pcrphase: rename binary to pcrextend

The tool initially just measured the boot phase, but was subsequently
extended to measure file system and machine IDs, too. At AllSystemsGo
there were requests to add more, and make the tool generically
accessible.

Hence, let's rename the binary (but not the pcrphase services), to make
clear the tool is not just measuring the boot phase, but a lot of other
things too.

The tool is located in /usr/lib/ and still relatively new, hence let's
just rename the binary and be done with it, while keeping the unit names
stable.

While we are at it, also move the tool out of src/boot/ and into its own
src/pcrextend/ dir, since it's not really doing boot related stuff
anymore.
Lennart Poettering 2023-09-25 10:38:01 +02:00
parent 7f048f0ed0
commit 32295fa08f
16 changed files with 45 additions and 39 deletions

2
TODO

@ -144,7 +144,7 @@ Features:
* automatically mount one virtiofs during early boot phase to /run/host/,
similar to how we do that for nspawn, based on some clear tag.
* make systemd-pcrphase accessible via varlink so that clients can measure
* make systemd-pcrextend accessible via varlink so that clients can measure
things reasonably freely, and get a proper entry in the TPM event log we
maintain, correctly synchronized


@ -536,7 +536,7 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
* `$SYSTEMD_CATALOG_SOURCES` path to the catalog database input source
directory to use for `journalctl --update-catalog`.
`systemd-pcrphase`, `systemd-cryptsetup`:
`systemd-pcrextend`, `systemd-cryptsetup`:
* `$SYSTEMD_FORCE_MEASURE=1` — If set, force measuring of resources (which are
marked for measurement) even if not booted on a kernel equipped with


@ -1005,10 +1005,10 @@ manpages = [
['systemd-path', '1', [], ''],
['systemd-pcrphase.service',
'8',
['systemd-pcrfs-root.service',
['systemd-pcrextend',
'systemd-pcrfs-root.service',
'systemd-pcrfs@.service',
'systemd-pcrmachine.service',
'systemd-pcrphase',
'systemd-pcrphase-initrd.service',
'systemd-pcrphase-sysinit.service'],
'ENABLE_BOOTLOADER'],


@ -191,7 +191,8 @@
<listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a
series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot
process. Each of the specified strings is measured by the
<filename>systemd-pcrphase-initrd.service</filename> and
<filename>systemd-pcrphase-initrd.service</filename>,
<filename>systemd-pcrphase-sysinit.service</filename>, and
<citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
into PCR 11 during different milestones of the boot process. This switch may be specified multiple
times to calculate PCR values for multiple boot phases at once. If not used defaults to


@ -23,7 +23,7 @@
<refname>systemd-pcrmachine.service</refname>
<refname>systemd-pcrfs-root.service</refname>
<refname>systemd-pcrfs@.service</refname>
<refname>systemd-pcrphase</refname>
<refname>systemd-pcrextend</refname>
<refpurpose>Measure boot phase into TPM2 PCR 11, machine ID and file system identity into PCR 15</refpurpose>
</refnamediv>
@ -34,7 +34,7 @@
<para><filename>systemd-pcrmachine.service</filename></para>
<para><filename>systemd-pcrfs-root.service</filename></para>
<para><filename>systemd-pcrfs@.service</filename></para>
<para><filename>/usr/lib/systemd/systemd-pcrphase</filename> <optional><replaceable>STRING</replaceable></optional></para>
<para><filename>/usr/lib/systemd/systemd-pcrextend</filename> <optional><replaceable>STRING</replaceable></optional></para>
</refsynopsisdiv>
<refsect1>
@ -134,7 +134,7 @@
<refsect1>
<title>Options</title>
<para>The <filename>/usr/lib/systemd/system-pcrphase</filename> executable may also be invoked from the
<para>The <filename>/usr/lib/systemd/system-pcrextend</filename> executable may also be invoked from the
command line, where it expects the word to extend into PCR 11, as well as the following switches:</para>
<variablelist>
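Review bot: The renamed path on the `<filename>/usr/lib/systemd/system-pcrextend</filename>` line in the Options hunk carries over the pre-existing typo `system-` (no `d`), so the documented command-line path does not match the binary named in the synopsis hunk above, `/usr/lib/systemd/systemd-pcrextend`. Since the rename rewrites this line anyway, it should read `<para>The <filename>/usr/lib/systemd/systemd-pcrextend</filename> executable may also be invoked from the`. A reader copying the path from the Options section would otherwise get a non-existent executable.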


@ -2158,6 +2158,7 @@ subdir('src/nss-systemd')
subdir('src/oom')
subdir('src/partition')
subdir('src/path')
subdir('src/pcrextend')
subdir('src/portable')
subdir('src/pstore')
subdir('src/quotacheck')


@ -64,21 +64,6 @@ executables += [
'sources' : files('measure.c'),
'dependencies' : libopenssl,
},
libexec_template + {
'name' : 'systemd-pcrphase',
'conditions' : [
'HAVE_BLKID',
'ENABLE_BOOTLOADER',
'HAVE_OPENSSL',
'HAVE_TPM2',
],
'sources' : files('pcrphase.c'),
'dependencies' : [
libblkid,
libopenssl,
tpm2,
],
},
libexec_template + {
'name' : 'systemd-boot-check-no-failures',
'sources' : files('boot-check-no-failures.c'),

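--- /dev/null
+++ b/src/pcrextend/meson.build
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+executables += [
+libexec_template + {
+'name' : 'systemd-pcrextend',
+'conditions' : [
+'HAVE_BLKID',
+'ENABLE_BOOTLOADER',
+'HAVE_OPENSSL',
+'HAVE_TPM2',
+],
+'sources' : files('pcrextend.c'),
+'dependencies' : [
+libblkid,
+libopenssl,
+tpm2,
+],
+},
+]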


@ -35,14 +35,14 @@ static int help(int argc, char *argv[], void *userdata) {
_cleanup_free_ char *link = NULL;
int r;
r = terminal_urlify_man("systemd-pcrphase", "8", &link);
r = terminal_urlify_man("systemd-pcrextend", "8", &link);
if (r < 0)
return log_oom();
printf("%1$s [OPTIONS...] WORD\n"
"%1$s [OPTIONS...] --file-system=PATH\n"
"%1$s [OPTIONS...] --machine-id\n"
"\n%5$sMeasure boot phase into TPM2 PCR 11.%6$s\n"
"\n%5$sExtend a TPM2 PCR with boot phase, machine ID, or file system ID.%6$s\n"
"\n%3$sOptions:%4$s\n"
" -h --help Show this help\n"
" --version Print version\n"
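Review bot: The new help header line `"\n%5$sExtend a TPM2 PCR with boot phase, machine ID, or file system ID.%6$s\n"` drops the PCR number that the replaced text carried, yet the three usage forms above it do not extend the same register: the man page in this commit documents the boot phase word going into PCR 11 and the machine ID and file system identity into PCR 15. Someone reading `--help` can no longer tell which PCR a given invocation touches, which matters when composing PCR policies. Suggest `"\n%5$sExtend TPM2 PCR 11 with a boot phase, or PCR 15 with the machine ID or a file system identity.%6$s\n"`. help() starts before the hunk and its remaining option lines continue past it.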


@ -5,7 +5,7 @@ set -o pipefail
SD_CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
SD_MEASURE="/usr/lib/systemd/systemd-measure"
SD_PCRPHASE="/usr/lib/systemd/systemd-pcrphase"
SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
export SYSTEMD_LOG_LEVEL=debug
cryptsetup_has_token_plugin_support() {
@ -249,12 +249,12 @@ else
echo "$SD_MEASURE or PCR sysfs files not found, skipping signed PCR policy test case"
fi
if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
# Let's measure the machine ID
tpm2_pcrread sha256:15 -Q -o /tmp/oldpcr15
mv /etc/machine-id /etc/machine-id.save
echo 994013bf23864ee7992eab39a96dd3bb >/etc/machine-id
SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" --machine-id
SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" --machine-id
mv /etc/machine-id.save /etc/machine-id
tpm2_pcrread sha256:15 -Q -o /tmp/newpcr15
@ -270,7 +270,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
# And similar for the boot phase measurement into PCR 11
tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" foobar
SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar
tpm2_pcrread sha256:11 -Q -o /tmp/newpcr11
diff /tmp/newpcr11 \
@ -284,7 +284,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
rm -f /tmp/oldpcr11 /tmp/newpcr11
else
echo "$SD_PCRPHASE or PCR sysfs files not found, skipping PCR extension test case"
echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension test case"
fi
# Ensure that sandboxing doesn't stop creds from being accessible


@ -21,4 +21,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=/
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=/


@ -22,4 +22,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=%f
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=%f


@ -20,4 +20,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --machine-id
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --machine-id


@ -20,5 +20,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful enter-initrd
ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful leave-initrd
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful enter-initrd
ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful leave-initrd


@ -21,5 +21,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful sysinit
ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful final
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful sysinit
ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful final


@ -19,5 +19,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful ready
ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful shutdown
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful ready
ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful shutdown