From 300bba79c22e4be1effe2faad0e59ac725d396a1 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 27 Oct 2022 11:12:10 +0200
Subject: condition: Check that subsystem is enabled in ConditionSecurity=tpm2

Instead of succeeding when either the firmware reports a TPM device or we find a TPM device, let's check that the firmware reports a TPM device and the TPM subsystem is enabled in the kernel. To check whether the subsystem enabled, we check if the relevant subdirectory in /sys exists at all.
---
 src/creds/creds.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/creds')

diff --git a/src/creds/creds.c b/src/creds/creds.c
index 5586fd776a..a755a52c34 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -637,10 +637,12 @@ static int verb_has_tpm2(int argc, char **argv, void *userdata) {
 printf("%sfirmware\n"
 "%sdriver\n"
- "%ssystem\n",
+ "%ssystem\n"
+ "%ssubsystem\n",
 plus_minus(s & TPM2_SUPPORT_FIRMWARE),
 plus_minus(s & TPM2_SUPPORT_DRIVER),
- plus_minus(s & TPM2_SUPPORT_SYSTEM));
+ plus_minus(s & TPM2_SUPPORT_SYSTEM),
+ plus_minus(s & TPM2_SUPPORT_SUBSYSTEM));
 }
 /* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
-- 
cgit v1.2.1
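Review bot: The new `%ssubsystem` line changes the user-visible output of `has-tpm2`, and the exit status derived right after the hunk (`/* Return inverted bit flags ... */`) presumably folds `TPM2_SUPPORT_SUBSYSTEM` into the inverted flags too; that code is outside the hunk, so it is worth confirming that the new bit is part of `TPM2_SUPPORT_FULL` and that the exit-status encoding scripts rely on to gate credential encryption still matches its documentation. Anything that parses the previously three-line report will now see a fourth line, so the man page entry for `has-tpm2` should describe the `subsystem` line and what it reports (per the commit message, whether the TPM subsystem directory exists in /sys). A short comment above the `printf`, such as `/* One line per TPM2_SUPPORT_* bit; keep in sync with the exit-status mapping below and the man page. */`, would help the next person adding a flag keep the three places aligned. verb_has_tpm2 starts and ends outside the hunk.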