From df637af4607243a3b314c8d3a60be37d4b81d856 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 23 Mar 2023 18:22:43 +0100
Subject: [PATCH] pid1: allowlist all tpm devices for a unit when encrypted creds are needed

We might be configured to use some ther device than /dev/tpmrm0, hence allow them all by allowlisting the tpm char device class as a whole.
---
 src/core/unit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/unit.c b/src/core/unit.c
index 70f270e8747..a9dffdf2b9e 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4217,7 +4217,7 @@ int unit_patch_contexts(Unit *u) {
 /* If there are encrypted credentials we might need to access the TPM. */
 if (exec_context_has_encrypted_credentials(ec)) {
- r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+ r = cgroup_add_device_allow(cc, "char-tpm", "rw");
 if (r < 0)
 return r;
 }
--
2.47.3
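Review bot: The new `cgroup_add_device_allow(cc, "char-tpm", "rw")` entry widens the device allowlist from a single node to every device in the tpm character class, and it does so for any unit that has encrypted credentials, yet the comment above it still only says the TPM might be needed. I would record the reason and the scope next to the call, e.g. `/* Allowlist the whole "tpm" char class, since the TPM in use may be a device other than /dev/tpmrm0. */`, so that someone auditing a unit with a restrictive device policy can see why it holds read/write access to all TPM nodes. It may also be worth checking whether the condition can be narrowed to credentials that are actually TPM-bound; whether that is knowable at this point cannot be told from the hunk. The body of unit_patch_contexts() starts and ends outside the hunk.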