mirror of
https://github.com/morgan9e/systemd
synced 2026-04-15 00:47:10 +09:00
It turns out checking sysfs is not 100% reliable to figure out whether the firmware had TPM2 support enabled or not. For example, with EDK2 arm64 the default upstream build config bundles TPM2 support with SecureBoot support, so if the latter is disabled, TPM2 is also unavailable. But the ACPI TPM2 table is still created just as if it were enabled. So /sys/firmware/acpi/tables/TPM2 exists and looks correct, but there are no measurements (neither the firmware nor the loader/stub can do them), and /sys/kernel/security/tpm0/binary_bios_measurements does not exist.

The loader can use the apposite UEFI protocol to check, which is a more definitive answer. Given that userspace can also make use of this information, export the bitmask with the list of active banks as-is. If it's not 0, then we can be sure a working TPM2 was available in EFI mode.

Partially fixes https://github.com/systemd/systemd/issues/38071
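The userspace side of the check the commit message describes, as an added example that is not part of the systemd commit or of systemd's own code: it parses the exported active-bank bitmask out of a raw efivarfs read, decodes it with the hash-algorithm bit values from the TCG EFI Protocol Specification (EFI_TCG2_BOOT_HASH_ALG_*), and classifies the firmware state so that the EDK2 arm64 case (ACPI TPM2 table present, no event log, mask 0) is distinguished from a working TPM2. The EFI variable name used in main() and the payload layout (4 attribute bytes followed by a UTF-16LE decimal string, the way systemd-boot stores its other numeric Loader* variables) are assumptions; the commit text does not specify either, and the vendor GUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f is systemd-boot's well-known loader GUID.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hash-algorithm bitmap values from the TCG EFI Protocol Specification.
 * EFI_TCG2_PROTOCOL.GetCapability() reports ActivePcrBanks in this
 * encoding; the commit exports that bitmask unchanged. */
#define TCG2_ALG_SHA1    0x01u
#define TCG2_ALG_SHA256  0x02u
#define TCG2_ALG_SHA384  0x04u
#define TCG2_ALG_SHA512  0x08u
#define TCG2_ALG_SM3_256 0x10u

static const struct { uint32_t bit; const char *name; } bank_names[] = {
    { TCG2_ALG_SHA1,    "sha1"    },
    { TCG2_ALG_SHA256,  "sha256"  },
    { TCG2_ALG_SHA384,  "sha384"  },
    { TCG2_ALG_SHA512,  "sha512"  },
    { TCG2_ALG_SM3_256, "sm3_256" },
};

/* Parse a raw efivarfs read: 4 bytes of variable attributes, then the
 * payload. Payload layout (UTF-16LE decimal digits, optionally NUL
 * terminated) is an ASSUMPTION about how the loader stores the value. */
bool parse_bank_mask_efivar(const uint8_t *buf, size_t len, uint32_t *mask)
{
    if (len < 4)
        return false;
    buf += 4;
    len -= 4;
    if (len % 2 != 0)
        return false;

    uint32_t v = 0;
    size_t digits = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (buf[i + 1] != 0)          /* non-ASCII UTF-16 code unit */
            return false;
        uint8_t c = buf[i];
        if (c == 0)                   /* terminator */
            break;
        if (c < '0' || c > '9')
            return false;
        if (v > (UINT32_MAX - 9) / 10) /* overflow guard */
            return false;
        v = v * 10 + (uint32_t)(c - '0');
        digits++;
    }
    if (digits == 0)
        return false;
    *mask = v;
    return true;
}

/* Write a comma-separated list of the banks set in mask into out;
 * returns how many known banks were set. Unknown bits are ignored. */
size_t describe_active_banks(uint32_t mask, char *out, size_t out_len)
{
    size_t count = 0, pos = 0;
    if (out_len)
        out[0] = '\0';
    for (size_t i = 0; i < sizeof(bank_names) / sizeof(bank_names[0]); i++) {
        if (!(mask & bank_names[i].bit))
            continue;
        int w = snprintf(out + pos, out_len > pos ? out_len - pos : 0,
                         "%s%s", count ? "," : "", bank_names[i].name);
        if (w > 0)
            pos += (size_t)w;
        count++;
    }
    return count;
}

/* The rule from the commit message: a non-zero bank mask means a working
 * TPM2 was reachable in EFI mode; the ACPI table alone proves nothing. */
bool tpm2_usable_in_efi(uint32_t mask)
{
    return mask != 0;
}

enum tpm2_state {
    TPM2_ABSENT,        /* no table, no log, no banks */
    TPM2_TABLE_ONLY,    /* the EDK2 arm64 case: table present, firmware TPM2 off */
    TPM2_USABLE,        /* banks active and the event log exists */
    TPM2_INCONSISTENT,  /* banks active but no event log, or log without banks */
};

/* acpi_table: /sys/firmware/acpi/tables/TPM2 exists.
 * event_log:  /sys/kernel/security/tpm0/binary_bios_measurements exists. */
enum tpm2_state classify_tpm2_state(bool acpi_table, bool event_log, uint32_t mask)
{
    if (tpm2_usable_in_efi(mask))
        return event_log ? TPM2_USABLE : TPM2_INCONSISTENT;
    if (event_log)
        return TPM2_INCONSISTENT;
    return acpi_table ? TPM2_TABLE_ONLY : TPM2_ABSENT;
}

int main(void)
{
    /* Constructed sample: attributes 0x7, then "6" in UTF-16LE (sha256|sha384). */
    const uint8_t sample[] = { 0x07, 0x00, 0x00, 0x00, '6', 0x00, 0x00, 0x00 };
    uint32_t mask = 0;
    char banks[64];

    if (!parse_bank_mask_efivar(sample, sizeof(sample), &mask))
        return 1;
    describe_active_banks(mask, banks, sizeof(banks));
    printf("active banks: %s (mask 0x%x), tpm2 usable in EFI: %s\n",
           banks, mask, tpm2_usable_in_efi(mask) ? "yes" : "no");
    printf("EDK2 arm64 case classifies as TABLE_ONLY: %s\n",
           classify_tpm2_state(true, false, 0) == TPM2_TABLE_ONLY ? "yes" : "no");
    return 0;
}
```

On a real system the same bytes come from /sys/firmware/efi/efivars/<VariableName>-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f (the variable name is not stated in the commit text), and the two booleans for classify_tpm2_state() come from testing the two sysfs paths the message names; the point of the classification is that TPM2_TABLE_ONLY is the state the sysfs-only check gets wrong.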
36 KiB