Check the TPM measurement if TPM is present
Perform the TPM Measurement Check only if TPM is present. This commit
adds a new option to provide the sysfs TPM device tree path, which will
be used to verify TPM's presence. If the device tree path doesn't exist,
it indicates that TPM is not present.
Tested: Tested on a system with a TPM device present and on a system
without one, and verified the expected behavior on both.
Change-Id: I108f05cc5bafd90cda5a82146b93e2371765b9aa
Signed-off-by: Lakshmi Yadlapati <lakshmiy@us.ibm.com>
diff --git a/meson.build b/meson.build
index e0eff96..245439e 100644
--- a/meson.build
+++ b/meson.build
@@ -62,6 +62,9 @@
'ONLY_RUN_APR_ON_POWER_LOSS', get_option('only-run-apr-on-power-loss'))
conf.set_quoted(
+ 'SYSFS_TPM_DEVICE_PATH', get_option('sysfs-tpm-device-path'))
+
+conf.set_quoted(
'SYSFS_TPM_MEASUREMENT_PATH', get_option('sysfs-tpm-measurement-path'))
conf.set10(
diff --git a/meson_options.txt b/meson_options.txt
index f34c174..2b809c2 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -131,6 +131,11 @@
description : 'Only run automatic restore policy due to loss of AC power.'
)
+option('sysfs-tpm-device-path', type : 'string',
+ value : '/sys/firmware/devicetree/base/ahb/apb/bus@1e78a000/i2c-bus@680/tpm@2e',
+ description : 'The sysfs path to the tpm device.',
+)
+
option('sysfs-tpm-measurement-path', type : 'string',
value : '/sys/class/tpm/tpm0/pcr-sha256/0',
description : 'The sysfs path to the tpm measurement value.',
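Review bot: The default for `sysfs-tpm-device-path` encodes one board's bus layout (`bus@1e78a000/i2c-bus@680/tpm@2e`), and the description does not say that a missing path turns the TPM measurement check off. A platform whose TPM sits at a different bus or address and keeps the default would skip the check with no build-time or run-time signal. I would state the consequence in the option text, for example `description : 'The sysfs device-tree path of the TPM node; if it does not exist, the TPM measurement check is skipped.',`, so integrators know this value must be set per platform.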
diff --git a/secure_boot_check.cpp b/secure_boot_check.cpp
index edbd8ff..b9ad361 100644
--- a/secure_boot_check.cpp
+++ b/secure_boot_check.cpp
@@ -188,8 +188,11 @@
}
}
- // Check the TPM measurement
- checkTpmMeasurement();
+ // Check the TPM measurement if TPM is enabled
+ if (std::filesystem::exists(std::string(SYSFS_TPM_DEVICE_PATH)))
+ {
+ checkTpmMeasurement();
+ }
return 0;
}
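Review bot: When the path is absent, the new `if` skips `checkTpmMeasurement()` without recording anything, so a mis-set `SYSFS_TPM_DEVICE_PATH` or a TPM that failed to appear looks the same as a system that has no TPM. An else branch that logs the skip would make the missing measurement check visible to whoever reviews the boot logs. The one-argument `std::filesystem::exists` also throws `std::filesystem::filesystem_error` on an underlying OS error, which would leave this function before `return 0`; the `std::error_code` overload avoids that, and the `std::string(...)` wrapper is unnecessary. The added comment says "enabled", but the test is only for the node's existence, so a node that is present but marked disabled would presumably still pass; "present" would match the commit message. The enclosing function starts outside the hunk.

```cpp
// … unchanged: earlier secure boot checks …
// Check the TPM measurement only when the TPM device node is present
std::error_code ec;
if (std::filesystem::exists(SYSFS_TPM_DEVICE_PATH, ec))
{
    checkTpmMeasurement();
}
else
{
    // Record the skipped check (and ec.message() when ec is set) with the
    // logging facility this file already uses.
}
```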