Merge pull request #17836 from poettering/tpm2-condition

Add ConditionSecurity=tpm2
This commit is contained in:
Lennart Poettering 2020-12-03 20:13:45 +01:00 committed by GitHub
commit e267d76f73
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 5 deletions

TODO

@ -113,8 +113,6 @@ Features:
* systemd-firstboot: make sure to always use chase_symlinks() before * systemd-firstboot: make sure to always use chase_symlinks() before
reading/writing files reading/writing files
* add ConditionSecurity=tpm2
* Remove any support for booting without /usr pre-mounted in the initrd entirely. * Remove any support for booting without /usr pre-mounted in the initrd entirely.
Update INITRD_INTERFACE.md accordingly. Update INITRD_INTERFACE.md accordingly.


@ -1257,9 +1257,9 @@
<listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given <listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
security technology is enabled on the system. Currently, the recognized values are security technology is enabled on the system. Currently, the recognized values are
<literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>, <literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
<literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal> and <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
<literal>uefi-secureboot</literal>. The test may be negated by prepending an exclamation <literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
mark.</para> an exclamation mark.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -480,6 +480,21 @@ static int condition_test_ac_power(Condition *c, char **env) {
return (on_ac_power() != 0) == !!r; return (on_ac_power() != 0) == !!r;
} }
static int has_tpm2(void) {
int r;
/* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
* class device */
r = dir_is_empty("/sys/class/tpmrm");
if (r == -ENOENT)
return false;
if (r < 0)
return log_debug_errno(r, "Failed to determine whether system has TPM2 support: %m");
return !r;
}
static int condition_test_security(Condition *c, char **env) { static int condition_test_security(Condition *c, char **env) {
assert(c); assert(c);
assert(c->parameter); assert(c->parameter);
@ -499,6 +514,8 @@ static int condition_test_security(Condition *c, char **env) {
return mac_tomoyo_use(); return mac_tomoyo_use();
if (streq(c->parameter, "uefi-secureboot")) if (streq(c->parameter, "uefi-secureboot"))
return is_efi_secure_boot(); return is_efi_secure_boot();
if (streq(c->parameter, "tpm2"))
return has_tpm2();
return false; return false;
} }
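Review bot: has_tpm2() in the first hunk derives "the system has TPM2" solely from /sys/class/tpmrm being non-empty, which only shows that the kernel registered a TPM2 resource-manager class device; it does not establish that a /dev/tpmrm* node is reachable from the evaluating context (a container with a host sysfs view, or a unit with a restrictive device policy) or that the TPM driver is already loaded when the unit is evaluated early in boot, so the condition can presumably be false on a TPM2 machine and true where the chip is unusable. That is a reasonable heuristic for a unit condition, but it should be written down so nobody reads ConditionSecurity=tpm2 as proof of a working TPM; I would extend the function comment with `/* A populated tpmrm class only proves the kernel registered a TPM2 resource manager: it does not verify that the
 * device node is accessible from this context, nor that the TPM is enabled in firmware; open the device for that. */`. The `r < 0` path hands the negative errno from log_debug_errno() straight to the caller, which presumably relies on the generic condition dispatcher (outside this hunk) treating negative results as an error rather than as "false"; that is worth a one-line comment as well. condition_test_security()'s body between the two hunks is not shown.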