From: Lennart Poettering
Date: Wed, 11 Feb 2026 15:29:59 +0000 (+0100)
Subject: gpt-auto-generator: enable nvpcr logic by default
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a450fab9c6c625739e7f5c8f5c4dbb88677a1fb3;p=thirdparty%2Fsystemd.git

gpt-auto-generator: enable nvpcr logic by default

Let's enable this kind of measurement by default if people buy into UKIs and stuff, just like volume key measurement is now enabled by default.
---
diff --git a/man/systemd-gpt-auto-generator.xml b/man/systemd-gpt-auto-generator.xml
index 398076abc73..e267fc95287 100644
--- a/man/systemd-gpt-auto-generator.xml
+++ b/man/systemd-gpt-auto-generator.xml
@@ -272,9 +272,13 @@ If the system was booted via systemd-stub7 and the stub reported to userspace that the kernel image was measured to a TPM2 PCR, then any discovered root and - /var/ volume identifiers (and volume encryption key in case it is encrypted) will be - automatically measured into PCR 15 on activation, via - systemd-pcrfs@.service8. + /var/ volume identifiers (and volume encryption keys, in case they are encrypted) + will be automatically measured into PCR 15 on activation, via + systemd-pcrfs@.service8. Moreover, + information about the LUKS key slot used to unlock the volume is measured into NvPCR + cryptsetup. Finally, if the root or /usr/ partition is protected + via Verity its root hash and the serial/issuer of the key used for the provided root hash signature (if + any) are measured into the NvPCR verity. Mount constraint metadata contained in the file systems is validated by pulling in systemd-validatefs@.service8
diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index 9e20e23abfe..4fd92a6057f 100644
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -190,7 +190,8 @@ static int add_veritysetup(
                 const char *id,
                 const char *data_what,
                 const char *hash_what,
-                const char *mount_opts) {
+                const char *mount_opts,
+                MountPointFlags flags) {
 
 #if HAVE_LIBCRYPTSETUP
         int r;
@@ -233,13 +234,26 @@ static int add_veritysetup(
                 "After=%1$s %2$s\n",
                 dd, dh);
 
+        _cleanup_free_ char *options =
+                strdup("root-hash-signature=auto"); /* auto means: derive signature from udev property ID_DISSECT_PART_ROOTHASH_SIG */
+        if (!options)
+                return log_oom();
+
+        if (FLAGS_SET(flags, MOUNT_MEASURE)) {
+                r = efi_measured_uki(LOG_WARNING);
+                if (r > 0 && !strextend_with_separator(&options, ",", "tpm2-measure-nvpcr=yes"))
+                        return log_oom();
+                if (r == 0)
+                        log_debug("Will not measure root hash/signature of volume '%s', not booted via systemd-stub with measurements enabled.", id);
+        }
+
         r = generator_write_veritysetup_service_section(
                         f,
                         id,
                         data_what,
                         hash_what,
                         /* roothash= */ NULL, /* NULL means: derive root hash from udev property ID_DISSECT_PART_ROOTHASH */
-                        "root-hash-signature=auto"); /* auto means: derive signature from udev property ID_DISSECT_PART_ROOTHASH_SIG */
+                        options);
         if (r < 0)
                 return r;
@@ -871,7 +885,8 @@ static int add_root_mount(void) {
                         "root",
                         "/dev/disk/by-designator/root-verity-data",
                         "/dev/disk/by-designator/root-verity",
-                        arg_root_options);
+                        arg_root_options,
+                        MOUNT_MEASURE);
         if (r < 0)
                 return r;
 }
@@ -952,7 +967,8 @@ static int add_usr_mount(void) {
                         "usr",
                         "/dev/disk/by-designator/usr-verity-data",
                         "/dev/disk/by-designator/usr-verity",
-                        arg_usr_options);
+                        arg_usr_options,
+                        MOUNT_MEASURE);
         if (r < 0)
                 return r;
 }
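Review bot: In the new measurement block of add_veritysetup() (second hunk), an error from efi_measured_uki() is not handled by any branch: only `r > 0` appends `tpm2-measure-nvpcr=yes` and only `r == 0` gets the log_debug, so on `r < 0` the function quietly generates the veritysetup unit with the root hash and signature unmeasured, which is exactly the state an attestation policy keyed on the verity NvPCR would not expect. That may be intentional if efi_measured_uki() logs at the LOG_WARNING level it is passed, but the fall-through deserves a comment so the best-effort nature is explicit, e.g. above the `if (FLAGS_SET(flags, MOUNT_MEASURE))` line: `/* Measurement is best-effort: tpm2-measure-nvpcr=yes is only requested when systemd-stub reported a measured UKI (r > 0); on r == 0 and on error the unit is still generated without it. */`. The new `flags` parameter in the first hunk would also benefit from a line at the definition noting that only MOUNT_MEASURE is consulted here. add_veritysetup() starts before the first hunk and continues past the second.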