authorLennart Poettering <lennart@poettering.net>2021-02-11 23:12:46 +0100
committerLennart Poettering <lennart@poettering.net>2021-02-11 23:12:46 +0100
commit537c10f937745f379b8397205c0758125ecec606 (patch)
tree80854f01f9a7ba7f07ba28f22c64219fb4e3b2f4 /src/shared
parentb2a220492bc91c2f589381fc11556d9b46586c00 (diff)
condition: if spelunking through /sys/class/tpmrm doesn't work ask EFI if TPM2 exists
This makes ConditionSecurity=tpm2 work reliably during early boot: if Linux doesn't know about the TPM2 then maybe the firmware does.
Diffstat (limited to 'src/shared')
-rw-r--r--src/shared/condition.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 8b00697762..485b3bab39 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -487,6 +487,17 @@ static int has_tpm2(void) {
* class device */
r = dir_is_empty("/sys/class/tpmrm");
+ if (r == 0)
+ return true; /* nice! we have a device */
+
+ /* Hmm, so Linux doesn't know of the TPM2 device (or we couldn't check for it), most likely because
+ * the driver wasn't loaded yet. Let's see if the firmware knows about a TPM2 device, in this
+ * case. This way we can answer the TPM2 question already during early boot (where we most likely
+ * need it) */
+ if (efi_has_tpm2())
+ return true;
+
+ /* OK, this didn't work either, in this case propagate the original errors */
if (r == -ENOENT)
return false;
if (r < 0)
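Review bot: A true result from has_tpm2() no longer means a tpmrm class device exists, but the comment at the top of the hunk ("… class device */") still describes only the sysfs check. With the `efi_has_tpm2()` fallback the function also answers true when only the firmware reports a TPM2 and the kernel driver has not loaded (or never will), so a unit gated on ConditionSecurity=tpm2 must still handle a missing device node and should not treat the condition as proof that TPM-backed operations will succeed. I would extend the leading comment with something like `/* Note: a positive result may come from the firmware alone; the kernel device may not exist (yet) */`. Two smaller points: a non-ENOENT error from dir_is_empty() is dropped without any trace when the firmware check succeeds, so a debug-level log of `r` before the fallback would keep it visible, and `if (efi_has_tpm2())` is only correct if that helper returns a plain boolean rather than a negative errno, which its definition (not in this hunk) should confirm. The body of has_tpm2() starts and ends outside the hunk.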