We simply don't carry any userspace support for TPM1.2 in our tree, and
we shouldn't given it's too weak by today's standards. Hence, if we
check if we are booted in UKI measured boot mode, don't just check if we
are booted in EFI, but also check that we have a TPM2 chip (as opposed
to none or only a TPM1.2 chip).
This is an alternative to #30652 but more comprehensive (and simpler),
since it covers all invocations of efi_measured_uki().
Fixes: #30650
Replaces: #30652
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "alloc-util.h"
+#include "efi-api.h"
#include "efi-loader.h"
#include "env-util.h"
#include "parse-util.h"
if (cached >= 0)
return cached;
- /* Checks if we are booted on a kernel with sd-stub which measured the kernel into PCR 11. Or in
- * other words, if we are running on a TPM enabled UKI.
+ /* Checks if we are booted on a kernel with sd-stub which measured the kernel into PCR 11 on a TPM2
+ * chip. Or in other words, if we are running on a TPM enabled UKI. (TPM 1.2 situations are ignored.)
*
* Returns == 0 and > 0 depending on the result of the test. Returns -EREMOTE if we detected a stub
* being used, but it measured things into a different PCR than we are configured for in
if (r != -ENXIO)
log_debug_errno(r, "Failed to parse $SYSTEMD_FORCE_MEASURE, ignoring: %m");
- if (!is_efi_boot())
+ if (!efi_has_tpm2())
return (cached = 0);
r = efi_get_variable_string(EFI_LOADER_VARIABLE(StubPcrKernelImage), &pcr_string);
projects / thirdparty / systemd.git / commitdiff
