From caebda361e59e69898c2f2f7f757165a825ec4a3 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 26 May 2024 04:29:00 +0900
Subject: [PATCH 1/3] cryptsetup: use TPM2_FLAGS_USE_PCRLOCK at one more place
Follow-up for 404aea7815595c1324947ed7f2a7502b17d3cc01.
---
 src/shared/cryptsetup-tpm2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c
index 335bb2eb890..bfd7d3ab092 100644
--- a/src/shared/cryptsetup-tpm2.c
+++ b/src/shared/cryptsetup-tpm2.c
@@ -199,7 +199,7 @@ int acquire_tpm2_key(
 pubkey_pcr_mask,
 signature_json,
 b64_salted_pin,
- pcrlock_path ? &pcrlock_policy : NULL,
+ FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL,
 primary_alg,
 &blob,
 policy_hash,
From 16f51e2909be4714496a1bf5173489c9a7e43efb Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 26 May 2024 04:42:16 +0900
Subject: [PATCH 2/3] cryptenroll: do not pass an empty pcrlock policy
Otherwise, tpm2_uneal() -> tpm2_build_sealing_policy() -> tpm2_deserialize() will trigger assertion. Prompted by #33017.
---
 src/cryptenroll/cryptenroll-tpm2.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 4e5d02a97e7..10bd8d77237 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -342,6 +342,8 @@ int enroll_tpm2(struct crypt_device *cd,
 r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy);
 if (r < 0)
 return r;
+ if (r == 0)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Couldn't find pcrlock policy %s.", pcrlock_path);
 any_pcr_value_specified = true;
 flags |= TPM2_FLAGS_USE_PCRLOCK;
From 41d45bd96c2fd37184884a4f0a0ba1965c8a3661 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sun, 26 May 2024 04:45:55 +0900
Subject: [PATCH 3/3] cryptenroll: upgrade log level of critical failure
---
 src/cryptenroll/cryptenroll-tpm2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
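Review bot: The new ternary keys the pcrlock policy argument on TPM2_FLAGS_USE_PCRLOCK, but whether `pcrlock_policy` was actually populated is decided earlier in acquire_tpm2_key, outside this hunk, and the hunk does not show that load being gated on the same condition. If the load is still keyed on `pcrlock_path` (as the removed line was), a caller whose `flags` carry TPM2_FLAGS_USE_PCRLOCK without a loadable policy would hand a zero-initialized `pcrlock_policy` to the unseal path, which is the tpm2_deserialize() assertion the second patch in this series guards against on the enrollment side. The load and this argument should share one condition, and a not-found result from the load should be a hard error there too, e.g. `if (r == 0) return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Couldn't find pcrlock policy %s.", pcrlock_path);` mirroring the enroll side. acquire_tpm2_key's body starts and ends outside the hunk.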
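Review bot: The added `r == 0` guard is the right fail-closed choice, but its reason lives only in the commit message; a one-line comment above the new `if` would keep a later cleanup from relaxing it, e.g. `/* A missing policy must not be passed on as an empty one: tpm2_deserialize() asserts on it. */`. The guard relies on tpm2_pcrlock_policy_load() returning 0 for a missing policy, which the hunk does not show, so that contract is worth confirming. The same not-found handling is needed where acquire_tpm2_key in src/shared/cryptsetup-tpm2.c loads the policy (first patch of this series), otherwise the unseal path can still reach the assertion. enroll_tpm2's body continues outside the hunk.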
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index 10bd8d77237..1ee3525a817 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -329,7 +329,7 @@ int enroll_tpm2(struct crypt_device *cd,
 r = tpm2_load_pcr_signature(signature_path, &signature_json);
 if (r < 0)
- return log_debug_errno(r, "Failed to read TPM PCR signature: %m");
+ return log_error_errno(r, "Failed to read TPM PCR signature: %m");
 }
 }
 } else
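Review bot: The upgraded message still does not say which file failed, so an operator sees only "Failed to read TPM PCR signature" while the pcrlock error added to the same function by the previous patch names its path; since `signature_path` is the argument of the call right above, `return log_error_errno(r, "Failed to read TPM PCR signature '%s': %m", signature_path);` would make the two diagnostics consistent. The closing braces show that enclosing blocks end here, but enroll_tpm2 itself starts and ends outside the hunk.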