test: do not fail TEST-70-TPM2 when secure boot is enabled
authorLuca Boccassi <luca.boccassi@gmail.com>
Mon, 28 Jul 2025 00:55:27 +0000 (01:55 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Mon, 28 Jul 2025 22:11:04 +0000 (23:11 +0100)
[  183.037401] TEST-70-TPM2.sh[2876]: + systemd-creds decrypt --name=pcrlock.arch /tmp/fakexbootldr/loader/credentials/pcrlock.arch.cred
[  183.054755] TEST-70-TPM2.sh[3003]: Found container virtualization none.
[  183.083789] TEST-70-TPM2.sh[3003]: Reading EFI variable /sys/firmware/efi/efivars/LoaderTpm2ActivePcrBanks-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
[  183.094377] TEST-70-TPM2.sh[3003]: Detected slow EFI variable read access on LoaderTpm2ActivePcrBanks-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f: 55.799ms
[  183.095353] TEST-70-TPM2.sh[3003]: Reading EFI variable /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
[  183.099653] TEST-70-TPM2.sh[3003]: Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.

test/units/TEST-70-TPM2.pcrlock.sh

index 38e082bb88617b1df29f0717c59f5fdc80f8ea53..7e546273b39deb777c59b7071c86b2e0285e88e1 100755 (executable)
@@ -156,7 +156,11 @@ test -f "$CREDENTIAL_FILE"
 CREDENTIAL_NAME=${CREDENTIAL_FILE#/tmp/fakexbootldr/loader/credentials/}
 CREDENTIAL_NAME=${CREDENTIAL_NAME%.cred}
 
-systemd-creds decrypt --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
+# If SB is enabled then this will fail as it's not locked but TPM2 is enabled
+if cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1'); then
+    ALLOW_NULL=--allow-null
+fi
+systemd-creds decrypt "${ALLOW_NULL:-}" --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
 ln -s "$CREDENTIAL_FILE" /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
 test -f /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
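Review bot: `"${ALLOW_NULL:-}"` on the new systemd-creds line expands to an empty-string argument when Secure Boot is off, so the non-SB path now passes `""` as an extra positional to `decrypt` instead of nothing, which at best is rejected and at worst is read as the input path. An array keeps the flag truly optional without relying on word-splitting: initialise `ALLOW_NULL=()` before the `if`, set `ALLOW_NULL=(--allow-null)` inside it, and call `systemd-creds decrypt "${ALLOW_NULL[@]}" --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"`. The `cmp` against the SecureBoot efivar also prints an error to stderr when the variable is absent (non-UEFI boot), where falling through to the non-null path is the intended outcome; `2>/dev/null` on that `cmp` keeps the expected case quiet, and a short comment such as `# efivar layout: 4-byte attributes (0x6 = BS|RT) followed by the 1-byte SecureBoot value` would make the magic bytes readable.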