From: Luca Boccassi
Date: Mon, 28 Jul 2025 00:55:27 +0000 (+0100)
Subject: test: do not fail TEST-70-TPM2 when secure boot is enabled
X-Git-Tag: v257.8~47
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2a2cbc4927f09944f65a8daff1348914269c95da;p=thirdparty%2Fsystemd.git
test: do not fail TEST-70-TPM2 when secure boot is enabled
[ 183.037401] TEST-70-TPM2.sh[2876]: + systemd-creds decrypt --name=pcrlock.arch /tmp/fakexbootldr/loader/credentials/pcrlock.arch.cred
[ 183.054755] TEST-70-TPM2.sh[3003]: Found container virtualization none.
[ 183.083789] TEST-70-TPM2.sh[3003]: Reading EFI variable /sys/firmware/efi/efivars/LoaderTpm2ActivePcrBanks-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
[ 183.094377] TEST-70-TPM2.sh[3003]: Detected slow EFI variable read access on LoaderTpm2ActivePcrBanks-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f: 55.799ms
[ 183.095353] TEST-70-TPM2.sh[3003]: Reading EFI variable /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
[ 183.099653] TEST-70-TPM2.sh[3003]: Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.
(cherry picked from commit add7a4a9f20467f12d9a791b5907c59e9d223d24)
---
diff --git a/test/units/TEST-70-TPM2.pcrlock.sh b/test/units/TEST-70-TPM2.pcrlock.sh
index 38274991db7..93226e26a48 100755
--- a/test/units/TEST-70-TPM2.pcrlock.sh
+++ b/test/units/TEST-70-TPM2.pcrlock.sh
@@ -155,7 +155,11 @@ test -f "$CREDENTIAL_FILE"
 CREDENTIAL_NAME=${CREDENTIAL_FILE#/tmp/fakexbootldr/loader/credentials/}
 CREDENTIAL_NAME=${CREDENTIAL_NAME%.cred}
-systemd-creds decrypt --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
+# If SB is enabled then this will fail as it's not locked but TPM2 is enabled
+if cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1'); then
+ ALLOW_NULL=--allow-null
+fi
+systemd-creds decrypt "${ALLOW_NULL:-}" --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"
 ln -s "$CREDENTIAL_FILE" /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
 test -f /tmp/fakexbootldr/loader/credentials/"$CREDENTIAL_NAME"
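Review bot: When the `cmp` check does not match (Secure Boot off, or the efivar missing), `ALLOW_NULL` stays unset and the quoted `"${ALLOW_NULL:-}"` on the new `systemd-creds decrypt` line expands to an empty-string argument rather than to nothing. How systemd-creds treats that argument is not visible here; it is presumably taken as a positional argument ahead of `"$CREDENTIAL_FILE"`, which would change what the command reads and writes. Expanding only when the variable is set avoids this: `systemd-creds decrypt ${ALLOW_NULL:+"$ALLOW_NULL"} --name="$CREDENTIAL_NAME" "$CREDENTIAL_FILE"`. The added comment could also state that `--allow-null` is passed because the test credential uses the fixed fallback key (as the log in the commit message shows), so the relaxation is read as test-only. The rest of the script lies outside the hunk, so an earlier assignment of `ALLOW_NULL` cannot be ruled out.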