tpm2: stop the software TPM before the ESP is unmounted on shutdown

swtpm keeps its state on the ESP (--tpmstate=dir=) and thus holds it
busy for as long as it runs, but nothing ensured it was stopped before
the ESP was unmounted on shutdown, leaving boot.mount failing to
unmount.

Two things were missing:

- systemd-tpm2-swtpm.service has DefaultDependencies=no, which strips
  the implicit shutdown.target membership, so it was torn down late
  rather than stopped in an ordered manner. Add
  Conflicts=/Before=shutdown.target, as the sibling
  systemd-tpm2-setup{,-early}.service units already do.

- The generator only ordered the service
  After=boot.automount/efi.automount. Ordering after the .automount
  units is enough for start-up, but only an ordering against the actual
  .mount units makes the service stop (releasing the ESP) before the
  file system is unmounted. Add boot.mount/efi.mount to the After= line;
  this is a no-op at start-up, as the mount has no job of its own there
  (it is triggered on access via the automount).

Signed-off-by: Paul Meyer <katexochen0@gmail.com>

diff --git a/src/tpm2-setup/tpm2-generator.c b/src/tpm2-setup/tpm2-generator.c
index 65f450daaffb97e382c01fc970e452bb9ffcaa60..5a4a88bf9f42863f83dcd359f664b5d955c5501e 100644 (file)
--- a/src/tpm2-setup/tpm2-generator.c
+++ b/src/tpm2-setup/tpm2-generator.c
@@ -114,14 +114,18 @@ static int generate_swtpm_symlink(Tpm2Support support) {
         else
                 /* Order (but not pull in) the regular ESP automount so that swtpm has a place to store its
                  * data. Note that it might be mounted to two different places depending on the existence of
-                 * XBOOTLDR, hence order after both. */
+                 * XBOOTLDR, hence order after both. We also order after the .mount units (not just the
+                 * .automount units): ordering after the automount is enough for start-up, but only an
+                 * ordering against the actual mount unit ensures swtpm is stopped (releasing the ESP) before
+                 * the file system is unmounted on shutdown. This is a no-op at start-up, as the mount has no
+                 * job of its own there (it is triggered on access via the automount). */
                 r = write_drop_in(
                                 arg_dest,
                                 "systemd-tpm2-swtpm.service",
                                 50, "esp",
                                 "# Automatically generated by systemd-tpm2-generator\n\n"
                                 "[Unit]\n"
-                                "After=boot.automount efi.automount\n");
+                                "After=boot.automount efi.automount boot.mount efi.mount\n");
         if (r < 0)
                 return log_error_errno(r, "Failed to hook ESP mount before systemd-tpm2-swtpm.service: %m");
 

diff --git a/units/systemd-tpm2-swtpm.service.in b/units/systemd-tpm2-swtpm.service.in
index 10856f70d9e9fed69abc9f1479ea00c9ecc45dd1..5ca946248c439573d712b29ed6637f4ed822c7d0 100644 (file)
--- a/units/systemd-tpm2-swtpm.service.in
+++ b/units/systemd-tpm2-swtpm.service.in
@@ -11,10 +11,11 @@
 Description=Fallback Software TPM
 Documentation=man:systemd-tpm2-swtpm.service(8)
 DefaultDependencies=no
+Conflicts=shutdown.target
 After=systemd-sysusers.service
 Wants=modprobe@tpm_vtpm_proxy.service
 After=modprobe@tpm_vtpm_proxy.service
-Before=tpm2.target sysinit.target
+Before=tpm2.target sysinit.target shutdown.target
 
 [Service]
 Type=notify