From: Lennart Poettering Date: Thu, 11 Feb 2021 22:12:46 +0000 (+0100) Subject: condition: if spelunking through /sys/class/tpmrm doesn't work ask EFI if TPM2 exists X-Git-Tag: v248-rc1~151^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F18558%2Fhead;p=thirdparty%2Fsystemd.git condition: if spelunking through /sys/class/tpmrm doesn't work ask EFI if TPM2 exists This makes ConditionSecurity=tpm2 work reliably during early boot: if Linux doesn't know about the TPM2 then maybe the firmware does. --- diff --git a/src/shared/condition.c b/src/shared/condition.c index 8b00697762c..485b3bab39e 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c @@ -487,6 +487,17 @@ static int has_tpm2(void) { * class device */ r = dir_is_empty("/sys/class/tpmrm"); + if (r == 0) + return true; /* nice! we have a device */ + + /* Hmm, so Linux doesn't know of the TPM2 device (or we couldn't check for it), most likely because + * the driver wasn't loaded yet. Let's see if the firmware knows about a TPM2 device, in this + * case. This way we can answer the TPM2 question already during early boot (where we most likely + * need it) */ + if (efi_has_tpm2()) + return true; + + /* OK, this didn't work either, in this case propagate the original errors */ if (r == -ENOENT) return false; if (r < 0)
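Review bot: the firmware fallback is reached not only on error but also when `dir_is_empty("/sys/class/tpmrm")` returns a positive value, i.e. the kernel explicitly reports the tpmrm class with no devices in it, so `efi_has_tpm2()` overrides the kernel's answer in that case too, and ConditionSecurity=tpm2 will hold on a system whose firmware reports a TPM2 that Linux cannot actually drive (driver blacklisted, device disabled at runtime). The in-hunk comment only describes the "driver wasn't loaded yet" case; if the positive-`r` behaviour is intended, say so there, e.g. "/* Also consult the firmware when the kernel knows the class but lists no device */", and the ConditionSecurity= documentation should mention that early-boot evaluation may rely on the firmware's view rather than on a usable /dev/tpmrm* device. Also worth confirming that `efi_has_tpm2()` is a cheap no-op on non-EFI boots, since this path is now taken on every condition check whenever no device is present.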