From 1ee6570843fec3e7a6a6911777c359b0547848ca Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 19 Sep 2024 05:25:48 +0900
Subject: [PATCH] tpm2-util: do not load tpm2 libraries when not interested in the existence of the libraries

For example, 'bootctl status' only interested in if the efi has TPM2 support and a TPM2 driver is loaded. Hence, not necessary to load libtss2.
---
 src/boot/bootctl-status.c | 3 +--
 src/shared/condition.c | 2 +-
 src/shared/tpm2-util.c | 16 +++++++++-------
 src/shared/tpm2-util.h | 5 ++++-
 4 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/boot/bootctl-status.c b/src/boot/bootctl-status.c
index 58c6527ab81..61d76dd6795 100644
--- a/src/boot/bootctl-status.c
+++ b/src/boot/bootctl-status.c
@@ -411,7 +411,6 @@ int verb_status(int argc, char *argv[], void *userdata) {
 _cleanup_free_ char *fw_type = NULL, *fw_info = NULL, *loader = NULL, *loader_path = NULL, *stub = NULL, *stub_path = NULL, *current_entry = NULL, *oneshot_entry = NULL, *default_entry = NULL;
 uint64_t loader_features = 0, stub_features = 0;
- Tpm2Support s;
 int have;

 (void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderFirmwareType), &fw_type);
@@ -440,7 +439,7 @@ int verb_status(int argc, char *argv[], void *userdata) {
 else
 printf("\n");

- s = tpm2_support();
+ Tpm2Support s = tpm2_support_full(TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER);
 printf(" TPM2 Support: %s%s%s\n",
 FLAGS_SET(s, TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER) ? ansi_highlight_green() :
 (s & (TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER)) != 0 ? ansi_highlight_red() : ansi_highlight_yellow(),
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 2e231dfdff5..da5c6f6309c 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
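Review bot: With the mask `TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER`, `tpm2_support_full()` (per the tpm2-util.c hunk) clears every bit outside the mask before returning, so any later test of `s` in verb_status against TPM2_SUPPORT_SYSTEM, TPM2_SUPPORT_SUBSYSTEM or TPM2_SUPPORT_LIBRARIES would now be silently false. The printf arguments visible in this hunk only use the two requested bits, but verb_status continues past the hunk and the remaining uses of `s` should be checked for that. A one-line comment on the new declaration would make the narrowed contract explicit: `/* Only firmware and driver state are probed here; other Tpm2Support bits are never set in 's'. */`.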
@@ -667,7 +667,7 @@ static int has_tpm2(void) {
 *
 * Note that we don't check if we ourselves are built with TPM2 support here! */
- return FLAGS_SET(tpm2_support(), TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE);
+ return FLAGS_SET(tpm2_support_full(TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE), TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE);
 }

 static int condition_test_security(Condition *c, char **env) {
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 38e4da40127..9f5618c1626 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -7872,11 +7872,11 @@ int tpm2_sym_mode_from_string(const char *mode) {
 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown symmetric mode name '%s'", mode);
 }

-Tpm2Support tpm2_support(void) {
+Tpm2Support tpm2_support_full(Tpm2Support mask) {
 Tpm2Support support = TPM2_SUPPORT_NONE;
 int r;

- if (detect_container() <= 0) {
+ if (((mask & (TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_DRIVER)) != 0) && detect_container() <= 0) {
 /* Check if there's a /dev/tpmrm* device via sysfs. If we run in a container we likely just
 * got the host sysfs mounted. Since devices are generally not virtualized for containers,
 * let's assume containers never have a TPM, at least for now. */
@@ -7893,18 +7893,20 @@ Tpm2Support tpm2_support(void) {
 support |= TPM2_SUPPORT_SUBSYSTEM;
 }

- if (efi_has_tpm2())
+ if (FLAGS_SET(mask, TPM2_SUPPORT_FIRMWARE) && efi_has_tpm2())
 support |= TPM2_SUPPORT_FIRMWARE;

 #if HAVE_TPM2
 support |= TPM2_SUPPORT_SYSTEM;

- r = dlopen_tpm2();
- if (r >= 0)
- support |= TPM2_SUPPORT_LIBRARIES;
+ if (FLAGS_SET(mask, TPM2_SUPPORT_LIBRARIES)) {
+ r = dlopen_tpm2();
+ if (r >= 0)
+ support |= TPM2_SUPPORT_LIBRARIES;
+ }
 #endif

- return support;
+ return support & mask;
 }

 int verb_has_tpm2_generic(bool quiet) {
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index e25c0661941..06836976181 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
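Review bot: The flag set `TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE` is spelled twice on the new return line of has_tpm2(), once as the probe mask and once as the FLAGS_SET operand, so the two can drift apart if either is edited later. A local removes the repetition and keeps the line readable: `const Tpm2Support mask = TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE;` followed by `return FLAGS_SET(tpm2_support_full(mask), mask);`. The comment visible above the change still holds, since neither the system nor the library bit is requested. has_tpm2() begins before this hunk.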
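Review bot: The new gate `((mask & (TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_DRIVER)) != 0)` in the first tpm2-util.c hunk carries a redundant outer pair of parentheses, and since the rest of the function uses FLAGS_SET (all bits) a reader may wonder why the any-bit form is used here. I would write it as `if ((mask & (TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_DRIVER)) != 0 && detect_container() <= 0) {` with a comment above it such as `/* Either bit requested: both are derived from the sysfs check below, so run it once. */` — the tail of this block in the next hunk sets TPM2_SUPPORT_SUBSYSTEM, and the driver bit is presumably set in the lines between the hunks; confirm before keeping that wording. The body of tpm2_support_full() continues in the next hunk.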
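Review bot: In the second tpm2-util.c hunk `r` is now assigned only inside the new `FLAGS_SET(mask, TPM2_SUPPORT_LIBRARIES)` block, yet it is still declared at the top of the function (`int r;` in the previous hunk), where it stays unused whenever HAVE_TPM2 is off. Declaring it at first use, `int r = dlopen_tpm2();`, and dropping the top-level declaration keeps the variable scoped to the only code that reads it. The masked return also deserves a short comment, because `return support & mask;` clears TPM2_SUPPORT_SYSTEM unless it was requested even though the line above computes it unconditionally: `/* Bits not requested in 'mask' are never reported, even when they were cheap to determine. */`.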
@@ -461,7 +461,10 @@ typedef enum Tpm2Support {
 TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM|TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_LIBRARIES,
 } Tpm2Support;

-Tpm2Support tpm2_support(void);
+Tpm2Support tpm2_support_full(Tpm2Support mask);
+static inline Tpm2Support tpm2_support(void) {
+ return tpm2_support_full(TPM2_SUPPORT_FULL);
+}
 static inline bool tpm2_is_fully_supported(void) {
 return tpm2_support() == TPM2_SUPPORT_FULL;
 }
-- 
2.47.3
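Review bot: The new `tpm2_support_full()` prototype has no comment describing the mask contract, and the two properties callers must know are not visible from the signature: probes for bits absent from the mask are skipped (in particular libtss2 is not dlopen()ed unless TPM2_SUPPORT_LIBRARIES is requested, which is the point of the commit) and bits absent from the mask are never set in the result. Suggest above the prototype: `/* Probes only the Tpm2Support bits present in 'mask' (skipping the sysfs, EFI or library check for the rest)` / ` * and returns the result restricted to 'mask'. Use tpm2_support() for the unrestricted probe. */`. The inline tpm2_support() wrapper keeps the previous behaviour since it passes TPM2_SUPPORT_FULL.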