summaryrefslogtreecommitdiffstats
path: root/src/shared/condition.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2021-02-11 23:12:46 +0100
committerLennart Poettering <lennart@poettering.net>2021-02-11 23:12:46 +0100
commit537c10f937745f379b8397205c0758125ecec606 (patch)
tree80854f01f9a7ba7f07ba28f22c64219fb4e3b2f4 /src/shared/condition.c
parentbootctl: show whether the firmware has TPM2 support (diff)
downloadsystemd-537c10f937745f379b8397205c0758125ecec606.tar.xz
systemd-537c10f937745f379b8397205c0758125ecec606.zip
condition: if spelunking through /sys/class/tpmrm doesn't work ask EFI if TPM2 exists
This makes ConditionSecurity=tpm2 work reliably during early boot: if Linux doesn't know about the TPM2 then maybe the firmware does.
Diffstat (limited to 'src/shared/condition.c')
-rw-r--r--src/shared/condition.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 8b00697762..485b3bab39 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -487,6 +487,17 @@ static int has_tpm2(void) {
* class device */
r = dir_is_empty("/sys/class/tpmrm");
+ if (r == 0)
+ return true; /* nice! we have a device */
+
+ /* Hmm, so Linux doesn't know of the TPM2 device (or we couldn't check for it), most likely because
+ * the driver wasn't loaded yet. Let's see if the firmware knows about a TPM2 device, in this
+ * case. This way we can answer the TPM2 question already during early boot (where we most likely
+ * need it) */
+ if (efi_has_tpm2())
+ return true;
+
+ /* OK, this didn't work either, in this case propagate the original errors */
if (r == -ENOENT)
return false;
if (r < 0)