author | Lennart Poettering <lennart@poettering.net> | 2021-02-11 23:12:46 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-02-11 23:12:46 +0100 |
commit | 537c10f937745f379b8397205c0758125ecec606 (patch) | |
tree | 80854f01f9a7ba7f07ba28f22c64219fb4e3b2f4 /src/shared/condition.c | |
parent | bootctl: show whether the firmware has TPM2 support (diff) | |
condition: if spelunking through /sys/class/tpmrm doesn't work ask EFI if TPM2 exists
This makes ConditionSecurity=tpm2 work reliably during early boot: if
Linux doesn't know about the TPM2 then maybe the firmware does.
Diffstat (limited to 'src/shared/condition.c')
-rw-r--r-- | src/shared/condition.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/shared/condition.c b/src/shared/condition.c index 8b00697762..485b3bab39 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c @@ -487,6 +487,17 @@ static int has_tpm2(void) { * class device */ r = dir_is_empty("/sys/class/tpmrm"); + if (r == 0) + return true; /* nice! we have a device */ + + /* Hmm, so Linux doesn't know of the TPM2 device (or we couldn't check for it), most likely because + * the driver wasn't loaded yet. Let's see if the firmware knows about a TPM2 device, in this + * case. This way we can answer the TPM2 question already during early boot (where we most likely + * need it) */ + if (efi_has_tpm2()) + return true; + + /* OK, this didn't work either, in this case propagate the original errors */ if (r == -ENOENT) return false; if (r < 0) |
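Review bot: The new `if (efi_has_tpm2()) return true;` branch changes what a true result from has_tpm2() means: it can now be returned while /sys/class/tpmrm is missing or empty, so a unit gated on ConditionSecurity=tpm2 may start before any TPM device node is usable. That matches the intent in the commit message, but it should be spelled out in the function comment and in the ConditionSecurity= documentation (if not already done outside this file), so consumers know to wait for or probe the device themselves rather than treating the condition as proof that the kernel driver is ready. Separately, in the same branch a negative r other than -ENOENT from dir_is_empty() is silently discarded whenever the firmware answers yes; logging r at debug level before the EFI check would keep that failure diagnosable.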