authorLennart Poettering <lennart@poettering.net>2022-10-14 20:53:42 +0200
committerLuca Boccassi <luca.boccassi@gmail.com>2022-10-17 12:09:43 +0200
commit047273e6e8a044e2a7e9471fc3737ef9ebb9bc39 (patch)
tree6b9c422c3d0278ea88eec37c265da7d3f20cbf9b /units
parent961549ab4163c0873b72e6e40cb72b11ac493fd7 (diff)
downloadsystemd-047273e6e8a044e2a7e9471fc3737ef9ebb9bc39.tar.gz
pcrphase: add two additional phases
This adds two more phases to the PCR boot phase logic: "sysinit" + "final". The "sysinit" one is placed between sysinit.target and basic.target. It's good to have a milestone in this place, since this is after all file systems/LUKS volumes are in place (which sooner or later should result in measurements of their own) and before services are started (where we should be able to rely on them to be complete). This is particularly useful to make certain secrets available for mounting secondary file systems, but making them unavailable later. This breaks API in a way (as measurements during runtime will change), but given that the pcrphase stuff wasn't released yet should be OK.
Diffstat (limited to 'units')
-rw-r--r--units/meson.build2
-rw-r--r--units/systemd-pcrphase-sysinit.service.in25
-rw-r--r--units/systemd-pcrphase.service.in2
3 files changed, 28 insertions, 1 deletions
diff --git a/units/meson.build b/units/meson.build
index 90a364a40c..25e9209b4d 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -262,6 +262,8 @@ in_units = [
['user@.service', ''],
['systemd-pcrphase-initrd.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2 ENABLE_INITRD',
'initrd.target.wants/'],
+ ['systemd-pcrphase-sysinit.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
+ 'sysinit.target.wants/'],
['systemd-pcrphase.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
'sysinit.target.wants/'],
]
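Review bot: The new entry installs `systemd-pcrphase-sysinit.service` into `sysinit.target.wants/`, yet the unit added in this commit is ordered `After=sysinit.target`; Wants= carries no ordering, so sysinit.target does not wait for the sysinit measurement and only `Before=basic.target` positions it. That matches the stated intent (a milestone between sysinit.target and basic.target), but the pull-in point and the ordering point differ, which this list does not make visible. Consider `'basic.target.wants/'` here so the wants directory and the Before= ordering name the same target, or document in the unit why sysinit.target is used as the pull-in anchor.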
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
new file mode 100644
index 0000000000..6b5ba7d878
--- /dev/null
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=TPM2 PCR Barrier (Initialization)
+Documentation=man:systemd-pcrphase-sysinit.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=basic.target shutdown.target
+AssertPathExists=!/etc/initrd-release
+ConditionSecurity=tpm2
+ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase sysinit
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase final
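Review bot: The two lines that carry the security semantics of this unit, `ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-…` and `ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase final`, have no comment, and both are surprising to a reader: the condition silently disables the whole unit (and with it both the "sysinit" and the "final" phase measurement) unless that EFI variable exists, and the "final" phase is not a separate unit but is measured when this unit is stopped, which `RemainAfterExit=yes` together with `Conflicts=shutdown.target` and `Before=shutdown.target` defers to shutdown. A comment above the condition such as `# Only run if the stub reported a kernel image measurement (StubPcrKernelImage); without it no phase measurements are made at all` and one above ExecStop such as `# The "final" phase is measured on stop, i.e. normally when shutdown.target is started` would make this explicit. Because the phase transition is tied to the stop job, any stop or restart of this unit during runtime (manual or pulled in by a dependency) also records "final" early and makes secrets bound to the earlier phases unavailable; whether `RefuseManualStop=yes` is wanted depends on whether re-entering the sysinit phase is ever intended, so I would at least state that in the comment.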
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
index 1ef8ed6e6a..ce469befa8 100644
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Barrier (Host)
+Description=TPM2 PCR Barrier (User)
Documentation=man:systemd-pcrphase.service(8)
After=remote-fs.target remote-cryptsetup.target
Before=systemd-user-sessions.service