From: Lennart Poettering
Date: Mon, 25 Sep 2023 08:38:01 +0000 (+0200)
Subject: pcrphase: rename binary to pcrextend
X-Git-Tag: v255-rc1~441^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32295fa08f35d8c0b86c5faa03d7c818d3a9353f;p=thirdparty%2Fsystemd.git
pcrphase: rename binary to pcrextend
The tool initially just measured the boot phase, but was subsequently extended to measure file system and machine IDs, too. At AllSystemsGo there were request to add more, and make the tool generically accessible. Hence, let's rename the binary (but not the pcrphase services), to make clear the tool is not just measureing the boot phase, but a lot of other things too. The tool is located in /usr/lib/ and still relatively new, hence let's just rename the binary and be done with it, while keeping the unit names stable. While we are at it, also move the tool out of src/boot/ and into its own src/pcrextend/ dir, since it's not really doing boot related stuff anymore.
---
diff --git a/TODO b/TODO
index e1c031addcc..4d25289339b 100644
--- a/TODO
+++ b/TODO
@@ -144,7 +144,7 @@ Features:
 * automatically mount one virtiofs during early boot phase to /run/host/,
 similar to how we do that for nspawn, based on some clear tag.
-* make systemd-pcrphase accessible via varlink so that clients can measure
+* make systemd-pcrextend accessible via varlink so that clients can measure
 things reasonably freely, and get a proper entry in the TPM event log we
 maintain, correctly synchronized
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index bbbef251594..7517d15fdab 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -536,7 +536,7 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
 * `$SYSTEMD_CATALOG_SOURCES` – path to the catalog database input source
 directory to use for `journalctl --update-catalog`.
-`systemd-pcrphase`, `systemd-cryptsetup`:
+`systemd-pcrextend`, `systemd-cryptsetup`:
 * `$SYSTEMD_FORCE_MEASURE=1` — If set, force measuring of resources (which
 are marked for measurement) even if not booted on a kernel equipped with
diff --git a/man/rules/meson.build b/man/rules/meson.build
index 2884cc32b41..5f840f5afdf 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -1005,10 +1005,10 @@ manpages = [
 ['systemd-path', '1', [], ''],
 ['systemd-pcrphase.service',
 '8',
- ['systemd-pcrfs-root.service',
+ ['systemd-pcrextend',
+ 'systemd-pcrfs-root.service',
 'systemd-pcrfs@.service',
 'systemd-pcrmachine.service',
- 'systemd-pcrphase',
 'systemd-pcrphase-initrd.service',
 'systemd-pcrphase-sysinit.service'],
 'ENABLE_BOOTLOADER'],
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 3568fb54350..55ec696d8c5 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -191,7 +191,8 @@ Controls which boot phases to calculate expected PCR 11 values for. This takes a series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot process. Each of the specified strings is measured by the
- systemd-pcrphase-initrd.service and
+ systemd-pcrphase-initrd.service,
+ systemd-pcrphase-sysinit.service, and
 systemd-pcrphase.service8 into PCR 11 during different milestones of the boot process. This switch may be specified multiple times to calculate PCR values for multiple boot phases at once. If not used defaults to
diff --git a/man/systemd-pcrphase.service.xml b/man/systemd-pcrphase.service.xml
index f6e7bba9d1f..93d27019cb9 100644
--- a/man/systemd-pcrphase.service.xml
+++ b/man/systemd-pcrphase.service.xml
@@ -23,7 +23,7 @@ systemd-pcrmachine.service systemd-pcrfs-root.service systemd-pcrfs@.service
- systemd-pcrphase
+ systemd-pcrextend
 Measure boot phase into TPM2 PCR 11, machine ID and file system identity into PCR 15
@@ -34,7 +34,7 @@ systemd-pcrmachine.service systemd-pcrfs-root.service systemd-pcrfs@.service
- /usr/lib/systemd/systemd-pcrphase STRING
+ /usr/lib/systemd/systemd-pcrextend STRING
@@ -134,7 +134,7 @@ Options
- The /usr/lib/systemd/system-pcrphase executable may also be invoked from the
+ The /usr/lib/systemd/system-pcrextend executable may also be invoked from the
 command line, where it expects the word to extend into PCR 11, as well as the following switches:
diff --git a/meson.build b/meson.build
index bf25bcba43e..381e2a8c4e1 100644
--- a/meson.build
+++ b/meson.build
@@ -2158,6 +2158,7 @@ subdir('src/nss-systemd')
 subdir('src/oom')
 subdir('src/partition')
 subdir('src/path')
+subdir('src/pcrextend')
 subdir('src/portable')
 subdir('src/pstore')
 subdir('src/quotacheck')
diff --git a/src/boot/meson.build b/src/boot/meson.build
index fdccb2a428a..43ff3a59828 100644
--- a/src/boot/meson.build
+++ b/src/boot/meson.build
@@ -64,21 +64,6 @@ executables += [
 'sources' : files('measure.c'),
 'dependencies' : libopenssl,
 },
- libexec_template + {
- 'name' : 'systemd-pcrphase',
- 'conditions' : [
- 'HAVE_BLKID',
- 'ENABLE_BOOTLOADER',
- 'HAVE_OPENSSL',
- 'HAVE_TPM2',
- ],
- 'sources' : files('pcrphase.c'),
- 'dependencies' : [
- libblkid,
- libopenssl,
- tpm2,
- ],
- },
 libexec_template + {
 'name' : 'systemd-boot-check-no-failures',
 'sources' : files('boot-check-no-failures.c'),
diff --git a/src/pcrextend/meson.build b/src/pcrextend/meson.build
new file mode 100644
index 00000000000..05c53508068
--- /dev/null
+++ b/src/pcrextend/meson.build
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+executables += [
+ libexec_template + {
+ 'name' : 'systemd-pcrextend',
+ 'conditions' : [
+ 'HAVE_BLKID',
+ 'ENABLE_BOOTLOADER',
+ 'HAVE_OPENSSL',
+ 'HAVE_TPM2',
+ ],
+ 'sources' : files('pcrextend.c'),
+ 'dependencies' : [
+ libblkid,
+ libopenssl,
+ tpm2,
+ ],
+ },
+]
diff --git a/src/boot/pcrphase.c b/src/pcrextend/pcrextend.c
similarity index 98%
rename from src/boot/pcrphase.c
rename to src/pcrextend/pcrextend.c
index 8e57c827a72..74021374d32 100644
--- a/src/boot/pcrphase.c
+++ b/src/pcrextend/pcrextend.c
@@ -35,14 +35,14 @@ static int help(int argc, char *argv[], void *userdata) {
 _cleanup_free_ char *link = NULL;
 int r;
- r = terminal_urlify_man("systemd-pcrphase", "8", &link);
+ r = terminal_urlify_man("systemd-pcrextend", "8", &link);
 if (r < 0)
 return log_oom();
 printf("%1$s [OPTIONS...] WORD\n"
 "%1$s [OPTIONS...] --file-system=PATH\n"
 "%1$s [OPTIONS...] --machine-id\n"
- "\n%5$sMeasure boot phase into TPM2 PCR 11.%6$s\n"
+ "\n%5$sExtend a TPM2 PCR with boot phase, machine ID, or file system ID.%6$s\n"
 "\n%3$sOptions:%4$s\n"
 " -h --help Show this help\n"
 " --version Print version\n"
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 6480c46bf8c..3c534235730 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -5,7 +5,7 @@ set -o pipefail
 SD_CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
 SD_MEASURE="/usr/lib/systemd/systemd-measure"
-SD_PCRPHASE="/usr/lib/systemd/systemd-pcrphase"
+SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
 export SYSTEMD_LOG_LEVEL=debug
 cryptsetup_has_token_plugin_support() {
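Review bot: The new summary line in help(), `+ "\n%5$sExtend a TPM2 PCR with boot phase, machine ID, or file system ID.%6$s\n"`, drops the PCR number the old text carried, so `--help` no longer tells the caller which register each mode extends, even though the man page hunk in this same commit documents boot phase into PCR 11 and machine ID / file system identity into PCR 15. Unless the option descriptions further down in help() (outside this hunk) name the PCR per mode, I would keep it in the summary: `"\n%5$sExtend TPM2 PCR 11 with the boot phase, or PCR 15 with the machine ID or a file system ID.%6$s\n"`. The renamed `terminal_urlify_man("systemd-pcrextend", "8", &link)` also depends on the systemd-pcrextend(8) alias that man/rules/meson.build now lists under systemd-pcrphase.service; a one-line comment such as `/* systemd-pcrextend(8) is an alias page of systemd-pcrphase.service(8), see man/rules/meson.build */` would save the next reader from hunting for a man page that does not exist under that name. help() starts before and continues past this hunk.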
@@ -249,12 +249,12 @@ else
 echo "$SD_MEASURE or PCR sysfs files not found, skipping signed PCR policy test case"
 fi
-if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
+if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
 # Let's measure the machine ID
 tpm2_pcrread sha256:15 -Q -o /tmp/oldpcr15
 mv /etc/machine-id /etc/machine-id.save
 echo 994013bf23864ee7992eab39a96dd3bb >/etc/machine-id
- SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" --machine-id
+ SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" --machine-id
 mv /etc/machine-id.save /etc/machine-id
 tpm2_pcrread sha256:15 -Q -o /tmp/newpcr15
@@ -270,7 +270,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
 # And similar for the boot phase measurement into PCR 11
 tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
- SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" foobar
+ SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar
 tpm2_pcrread sha256:11 -Q -o /tmp/newpcr11
 diff /tmp/newpcr11 \
@@ -284,7 +284,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
 rm -f /tmp/oldpcr11 /tmp/newpcr11
 else
- echo "$SD_PCRPHASE or PCR sysfs files not found, skipping PCR extension test case"
+ echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension test case"
 fi
 # Ensure that sandboxing doesn't stop creds from being accessible
diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in
index da3438c576c..d7941fc1f65 100644
--- a/units/systemd-pcrfs-root.service.in
+++ b/units/systemd-pcrfs-root.service.in
@@ -21,4 +21,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=/
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=/
diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in
index 59a3ece3c5c..9ada988f5bd 100644
--- a/units/systemd-pcrfs@.service.in
+++ b/units/systemd-pcrfs@.service.in
@@ -22,4 +22,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=%f
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=%f
diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in
index 544edb4b7b2..9088a66acff 100644
--- a/units/systemd-pcrmachine.service.in
+++ b/units/systemd-pcrmachine.service.in
@@ -20,4 +20,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --machine-id
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --machine-id
diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in
index 69dcbceaac7..357c7c58696 100644
--- a/units/systemd-pcrphase-initrd.service.in
+++ b/units/systemd-pcrphase-initrd.service.in
@@ -20,5 +20,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful enter-initrd
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful leave-initrd
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful enter-initrd
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful leave-initrd
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
index 55fae49aa86..5ca986fdf73 100644
--- a/units/systemd-pcrphase-sysinit.service.in
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -21,5 +21,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful sysinit
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful final
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful sysinit
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful final
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
index c5170cec93b..88d41c2c5d5 100644
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -19,5 +19,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful ready
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful shutdown
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful ready
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful shutdown