From: Aidan Dang
Date: Tue, 21 Feb 2023 13:02:31 +0000 (+1100)
Subject: Enable TPM by default with SetCredentialEncrypted
X-Git-Tag: v254-rc1~1209
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d59025698f6261aa65ac074a3b46e8babed0d05d;p=thirdparty%2Fsystemd.git
Enable TPM by default with SetCredentialEncrypted
---
diff --git a/src/core/unit.c b/src/core/unit.c
index be7b19877f4..8cd1e0370dd 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4213,14 +4213,21 @@ int unit_patch_contexts(Unit *u) {
 }
 /* If there are encrypted credentials we might need to access the TPM. */
- ExecLoadCredential *cred;
- HASHMAP_FOREACH(cred, ec->load_credentials)
- if (cred->encrypted) {
- r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
- if (r < 0)
- return r;
+ bool allow_tpm = false;
+ ExecLoadCredential *load_cred;
+ ExecSetCredential *set_cred;
+ HASHMAP_FOREACH(load_cred, ec->load_credentials)
+ if ((allow_tpm |= load_cred->encrypted))
 break;
- }
+ HASHMAP_FOREACH(set_cred, ec->set_credentials)
+ if ((allow_tpm |= set_cred->encrypted))
+ break;
+
+ if (allow_tpm) {
+ r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+ if (r < 0)
+ return r;
+ }
 }
 }
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 3499d6160f2..a8d3d2422b9 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -211,7 +211,10 @@ fi
 # Ensure that sandboxing doesn't stop creds from being accessible
 echo "test" > /tmp/testdata
 systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
+# LoadCredentialEncrypted
 systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
+# SetCredentialEncrypted
+systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
 rm /tmp/testdata
 echo OK >/testok
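Review bot: The `allow_tpm` grant in the unit.c hunk opens `/dev/tpmrm0` rw for a unit as soon as any LoadCredentialEncrypted= or SetCredentialEncrypted= entry is marked encrypted, but nothing in the hunk distinguishes a TPM-sealed credential from one encrypted with the host key only, so the device allow is a superset of what decryption may actually need; the comment above the loops should record that, e.g. `/* If there are encrypted credentials we might need to access the TPM; whether a credential is TPM-sealed is not known here, so allow the device whenever any credential is encrypted. */`. The `if ((allow_tpm |= load_cred->encrypted)) break;` form (and its `set_cred` twin) hides a store inside the condition and depends on bool compound assignment; `if (load_cred->encrypted) { allow_tpm = true; break; }` says the same thing plainly and avoids the double-parenthesis convention a reader has to decode. That `ExecSetCredential` carries an `encrypted` field is inferred from the hunk's use of it rather than shown, and unit_patch_contexts begins before and ends after the hunk.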