47 lines
2.0 KiB
Diff
47 lines
2.0 KiB
Diff
From 31f0c1b06bfd90d52009b59b9a4bf26c297790a7 Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Mon, 14 Nov 2022 17:26:49 +0100
|
|
Subject: [PATCH] tpm2-util: force default TCTI to be "device" with parameter
|
|
"/dev/tpmrm0"
|
|
|
|
Apparently some distros default to tss-abmrd. Let's bypass that and
|
|
always go to the kernel resource manager.
|
|
|
|
abmrd cannot really work for us, since we want to access the TPM already
|
|
in earliest boot i.e. in environments the abmrd service is not available
|
|
in.
|
|
|
|
Fixes: #25352
|
|
(cherry picked from commit 34906680afe60d724ea435b79b9b830a4bf2e7e9)
|
|
|
|
Related: #2138081
|
|
---
|
|
src/shared/tpm2-util.c | 13 ++++++++++++-
|
|
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
|
|
index 65e8d48347..9d73316146 100644
|
|
--- a/src/shared/tpm2-util.c
|
|
+++ b/src/shared/tpm2-util.c
|
|
@@ -152,8 +152,19 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) {
|
|
if (r < 0)
|
|
return log_error_errno(r, "TPM2 support not installed: %m");
|
|
|
|
- if (!device)
|
|
+ if (!device) {
|
|
device = secure_getenv("SYSTEMD_TPM2_DEVICE");
|
|
+ if (device)
|
|
+ /* Setting the env var to an empty string forces tpm2-tss' own device picking
|
|
+ * logic to be used. */
|
|
+ device = empty_to_null(device);
|
|
+ else
|
|
+ /* If nothing was specified explicitly, we'll use a hardcoded default: the "device" tcti
|
|
+ * driver and the "/dev/tpmrm0" device. We do this since on some distributions the tpm2-abrmd
|
|
+ * might be used and we really don't want that, since it is a system service and that creates
|
|
+ * various ordering issues/deadlocks during early boot. */
|
|
+ device = "device:/dev/tpmrm0";
|
|
+ }
|
|
|
|
if (device) {
|
|
const char *param, *driver, *fn;
|