diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-08-25 17:16:52 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2022-09-09 11:31:04 +0200 |
| commit | f51b49c6758f897c58498cd06c851ef17dd760c2 (patch) | |
| tree | ab78bd6ca005dd962a3f514083b8266c39c40574 /tmpfiles.d | |
| parent | 23002b45b121740cfe9237489778ecc5d97f520a (diff) | |
| download | systemd-f51b49c6758f897c58498cd06c851ef17dd760c2.tar.gz | |
tmpfiles: copy PCR sig/pkey from initrd /.extra/ into /run/
Now that sd-stub will place the PCR signature and its public key in
the initrd's /.extra/ directory, let's copy it from there into /run/
from userspace. This is done because /.extra/ is on the initrd's tmpfs
which will be emptied during the initrd → host transition. Since we want
these two files to survive we'll copy them – if they exist – into /run/
where they will survive the transition.
Thus, with this last change the files will have safely propagated from
their PE sections into files in /run/ where userspace can find them
The paths in /run/ happen to be the exact ones that
systemd-cryptenroll/systemd-cryptsetup/systemd-creds look for them.
Diffstat (limited to 'tmpfiles.d')
| -rw-r--r-- | tmpfiles.d/systemd.conf.in | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in index e23e102782..d267a6b2e6 100644 --- a/tmpfiles.d/systemd.conf.in +++ b/tmpfiles.d/systemd.conf.in @@ -64,3 +64,9 @@ d /var/lib/systemd/coredump 0755 root root 3d d /var/lib/private 0700 root root - d /var/log/private 0700 root root - d /var/cache/private 0700 root root - + +{% if ENABLE_EFI %} +# Copy sd-stub provided PCR signature and and public key file from initrd into /run/, so that it will survive the initrd stage +C /run/systemd/tpm2-pcr-signature.json 0444 root root - /.extra/tpm2-pcr-signature.json +C /run/systemd/tpm2-pcr-public-key.pem 0444 root root - /.extra/tpm2-pcr-public-key.pem +{% endif %} |