diff options
author | Lennart Poettering <lennart@poettering.net> | 2022-10-16 18:21:12 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2023-01-17 09:42:16 +0100 |
commit | 072c8f650519f47a575b1e39509599ace21e2c8f (patch) | |
tree | 5decf6ad528e389f69b66acdbd01610b9cf6aae0 /units | |
parent | 17984c55513fc18f9bd4878c37fa87d278ab1e1d (diff) | |
download | systemd-072c8f650519f47a575b1e39509599ace21e2c8f.tar.gz |
units: measure /etc/machine-id into PCR 15 during early boot
We want PCR 15 to be useful for binding per-system policy to. Let's
measure the machine ID into it, to ensure that every OS we can
distinguish will get a different PCR (even if the root disk encryption
key is already measured into it).
Diffstat (limited to 'units')
-rw-r--r-- | units/meson.build | 2 | ||||
-rw-r--r-- | units/systemd-pcrmachine.service.in | 23 |
2 files changed, 25 insertions, 0 deletions
diff --git a/units/meson.build b/units/meson.build index 69197f0c47..48b24f05c1 100644 --- a/units/meson.build +++ b/units/meson.build @@ -265,6 +265,8 @@ in_units = [ 'sysinit.target.wants/'], ['systemd-pcrphase.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2', 'sysinit.target.wants/'], + ['systemd-pcrmachine.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2', + 'sysinit.target.wants/'], ] add_wants = [] diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in new file mode 100644 index 0000000000..e154a7eec1 --- /dev/null +++ b/units/systemd-pcrmachine.service.in @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=TPM2 PCR Machine ID Measurement +Documentation=man:systemd-pcrmachine.service(8) +DefaultDependencies=no +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +AssertPathExists=!/etc/initrd-release +ConditionSecurity=tpm2 +ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --machine-id |