From: Lennart Poettering
Date: Mon, 9 Mar 2026 17:51:49 +0000 (+0100)
Subject: tree-wide: relax TPM available checks for many cases
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca03d178a077a7705c58619fcc83fb3b90845fdb;p=thirdparty%2Fsystemd.git
tree-wide: relax TPM available checks for many cases
In many cases it's essential to know if the firmware supports a TPM, but in others we should accept it if the firmware doesn't have TPM support, in particular if we want to run the OS with a software TPM. Hence, add tpm2_is_mostly_supported() as function similar to tpm2_is_fully_supported(), with the only difference that the former doesn't insist on a firmware supported TPM. Then, change a number of users over to this (but not all).
---
diff --git a/src/analyze/analyze-nvpcrs.c b/src/analyze/analyze-nvpcrs.c
index 68e7acb33ac..56b5c9a2049 100644
--- a/src/analyze/analyze-nvpcrs.c
+++ b/src/analyze/analyze-nvpcrs.c
@@ -56,7 +56,7 @@ int verb_nvpcrs(int argc, char *argv[], uintptr_t _data, void *userdata) {
 _cleanup_(table_unrefp) Table *table = NULL;
 int r;
- bool have_tpm2 = tpm2_is_fully_supported();
+ bool have_tpm2 = tpm2_is_mostly_supported();
 if (!have_tpm2)
 log_notice("System lacks full TPM2 support, not showing NvPCR state.");
diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
index f98f4a8d50f..7e3ddde800b 100644
--- a/src/analyze/analyze-pcrs.c
+++ b/src/analyze/analyze-pcrs.c
@@ -101,8 +101,8 @@ int verb_pcrs(int argc, char *argv[], uintptr_t _data, void *userdata) {
 const char *alg = NULL;
 int r;
- if (!tpm2_is_fully_supported())
- log_notice("System lacks full TPM2 support, not showing PCR state.");
+ if (!tpm2_is_mostly_supported())
+ log_notice("System lacks sufficient TPM2 support, not showing PCR state.");
 else {
 r = get_pcr_alg(&alg);
 if (r < 0)
diff --git a/src/pcrextend/pcrextend.c b/src/pcrextend/pcrextend.c
index c319ddd0f88..c0b111a0964 100644
--- a/src/pcrextend/pcrextend.c
+++ b/src/pcrextend/pcrextend.c
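Review bot: The notice on the last context line of the hunk still says `System lacks full TPM2 support`, although the condition on the `+` line now only requires tpm2_is_mostly_supported(), so the message misdescribes what was actually checked; the analyze-pcrs.c hunk in this same commit already reworded its notice to `sufficient`, and the equivalent stale wording (`No complete TPM2 support detected`) is left in place in the pcrextend.c and tpm2-setup.c hunks. Suggest `log_notice("System lacks sufficient TPM2 support, not showing NvPCR state.");` here and matching wording in the two run() hunks. The body of verb_nvpcrs() continues outside the hunk.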
@@ -531,7 +531,7 @@ static int run(int argc, char *argv[]) {
 if (arg_event_type >= 0)
 event = arg_event_type;
- if (arg_graceful && !tpm2_is_fully_supported()) {
+ if (arg_graceful && !tpm2_is_mostly_supported()) {
 log_notice("No complete TPM2 support detected, exiting gracefully.");
 return EXIT_SUCCESS;
 }
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 9c093181c7b..8071629c170 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -894,7 +894,7 @@ int encrypt_credential_and_warn(
 * container tpm2_support will detect this, and will return a different flag combination of
 * TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */
- try_tpm2 = tpm2_is_fully_supported();
+ try_tpm2 = tpm2_is_mostly_supported();
 if (!try_tpm2)
 log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2.");
 } else
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 841f33b8dea..2f5d8632de5 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -496,6 +496,7 @@ typedef enum Tpm2Support {
 /* Combined flags for generic (i.e. not tool-specific) support */
 TPM2_SUPPORT_FULL = TPM2_SUPPORT_API|TPM2_SUPPORT_LIBTSS2_ALL,
+ TPM2_SUPPORT_SOFTWARE = TPM2_SUPPORT_FULL & ~TPM2_SUPPORT_FIRMWARE, /* Same, just without PC firmware support */
 } Tpm2Support;
 Tpm2Support tpm2_support_full(Tpm2Support mask);
@@ -505,6 +506,9 @@ static inline Tpm2Support tpm2_support(void) {
 static inline bool tpm2_is_fully_supported(void) {
 return tpm2_support() == TPM2_SUPPORT_FULL;
 }
+static inline bool tpm2_is_mostly_supported(void) {
+ return (tpm2_support() & TPM2_SUPPORT_SOFTWARE) == TPM2_SUPPORT_SOFTWARE;
+}
 int verb_has_tpm2_generic(bool quiet);
diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index d243f199e99..92a4bfa12a6 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
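Review bot: The comment directly above the changed line in encrypt_credential_and_warn() still explains the decision in terms of `TPM2_SUPPORT_FULL`, but the check now only requires the `TPM2_SUPPORT_SOFTWARE` subset, i.e. a TPM the firmware never reported; the comment should record this, because the practical effect is that credentials may now be encrypted against a software TPM, a weaker trust anchor than a firmware-backed one, and readers of this function should not have to look up the helper to learn that. I would add after the existing comment: `/* Note: tpm2_is_mostly_supported() deliberately does not require firmware TPM support, so a software TPM is enough here. */`. Whether tpm2_support() still clears a flag inside containers cannot be confirmed from this hunk; the log_debug text on the context line assumes it does. encrypt_credential_and_warn() starts before the hunk and continues after it.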
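Review bot: tpm2_is_mostly_supported() is added to tpm2-util.h without any comment, and neither its name nor `TPM2_SUPPORT_SOFTWARE` says what is being relaxed: the mask is TPM2_SUPPORT_FULL with TPM2_SUPPORT_FIRMWARE removed, so the helper returns true even when no firmware-reported TPM exists, and because it masks instead of comparing for equality like tpm2_is_fully_supported() just above it, a fully supported system passes as well. I would put above the new function: `/* Like tpm2_is_fully_supported(), but does not require firmware (PC) TPM support, so a software TPM passes; keep using tpm2_is_fully_supported() where firmware-rooted trust is required. */`. The first hunk of this file has the same gap: the `/* Same, just without PC firmware support */` remark reads as if TPM2_SUPPORT_SOFTWARE flagged a software TPM rather than being FULL minus the firmware bit, so naming it a mask there (`/* Everything in TPM2_SUPPORT_FULL except firmware support */`) would help.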
@@ -516,7 +516,7 @@ static int run(int argc, char *argv[]) {
 if (r <= 0)
 return r;
- if (arg_graceful && !tpm2_is_fully_supported()) {
+ if (arg_graceful && !tpm2_is_mostly_supported()) {
 log_notice("No complete TPM2 support detected, exiting gracefully.");
 return EXIT_SUCCESS;
 }