author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2022-10-27 11:12:10 +0200 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2022-11-01 14:50:47 +0100 |
commit | 300bba79c22e4be1effe2faad0e59ac725d396a1 (patch) | |
tree | c5192a0c6db13c6b790a936628430abd47cf01ea /src/creds/creds.c | |
parent | cd00185881fffd404e04f1b786f51be0aff214f8 (diff) | |
condition: Check that subsystem is enabled in ConditionSecurity=tpm2
Instead of succeeding when either the firmware reports a TPM device
or we find a TPM device, let's check that the firmware reports a TPM
device and the TPM subsystem is enabled in the kernel.
To check whether the subsystem is enabled, we check if the relevant
subdirectory in /sys exists at all.
Diffstat (limited to 'src/creds/creds.c')
-rw-r--r-- | src/creds/creds.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/creds/creds.c b/src/creds/creds.c index 5586fd776a..a755a52c34 100644 --- a/src/creds/creds.c +++ b/src/creds/creds.c @@ -637,10 +637,12 @@ static int verb_has_tpm2(int argc, char **argv, void *userdata) { printf("%sfirmware\n" "%sdriver\n" - "%ssystem\n", + "%ssystem\n" + "%ssubsystem\n", plus_minus(s & TPM2_SUPPORT_FIRMWARE), plus_minus(s & TPM2_SUPPORT_DRIVER), - plus_minus(s & TPM2_SUPPORT_SYSTEM)); + plus_minus(s & TPM2_SUPPORT_SYSTEM), + plus_minus(s & TPM2_SUPPORT_SUBSYSTEM)); } /* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values |
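Review bot: In verb_has_tpm2(), the new "%ssubsystem\n" line adds a fourth flag to the printed output, but the exit status described in the trailing context comment ("Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS") is computed outside this hunk, so it is not visible here whether TPM2_SUPPORT_FULL and the inversion mask now include TPM2_SUPPORT_SUBSYSTEM. Please confirm they do; otherwise the command can print "-subsystem" and still exit 0, and scripts that gate credential sealing on the exit code would treat a TPM without an enabled kernel subsystem as usable. Since both the output format and the meaning of the exit-code bits change for callers, the has-tpm2 documentation should list the new subsystem line and its bit alongside firmware, driver and system.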