Merge pull request #17836 from poettering/tpm2-condition

Add ConditionSecurity=tpm2
2020-12-03 20:13:45 +01:00 · 2020-12-03 20:13:45 +01:00 · e267d76f73
parent 6dd16814a5 699c0f2d30
commit e267d76f73
3 changed files with 20 additions and 5 deletions
--- a/2
+++ b/2
@ -113,8 +113,6 @@ Features:
 * systemd-firstboot: make sure to always use chase_symlinks() before
  reading/writing files

-* add ConditionSecurity=tpm2
-
 * Remove any support for booting without /usr pre-mounted in the initrd entirely.
  Update INITRD_INTERFACE.md accordingly.

--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@ -1257,9 +1257,9 @@
          <listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
          security technology is enabled on the system. Currently, the recognized values are
          <literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
-          <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal> and
-          <literal>uefi-secureboot</literal>. The test may be negated by prepending an exclamation
-          mark.</para>
+          <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
+          <literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
+          an exclamation mark.</para>
          </listitem>
        </varlistentry>

--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@ -480,6 +480,21 @@ static int condition_test_ac_power(Condition *c, char **env) {
        return (on_ac_power() != 0) == !!r;
 }

+static int has_tpm2(void) {
+        int r;
+
+        /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
+         * class device */
+
+        r = dir_is_empty("/sys/class/tpmrm");
+        if (r == -ENOENT)
+                return false;
+        if (r < 0)
+                return log_debug_errno(r, "Failed to determine whether system has TPM2 support: %m");
+
+        return !r;
+}
+
 static int condition_test_security(Condition *c, char **env) {
        assert(c);
        assert(c->parameter);
@ -499,6 +514,8 @@ static int condition_test_security(Condition *c, char **env) {
                return mac_tomoyo_use();
        if (streq(c->parameter, "uefi-secureboot"))
                return is_efi_secure_boot();
+        if (streq(c->parameter, "tpm2"))
+                return has_tpm2();

        return false;
 }