git.ipfire.org Git - thirdparty/systemd.git/commit

author	Luca Boccassi <luca.boccassi@gmail.com>
	Sat, 5 Jul 2025 22:04:35 +0000 (23:04 +0100)
committer	Luca Boccassi <luca.boccassi@gmail.com>
	Mon, 14 Jul 2025 19:56:22 +0000 (20:56 +0100)
commit	6eab4cd44c3c43698dcfc2c3bc8cd31ed610a812
tree	d0390ef45cefd6e7c1f294cef3ba9f1d6738f737	tree \| snapshot
parent	91200225872225d8ad1e8dc0708fe7f6a3a686df	commit \| diff

boot: add LoaderTpm2ActivePcrBanks runtime variable

It turns out checking sysfs is not 100% reliable to figure out whether
the firmware had TPM2 support enabled or not. For example with EDK2 arm64, the
default upstream build config bundles TPM2 support with SecureBoot support,
so if the latter is disabled, TPM2 is also unavailable. But still, the ACPI
TPM2 table is created just as if it was enabled. So /sys/firmware/acpi/tables/TPM2
exists and looks correct, but there are no measurements, neither the firmware
nor the loader/stub can do them, and /sys/kernel/security/tpm0/binary_bios_measurements
does not exist.

The loader can use the apposite UEFI protocol to check, which is a more
definitive answer. Given userspace can also make use of this information, export
the bitmask with the list of active banks as-is. If it's not 0, then we can be
sure a working TPM2 was available in EFI mode.

Partially fixes https://github.com/systemd/systemd/issues/38071

man/systemd-boot.xml		diff \| blob \| blame \| history
man/systemd-stub.xml		diff \| blob \| blame \| history
src/boot/boot.c		diff \| blob \| blame \| history
src/boot/export-vars.c		diff \| blob \| blame \| history
src/boot/measure.c		diff \| blob \| blame \| history
src/boot/measure.h		diff \| blob \| blame \| history
src/boot/proto/tcg.h		diff \| blob \| blame \| history
src/bootctl/bootctl-status.c		diff \| blob \| blame \| history
src/fundamental/efivars-fundamental.h		diff \| blob \| blame \| history
src/shared/efi-api.c		diff \| blob \| blame \| history