tpm2-util: force default TCTI to be "device" with parameter "/dev/tpmrm0"

Apparently some distros default to tss-abmrd. Let's bypass that and
always go to the kernel resource manager.

abmrd cannot really work for us, since we want to access the TPM already
in earliest boot i.e. in environments the abmrd service is not available
in.

Fixes: #25352

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index ba8a23e18cad7efc96df885555c670662d50e13d..b4808691da6258eb48668fd363ac5b7e7e18749a 100644 (file)
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -152,8 +152,19 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) {
         if (r < 0)
                 return log_error_errno(r, "TPM2 support not installed: %m");
 
-        if (!device)
+        if (!device) {
                 device = secure_getenv("SYSTEMD_TPM2_DEVICE");
+                if (device)
+                        /* Setting the env var to an empty string forces tpm2-tss' own device picking
+                         * logic to be used. */
+                        device = empty_to_null(device);
+                else
+                        /* If nothing was specified explicitly, we'll use a hardcoded default: the "device" tcti
+                         * driver and the "/dev/tpmrm0" device. We do this since on some distributions the tpm2-abrmd
+                         * might be used and we really don't want that, since it is a system service and that creates
+                         * various ordering issues/deadlocks during early boot. */
+                        device = "device:/dev/tpmrm0";
+        }
 
         if (device) {
                 const char *param, *driver, *fn;