author | Luca Boccassi <bluca@debian.org> | 2024-02-23 23:04:44 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-23 23:04:44 +0100 |
commit | bb394133cb4c097660d367fe29ba5cb2e654a3eb (patch) | |
tree | 9f2efca9434746b41df5bb0cfc711f2cb5e9a34f /src/vmspawn | |
parent | ptyfwd: optionally prefix window title with colored dot (diff) | |
parent | update TODO (diff) | |
Merge pull request #31464 from poettering/vmspawn-limit-bank
vmspawn: disable all TPM PCR banks, except for SHA256
Diffstat (limited to 'src/vmspawn')
-rw-r--r-- | src/vmspawn/vmspawn-scope.c | 9 | ||||
-rw-r--r-- | src/vmspawn/vmspawn-scope.h | 1 | ||||
-rw-r--r-- | src/vmspawn/vmspawn.c | 23 |
3 files changed, 28 insertions, 5 deletions
diff --git a/src/vmspawn/vmspawn-scope.c b/src/vmspawn/vmspawn-scope.c
index 676dee0592..ff986b09d6 100644
--- a/src/vmspawn/vmspawn-scope.c
+++ b/src/vmspawn/vmspawn-scope.c
@@ -175,6 +175,9 @@ static int message_add_commands(sd_bus_message *m, const char *exec_type, char *
 }
 void socket_service_pair_done(SocketServicePair *p) {
+ assert(p);
+
+ p->exec_start_pre = strv_free(p->exec_start_pre);
 p->exec_start = strv_free(p->exec_start);
 p->exec_stop_post = strv_free(p->exec_stop_post);
 p->unit_name_prefix = mfree(p->unit_name_prefix);
@@ -268,6 +271,12 @@ int start_socket_service_pair(sd_bus *bus, const char *scope, SocketServicePair
 return bus_log_create_error(r);
 }
+ if (p->exec_start_pre) {
+ r = message_add_commands(m, "ExecStartPre", &p->exec_start_pre, 1);
+ if (r < 0)
+ return r;
+ }
+
 r = message_add_commands(m, "ExecStart", &p->exec_start, 1);
 if (r < 0)
 return r;
diff --git a/src/vmspawn/vmspawn-scope.h b/src/vmspawn/vmspawn-scope.h
index b807c3b203..74c75117f0 100644
--- a/src/vmspawn/vmspawn-scope.h
+++ b/src/vmspawn/vmspawn-scope.h
@@ -8,6 +8,7 @@
 #include "macro.h"
 typedef struct SocketServicePair {
+ char **exec_start_pre;
 char **exec_start;
 char **exec_stop_post;
 char *unit_name_prefix;
diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index 2cffd32a00..6c2d943daa 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -639,7 +639,12 @@ static int cmdline_add_vsock(char ***cmdline, int vsock_fd) {
 return 0;
 }
-static int start_tpm(sd_bus *bus, const char *scope, const char *tpm, const char **ret_state_tempdir) {
+static int start_tpm(
+ sd_bus *bus,
+ const char *scope,
+ const char *swtpm,
+ char **ret_state_tempdir) {
+
 _cleanup_(rm_rf_physical_and_freep) char *state_dir = NULL;
 _cleanup_free_ char *scope_prefix = NULL;
 _cleanup_(socket_service_pair_done) SocketServicePair ssp = {
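Review bot: The reworked `start_tpm(` signature still has no comment stating the ownership contract of `ret_state_tempdir`, which is exactly what the `const char **` to `char **` change is about: the caller now owns and frees the returned path. I'd add a three-line comment above the signature saying that the function starts a swtpm instance for the VM as a transient socket/service pair, that on success the temporary TPM state directory is handed to the caller through ret_state_tempdir (caller frees the string), and that on any earlier failure the directory is removed again by the rm_rf_physical_and_freep cleanup on `state_dir`. Whether the directory itself is later removed by the service's exec_stop_post is not visible here and should be confirmed before the comment claims it. start_tpm's body continues past the end of this hunk.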
@@ -649,7 +654,7 @@ static int start_tpm(sd_bus *bus, const char *scope, const char *tpm, const char
 assert(bus);
 assert(scope);
- assert(tpm);
+ assert(swtpm);
 assert(ret_state_tempdir);
 r = unit_name_to_prefix(scope, &scope_prefix);
@@ -674,7 +679,16 @@ static int start_tpm(sd_bus *bus, const char *scope, const char *tpm, const char
 if (!ssp.listen_address)
 return log_oom();
- ssp.exec_start = strv_new(tpm, "socket", "--tpm2", "--tpmstate");
+ _cleanup_free_ char *swtpm_setup = NULL;
+ r = find_executable("swtpm_setup", &swtpm_setup);
+ if (r < 0)
+ return log_error_errno(r, "Failed to find swtpm_setup binary: %m");
+
+ ssp.exec_start_pre = strv_new(swtpm_setup, "--tpm-state", state_dir, "--tpm2", "--pcr-banks", "sha256");
+ if (!ssp.exec_start_pre)
+ return log_oom();
+
+ ssp.exec_start = strv_new(swtpm, "socket", "--tpm2", "--tpmstate");
 if (!ssp.exec_start)
 return log_oom();
@@ -691,7 +705,6 @@ static int start_tpm(sd_bus *bus, const char *scope, const char *tpm, const char
 return r;
 *ret_state_tempdir = TAKE_PTR(state_dir);
-
 return 0;
 }
@@ -1457,7 +1470,7 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 }
 }
- _cleanup_free_ const char *tpm_state_tempdir = NULL;
+ _cleanup_free_ char *tpm_state_tempdir = NULL;
 if (swtpm) {
 _cleanup_free_ char *escaped_state_dir = NULL; |
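Review bot: The new `ssp.exec_start_pre = strv_new(swtpm_setup, "--tpm-state", state_dir, "--tpm2", "--pcr-banks", "sha256")` line carries no comment on why the vTPM is provisioned with only the SHA256 bank; the rationale lives solely in the merge title, so a later reader cannot tell whether SHA1 is dropped for being cryptographically weak or because firmware measures into every active bank and the attestation tooling only evaluates one. I'd put above it `/* Pre-provision the TPM state with only the SHA256 PCR bank active, so the firmware measures into a single bank that matches what our TPM2 tooling attests against. */` and confirm that this is the actual motivation. As far as I know swtpm_setup refuses to initialise a `--tpm-state` directory that already holds state unless --overwrite is given, so this relies on `state_dir` being a freshly created, empty directory, which its creation outside this hunk presumably guarantees and which is worth a one-line comment. swtpm_setup also becomes a hard runtime requirement next to swtpm, resolved from vmspawn's own PATH via find_executable() before the absolute path is handed to the service manager, so the `Failed to find swtpm_setup binary` failure mode should be reflected in the documentation of the TPM option. start_tpm's body continues outside this hunk.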