From 537c10f937745f379b8397205c0758125ecec606 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 11 Feb 2021 23:12:46 +0100
Subject: [PATCH] condition: if spelunking through /sys/class/tpmrm doesn't work ask EFI if TPM2 exists

This makes ConditionSecurity=tpm2 work reliably during early boot: if Linux doesn't know about the TPM2 then maybe the firmware does.
---
 src/shared/condition.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/shared/condition.c b/src/shared/condition.c
index 8b00697762c..485b3bab39e 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -487,6 +487,17 @@ static int has_tpm2(void) {
 * class device */
 r = dir_is_empty("/sys/class/tpmrm");
+ if (r == 0)
+ return true; /* nice! we have a device */
+
+ /* Hmm, so Linux doesn't know of the TPM2 device (or we couldn't check for it), most likely because
+ * the driver wasn't loaded yet. Let's see if the firmware knows about a TPM2 device, in this
+ * case. This way we can answer the TPM2 question already during early boot (where we most likely
+ * need it) */
+ if (efi_has_tpm2())
+ return true;
+
+ /* OK, this didn't work either, in this case propagate the original errors */
 if (r == -ENOENT)
 return false;
 if (r < 0)
-- 
2.47.3
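Review bot: The firmware fallback runs for every `r != 0`, including a genuine failure of `dir_is_empty()` with an errno other than ENOENT (e.g. EACCES), so a "true" from `efi_has_tpm2()` overrides that error and the added comment "propagate the original errors" only holds when the firmware also says no. If the intent is to ask the firmware only when the kernel simply has no tpmrm class yet, put the error path first: `if (r < 0 && r != -ENOENT) return r; /* couldn't check sysfs — don't let the firmware answer mask a real error */` ahead of the `if (efi_has_tpm2())` line, which also makes the trailing `if (r < 0)` branch redundant. Note that has_tpm2() starts before and continues past this hunk, so what `if (r < 0)` returns is presumed, not visible here. Separately, a true answer derived from the firmware means ConditionSecurity=tpm2 can now pass before `/dev/tpmrm0` exists, so units gated on it that open the device must tolerate its absence, and the ConditionSecurity= documentation should say that firmware knowledge of a TPM2 (not only a kernel-exposed one) satisfies the condition.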