From 6eb3098e57881895e62fc811f714c2aa4ecfcf8f Mon Sep 17 00:00:00 2001
From: Mikko Rapeli
Date: Fri, 20 Dec 2024 16:04:35 +0200
Subject: [PATCH] systemd: enable TPM support
Enable "tpm2" support if "tpm2" is in DISTRO_FEATURES. Also enable cryptsetup, openssl and repart features which are needed to use TPM device to encrypt filesystems with systemd configuration. See: https://www.freedesktop.org/software/systemd/man/latest/systemd-repart.html#--tpm2-device=
Signed-off-by: Mikko Rapeli
Signed-off-by: Armin Kuster
---
.../recipes-core/systemd/systemd_%.bbappend | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 meta-tpm/recipes-core/systemd/systemd_%.bbappend
diff --git a/meta-tpm/recipes-core/systemd/systemd_%.bbappend b/meta-tpm/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 0000000..82b79ba
--- /dev/null
+++ b/meta-tpm/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1,17 @@
+PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2', '', d)}"
+
+# for encrypted filesystems
+PACKAGECONFIG:append = " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'cryptsetup cryptsetup-plugins efi openssl repart', '', d)} \
+"
+
+# ukify.py and systemd-measure don't work in cross compile environment without
+# a tpm2 device, thus switch from measured-uki (new in v256) back to tpm2
+# (default before v256).
+# TODO: use swtpm-native to calculate TPM measurements
+do_install:append() {
+ if "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'true', 'false', d)}"; then
+ sed -i -e "s/^ConditionSecurity=measured-uki/ConditionSecurity=tpm2/g" \
+ $( grep -rl ^ConditionSecurity=measured-uki ${D} )
+ fi
+}
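Review bot: In `do_install:append`, `sed -i` takes its file list from an unquoted `$( grep -rl … ${D} )`, so when no installed file contains `ConditionSecurity=measured-uki` (a systemd older than v256, going by the comment) sed is called with no file operands and fails, which would most likely abort the task; paths containing whitespace are also split. Piping the matches avoids both: `grep -rlZ '^ConditionSecurity=measured-uki' ${D} | xargs -0 -r sed -i -e 's/^ConditionSecurity=measured-uki/ConditionSecurity=tpm2/g'`. The comment should also state that the rewrite relaxes the gate for every matching unit in the image: those units then start whenever a TPM2 is present rather than only after a measured UKI boot, including on images that do boot a measured UKI. A line such as `# NOTE: weakens ConditionSecurity from measured-uki to tpm2 for all installed units; revisit once measurements can be computed at build time` would make that trade-off visible to whoever enables `tpm2` in DISTRO_FEATURES.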