authorAlberto Planas <aplanas@suse.com>2023-01-16 11:16:53 +0100
committerAlberto Planas <aplanas@suse.com>2023-01-16 13:31:17 +0100
commite653a194e490fae7d166f40762c334006d592051 (patch)
tree5284983ce888ed1a8d697f0fe919d077803f37d1 /src/shared/creds-util.c
parent1615578f2792fdeecaf65606861bd3db9eb949c3 (diff)
creds-util: do not try TPM2 if there is not support
During credential encryption, if systemd is compiled with TPM2 support, it will try to use it depending on the key flags passed. The current code only checks whether the system has a functional TPM2 in the case of the INITRD flag. This patch does a similar check in the case that it is outside the initrd (but still automatic). Signed-off-by: Alberto Planas <aplanas@suse.com>
Diffstat (limited to 'src/shared/creds-util.c')
-rw-r--r--src/shared/creds-util.c15
1 files changed, 6 insertions, 9 deletions
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index e60dce8425..ed40b6c19a 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -659,16 +659,13 @@ int encrypt_credential_and_warn(
#if HAVE_TPM2
bool try_tpm2;
if (sd_id128_equal(with_key, _CRED_AUTO)) {
- /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
- * if user picks TPM2 explicitly, let's always honour the request and try. */
+ /* If automatic mode is selected lets see if a TPM2 it is present. If we are running in a
+ * container tpm2_support will detect this, and will return a different flag combination of
+ * TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */
- r = detect_container();
- if (r < 0)
- log_debug_errno(r, "Failed to determine whether we are running in a container, ignoring: %m");
- else if (r > 0)
- log_debug("Running in container, not attempting to use TPM2.");
-
- try_tpm2 = r <= 0;
+ try_tpm2 = tpm2_support() == TPM2_SUPPORT_FULL;
+ if (!try_tpm2)
+ log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2.");
} else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) {
/* If automatic mode for initrds is selected, we'll use the TPM2 key if the firmware does it,
* otherwise we'll use a fixed key */
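Review bot: The new comment above the tpm2_support() call ("will return a different flag combination of TPM2_SUPPORT_FULL") is hard to follow, yet it is the only place explaining why the explicit detect_container() check was dropped, so it should state the contract plainly, e.g. `/* In automatic mode only use TPM2 when tpm2_support() reports full support; it already reports reduced support inside a container, so no separate container check is needed. */`. This also changes behaviour in a way worth recording: the old code still tried TPM2 when detect_container() itself failed, whereas the new equality test presumably routes the automatic case away from TPM2 whenever any support bit is missing, and the single debug message no longer says which one, so a credential that silently ends up without TPM2 binding is harder to diagnose — logging the returned support flags in that message would help. The message text should also read `"System lacks TPM2 support or is running in a container, not attempting to use TPM2."`. The enclosing function encrypt_credential_and_warn() starts and continues outside the hunk.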