authorDaan De Meyer <daan.j.demeyer@gmail.com>2022-10-27 11:12:10 +0200
committerDaan De Meyer <daan.j.demeyer@gmail.com>2022-11-01 14:50:47 +0100
commit300bba79c22e4be1effe2faad0e59ac725d396a1 (patch)
treec5192a0c6db13c6b790a936628430abd47cf01ea /src/creds
parentcd00185881fffd404e04f1b786f51be0aff214f8 (diff)
condition: Check that subsystem is enabled in ConditionSecurity=tpm2
Instead of succeeding when either the firmware reports a TPM device or we find a TPM device, let's check that the firmware reports a TPM device and the TPM subsystem is enabled in the kernel. To check whether the subsystem is enabled, we check if the relevant subdirectory in /sys exists at all.
Diffstat (limited to 'src/creds')
-rw-r--r--src/creds/creds.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/creds/creds.c b/src/creds/creds.c
index 5586fd776a..a755a52c34 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -637,10 +637,12 @@ static int verb_has_tpm2(int argc, char **argv, void *userdata) {
printf("%sfirmware\n"
"%sdriver\n"
- "%ssystem\n",
+ "%ssystem\n"
+ "%ssubsystem\n",
plus_minus(s & TPM2_SUPPORT_FIRMWARE),
plus_minus(s & TPM2_SUPPORT_DRIVER),
- plus_minus(s & TPM2_SUPPORT_SYSTEM));
+ plus_minus(s & TPM2_SUPPORT_SYSTEM),
+ plus_minus(s & TPM2_SUPPORT_SUBSYSTEM));
}
/* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
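Review bot: The exit-status comment that begins on the last context line is left as it was, although the new `TPM2_SUPPORT_SUBSYSTEM` bit adds a fourth component to the flags that get inverted into the return value. The return statement and the definition of `TPM2_SUPPORT_FULL` are outside this hunk, so this is inferred: if the status is still computed from `s` against `TPM2_SUPPORT_FULL`, a missing kernel subsystem now produces an additional non-zero code, and any script that decides whether to bind credentials to the TPM by matching specific exit codes of this verb would misread it. I would add a sentence to that comment such as `A cleared TPM2_SUPPORT_SUBSYSTEM bit means the TPM subsystem directory in /sys is absent`, and re-check any range of return values the comment or the man page states. The body of verb_has_tpm2 starts and ends outside the hunk.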