author | Lennart Poettering <lennart@poettering.net> | 2022-04-19 14:47:02 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2022-04-20 16:58:18 +0200 |
commit | 6e0cb81505deb8fd785492f90cdac10388d1858e (patch) | |
tree | fcc1a7ed9515e944ff3a9df830739b7678009bca /src/shared/tpm2-util.h | |
parent | 0ea911d14c738447511b5a807750b356e0758895 (diff) | |
download | systemd-6e0cb81505deb8fd785492f90cdac10388d1858e.tar.gz |
creds-tool: add new "has-tpm2" verb
Sometimes it's useful from shell scripts to check if we have a working
TPM2 chip around. For example, when putting together encrypted
credentials for the initrd (after all: it might be wise to place the
root pw in a credential for the initrd to consume, but do so only if we
can lock it to the TPM2, and not otherwise, so that we risk nothing).
Hence, let's add a new "systemd-creds has-tpm2" verb: it returns zero if we
have a working TPM2 (which means: supported by kernel + firmware + us),
or non-zero otherwise. Also show which parts are available.
Use-case: in future the 'kernel-install' script should use this when
deciding whether to augment kernels with security-sensitive credentials.
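The shell-script use case the commit message describes, as an added example (not code from the systemd commit or project): a small POSIX sh gate that only writes a TPM2-locked root-password credential when `systemd-creds has-tpm2` exits zero. The `SYSTEMD_CREDS` override variable, the `decide_credential`/`make_root_pw_credential` helper names and the placeholder file paths are assumptions made here; `systemd-creds encrypt --with-key=tpm2 --name=… INPUT OUTPUT` is the existing systemd CLI, used as the commit message's rationale suggests.

```shell
#!/bin/sh
# Added example: gate creation of a TPM2-sealed credential on the
# "systemd-creds has-tpm2" verb. Not part of the systemd commit.
set -u

# Command used to probe for TPM2 support. Overridable so the gate can be
# exercised on a machine without systemd-creds (an assumption of this
# example, not a systemd feature).
: "${SYSTEMD_CREDS:=systemd-creds}"

# has_working_tpm2: exit 0 when "systemd-creds has-tpm2" reports a working
# TPM2 (kernel + firmware + systemd), non-zero otherwise. A missing tool is
# treated as "no TPM2" so the conservative branch is taken.
has_working_tpm2() {
    if ! command -v "$SYSTEMD_CREDS" >/dev/null 2>&1; then
        return 1
    fi
    "$SYSTEMD_CREDS" has-tpm2 >/dev/null 2>&1
}

# decide_credential: prints "tpm2" when the secret may be sealed to the TPM2
# and "skip" when it must not be written at all. This mirrors the commit
# message: ship the root password to the initrd only if it can be locked to
# the TPM2, and otherwise do nothing so nothing is risked.
decide_credential() {
    if has_working_tpm2; then
        echo tpm2
    else
        echo skip
    fi
}

# make_root_pw_credential SECRET_FILE OUT_FILE: encrypt the hashed root
# password as a TPM2-only credential, or refuse when no working TPM2 exists.
# The credential name below is illustrative; paths are caller-supplied.
make_root_pw_credential() {
    secret_file="$1"
    out_file="$2"
    case "$(decide_credential)" in
        tpm2)
            "$SYSTEMD_CREDS" encrypt --with-key=tpm2 \
                --name=passwd.hashed-password.root \
                "$secret_file" "$out_file"
            ;;
        skip)
            echo "no working TPM2; refusing to write $out_file" >&2
            return 1
            ;;
    esac
}

# Usage (placeholder paths):
#   make_root_pw_credential /run/root-pw.hash /etc/credstore.encrypted/passwd.hashed-password.root
```

Because `systemd-creds has-tpm2` folds kernel, firmware and userspace support into one exit status, a script only needs the zero/non-zero outcome; the per-component breakdown the verb prints is for a human reading the output, not for the gate.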
Diffstat (limited to 'src/shared/tpm2-util.h')
-rw-r--r-- | src/shared/tpm2-util.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 7a0c47e233..ef19bed4f6 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -91,6 +91,8 @@ typedef struct { } systemd_tpm2_plugin_params; typedef enum Tpm2Support { + /* NOTE! The systemd-creds tool returns these flags 1:1 as exit status. Hence these flags are pretty + * much ABI! Hence, be extra careful when changing/extending these definitions. */ TPM2_SUPPORT_NONE = 0, /* no support */ TPM2_SUPPORT_FIRMWARE = 1 << 0, /* firmware reports TPM2 was used */ TPM2_SUPPORT_DRIVER = 1 << 1, /* the kernel has a driver loaded for it */ |
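Review bot: the new NOTE in the Tpm2Support enum says the flags are returned "1:1 as exit status", but the commit message says "has-tpm2" exits zero when a working TPM2 is present, which cannot both be literally true given TPM2_SUPPORT_NONE = 0 means "no support"; the comment should spell out the actual mapping (for example, whether the exit status is the set of flags that are missing) so a reader of this header does not have to open creds-tool.c to learn what exit code 0 means. Since exit statuses are only 8 bits wide, the same comment should also state that all flag values must stay below 1 << 8, and a static assertion on the highest flag (e.g. `assert_cc(TPM2_SUPPORT_DRIVER < 256)` once the final flag is known) would enforce the ABI promise rather than relying on the note alone.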