Enable TPM by default with SetCredentialEncrypted

2026-03-06 15:02:31 -08:00 · 2023-02-22 00:02:31 +11:00
parent 024951fb22
commit d59025698f
2 changed files with 17 additions and 7 deletions
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4213,14 +4213,21 @@ int unit_patch_contexts(Unit *u) {
                        }

                        /* If there are encrypted credentials we might need to access the TPM. */
-                        ExecLoadCredential *cred;
-                        HASHMAP_FOREACH(cred, ec->load_credentials)
-                                if (cred->encrypted) {
-                                        r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
-                                        if (r < 0)
-                                                return r;
+                        bool allow_tpm = false;
+                        ExecLoadCredential *load_cred;
+                        ExecSetCredential *set_cred;
+                        HASHMAP_FOREACH(load_cred, ec->load_credentials)
+                                if ((allow_tpm |= load_cred->encrypted))
                                        break;
-                                }
+                        HASHMAP_FOREACH(set_cred, ec->set_credentials)
+                                if ((allow_tpm |= set_cred->encrypted))
+                                        break;
+
+                        if (allow_tpm) {
+                                r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+                                if (r < 0)
+                                        return r;
+                        }
                }
        }

--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -211,7 +211,10 @@ fi
 # Ensure that sandboxing doesn't stop creds from being accessible
 echo "test" > /tmp/testdata
 systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
+# LoadCredentialEncrypted
 systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
+# SetCredentialEncrypted
+systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
 rm /tmp/testdata

 echo OK >/testok