From: Lennart Poettering
Date: Mon, 22 Apr 2024 12:47:58 +0000 (+0200)
Subject: tpm2-setup-early: order against pcrphase-initrd
X-Git-Tag: v256-rc1~70^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6e9c37f5e7ecaac81f028bff6b7e206484960e6;p=thirdparty%2Fsystemd.git

tpm2-setup-early: order against pcrphase-initrd

Right now systemd-tpm2-setup-early and systemd-pcrphase-initrd.service are not ordered against each other. However, they require the same slow resource to operate: the TPM2. If we allow them to access the device simultaneously, the kernel resource manager likely has to save/restore TPM state while they operate, slowing things down further.

Hence, let's avoid all this mess, and just order them against each other so that the shared resource is first used in full by one and then by the other.

I opted to order systemd-pcrphase-initrd before systemd-tpm2-setup-early, since there's value in having the former as early as possible in userspace, to be a good marker for the transition from kernel to first userspace. I can see no benefit in the opposite order however.
---
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in index 9574ffd2895..9982c84aba0 100644 --- a/units/systemd-tpm2-setup-early.service.in +++ b/units/systemd-tpm2-setup-early.service.in @@ -12,10 +12,10 @@ Description=Early TPM SRK Setup Documentation=man:systemd-tpm2-setup.service(8) DefaultDependencies=no Conflicts=shutdown.target +After=tpm2.target systemd-pcrphase-initrd.service Before=sysinit.target shutdown.target ConditionSecurity=measured-uki ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem -After=tpm2.target [Service] Type=oneshot
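
Review bot: the added `After=tpm2.target systemd-pcrphase-initrd.service` line in the [Unit] section carries no comment saying why systemd-pcrphase-initrd.service is listed, so the rationale (serialising use of the TPM2 so the two services do not contend for it) lives only in the commit message. A one-line `#` comment directly above the new `After=` would keep a later cleanup from dropping what looks like an unrelated dependency. The comment could also record that this is ordering only: no `Wants=` or `Requires=` is added, so the constraint takes effect only when both units are part of the same transaction, which is consistent with the stated intent but is not obvious from the unit file. Separately, the hunk relocates `After=` from below `ConditionPathExists=` to above `Before=` in the same change; mentioning that reorder in the commit message would make it clear that the only functional difference is the extra unit name.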