swtpm_setup: Get active PCR banks from swtpm_setup.conf

If the user did not provide the PCR banks to activate through the command line options, try to read it from the config file and if nothing is found there, fall back to the DEFAULT_PCR_BANKS as set during configure time. Move the check for the PCR banks after the access check to the configuration file. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2026-02-05 14:12:54 +00:00 · 2021-10-28 12:23:14 -04:00 · 2021-10-28 12:23:14 -04:00 · a5cc0bf6e2
commit a5cc0bf6e2
parent 87755f8cc4
3 changed files with 47 additions and 10 deletions
--- a/man/man8/swtpm_setup.conf.pod
+++ b/man/man8/swtpm_setup.conf.pod
@ -89,6 +89,12 @@ that will be passed to the invoked program using the --optsfile
 option described above. If omitted, the invoked program will use
 the default options file.

+=item B<active_pcr_banks> (since v0.7)
+
+This keyword is to be followed by a comma-separated list
+of names of PCR banks. The list must not contain any spaces.
+Valid PCR bank names are sha1, sha256, sha384, and sha512.
+
 =back

 =head1 SEE ALSO
--- a/man/man8/swtpm_setup.pod
+++ b/man/man8/swtpm_setup.pod
@ -164,8 +164,12 @@ used for creating the certificates and may be required by that tool.
 =item B<--pcr-banks <PCR banks>>

 Optional comma-separated list of PCR banks to activate. Providing '-'
-allows a user to skip the selection and activates all PCR banks. By default
-the sha1 and sha256 banks are activated.
+allows a user to skip the selection and activates all PCR banks.
+If this option is not provided, the I<swtpm_setup.conf> configuration
+file will be consulted for the active_pcr_banks entry. If no such
+entry is found then the default set of PCR banks will be activated.
+The default set of PCR banks can be determined using the I<--help>
+option.

 =item B<--swtpm_ioctl <executable>>

--- a/src/swtpm_setup/swtpm_setup.c
+++ b/src/swtpm_setup/swtpm_setup.c
@ -431,6 +431,29 @@ static int tpm2_create_eks_and_certs(unsigned long flags, const gchar *config_fi
                                    user_certsdir);
 }

+/* Get the default PCR banks from the config file and if nothing can
+   be found there use the DEFAULT_PCR_BANKS #define.
+ */
+static gchar *get_default_pcr_banks(const gchar *config_file)
+{
+    g_auto(GStrv) config_file_lines = NULL;
+    gchar *pcr_banks;
+    int ret;
+
+    ret = read_file_lines(config_file, &config_file_lines);
+    if (ret != 0)
+        return NULL;
+
+    pcr_banks = get_config_value(config_file_lines, "active_pcr_banks");
+    if (pcr_banks)
+        g_strstrip(pcr_banks);
+    if (pcr_banks == NULL || strlen(pcr_banks) == 0) {
+        g_free(pcr_banks);
+        pcr_banks = g_strdup(DEFAULT_PCR_BANKS);
+    }
+    return pcr_banks;
+}
+
 /* Activate the given list of PCR banks. If pcr_banks is '-' then leave
 * the configuration as-is.
 */
@ -1419,14 +1442,6 @@ int main(int argc, char *argv[])
    if (!got_srkpass)
        srkpass = g_strdup(DEFAULT_SRK_PASSWORD);

-    /* check pcr_banks */
-    tmp_l = g_strsplit(pcr_banks ? pcr_banks : "", ",", -1);
-    for (i = 0, n = 0; tmp_l[i]; i++)
-        n += strlen(tmp_l[i]);
-    g_strfreev(tmp_l);
-    if (n == 0)
-        pcr_banks = g_strdup(DEFAULT_PCR_BANKS);
-
    if (gl_LOGFILE != NULL) {
        FILE *tmpfile;
        if (stat(gl_LOGFILE, &statbuf) == 0 &&
@ -1496,6 +1511,18 @@ int main(int argc, char *argv[])
        goto error;
    }

+    /* check pcr_banks; read from config file if not given */
+    tmp_l = g_strsplit(pcr_banks ? pcr_banks : "", ",", -1);
+    for (i = 0, n = 0; tmp_l[i]; i++) {
+        g_strstrip(tmp_l[i]);
+        n += strlen(tmp_l[i]);
+    }
+    g_strfreev(tmp_l);
+    if (n == 0) {
+        g_free(pcr_banks);
+        pcr_banks = get_default_pcr_banks(config_file);
+    }
+
    if (cipher != NULL) {
        if (strcmp(cipher, "aes-128-cbc") != 0 &&
            strcmp(cipher, "aes-cbc") != 0 &&