From 04959faa632272a8fc9cdac3121b2e4af721c1b6 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Sun, 16 Oct 2022 23:25:04 +0200 Subject: generators: optionally, measure file systems at boot If we use gpt-auto-generator, automatically measure root fs and /var. Otherwise, add x-systemd.measure option to request this. --- units/meson.build | 2 ++ units/systemd-pcrfs-root.service.in | 24 ++++++++++++++++++++++++ units/systemd-pcrfs@.service.in | 25 +++++++++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 units/systemd-pcrfs-root.service.in create mode 100644 units/systemd-pcrfs@.service.in (limited to 'units') diff --git a/units/meson.build b/units/meson.build index 62ce438a3f..d59796b62b 100644 --- a/units/meson.build +++ b/units/meson.build @@ -267,6 +267,8 @@ in_units = [ 'sysinit.target.wants/'], ['systemd-pcrmachine.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2', 'sysinit.target.wants/'], + ['systemd-pcrfs-root.service', ''], + ['systemd-pcrfs@.service', ''], ['systemd-growfs-root.service', ''], ['systemd-growfs@.service', ''], ] diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in new file mode 100644 index 0000000000..b0da413bb4 --- /dev/null +++ b/units/systemd-pcrfs-root.service.in @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=TPM2 PCR Root File System Measurement +Documentation=man:systemd-pcrfs-root.service(8) +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-pcrmachine.service +Before=shutdown.target +AssertPathExists=!/etc/initrd-release +ConditionSecurity=tpm2 +ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --file-system=/ diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in new file mode 100644 index 0000000000..ec1ff118c3 --- /dev/null +++ b/units/systemd-pcrfs@.service.in @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=TPM2 PCR File System Measurement of %f +Documentation=man:systemd-pcrfs@.service(8) +DefaultDependencies=no +BindsTo=%i.mount +Conflicts=shutdown.target +After=%i.mount systemd-pcrfs-root.service +Before=shutdown.target +AssertPathExists=!/etc/initrd-release +ConditionSecurity=tpm2 +ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --file-system=%f -- cgit v1.2.1