Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cryptenroll: don't try to use pcrlock in combination with signed PCR policy if both are available, because we don't actually support that right now #32635

Merged
merged 3 commits into from
May 7, 2024
Merged

cryptenroll: don't try to use pcrlock in combination with signed PCR policy if both are available, because we don't actually support that right now #32635

merged 3 commits into from
May 7, 2024

Conversation

poettering
Copy link
Member

@poettering poettering commented May 2, 2024
edited by github-actions bot

Fixes: #32565

@github-actions github-actions bot added the please-review PR is ready for (re-)review by a maintainer label May 2, 2024
@poettering
Copy link
Member Author

/cc @DaanDeMeyer

@github-actions GitHub Actions
Copy link

github-actions bot commented May 2, 2024

Important

An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.

@DaanDeMeyer DaanDeMeyer added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed please-review PR is ready for (re-)review by a maintainer labels May 2, 2024
@bluca
Copy link
Member

bluca commented May 2, 2024

TEST-70 looks very sad

@bluca bluca added ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR and removed good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed labels May 2, 2024
@DaanDeMeyer
Copy link
Contributor

We really need LogForwardToConsole= so you can see the journal errors in the test unit output.

@mrc0mmand
Copy link
Member

The failing CIs seem to be caused by #32500 which was merged with TEST-70 failing, so now it fails everywhere.

@bluca
Copy link
Member

bluca commented May 2, 2024

The failing CIs seem to be caused by #32500 which was merged with TEST-70 failing, so now it fails everywhere.

lol I thought it was a failing test, fixed by this PR

@github-actions github-actions bot added tests please-review PR is ready for (re-)review by a maintainer and removed ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR labels May 2, 2024
@bluca
Copy link
Member

bluca commented May 2, 2024

pushed commit to hopefully fix it

@bluca
Copy link
Member

bluca commented May 2, 2024

Still fails here but works with the standalone workaround #32636 so there's still some issue with this PR

@bluca bluca added needs-rebase ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR and removed please-review PR is ready for (re-)review by a maintainer labels May 3, 2024
@poettering
cryptenroll: do not combine pcrlock and signed PCR policies in TPM mode
27f4278 
We currently do not support pcrlock policies and signed PCR policies in
combination. Hence, when we auto-discover both, let's disable signed PCR
policies if pcrlock is available too (simple because that covers more
ground).

Fixes: systemd#32565
@poettering
cryptenroll: determine TPM enrollment parmaeters only if we actually …
e6ca81d 
…do TPM enrollments

Otherwise we'll do work (and possibly generate fatal errors) where we
really shouldn't.
@poettering
tpm2-util: tweak JSON condition check
3f24021 
As for the other fields let's check if the actual variable we serialize
is set before serializing it.

This shouldn't make any difference, since the pubkey and the PCR mask
should always be set together or neither, but I think it's easier to
grok this way, and makes the function nicely "dumb": it serializes what
is specified, without trying to be smart by suppressng specified fields.
@poettering poettering force-pushed the cryptenroll-no-pcrlock-conflict branch from e824035 to 3f24021 Compare May 6, 2024 14:17
@github-actions github-actions bot added util-lib please-review PR is ready for (re-)review by a maintainer and removed ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR labels May 6, 2024
@poettering
Copy link
Member Author

Here's another try. Let's see.

bluca
bluca approved these changes May 6, 2024
View reviewed changes
Copy link
Member

@bluca bluca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests look happier, let's wait for ubuntu ones too

@bluca bluca added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed please-review PR is ready for (re-)review by a maintainer labels May 6, 2024
@bluca bluca merged commit d78b695 into systemd:main May 7, 2024
46 of 49 checks passed
@github-actions github-actions bot removed the good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed label May 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bluca bluca bluca approved these changes

@DaanDeMeyer DaanDeMeyer DaanDeMeyer approved these changes

Assignees
No one assigned
Labels
cryptsetup tests tpm2 util-lib
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TEST-70-TPM2 fails in environment with signed PCRs (mkosi)
4 participants
@poettering @bluca @DaanDeMeyer @mrc0mmand