From: Lennart Poettering
Date: Sat, 28 Nov 2020 19:33:53 +0000 (+0100)
Subject: core: add ConditionSecurity=tpm2 support
X-Git-Tag: v248-rc1~586^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bce334a31ce59f63e79192542c0c1313714b663d;p=thirdparty%2Fsystemd.git

core: add ConditionSecurity=tpm2 support
---

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index b7dbbe309ee..2fdc0d58323 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1257,9 +1257,9 @@
 ConditionSecurity= may be used to check whether the given security technology is enabled on the system. Currently, the recognized values are selinux, apparmor, tomoyo,
- ima, smack, audit and
- uefi-secureboot. The test may be negated by prepending an exclamation
- mark.
+ ima, smack, audit,
+ uefi-secureboot and tpm2. The test may be negated by prepending
+ an exclamation mark.
diff --git a/src/shared/condition.c b/src/shared/condition.c
index b2ec690bc3b..41d3a16391f 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -480,6 +480,21 @@ static int condition_test_ac_power(Condition *c, char **env) {
 return (on_ac_power() != 0) == !!r;
 }

+static int has_tpm2(void) {
+ int r;
+
+ /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
+ * class device */
+
+ r = dir_is_empty("/sys/class/tpmrm");
+ if (r == -ENOENT)
+ return false;
+ if (r < 0)
+ return log_debug_errno(r, "Failed to determine whether system has TPM2 support: %m");
+
+ return !r;
+ }
+
 static int condition_test_security(Condition *c, char **env) {
 assert(c);
 assert(c->parameter);
@@ -499,6 +514,8 @@ static int condition_test_security(Condition *c, char **env) {
 return mac_tomoyo_use();
 if (streq(c->parameter, "uefi-secureboot"))
 return is_efi_secure_boot();
+ if (streq(c->parameter, "tpm2"))
+ return has_tpm2();

 return false;
 }
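Review bot: In `has_tpm2()`, a non-empty `/sys/class/tpmrm` only shows that the kernel registered a TPM 2.0 resource-manager device; it does not show that the TPM is reachable from the unit's execution context, since a container or sandbox can see the host's sysfs class directory while `/dev/tpmrm*` is absent or not accessible to it. The function comment should state that scope, e.g. `/* Tests only for kernel-level driver support (a "tpmrm" class device), not for access to the device node or for a working TPM. */`, so that a unit gated on `ConditionSecurity=tpm2` that then opens the device is not surprised. Note also that any error other than ENOENT (say EACCES on a restricted sysfs) returns the negative errno from `log_debug_errno()` rather than a boolean, so the caller presumably has to treat a negative value as "could not tell" rather than "no TPM"; a comment on that line, `/* negative errno: could not determine, not "absent" */`, would make the contract explicit. The new function is complete within the hunk, but `condition_test_security()` continues outside it.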