shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00
Code

creds-util: merge the TPM2 detection for initrd

Browse Source 
This patch merge the TPM2 detection paths when we are inside and outside
an initrd.

Signed-off-by: Alberto Planas <aplanas@suse.com>
(cherry picked from commit e37dfcec52)
This commit is contained in:
Alberto Planas 2023-01-16 13:35:49 +01:00 committed by Zbigniew Jędrzejewski-Szmek
parent 4f420958f9
commit 78ffc39f9e
1 changed files with 2 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/shared/creds-util.c
View File

@ -608,7 +608,7 @@ int encrypt_credential_and_warn(
#if HAVE_TPM2 #if HAVE_TPM2
bool try_tpm2; bool try_tpm2;
if (sd_id128_equal(with_key, _CRED_AUTO)) { if (sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) {
/* If automatic mode is selected lets see if a TPM2 it is present. If we are running in a /* If automatic mode is selected lets see if a TPM2 it is present. If we are running in a
* container tpm2_support will detect this, and will return a different flag combination of * container tpm2_support will detect this, and will return a different flag combination of
* TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */ * TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */
@ -616,13 +616,6 @@ int encrypt_credential_and_warn(
try_tpm2 = tpm2_support() == TPM2_SUPPORT_FULL; try_tpm2 = tpm2_support() == TPM2_SUPPORT_FULL;
if (!try_tpm2) if (!try_tpm2)
log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2."); log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2.");
} else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) {
/* If automatic mode for initrds is selected, we'll use the TPM2 key if the firmware does it,
* otherwise we'll use a fixed key */
try_tpm2 = efi_has_tpm2();
if (!try_tpm2)
log_debug("Firmware lacks TPM2 support, not attempting to use TPM2.");
} else } else
try_tpm2 = sd_id128_in_set(with_key, try_tpm2 = sd_id128_in_set(with_key,
CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_TPM2_HMAC,
@ -663,7 +656,7 @@ int encrypt_credential_and_warn(
&tpm2_primary_alg); &tpm2_primary_alg);
if (r < 0) { if (r < 0) {
if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
log_warning("Firmware reported a TPM2 being present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled."); log_warning("TPM2 present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
else if (!sd_id128_equal(with_key, _CRED_AUTO)) else if (!sd_id128_equal(with_key, _CRED_AUTO))
return r; return r;