efi-loader: add efi_has_tpm2() helper

The helper checks if the UEFI firmware is hooked up to a TPM2 chip. This is useful to know in trusted boot scenarios, in particular during early boot in auto-enroll scenarios where we want to know whether TPM2 is available or not, and the Linux drivers are not loaded yet, and where it might or not be worth waiting for it.
2025-03-10 00:58:20 +03:00 · 2021-02-11 23:10:07 +01:00 · 2021-02-11 23:10:07 +01:00 · d0ddaf587f
commit d0ddaf587f
parent 5b4c163002
2 changed files with 29 additions and 0 deletions
--- a/src/shared/efi-loader.c
+++ b/src/shared/efi-loader.c
@ -783,6 +783,29 @@ int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat
        return 0;
 }

+bool efi_has_tpm2(void) {
+        static int cache = -1;
+
+        /* Returns whether the system has a TPM2 chip which is known to the EFI firmware. */
+
+        if (cache < 0) {
+
+                /* First, check if we are on an EFI boot at all. */
+                if (!is_efi_boot())
+                        cache = false;
+                else {
+                        /* Then, check if the ACPI table "TPM2" exists, which is the TPM2 event log table, see:
+                         * https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf
+                         * This table exists whenever the firmware is hooked up to TPM2. */
+                        cache = access("/sys/firmware/acpi/tables/TPM2", F_OK) >= 0;
+                        if (!cache && errno != ENOENT)
+                                log_debug_errno(errno, "Unable to test whether /sys/firmware/acpi/tables/TPM2 exists, assuming it doesn't: %m");
+                }
+        }
+
+        return cache;
+}
+
 #endif

 bool efi_loader_entry_name_valid(const char *s) {
--- a/src/shared/efi-loader.h
+++ b/src/shared/efi-loader.h
@ -29,6 +29,8 @@ int efi_loader_get_features(uint64_t *ret);
 int efi_loader_get_config_timeout_one_shot(usec_t *ret);
 int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat);

+bool efi_has_tpm2(void);
+
 #else

 static inline int efi_reboot_to_firmware_supported(void) {
@ -91,6 +93,10 @@ static inline int efi_loader_update_entry_one_shot_cache(char **cache, struct st
        return -EOPNOTSUPP;
 }

+static inline bool efi_has_tpm2(void) {
+        return false;
+}
+
 #endif

 bool efi_loader_entry_name_valid(const char *s);