By default swtpm runs with four banks: SHA1, SHA256, SHA384, SHA512.
This means all data that is part of the boot will be hashed four times,
which slows everything down.
Let's restrict things to SHA256 only, which is the one that really
matters. SHA1 is no up to today's standards anyway, and noone really
consumes the other two, hence no point in enabling this.
To disable the banks we need to call swtpm_setup with --pcr-banks. Do
so.
}
void socket_service_pair_done(SocketServicePair *p) {
+ assert(p);
+
+ p->exec_start_pre = strv_free(p->exec_start_pre);
p->exec_start = strv_free(p->exec_start);
p->exec_stop_post = strv_free(p->exec_stop_post);
p->unit_name_prefix = mfree(p->unit_name_prefix);
return bus_log_create_error(r);
}
+ if (p->exec_start_pre) {
+ r = message_add_commands(m, "ExecStartPre", &p->exec_start_pre, 1);
+ if (r < 0)
+ return r;
+ }
+
r = message_add_commands(m, "ExecStart", &p->exec_start, 1);
if (r < 0)
return r;
#include "macro.h"
typedef struct SocketServicePair {
+ char **exec_start_pre;
char **exec_start;
char **exec_stop_post;
char *unit_name_prefix;
if (!ssp.listen_address)
return log_oom();
+ _cleanup_free_ char *swtpm_setup = NULL;
+ r = find_executable("swtpm_setup", &swtpm_setup);
+ if (r < 0)
+ return log_error_errno(r, "Failed to find swtpm_setup binary: %m");
+
+ ssp.exec_start_pre = strv_new(swtpm_setup, "--tpm-state", state_dir, "--tpm2", "--pcr-banks", "sha256");
+ if (!ssp.exec_start_pre)
+ return log_oom();
+
ssp.exec_start = strv_new(swtpm, "socket", "--tpm2", "--tpmstate");
if (!ssp.exec_start)
return log_oom();