diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-10-17 14:50:56 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2023-01-17 09:42:16 +0100 |
| commit | 6c51b49ce0892ff923233a6031add4877100f5b0 (patch) | |
| tree | 454025e5aa2a5bf4dd3d4461d91f1e007e87eb50 /src/fstab-generator | |
| parent | 04959faa632272a8fc9cdac3121b2e4af721c1b6 (diff) | |
| download | systemd-6c51b49ce0892ff923233a6031add4877100f5b0.tar.gz | |
tpm2: add common helper for checking if we are running on UKI with TPM measurements
Let's introduce a common implementation of a function that checks
whether we are booted on a kernel with systemd-stub that has TPM PCR
measurements enabled. Do our own userspace measurements only if we
detect that.
PCRs are scarce and most likely there are projects which already make
use of them in other ways. Hence, instead of blindly stepping into their
territory let's conditionalize things so that people have to explicitly
buy into our PCR assignments before we start measuring things into them.
Specifically bind everything to an UKI that reported measurements.
This was previously already implemented in systemd-pcrphase, but with
this change we expand this to all tools that process PCR measurement
settings.
The env var to override the check is renamed to SYSTEMD_FORCE_MEASURE,
to make it more generic (since we'll use it at multiple places now).
This is not a compat break, since the original env var for that was not
included in any stable release yet.
Diffstat (limited to 'src/fstab-generator')
| -rw-r--r-- | src/fstab-generator/fstab-generator.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c index 4b763bc247..ed34e0a32f 100644 --- a/src/fstab-generator/fstab-generator.c +++ b/src/fstab-generator/fstab-generator.c @@ -8,6 +8,7 @@ #include "bus-error.h" #include "bus-locator.h" #include "chase-symlinks.h" +#include "efi-loader.h" #include "fd-util.h" #include "fileio.h" #include "fstab-util.h" @@ -529,9 +530,16 @@ static int add_mount( } if (flags & MOUNT_PCRFS) { - r = generator_hook_up_pcrfs(dest, where, target_unit); + r = efi_stub_measured(); if (r < 0) - return r; + log_warning_errno(r, "Failed to detect if we are running on a kernel image with TPM measurement enabled, assuming not: %m"); + else if (r == 0) + log_debug("Kernel stub did not measure kernel image into PCR, skipping userspace measurement, too."); + else { + r = generator_hook_up_pcrfs(dest, where, target_unit); + if (r < 0) + return r; + } } if (!FLAGS_SET(flags, MOUNT_AUTOMOUNT)) { |