From 3dcb2874e051434127d223d39ada3f87ad0de709 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <patrick@puiterwijk.org>
Date: Thu, 3 Dec 2020 16:41:48 +0000
Subject: [PATCH] Add defaults for policy path and pubkey path

This should send people strongly to use the defaults, so that other
tools can easily determine whether policies are in use and what their
values are.
It still allows overriding them.

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
---
 src/cli.rs  | 23 +++++++++++++++++++++++
 src/main.rs | 11 +++++++----
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/src/cli.rs b/src/cli.rs
index fd87991..d0b8a3d 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -15,6 +15,8 @@ pub(super) struct TPM2Config {
     // PCR IDs can be passed in as comma-separated string or json array
     pub pcr_ids: Option<serde_json::Value>,
     pub pcr_digest: Option<String>,
+    // Whether to use a policy. If this is specified without pubkey path or policy path, they get set to defaults
+    pub use_policy: Option<bool>,
     // Public key (in JSON format) for a wildcard policy that's possibly OR'd with the PCR one
     pub policy_pubkey_path: Option<String>,
     pub policy_ref: Option<String>,
@@ -62,6 +64,10 @@ impl TryFrom<&TPM2Config> for TPMPolicyStep {
     }
 }
 
+pub(crate) const DEFAULT_POLICY_PATH: &str = "/boot/clevis_policy.json";
+pub(crate) const DEFAULT_PUBKEY_PATH: &str = "/boot/clevis_pubkey.json";
+pub(crate) const DEFAULT_POLICY_REF: &str = "";
+
 impl TPM2Config {
     pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm {
         crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
@@ -95,6 +101,23 @@ impl TPM2Config {
         if self.pcr_ids.is_some() && self.pcr_bank.is_none() {
             self.pcr_bank = Some("sha256".to_string());
         }
+        // Make use of the defaults if not specified
+        if self.use_policy.is_some() && self.use_policy.unwrap() {
+            if self.policy_path.is_none() {
+                self.policy_path = Some(DEFAULT_POLICY_PATH.to_string());
+            }
+            if self.policy_pubkey_path.is_none() {
+                self.policy_pubkey_path = Some(DEFAULT_PUBKEY_PATH.to_string());
+            }
+            if self.policy_ref.is_none() {
+                self.policy_ref = Some(DEFAULT_POLICY_REF.to_string());
+            }
+        } else if self.policy_pubkey_path.is_some()
+            || self.policy_path.is_some()
+            || self.policy_ref.is_some()
+        {
+            eprintln!("To use a policy, please specifiy use_policy: true. Not specifying this will be a fatal error in a next release");
+        }
         if (self.policy_pubkey_path.is_some()
             || self.policy_path.is_some()
             || self.policy_ref.is_some())
diff --git a/src/main.rs b/src/main.rs
index 17ef48c..d1aac36 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -413,12 +413,15 @@ This command uses the following configuration properties:
 
   pcr_ids: <string>  PCR list used for policy. If not present, no PCR policy is used
 
-  policy_pubkey_path: <string>  Path to the policy public key for authorized policy decryption
+  use_policy: <bool>  Whether to use a policy
 
-  policy_ref: <string>  Reference to search for in signed policy file
+  policy_ref: <string>  Reference to search for in signed policy file (default: {})
 
-  policy_path: <string>  Path to the policy path to search for decryption policy
-"
+  > For policies, the path is {}, and the public key is at {}
+",
+        cli::DEFAULT_POLICY_REF,
+        cli::DEFAULT_POLICY_PATH,
+        cli::DEFAULT_PUBKEY_PATH,
     );
 
     std::process::exit(2);