diff --git a/man/man8/swtpm_setup.conf.pod b/man/man8/swtpm_setup.conf.pod index a5b237b..cb97709 100644 --- a/man/man8/swtpm_setup.conf.pod +++ b/man/man8/swtpm_setup.conf.pod @@ -89,6 +89,12 @@ that will be passed to the invoked program using the --optsfile option described above. If omitted, the invoked program will use the default options file. +=item B (since v0.7) + +This keyword is to be followed by a comma-separated list +of names of PCR banks. The list must not contain any spaces. +Valid PCR bank names are sha1, sha256, sha384, and sha512. + =back =head1 SEE ALSO diff --git a/man/man8/swtpm_setup.pod b/man/man8/swtpm_setup.pod index 1b0ff67..59f98d6 100644 --- a/man/man8/swtpm_setup.pod +++ b/man/man8/swtpm_setup.pod @@ -164,8 +164,12 @@ used for creating the certificates and may be required by that tool. =item B<--pcr-banks > Optional comma-separated list of PCR banks to activate. Providing '-' -allows a user to skip the selection and activates all PCR banks. By default -the sha1 and sha256 banks are activated. +allows a user to skip the selection and activates all PCR banks. +If this option is not provided, the I configuration +file will be consulted for the active_pcr_banks entry. If no such +entry is found then the default set of PCR banks will be activated. +The default set of PCR banks can be determined using the I<--help> +option. =item B<--swtpm_ioctl > diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c index 794fe08..c3bafe9 100644 --- a/src/swtpm_setup/swtpm_setup.c +++ b/src/swtpm_setup/swtpm_setup.c 
@@ -431,6 +431,29 @@ static int tpm2_create_eks_and_certs(unsigned long flags, const gchar *config_fi
                                      user_certsdir);
 }
 
+/* Get the default PCR banks from the config file and if nothing can
+   be found there use the DEFAULT_PCR_BANKS #define.
+ */
+static gchar *get_default_pcr_banks(const gchar *config_file)
+{
+    g_auto(GStrv) config_file_lines = NULL;
+    gchar *pcr_banks;
+    int ret;
+
+    ret = read_file_lines(config_file, &config_file_lines);
+    if (ret != 0)
+        return NULL;
+
+    pcr_banks = get_config_value(config_file_lines, "active_pcr_banks");
+    if (pcr_banks)
+        g_strstrip(pcr_banks);
+    if (pcr_banks == NULL || strlen(pcr_banks) == 0) {
+        g_free(pcr_banks);
+        pcr_banks = g_strdup(DEFAULT_PCR_BANKS);
+    }
+    return pcr_banks;
+}
+
 /* Activate the given list of PCR banks. If pcr_banks is '-' then leave
  * the configuration as-is.
  */
@@ -1419,14 +1442,6 @@ int main(int argc, char *argv[])
     if (!got_srkpass)
         srkpass = g_strdup(DEFAULT_SRK_PASSWORD);
 
-    /* check pcr_banks */
-    tmp_l = g_strsplit(pcr_banks ? pcr_banks : "", ",", -1);
-    for (i = 0, n = 0; tmp_l[i]; i++)
-        n += strlen(tmp_l[i]);
-    g_strfreev(tmp_l);
-    if (n == 0)
-        pcr_banks = g_strdup(DEFAULT_PCR_BANKS);
-
     if (gl_LOGFILE != NULL) {
         FILE *tmpfile;
         if (stat(gl_LOGFILE, &statbuf) == 0 &&
@@ -1496,6 +1511,18 @@ int main(int argc, char *argv[])
         goto error;
     }
 
+    /* check pcr_banks; read from config file if not given */
+    tmp_l = g_strsplit(pcr_banks ? pcr_banks : "", ",", -1);
+    for (i = 0, n = 0; tmp_l[i]; i++) {
+        g_strstrip(tmp_l[i]);
+        n += strlen(tmp_l[i]);
+    }
+    g_strfreev(tmp_l);
+    if (n == 0) {
+        g_free(pcr_banks);
+        pcr_banks = get_default_pcr_banks(config_file);
+    }
+
     if (cipher != NULL) {
         if (strcmp(cipher, "aes-128-cbc") != 0 &&
             strcmp(cipher, "aes-cbc") != 0 &&
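Review bot: get_default_pcr_banks() returns NULL when read_file_lines() fails, although its header comment promises DEFAULT_PCR_BANKS whenever nothing can be found, and the caller in the third hunk (main, around the new line 1511) stores that NULL into pcr_banks without any check, whereas the code removed at line 1419 guaranteed a non-NULL value. Either treat an unreadable config file as "nothing found" with `if (ret != 0) return g_strdup(DEFAULT_PCR_BANKS);`, or keep the NULL and have main bail out right after the call with `if (pcr_banks == NULL) goto error;` (assuming read_file_lines() already reports the failure). The config file is now a second source for which PCR banks get activated; whether the activation routine whose comment follows this function rejects unknown bank names is not visible in the hunk, but the config-sourced value should go through exactly the same validation as the command-line one. The header comment should also state which case yields NULL once that is settled.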
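Review bot: `g_strstrip(tmp_l[i])` in the new loop trims only the throw-away copies returned by g_strsplit(), so the count n ignores whitespace while the pcr_banks string handed on afterwards still carries it; a value such as " sha1, sha256" passes this check unchanged, and the man page change in this same commit says the list must not contain spaces. If whitespace is meant to be tolerated, strip the real string as well, e.g. `if (pcr_banks) g_strstrip(pcr_banks);` before the split; otherwise the per-element strip only misleads and can be dropped. `g_free(pcr_banks)` also assumes pcr_banks is heap-owned, which the removed code at 1419 (assigning over it without a free) does not confirm, so it is worth checking where the option parser assigns it. main() starts and ends outside this hunk.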