Enable TPM by default with SetCredentialEncrypted

(cherry picked from commit d59025698f6261aa65ac074a3b46e8babed0d05d)
2025-03-06 12:58:22 +03:00 · 2023-02-22 00:02:31 +11:00 · 2023-02-22 00:02:31 +11:00 · 0f4dbe6367
commit 0f4dbe6367
parent 8d8240bdf6
2 changed files with 17 additions and 7 deletions
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -4171,14 +4171,21 @@ int unit_patch_contexts(Unit *u) {
                        }

                        /* If there are encrypted credentials we might need to access the TPM. */
-                        ExecLoadCredential *cred;
-                        HASHMAP_FOREACH(cred, ec->load_credentials)
-                                if (cred->encrypted) {
-                                        r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
-                                        if (r < 0)
-                                                return r;
+                        bool allow_tpm = false;
+                        ExecLoadCredential *load_cred;
+                        ExecSetCredential *set_cred;
+                        HASHMAP_FOREACH(load_cred, ec->load_credentials)
+                                if ((allow_tpm |= load_cred->encrypted))
                                        break;
-                                }
+                        HASHMAP_FOREACH(set_cred, ec->set_credentials)
+                                if ((allow_tpm |= set_cred->encrypted))
+                                        break;
+
+                        if (allow_tpm) {
+                                r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+                                if (r < 0)
+                                        return r;
+                        }
                }
        }

--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@ -211,7 +211,10 @@ fi
 # Ensure that sandboxing doesn't stop creds from being accessible
 echo "test" > /tmp/testdata
 systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
+# LoadCredentialEncrypted
 systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
+# SetCredentialEncrypted
+systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
 rm /tmp/testdata

 echo OK >/testok