diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-10-17 14:50:56 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2023-01-17 09:42:16 +0100 |
| commit | 6c51b49ce0892ff923233a6031add4877100f5b0 (patch) | |
| tree | 454025e5aa2a5bf4dd3d4461d91f1e007e87eb50 /src/gpt-auto-generator | |
| parent | generators: optionally, measure file systems at boot (diff) | |
| download | systemd-6c51b49ce0892ff923233a6031add4877100f5b0.tar.xz systemd-6c51b49ce0892ff923233a6031add4877100f5b0.zip | |
tpm2: add common helper for checking if we are running on UKI with TPM measurements
Let's introduce a common implementation of a function that checks
whether we are booted on a kernel with systemd-stub that has TPM PCR
measurements enabled. Do our own userspace measurements only if we
detect that.
PCRs are scarce and most likely there are projects which already make
use of them in other ways. Hence, instead of blindly stepping into their
territory let's conditionalize things so that people have to explicitly
buy into our PCR assignments before we start measuring things into them.
Specifically bind everything to an UKI that reported measurements.
This was previously already implemented in systemd-pcrphase, but with
this change we expand this to all tools that process PCR measurement
settings.
The env var to override the check is renamed to SYSTEMD_FORCE_MEASURE,
to make it more generic (since we'll use it at multiple places now).
This is not a compat break, since the original env var for that was not
included in any stable release yet.
Diffstat (limited to 'src/gpt-auto-generator')
| -rw-r--r-- | src/gpt-auto-generator/gpt-auto-generator.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index 63bb2a3cbb..9b11318017 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -102,11 +102,11 @@ static int add_cryptsetup( * assignment, under the assumption that people who are fine to use sd-stub with its PCR * assignments are also OK with our PCR 15 use here. */ - r = efi_get_variable(EFI_LOADER_VARIABLE(StubPcrKernelImage), NULL, NULL, NULL); /* we don't actually care which PCR the UKI used for itself */ - if (r == -ENOENT) - log_debug_errno(r, "Will not measure volume key of volume '%s', because not booted via systemd-stub with measurements enabled.", id); - else if (r < 0) - log_debug_errno(r, "Failed to determine whether booted via systemd-stub with measurements enabled, ignoring: %m"); + r = efi_stub_measured(); + if (r < 0) + log_warning_errno(r, "Failed to determine whether booted via systemd-stub with measurements enabled, ignoring: %m"); + else if (r == 0) + log_debug("Will not measure volume key of volume '%s', because not booted via systemd-stub with measurements enabled.", id); else if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes")) return log_oom(); } |