From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 1 Jun 2021 14:35:13 +0000 (+0200)
Subject: cryptsetup: don't bother waiting for TPM2 devices if we are on EFI and EFI says there... 
X-Git-Tag: v249-rc1~118^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F19774%2Fhead;p=thirdparty%2Fsystemd.git

cryptsetup: don't bother waiting for TPM2 devices if we are on EFI and EFI says there is no TPM2 device

Note that this means EFI-systems with a manually added TPM device won't
be supported automatically, but given that the TPM2 trust model kinda
requires firmware support I doubt it matters supporting this. And in all
other cases it speeds things up a bit.
---

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index ebd59ca68c4..dcaedac53ed 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -17,6 +17,7 @@
 #include "cryptsetup-tpm2.h"
 #include "cryptsetup-util.h"
 #include "device-util.h"
+#include "efi-loader.h"
 #include "escape.h"
 #include "fileio.h"
 #include "fs-util.h"
@@ -1136,6 +1137,10 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 
                         assert(!event);
 
+                        if (is_efi_boot() && !efi_has_tpm2())
+                                return log_notice_errno(SYNTHETIC_ERRNO(EAGAIN),
+                                                        "No TPM2 hardware discovered and EFI bios indicates no support for it either, assuming TPM2-less system, falling back to traditional unocking.");
+
                         r = sd_event_default(&event);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to allocate event loop: %m");