authorLennart Poettering <lennart@poettering.net>2022-04-14 15:37:54 +0200
committerLennart Poettering <lennart@poettering.net>2022-04-20 17:49:16 +0200
commit571d829ee49147c588e53a1f107c29fd23968581 (patch)
tree318a3e9bce65e03f68d632f30a04f0128b7d0647 /src/shared/creds-util.h
parentcreds-util: refuse unexpected key types explicitly (diff)
creds-util: add an explicit 128bit ID for identifying "automatic" key determination
Previously, when encrypting creds you could pick which key to use for this via a 128bit ID identifying the key type, and use an all zero ID for requesting automatic mode. Let's change this to use an explicitly picked 128bit ID for automatic mode, i.e. something other than all zeros. This is in preparation for adding one further automatic mode with slightly different semantics. No change in behaviour. Note that the new 128bit ID is never written to disk but only used internally to indicate a specific case.
Diffstat (limited to '')
-rw-r--r--src/shared/creds-util.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/shared/creds-util.h b/src/shared/creds-util.h
index caf632de6e..7f0ce421ad 100644
--- a/src/shared/creds-util.h
+++ b/src/shared/creds-util.h
@@ -43,5 +43,10 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
#define CRED_AES256_GCM_BY_TPM2_HMAC SD_ID128_MAKE(0c,7c,c0,7b,11,76,45,91,9c,4b,0b,ea,08,bc,20,fe)
#define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC SD_ID128_MAKE(93,a8,94,09,48,74,44,90,90,ca,f2,fc,93,ca,b5,53)
+/* Special ID to pick automatic mode (i.e. tpm2+host if TPM2 exists, only host otherwise). This ID will never
+ * be stored on disk, but is useful only internally while figuring out what precisely to write to disk. To
+ * mark that this isn't a "real" type, we'll prefix it with an underscore. */
+#define _CRED_AUTO SD_ID128_MAKE(a2,19,cb,07,85,b2,4c,04,b1,6d,18,ca,b9,d2,ee,01)
+
int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size);
int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size);
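Review bot: The comment above `_CRED_AUTO` states that the ID is never stored on disk, but nothing in this header ties that promise to the two prototypes that follow, and the enforcing code lives in creds-util.c, outside this hunk. Since the value is now a non-zero ID that looks like any real key type, it would help to spell the contract out in the comment, e.g. `Only valid as the with_key argument of encrypt_credential_and_warn(); it must be resolved to a concrete CRED_AES256_GCM_BY_* ID before the header is serialised, and decrypt_credential_and_warn() must refuse it if it ever appears in input.` Presumably the parent commit's explicit rejection of unexpected key types already covers the decrypt side, but that is worth confirming, ideally with a test that feeds a blob carrying this ID. It is also not visible here whether callers that still pass the all-zero ID keep getting automatic mode.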