From: Lennart Poettering
Date: Tue, 10 Mar 2026 07:07:25 +0000 (+0100)
Subject: pcrlock: deal with firmwares which understand TPM but where no TPM is available
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=96bb950ffa8b606518b104a109ed7f0c1bfb2bce;p=thirdparty%2Fsystemd.git

pcrlock: deal with firmwares which understand TPM but where no TPM is available

This is a potentially common case in VMs: firmwares might know the concept of TPMs, but the hardware is not enabled in the specific VM. Let's handle this case nicely.
---
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 47a6a309ddb..05ea7c47be2 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2899,6 +2899,8 @@ int tpm2_get_best_pcr_bank(
 log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks.");
 } else if (efi_banks == UINT32_MAX)
 log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks.");
+ else if (efi_banks == 0)
+ log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to zero to indicate that TPM support is not available in the firmware. We'll have to guess the used PCR banks.");
 else {
 if (BIT_SET(efi_banks, TPM2_ALG_SHA256))
 *ret = TPM2_ALG_SHA256;
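Review bot: The new `efi_banks == 0` branch in tpm2_get_best_pcr_bank(), and the identical one in tpm2_get_good_pcr_banks(), records only at debug level that the firmware had no TPM, then joins the same bank-guessing path as the other sentinel cases. If the OS can still reach a TPM at this point, any PCR values found later were never extended by the firmware, so a policy bound to them says nothing about the firmware boot path. This is inferred, because the guessing code and the callers are outside both hunks. A comment on the branch would make that explicit, e.g. `/* 0 = firmware reported no TPM: firmware measurements are absent, so guessed banks carry no firmware boot-path evidence */`. The sentinels `0` and `UINT32_MAX` are also compared as bare literals with duplicated messages in both functions, so a shared helper or named constants would keep the two chains from drifting apart.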
@@ -3008,6 +3010,8 @@ int tpm2_get_good_pcr_banks(
 log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks.");
 } else if (efi_banks == UINT32_MAX)
 log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks.");
+ else if (efi_banks == 0)
+ log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to zero to indicate that TPM support is not available in the firmware. We'll have to guess the used PCR banks.");
 else {
 FOREACH_ARRAY(hash, tpm2_hash_algorithms, TPM2_N_HASH_ALGORITHMS) {
 if (!BIT_SET(efi_banks, *hash))