core: add ConditionSecurity=tpm2 support

poettering · poettering · commit bce334a31ce5 · 2020-12-03T12:03:58.000+01:00
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
@@ -1257,9 +1257,9 @@
           <listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
           security technology is enabled on the system. Currently, the recognized values are
           <literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
-          <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal> and
-          <literal>uefi-secureboot</literal>. The test may be negated by prepending an exclamation
-          mark.</para>
+          <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
+          <literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
+          an exclamation mark.</para>
           </listitem>
         </varlistentry>
 
diff --git a/src/shared/condition.c b/src/shared/condition.c
@@ -480,6 +480,21 @@ static int condition_test_ac_power(Condition *c, char **env) {
         return (on_ac_power() != 0) == !!r;
 }
 
+static int has_tpm2(void) {
+        int r;
+
+        /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
+         * class device */
+
+        r = dir_is_empty("/sys/class/tpmrm");
+        if (r == -ENOENT)
+                return false;
+        if (r < 0)
+                return log_debug_errno(r, "Failed to determine whether system has TPM2 support: %m");
+
+        return !r;
+}
+
 static int condition_test_security(Condition *c, char **env) {
         assert(c);
         assert(c->parameter);
@@ -499,6 +514,8 @@ static int condition_test_security(Condition *c, char **env) {
                 return mac_tomoyo_use();
         if (streq(c->parameter, "uefi-secureboot"))
                 return is_efi_secure_boot();
+        if (streq(c->parameter, "tpm2"))
+                return has_tpm2();
 
         return false;
 }
