<para>If the system was booted via
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> and the
stub reported to userspace that the kernel image was measured to a TPM2 PCR, then any discovered root and
- <filename>/var/</filename> volume identifiers (and volume encryption key in case it is encrypted) will be
- automatically measured into PCR 15 on activation, via
- <citerefentry><refentrytitle>systemd-pcrfs@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+ <filename>/var/</filename> volume identifiers (and volume encryption keys, in case they are encrypted)
+ will be automatically measured into PCR 15 on activation, via
+ <citerefentry><refentrytitle>systemd-pcrfs@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Moreover,
+ information about the LUKS key slot used to unlock the volume is measured into NvPCR
+ <literal>cryptsetup</literal>. Finally, if the root or <filename>/usr/</filename> partition is protected
+ via Verity its root hash and the serial/issuer of the key used for the provided root hash signature (if
+ any) are measured into the NvPCR <literal>verity</literal>.</para>
<para>Mount constraint metadata contained in the file systems is validated by pulling in
<citerefentry><refentrytitle>systemd-validatefs@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
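Review bot: the added sentence "information about the LUKS key slot used to unlock the volume is measured into NvPCR <literal>cryptsetup</literal>" does not say what that information is, so a reader cannot tell which value ends up in the NvPCR or what a policy should expect; spell out the measured data the way the Verity sentence does for the root hash and the signer's serial/issuer. Two smaller points: "NvPCR" is introduced here without explanation or a cross-reference to where the underlying measurement option is documented, and "protected via Verity its root hash" needs a comma after "Verity". Also make it explicit that the paragraph's opening condition (booted via systemd-stub with the kernel image measured) covers the new LUKS and Verity measurements too, since the code in this change only requests the Verity measurement when that condition holds.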
const char *id,
const char *data_what,
const char *hash_what,
- const char *mount_opts) {
+ const char *mount_opts,
+ MountPointFlags flags) {
#if HAVE_LIBCRYPTSETUP
int r;
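Review bot: widening the signature to take `MountPointFlags flags` changes every caller of this function; the `root` and `usr` call sites are updated in the hunks below, but please confirm no other caller exists, and check any `#if !HAVE_LIBCRYPTSETUP` branch, where `flags` would now go unused. A one-line comment stating that only `MOUNT_MEASURE` is honoured by this function would save the next reader from having to work out which flags matter.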
"After=%1$s %2$s\n",
dd, dh);
+ _cleanup_free_ char *options =
+ strdup("root-hash-signature=auto"); /* auto means: derive signature from udev property ID_DISSECT_PART_ROOTHASH_SIG */
+ if (!options)
+ return log_oom();
+
+ if (FLAGS_SET(flags, MOUNT_MEASURE)) {
+ r = efi_measured_uki(LOG_WARNING);
+ if (r > 0 && !strextend_with_separator(&options, ",", "tpm2-measure-nvpcr=yes"))
+ return log_oom();
+ if (r == 0)
+ log_debug("Will not measure root hash/signature of volume '%s', not booted via systemd-stub with measurements enabled.", id);
+ }
+
r = generator_write_veritysetup_service_section(
f,
id,
data_what,
hash_what,
/* roothash= */ NULL, /* NULL means: derive root hash from udev property ID_DISSECT_PART_ROOTHASH */
- "root-hash-signature=auto"); /* auto means: derive signature from udev property ID_DISSECT_PART_ROOTHASH_SIG */
+ options);
if (r < 0)
return r;
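Review bot: inside the `if (FLAGS_SET(flags, MOUNT_MEASURE))` block, a negative return from `efi_measured_uki(LOG_WARNING)` matches neither the `r > 0` nor the `r == 0` branch, so on a lookup error the service is written without `tpm2-measure-nvpcr=yes` and without the debug message, silently disabling measurement. If that is intended (the call already logs at warning level), add a comment saying so; otherwise `if (r < 0) return r;` would make the failure visible. Minor style: the `strdup("root-hash-signature=auto")` line carries a long trailing comment that was previously on the argument line; moving it to its own line above the assignment keeps the `_cleanup_free_` declaration readable.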
"root",
"/dev/disk/by-designator/root-verity-data",
"/dev/disk/by-designator/root-verity",
- arg_root_options);
+ arg_root_options,
+ MOUNT_MEASURE);
if (r < 0)
return r;
}
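Review bot: `MOUNT_MEASURE` is hard-coded at this call site (and at the `usr` one below), so NvPCR measurement of the Verity root hash is always requested for root and /usr and only gated by `efi_measured_uki()` inside the callee. If the intent is that these two volumes are unconditionally measured, a short comment here saying so would help; if other partitions are ever routed through this function, consider deriving the flag from the caller's mount-point flags rather than passing a literal.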
"usr",
"/dev/disk/by-designator/usr-verity-data",
"/dev/disk/by-designator/usr-verity",
- arg_usr_options);
+ arg_usr_options,
+ MOUNT_MEASURE);
if (r < 0)
return r;
}