Add defaults for policy path and pubkey path
This should send people strongly to use the defaults, so that other tools can easily determine whether policies are in use and what their values are. It still allows overriding them. Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
parent
9f19dfa344
commit
3dcb2874e0
2 changed files with 30 additions and 4 deletions
23
src/cli.rs
23
src/cli.rs
|
@ -15,6 +15,8 @@ pub(super) struct TPM2Config {
|
|||
// PCR IDs can be passed in as comma-separated string or json array
|
||||
pub pcr_ids: Option<serde_json::Value>,
|
||||
pub pcr_digest: Option<String>,
|
||||
// Whether to use a policy. If this is specified without pubkey path or policy path, they get set to defaults
|
||||
pub use_policy: Option<bool>,
|
||||
// Public key (in JSON format) for a wildcard policy that's possibly OR'd with the PCR one
|
||||
pub policy_pubkey_path: Option<String>,
|
||||
pub policy_ref: Option<String>,
|
||||
|
@ -62,6 +64,10 @@ impl TryFrom<&TPM2Config> for TPMPolicyStep {
|
|||
}
|
||||
}
|
||||
|
||||
pub(crate) const DEFAULT_POLICY_PATH: &str = "/boot/clevis_policy.json";
|
||||
pub(crate) const DEFAULT_PUBKEY_PATH: &str = "/boot/clevis_pubkey.json";
|
||||
pub(crate) const DEFAULT_POLICY_REF: &str = "";
|
||||
|
||||
impl TPM2Config {
|
||||
pub(super) fn get_pcr_hash_alg(&self) -> tss_esapi::constants::algorithm::HashingAlgorithm {
|
||||
crate::utils::get_pcr_hash_alg_from_name(self.pcr_bank.as_ref())
|
||||
|
@ -95,6 +101,23 @@ impl TPM2Config {
|
|||
if self.pcr_ids.is_some() && self.pcr_bank.is_none() {
|
||||
self.pcr_bank = Some("sha256".to_string());
|
||||
}
|
||||
// Make use of the defaults if not specified
|
||||
if self.use_policy.is_some() && self.use_policy.unwrap() {
|
||||
if self.policy_path.is_none() {
|
||||
self.policy_path = Some(DEFAULT_POLICY_PATH.to_string());
|
||||
}
|
||||
if self.policy_pubkey_path.is_none() {
|
||||
self.policy_pubkey_path = Some(DEFAULT_PUBKEY_PATH.to_string());
|
||||
}
|
||||
if self.policy_ref.is_none() {
|
||||
self.policy_ref = Some(DEFAULT_POLICY_REF.to_string());
|
||||
}
|
||||
} else if self.policy_pubkey_path.is_some()
|
||||
|| self.policy_path.is_some()
|
||||
|| self.policy_ref.is_some()
|
||||
{
|
||||
eprintln!("To use a policy, please specifiy use_policy: true. Not specifying this will be a fatal error in a next release");
|
||||
}
|
||||
if (self.policy_pubkey_path.is_some()
|
||||
|| self.policy_path.is_some()
|
||||
|| self.policy_ref.is_some())
|
||||
|
|
11
src/main.rs
11
src/main.rs
|
@ -413,12 +413,15 @@ This command uses the following configuration properties:
|
|||
|
||||
pcr_ids: <string> PCR list used for policy. If not present, no PCR policy is used
|
||||
|
||||
policy_pubkey_path: <string> Path to the policy public key for authorized policy decryption
|
||||
use_policy: <bool> Whether to use a policy
|
||||
|
||||
policy_ref: <string> Reference to search for in signed policy file
|
||||
policy_ref: <string> Reference to search for in signed policy file (default: {})
|
||||
|
||||
policy_path: <string> Path to the policy path to search for decryption policy
|
||||
"
|
||||
> For policies, the path is {}, and the public key is at {}
|
||||
",
|
||||
cli::DEFAULT_POLICY_REF,
|
||||
cli::DEFAULT_POLICY_PATH,
|
||||
cli::DEFAULT_PUBKEY_PATH,
|
||||
);
|
||||
|
||||
std::process::exit(2);
|
||||
|
|
Loading…
Reference in a new issue