From bce334a31ce59f63e79192542c0c1313714b663d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Sat, 28 Nov 2020 20:33:53 +0100
Subject: [PATCH] core: add ConditionSecurity=tpm2 support

---
 man/systemd.unit.xml | 6 +++---
 src/shared/condition.c | 17 +++++++++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index b7dbbe309e..2fdc0d5832 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1257,9 +1257,9 @@ ConditionSecurity= may be used to check whether the given security technology is enabled on the system. Currently, the recognized values are selinux, apparmor, tomoyo,
- ima, smack, audit and
- uefi-secureboot. The test may be negated by prepending an exclamation
- mark.
+ ima, smack, audit,
+ uefi-secureboot and tpm2. The test may be negated by prepending
+ an exclamation mark.
diff --git a/src/shared/condition.c b/src/shared/condition.c
index b2ec690bc3..41d3a16391 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -480,6 +480,21 @@ static int condition_test_ac_power(Condition *c, char **env) {
 return (on_ac_power() != 0) == !!r;
 }
+static int has_tpm2(void) {
+ int r;
+
+ /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
+ * class device */
+
+ r = dir_is_empty("/sys/class/tpmrm");
+ if (r == -ENOENT)
+ return false;
+ if (r < 0)
+ return log_debug_errno(r, "Failed to determine whether system has TPM2 support: %m");
+
+ return !r;
+}
+
 static int condition_test_security(Condition *c, char **env) {
 assert(c);
 assert(c->parameter);
@@ -499,6 +514,8 @@ static int condition_test_security(Condition *c, char **env) {
 return mac_tomoyo_use();
 if (streq(c->parameter, "uefi-secureboot"))
 return is_efi_secure_boot();
+ if (streq(c->parameter, "tpm2"))
+ return has_tpm2();
 return false;
 }
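Review bot: `has_tpm2()` in the first condition.c hunk only tests that `/sys/class/tpmrm` is non-empty, i.e. that the kernel bound a TPM2 driver together with its resource manager, which is weaker than the "security technology is enabled" wording the man page gives `ConditionSecurity=`: a TPM that is present but disabled or cleared by firmware, or sitting in dictionary-attack lockout, still satisfies the condition, and a container or sandbox that is shown the host's sysfs may list `tpmrm0` while no `/dev/tpmrm*` node is reachable from it. Suggest saying so in the function comment: `/* A tpmrm class device only proves a TPM2 driver with its resource manager is bound; it does not tell us whether the TPM is enabled, out of lockout, or reachable via /dev/tpmrm* from this context (e.g. inside a container). */`. Note also that, unlike the sibling checks visible in `condition_test_security()` which return plain booleans, this helper returns a negative errno from `log_debug_errno()` for any failure other than ENOENT (e.g. EACCES on a restricted sysfs); that is presumably turned into a condition error rather than "false" by the caller's caller, which is outside this hunk, but it is worth confirming so that a permission problem is not silently read as "no TPM".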