From 519bad6c2c23d3c2dc9558878becb485f3ae9057 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 23 Feb 2024 17:23:06 +0100
Subject: [PATCH] vmspawn: disable all PCR banks but SHA256

By default swtpm runs with four banks: SHA1, SHA256, SHA384, SHA512. This means all data that is part of the boot will be hashed four times, which slows everything down. Let's restrict things to SHA256 only, which is the one that really matters. SHA1 is no up to today's standards anyway, and noone really consumes the other two, hence no point in enabling this.

To disable the banks we need to call swtpm_setup with --pcr-banks. Do so.
---
 src/vmspawn/vmspawn-scope.c | 9 +++++++++
 src/vmspawn/vmspawn-scope.h | 1 +
 src/vmspawn/vmspawn.c | 9 +++++++++
 3 files changed, 19 insertions(+)

diff --git a/src/vmspawn/vmspawn-scope.c b/src/vmspawn/vmspawn-scope.c
index 676dee05927..ff986b09d65 100644
--- a/src/vmspawn/vmspawn-scope.c
+++ b/src/vmspawn/vmspawn-scope.c
@@ -175,6 +175,9 @@ static int message_add_commands(sd_bus_message *m, const char *exec_type, char *
 }
 
 void socket_service_pair_done(SocketServicePair *p) {
+ assert(p);
+
+ p->exec_start_pre = strv_free(p->exec_start_pre);
 p->exec_start = strv_free(p->exec_start);
 p->exec_stop_post = strv_free(p->exec_stop_post);
 p->unit_name_prefix = mfree(p->unit_name_prefix);
@@ -268,6 +271,12 @@ int start_socket_service_pair(sd_bus *bus, const char *scope, SocketServicePair
 return bus_log_create_error(r);
 }
 
+ if (p->exec_start_pre) {
+ r = message_add_commands(m, "ExecStartPre", &p->exec_start_pre, 1);
+ if (r < 0)
+ return r;
+ }
+
 r = message_add_commands(m, "ExecStart", &p->exec_start, 1);
 if (r < 0)
 return r;
diff --git a/src/vmspawn/vmspawn-scope.h b/src/vmspawn/vmspawn-scope.h
index b807c3b2030..74c75117f08 100644
--- a/src/vmspawn/vmspawn-scope.h
+++ b/src/vmspawn/vmspawn-scope.h
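Review bot: The `ExecStartPre` block is the only command in start_socket_service_pair() that is added conditionally, and nothing in the hunk says why; a one-line comment above `if (p->exec_start_pre) {`, `/* ExecStartPre= is optional: a NULL strv means the service needs no pre-start step */`, would record the contract that socket_service_pair_done() in the previous hunk and the callers rely on. Whether a failing pre-start command aborts the service or is ignored is decided inside message_add_commands(), whose body lies outside this hunk; since the only pre-command this patch adds provisions the TPM state the service depends on, it is worth confirming that a failure there is fatal rather than ignored. start_socket_service_pair() begins and ends outside the hunk.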
@@ -8,6 +8,7 @@
 #include "macro.h"
 
 typedef struct SocketServicePair {
+ char **exec_start_pre;
 char **exec_start;
 char **exec_stop_post;
 char *unit_name_prefix;
diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index 9d8c063e98e..a07136ed2fc 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -679,6 +679,15 @@ static int start_tpm(
 if (!ssp.listen_address)
 return log_oom();
 
+ _cleanup_free_ char *swtpm_setup = NULL;
+ r = find_executable("swtpm_setup", &swtpm_setup);
+ if (r < 0)
+ return log_error_errno(r, "Failed to find swtpm_setup binary: %m");
+
+ ssp.exec_start_pre = strv_new(swtpm_setup, "--tpm-state", state_dir, "--tpm2", "--pcr-banks", "sha256");
+ if (!ssp.exec_start_pre)
+ return log_oom();
+
 ssp.exec_start = strv_new(swtpm, "socket", "--tpm2", "--tpmstate");
 if (!ssp.exec_start)
 return log_oom();
-- 
2.47.3
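Review bot: The new `exec_start_pre` field is undocumented, so a reader of the header cannot tell that NULL is a valid value; `char **exec_start_pre; /* optional; NULL means no ExecStartPre= command */` records the contract that start_socket_service_pair() in vmspawn-scope.c relies on with its `if (p->exec_start_pre)` guard. The struct definition continues past the hunk.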
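Review bot: `swtpm_setup` is told where the state lives but not what to do if `state_dir` already holds TPM state from an earlier run; per its documented options it refuses to touch existing state unless given `--not-overwrite` (keep it, exit 0) or `--overwrite` (re-provision), so if the directory persists across invocations the `ExecStartPre=` would fail and take the TPM service down with it — please confirm the lifetime of `state_dir`, which is set up outside the hunk. If the state is meant to survive across VM starts, `"--not-overwrite"` appended to the `strv_new()` argument list is the variant that preserves the VM's existing TPM identity (EK/SRK, NV storage) and bank configuration, whereas `--overwrite` would silently reset both. The `"--pcr-banks", "sha256"` choice is explained only in the commit message; a comment above the `strv_new()` call, `/* Enable only the SHA256 PCR bank: hashing every measurement into four banks slows boot, SHA1 is obsolete, and nothing here consumes SHA384/SHA512. */`, keeps the rationale next to the code. start_tpm() starts and ends outside the hunk.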