tree-wide: relax TPM available checks for many cases

In many cases it's essential to know if the firmware supports a TPM, but
in others we should accept it if the firmware doesn't have TPM support,
in particular if we want to run the OS with a software TPM.

Hence, add tpm2_is_mostly_supported() as function similar to
tpm2_is_fully_supported(), with the only difference that the former
doesn't insist on a firmware supported TPM. Then, change a number of
users over to this (but not all).

diff --git a/src/analyze/analyze-nvpcrs.c b/src/analyze/analyze-nvpcrs.c
index 68e7acb33ac3e60bcbc4f9b2ff36879ae15e9069..56b5c9a20494574335f0675e9d92d1d4d1569c6c 100644 (file)
--- a/src/analyze/analyze-nvpcrs.c
+++ b/src/analyze/analyze-nvpcrs.c
@@ -56,7 +56,7 @@ int verb_nvpcrs(int argc, char *argv[], uintptr_t _data, void *userdata) {
         _cleanup_(table_unrefp) Table *table = NULL;
         int r;
 
-        bool have_tpm2 = tpm2_is_fully_supported();
+        bool have_tpm2 = tpm2_is_mostly_supported();
 
         if (!have_tpm2)
                 log_notice("System lacks full TPM2 support, not showing NvPCR state.");

diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
index f98f4a8d50fe925acbc980968145d46c83b74d17..7e3ddde800bc22d15fef48469239220efffcb45a 100644 (file)
--- a/src/analyze/analyze-pcrs.c
+++ b/src/analyze/analyze-pcrs.c
@@ -101,8 +101,8 @@ int verb_pcrs(int argc, char *argv[], uintptr_t _data, void *userdata) {
         const char *alg = NULL;
         int r;
 
-        if (!tpm2_is_fully_supported())
-                log_notice("System lacks full TPM2 support, not showing PCR state.");
+        if (!tpm2_is_mostly_supported())
+                log_notice("System lacks sufficient TPM2 support, not showing PCR state.");
         else {
                 r = get_pcr_alg(&alg);
                 if (r < 0)

diff --git a/src/pcrextend/pcrextend.c b/src/pcrextend/pcrextend.c
index c319ddd0f8847f5235d59ff538ab62f675fd27fa..c0b111a0964e6796ce3de48881c4363c9bed800d 100644 (file)
--- a/src/pcrextend/pcrextend.c
+++ b/src/pcrextend/pcrextend.c
@@ -531,7 +531,7 @@ static int run(int argc, char *argv[]) {
         if (arg_event_type >= 0)
                 event = arg_event_type;
 
-        if (arg_graceful && !tpm2_is_fully_supported()) {
+        if (arg_graceful && !tpm2_is_mostly_supported()) {
                 log_notice("No complete TPM2 support detected, exiting gracefully.");
                 return EXIT_SUCCESS;
         }

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 9c093181c7b3347658eea86708c929ed4c7903b5..8071629c170868d872e2c982da6d86c7b1449436 100644 (file)
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -894,7 +894,7 @@ int encrypt_credential_and_warn(
                  * container tpm2_support will detect this, and will return a different flag combination of
                  * TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */
 
-                try_tpm2 = tpm2_is_fully_supported();
+                try_tpm2 = tpm2_is_mostly_supported();
                 if (!try_tpm2)
                         log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2.");
         } else

diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 841f33b8deaa3a88624bdf513686b52e8de34f69..2f5d8632de5d298364c369c0b25bb96db844f83d 100644 (file)
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -496,6 +496,7 @@ typedef enum Tpm2Support {
 
         /* Combined flags for generic (i.e. not tool-specific) support */
         TPM2_SUPPORT_FULL         = TPM2_SUPPORT_API|TPM2_SUPPORT_LIBTSS2_ALL,
+        TPM2_SUPPORT_SOFTWARE     = TPM2_SUPPORT_FULL & ~TPM2_SUPPORT_FIRMWARE, /* Same, just without PC firmware support */
 } Tpm2Support;
 
 Tpm2Support tpm2_support_full(Tpm2Support mask);
@@ -505,6 +506,9 @@ static inline Tpm2Support tpm2_support(void) {
 static inline bool tpm2_is_fully_supported(void) {
         return tpm2_support() == TPM2_SUPPORT_FULL;
 }
+static inline bool tpm2_is_mostly_supported(void) {
+        return (tpm2_support() & TPM2_SUPPORT_SOFTWARE) == TPM2_SUPPORT_SOFTWARE;
+}
 
 int verb_has_tpm2_generic(bool quiet);
 

diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index d243f199e99b287ec480eaa544ba62337be425b2..92a4bfa12a615e59932bec2fd12e09f31c761dd1 100644 (file)
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -516,7 +516,7 @@ static int run(int argc, char *argv[]) {
         if (r <= 0)
                 return r;
 
-        if (arg_graceful && !tpm2_is_fully_supported()) {
+        if (arg_graceful && !tpm2_is_mostly_supported()) {
                 log_notice("No complete TPM2 support detected, exiting gracefully.");
                 return EXIT_SUCCESS;
         }