ryantimwilson / rpms / systemd

Forked from rpms/systemd a month ago
From 31f0c1b06bfd90d52009b59b9a4bf26c297790a7 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 14 Nov 2022 17:26:49 +0100
Subject: [PATCH] tpm2-util: force default TCTI to be "device" with parameter
 "/dev/tpmrm0"
Apparently some distros default to tss-abmrd. Let's bypass that and
always go to the kernel resource manager.
abmrd cannot really work for us, since we want to access the TPM already
in earliest boot i.e. in environments the abmrd service is not available
in.
Fixes: #25352
(cherry picked from commit 34906680afe60d724ea435b79b9b830a4bf2e7e9)
Related: #2138081
---
 src/shared/tpm2-util.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 65e8d48347..9d73316146 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -152,8 +152,19 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) {
         if (r < 0)
                 return log_error_errno(r, "TPM2 support not installed: %m");
 
-        if (!device)
+        if (!device) {
                 device = secure_getenv("SYSTEMD_TPM2_DEVICE");
+                if (device)
+                        /* Setting the env var to an empty string forces tpm2-tss' own device picking
+                         * logic to be used. */
+                        device = empty_to_null(device);
+                else
+                        /* If nothing was specified explicitly, we'll use a hardcoded default: the "device" tcti
+                         * driver and the "/dev/tpmrm0" device. We do this since on some distributions the tpm2-abrmd
+                         * might be used and we really don't want that, since it is a system service and that creates
+                         * various ordering issues/deadlocks during early boot. */
+                        device = "device:/dev/tpmrm0";
+        }
 
         if (device) {
                 const char *param, *driver, *fn;
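Review bot: the new hardcoded default in the else branch, `device = "device:/dev/tpmrm0";`, silently assumes the kernel exposes the in-kernel resource manager node; on a system that only has `/dev/tpm0`, the later open will fail with nothing in the log pointing at this default rather than at a missing or broken TPM, and the caller has no hint that `SYSTEMD_TPM2_DEVICE` (or an explicit device argument) is the knob to turn. Consider emitting a `log_debug()` naming the picked default right before `if (device) {`, so a failure is attributable. Separately, this hunk gives `SYSTEMD_TPM2_DEVICE` a new meaning when set to the empty string (`device = empty_to_null(device);` hands device selection back to tpm2-tss), but that semantics lives only in a source comment; it should also land in the environment variable documentation, since the previous behaviour of an unset variable (tpm2-tss default) is now reachable only through that empty-string escape hatch.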