From f51b49c6758f897c58498cd06c851ef17dd760c2 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 25 Aug 2022 17:16:52 +0200 Subject: tmpfiles: copy PCR sig/pkey from initrd /.extra/ into /run/ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Now that sd-stub will place the PCR signature and its public key in the initrd's /.extra/ directory, let's copy it from there into /run/ from userspace. This is done because /.extra/ is on the initrd's tmpfs which will be emptied during the initrd → host transition. Since we want these two files to survive we'll copy them – if they exist – into /run/ where they will survive the transition. Thus, with this last change the files will have safely propagated from their PE sections into files in /run/ where userspace can find them The paths in /run/ happen to be the exact ones that systemd-cryptenroll/systemd-cryptsetup/systemd-creds look for them. --- tmpfiles.d/systemd.conf.in | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'tmpfiles.d') diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in index e23e102782..d267a6b2e6 100644 --- a/tmpfiles.d/systemd.conf.in +++ b/tmpfiles.d/systemd.conf.in @@ -64,3 +64,9 @@ d /var/lib/systemd/coredump 0755 root root 3d d /var/lib/private 0700 root root - d /var/log/private 0700 root root - d /var/cache/private 0700 root root - + +{% if ENABLE_EFI %} +# Copy sd-stub provided PCR signature and and public key file from initrd into /run/, so that it will survive the initrd stage +C /run/systemd/tpm2-pcr-signature.json 0444 root root - /.extra/tpm2-pcr-signature.json +C /run/systemd/tpm2-pcr-public-key.pem 0444 root root - /.extra/tpm2-pcr-public-key.pem +{% endif %} -- cgit v1.2.1