<listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
security technology is enabled on the system. Currently, the recognized values are
<literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
- <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal> and
- <literal>uefi-secureboot</literal>. The test may be negated by prepending an exclamation
- mark.</para>
+ <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
+ <literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
+ an exclamation mark.</para>
</listitem>
</varlistentry>
return (on_ac_power() != 0) == !!r;
}
+static int has_tpm2(void) {
+ int r;
+
+ /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
+ * class device */
+
+ r = dir_is_empty("/sys/class/tpmrm");
+ if (r == -ENOENT)
+ return false;
+ if (r < 0)
+ return log_debug_errno(r, "Failed to determine whether system has TPM2 support: %m");
+
+ return !r;
+}
+
static int condition_test_security(Condition *c, char **env) {
assert(c);
assert(c->parameter);
return mac_tomoyo_use();
if (streq(c->parameter, "uefi-secureboot"))
return is_efi_secure_boot();
+ if (streq(c->parameter, "tpm2"))
+ return has_tpm2();
return false;
}
projects / thirdparty / systemd.git / commitdiff
