cryptenroll: don't try to use pcrlock in combination with signed PCR policy if both are available, because we don't actually support that right now #32635
/cc @DaanDeMeyer
Important: An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
TEST-70 looks very sad
We really need
The failing CIs seem to be caused by #32500 which was merged with TEST-70 failing, so now it fails everywhere.
lol I thought it was a failing test, fixed by this PR
pushed commit to hopefully fix it
Still fails here but works with the standalone workaround #32636 so there's still some issue with this PR
We currently do not support pcrlock policies and signed PCR policies in combination. Hence, when we auto-discover both, let's disable signed PCR policies if pcrlock is available too (simply because that covers more ground).
Fixes: systemd#32565
…do TPM enrollments Otherwise we'll do work (and possibly generate fatal errors) where we really shouldn't.
As for the other fields let's check if the actual variable we serialize is set before serializing it. This shouldn't make any difference, since the pubkey and the PCR mask should always be set together or neither, but I think it's easier to grok this way, and makes the function nicely "dumb": it serializes what is specified, without trying to be smart by suppressing specified fields.
e824035 to 3f24021
Here's another try. Let's see.
Tests look happier, let's wait for ubuntu ones too
Fixes: #32565