authorLennart Poettering <lennart@poettering.net>2023-09-25 10:38:01 +0200
committerLennart Poettering <lennart@poettering.net>2023-09-25 17:17:20 +0200
commit32295fa08f35d8c0b86c5faa03d7c818d3a9353f (patch)
treed3699903066a58b1a9b8640a89c617e37b210db9
parenttest: enable debug logs for the user instances as well (diff)
pcrphase: rename binary to pcrextend
The tool initially just measured the boot phase, but was subsequently extended to measure file system and machine IDs, too. At AllSystemsGo there were requests to add more, and make the tool generically accessible. Hence, let's rename the binary (but not the pcrphase services), to make clear the tool is not just measuring the boot phase, but a lot of other things too. The tool is located in /usr/lib/ and still relatively new, hence let's just rename the binary and be done with it, while keeping the unit names stable. While we are at it, also move the tool out of src/boot/ and into its own src/pcrextend/ dir, since it's not really doing boot related stuff anymore.
-rw-r--r--TODO2
-rw-r--r--docs/ENVIRONMENT.md2
-rw-r--r--man/rules/meson.build4
-rw-r--r--man/systemd-measure.xml3
-rw-r--r--man/systemd-pcrphase.service.xml6
-rw-r--r--meson.build1
-rw-r--r--src/boot/meson.build15
-rw-r--r--src/pcrextend/meson.build19
-rw-r--r--src/pcrextend/pcrextend.c (renamed from src/boot/pcrphase.c)4
-rwxr-xr-xtest/units/testsuite-70.sh10
-rw-r--r--units/systemd-pcrfs-root.service.in2
-rw-r--r--units/systemd-pcrfs@.service.in2
-rw-r--r--units/systemd-pcrmachine.service.in2
-rw-r--r--units/systemd-pcrphase-initrd.service.in4
-rw-r--r--units/systemd-pcrphase-sysinit.service.in4
-rw-r--r--units/systemd-pcrphase.service.in4
16 files changed, 45 insertions, 39 deletions
diff --git a/TODO b/TODO
index e1c031addc..4d25289339 100644
--- a/TODO
+++ b/TODO
@@ -144,7 +144,7 @@ Features:
* automatically mount one virtiofs during early boot phase to /run/host/,
similar to how we do that for nspawn, based on some clear tag.
-* make systemd-pcrphase accessible via varlink so that clients can measure
+* make systemd-pcrextend accessible via varlink so that clients can measure
things reasonably freely, and get a proper entry in the TPM event log we
maintain, correctly synchronized
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index bbbef25159..7517d15fda 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -536,7 +536,7 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
* `$SYSTEMD_CATALOG_SOURCES` – path to the catalog database input source
directory to use for `journalctl --update-catalog`.
-`systemd-pcrphase`, `systemd-cryptsetup`:
+`systemd-pcrextend`, `systemd-cryptsetup`:
* `$SYSTEMD_FORCE_MEASURE=1` — If set, force measuring of resources (which are
marked for measurement) even if not booted on a kernel equipped with
diff --git a/man/rules/meson.build b/man/rules/meson.build
index 2884cc32b4..5f840f5afd 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -1005,10 +1005,10 @@ manpages = [
['systemd-path', '1', [], ''],
['systemd-pcrphase.service',
'8',
- ['systemd-pcrfs-root.service',
+ ['systemd-pcrextend',
+ 'systemd-pcrfs-root.service',
'systemd-pcrfs@.service',
'systemd-pcrmachine.service',
- 'systemd-pcrphase',
'systemd-pcrphase-initrd.service',
'systemd-pcrphase-sysinit.service'],
'ENABLE_BOOTLOADER'],
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 3568fb5435..55ec696d8c 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -191,7 +191,8 @@
<listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a
series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot
process. Each of the specified strings is measured by the
- <filename>systemd-pcrphase-initrd.service</filename> and
+ <filename>systemd-pcrphase-initrd.service</filename>,
+ <filename>systemd-pcrphase-sysinit.service</filename>, and
<citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
into PCR 11 during different milestones of the boot process. This switch may be specified multiple
times to calculate PCR values for multiple boot phases at once. If not used defaults to
diff --git a/man/systemd-pcrphase.service.xml b/man/systemd-pcrphase.service.xml
index f6e7bba9d1..93d27019cb 100644
--- a/man/systemd-pcrphase.service.xml
+++ b/man/systemd-pcrphase.service.xml
@@ -23,7 +23,7 @@
<refname>systemd-pcrmachine.service</refname>
<refname>systemd-pcrfs-root.service</refname>
<refname>systemd-pcrfs@.service</refname>
- <refname>systemd-pcrphase</refname>
+ <refname>systemd-pcrextend</refname>
<refpurpose>Measure boot phase into TPM2 PCR 11, machine ID and file system identity into PCR 15</refpurpose>
</refnamediv>
@@ -34,7 +34,7 @@
<para><filename>systemd-pcrmachine.service</filename></para>
<para><filename>systemd-pcrfs-root.service</filename></para>
<para><filename>systemd-pcrfs@.service</filename></para>
- <para><filename>/usr/lib/systemd/systemd-pcrphase</filename> <optional><replaceable>STRING</replaceable></optional></para>
+ <para><filename>/usr/lib/systemd/systemd-pcrextend</filename> <optional><replaceable>STRING</replaceable></optional></para>
</refsynopsisdiv>
<refsect1>
@@ -134,7 +134,7 @@
<refsect1>
<title>Options</title>
- <para>The <filename>/usr/lib/systemd/system-pcrphase</filename> executable may also be invoked from the
+ <para>The <filename>/usr/lib/systemd/system-pcrextend</filename> executable may also be invoked from the
command line, where it expects the word to extend into PCR 11, as well as the following switches:</para>
<variablelist>
diff --git a/meson.build b/meson.build
index bf25bcba43..381e2a8c4e 100644
--- a/meson.build
+++ b/meson.build
@@ -2158,6 +2158,7 @@ subdir('src/nss-systemd')
subdir('src/oom')
subdir('src/partition')
subdir('src/path')
+subdir('src/pcrextend')
subdir('src/portable')
subdir('src/pstore')
subdir('src/quotacheck')
diff --git a/src/boot/meson.build b/src/boot/meson.build
index fdccb2a428..43ff3a5982 100644
--- a/src/boot/meson.build
+++ b/src/boot/meson.build
@@ -65,21 +65,6 @@ executables += [
'dependencies' : libopenssl,
},
libexec_template + {
- 'name' : 'systemd-pcrphase',
- 'conditions' : [
- 'HAVE_BLKID',
- 'ENABLE_BOOTLOADER',
- 'HAVE_OPENSSL',
- 'HAVE_TPM2',
- ],
- 'sources' : files('pcrphase.c'),
- 'dependencies' : [
- libblkid,
- libopenssl,
- tpm2,
- ],
- },
- libexec_template + {
'name' : 'systemd-boot-check-no-failures',
'sources' : files('boot-check-no-failures.c'),
},
diff --git a/src/pcrextend/meson.build b/src/pcrextend/meson.build
new file mode 100644
index 0000000000..05c5350806
--- /dev/null
+++ b/src/pcrextend/meson.build
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+executables += [
+ libexec_template + {
+ 'name' : 'systemd-pcrextend',
+ 'conditions' : [
+ 'HAVE_BLKID',
+ 'ENABLE_BOOTLOADER',
+ 'HAVE_OPENSSL',
+ 'HAVE_TPM2',
+ ],
+ 'sources' : files('pcrextend.c'),
+ 'dependencies' : [
+ libblkid,
+ libopenssl,
+ tpm2,
+ ],
+ },
+]
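Review bot: The `'ENABLE_BOOTLOADER'` entry in `conditions` is carried over unchanged from src/boot/meson.build, although the commit message gives "not really doing boot related stuff anymore" as the reason for moving the tool out of src/boot/. With this condition, a build that turns the bootloader option off presumably also drops systemd-pcrextend, and with it the machine-ID and file-system measurements into PCR 15. If the coupling is intentional (the units in this commit are all conditioned on the StubPcrKernelImage EFI variable), a comment above the list would record that, for example `# kept behind ENABLE_BOOTLOADER: the units only run when booted via sd-stub`. Otherwise the entry could be dropped, keeping only the blkid, OpenSSL and TPM2 conditions.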
diff --git a/src/boot/pcrphase.c b/src/pcrextend/pcrextend.c
index 8e57c827a7..74021374d3 100644
--- a/src/boot/pcrphase.c
+++ b/src/pcrextend/pcrextend.c
@@ -35,14 +35,14 @@ static int help(int argc, char *argv[], void *userdata) {
_cleanup_free_ char *link = NULL;
int r;
- r = terminal_urlify_man("systemd-pcrphase", "8", &link);
+ r = terminal_urlify_man("systemd-pcrextend", "8", &link);
if (r < 0)
return log_oom();
printf("%1$s [OPTIONS...] WORD\n"
"%1$s [OPTIONS...] --file-system=PATH\n"
"%1$s [OPTIONS...] --machine-id\n"
- "\n%5$sMeasure boot phase into TPM2 PCR 11.%6$s\n"
+ "\n%5$sExtend a TPM2 PCR with boot phase, machine ID, or file system ID.%6$s\n"
"\n%3$sOptions:%4$s\n"
" -h --help Show this help\n"
" --version Print version\n"
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 6480c46bf8..3c53423573 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -5,7 +5,7 @@ set -o pipefail
SD_CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
SD_MEASURE="/usr/lib/systemd/systemd-measure"
-SD_PCRPHASE="/usr/lib/systemd/systemd-pcrphase"
+SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
export SYSTEMD_LOG_LEVEL=debug
cryptsetup_has_token_plugin_support() {
@@ -249,12 +249,12 @@ else
echo "$SD_MEASURE or PCR sysfs files not found, skipping signed PCR policy test case"
fi
-if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
+if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
# Let's measure the machine ID
tpm2_pcrread sha256:15 -Q -o /tmp/oldpcr15
mv /etc/machine-id /etc/machine-id.save
echo 994013bf23864ee7992eab39a96dd3bb >/etc/machine-id
- SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" --machine-id
+ SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" --machine-id
mv /etc/machine-id.save /etc/machine-id
tpm2_pcrread sha256:15 -Q -o /tmp/newpcr15
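Review bot: The guard `[[ -x "$SD_PCREXTEND" ]]` turns a wrong or stale binary path into a silent skip, which matters in a commit whose whole purpose is renaming that path. If the new name were mistyped or the binary not installed, the `else` branch in the last hunk of this file would only print "not found, skipping PCR extension test case" and the suite would still pass with no PCR 11/15 coverage. If the test image is always built with TPM2 support (not visible here), consider separating the two conditions so that a missing binary fails while a missing PCR bank skips, e.g. `[[ -x "$SD_PCREXTEND" ]] || { echo "$SD_PCREXTEND missing" >&2; exit 1; }` before the `tpm_has_pcr` checks. The `if` block starts in this hunk and ends outside it.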
@@ -270,7 +270,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
# And similar for the boot phase measurement into PCR 11
tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
- SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" foobar
+ SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar
tpm2_pcrread sha256:11 -Q -o /tmp/newpcr11
diff /tmp/newpcr11 \
@@ -284,7 +284,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
rm -f /tmp/oldpcr11 /tmp/newpcr11
else
- echo "$SD_PCRPHASE or PCR sysfs files not found, skipping PCR extension test case"
+ echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension test case"
fi
# Ensure that sandboxing doesn't stop creds from being accessible
diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in
index da3438c576..d7941fc1f6 100644
--- a/units/systemd-pcrfs-root.service.in
+++ b/units/systemd-pcrfs-root.service.in
@@ -21,4 +21,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=/
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=/
diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in
index 59a3ece3c5..9ada988f5b 100644
--- a/units/systemd-pcrfs@.service.in
+++ b/units/systemd-pcrfs@.service.in
@@ -22,4 +22,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=%f
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=%f
diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in
index 544edb4b7b..9088a66acf 100644
--- a/units/systemd-pcrmachine.service.in
+++ b/units/systemd-pcrmachine.service.in
@@ -20,4 +20,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --machine-id
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --machine-id
diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in
index 69dcbceaac..357c7c5869 100644
--- a/units/systemd-pcrphase-initrd.service.in
+++ b/units/systemd-pcrphase-initrd.service.in
@@ -20,5 +20,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful enter-initrd
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful leave-initrd
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful enter-initrd
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful leave-initrd
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
index 55fae49aa8..5ca986fdf7 100644
--- a/units/systemd-pcrphase-sysinit.service.in
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -21,5 +21,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful sysinit
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful final
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful sysinit
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful final
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
index c5170cec93..88d41c2c5d 100644
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -19,5 +19,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful ready
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful shutdown
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful ready
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful shutdown