc23fae51d244d2c33d70c10003aa5d5840223.tar.gz |
cryptenroll: do not implicitly verify with default tpm policy signature
If it was not requested to use a tpm2 signature file when enrolling, do
not fall back to the default /run/systemd/tpm2-pcr-signature.json as it
likely will be unrelated if it exists.
Fixes https://github.com/systemd/systemd/issues/25435
Diffstat (limited to 'test')
-rwxr-xr-x | test/units/testsuite-70.sh | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh index 5667c8ab57..589baf370f 100755 --- a/test/units/testsuite-70.sh +++ b/test/units/testsuite-70.sh @@ -128,6 +128,12 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \ # Now, do the same, but with a cryptsetup binding truncate -s 20M $img cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom $img /tmp/passphrase + # Ensure that an unrelated signature, when not requested, is not used + touch /run/systemd/tpm2-pcr-signature.json + systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" $img + # Reset and use the signature now + rm -f /run/systemd/tpm2-pcr-signature.json + systemd-cryptenroll --wipe-slot=tpm2 $img systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature="/tmp/pcrsign.sig2" $img # Check if we can activate that (without the token module stuff) |
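Review bot: the new block only checks the positive path, so it cannot tell whether the empty file created by `touch /run/systemd/tpm2-pcr-signature.json` was actually ignored or merely tolerated; the test would also pass if an unparseable default signature were silently skipped rather than never consulted. Add a negative check right after the touch that passes the same file explicitly, e.g. `(! systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature=/run/systemd/tpm2-pcr-signature.json $img)`, so the test demonstrates that the file is rejected when requested and therefore that the unadorned invocation succeeding proves it was not read. Also, the `rm -f` cleanup sits after the first cryptenroll call; if that call fails (the script runs with errexit, judging by the surrounding style), the stray file is left in /run/systemd and can affect every later test in the suite, so either clean it up in a trap or move the `rm -f` into the same line with `||` semantics, and consider a comment stating that the file is intentionally empty so that any attempt to parse it fails.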