From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 11 Feb 2021 22:10:07 +0000 (+0100)
Subject: efi-loader: add efi_has_tpm2() helper
X-Git-Tag: v248-rc1~151^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d0ddaf587f23f68c9c34bd88b272d63ca098dd0d;p=thirdparty%2Fsystemd.git

efi-loader: add efi_has_tpm2() helper

The helper checks if the UEFI firmware is hooked up to a TPM2 chip. This
is useful to know in trusted boot scenarios, in particular during early
boot in auto-enroll scenarios where we want to know whether TPM2 is
available or not, and the Linux drivers are not loaded yet, and where it
might or not be worth waiting for it.
---

diff --git a/src/shared/efi-loader.c b/src/shared/efi-loader.c
index 20f70da31a8..2aab39c32d5 100644
--- a/src/shared/efi-loader.c
+++ b/src/shared/efi-loader.c
@@ -783,6 +783,29 @@ int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat
         return 0;
 }
 
+bool efi_has_tpm2(void) {
+        static int cache = -1;
+
+        /* Returns whether the system has a TPM2 chip which is known to the EFI firmware. */
+
+        if (cache < 0) {
+
+                /* First, check if we are on an EFI boot at all. */
+                if (!is_efi_boot())
+                        cache = false;
+                else {
+                        /* Then, check if the ACPI table "TPM2" exists, which is the TPM2 event log table, see:
+                         * https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf
+                         * This table exists whenever the firmware is hooked up to TPM2. */
+                        cache = access("/sys/firmware/acpi/tables/TPM2", F_OK) >= 0;
+                        if (!cache && errno != ENOENT)
+                                log_debug_errno(errno, "Unable to test whether /sys/firmware/acpi/tables/TPM2 exists, assuming it doesn't: %m");
+                }
+        }
+
+        return cache;
+}
+
 #endif
 
 bool efi_loader_entry_name_valid(const char *s) {
diff --git a/src/shared/efi-loader.h b/src/shared/efi-loader.h
index 76217947362..bc5769bb6b2 100644
--- a/src/shared/efi-loader.h
+++ b/src/shared/efi-loader.h
@@ -29,6 +29,8 @@ int efi_loader_get_features(uint64_t *ret);
 int efi_loader_get_config_timeout_one_shot(usec_t *ret);
 int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat);
 
+bool efi_has_tpm2(void);
+
 #else
 
 static inline int efi_reboot_to_firmware_supported(void) {
@@ -91,6 +93,10 @@ static inline int efi_loader_update_entry_one_shot_cache(char **cache, struct st
         return -EOPNOTSUPP;
 }
 
+static inline bool efi_has_tpm2(void) {
+        return false;
+}
+
 #endif
 
 bool efi_loader_entry_name_valid(const char *s);