['systemd-path', '1', [], ''],
['systemd-pcrphase.service',
'8',
- ['systemd-pcrphase', 'systemd-pcrphase-initrd.service'],
+ ['systemd-pcrphase',
+ 'systemd-pcrphase-initrd.service',
+ 'systemd-pcrphase-sysinit.service'],
'HAVE_GNU_EFI'],
['systemd-portabled.service', '8', ['systemd-portabled'], 'ENABLE_PORTABLED'],
['systemd-pstore.service', '8', ['systemd-pstore'], 'ENABLE_PSTORE'],
into PCR 11 during different milestones of the boot process. This switch may be specified multiple
times to calculate PCR values for multiple boot phases at once. If not used defaults to
<literal>enter-initrd</literal>, <literal>enter-initrd:leave-initrd</literal>,
- <literal>enter-initrd:leave-initrd:ready</literal>, i.e. calculates expected PCR values for the boot
- phase in the initrd, during early boot, and during system runtime, but excluding the phases before
- the initrd or when shutting down. This setting is honoured both by <command>calculate</command> and
- <command>sign</command>. When used with the latter it's particularly useful for generating PCR
- signatures that can only be used for unlocking resources during specific parts of the boot
- process.</para>
+ <literal>enter-initrd:leave-initrd:sysinit</literal>,
+ <literal>enter-initrd:leave-initrd:sysinit:ready</literal>, i.e. calculates expected PCR values for
+ the boot phase in the initrd, during early boot, during later boot, and during system runtime, but
+ excluding the phases before the initrd or when shutting down. This setting is honoured both by
+ <command>calculate</command> and <command>sign</command>. When used with the latter it's particularly
+ useful for generating PCR signatures that can only be used for unlocking resources during specific
+ parts of the boot process.</para>
<para>For further details about PCR boot phases, see
<citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
<refnamediv>
<refname>systemd-pcrphase.service</refname>
+ <refname>systemd-pcrphase-sysinit.service</refname>
<refname>systemd-pcrphase-initrd.service</refname>
<refname>systemd-pcrphase</refname>
- <refpurpose>Mark current boot process as successful</refpurpose>
+ <refpurpose>Measure boot phase into TPM2 PCR 11</refpurpose>
</refnamediv>
<refsynopsisdiv>
<refsect1>
<title>Description</title>
- <para><filename>systemd-pcrphase.service</filename> and
+ <para><filename>systemd-pcrphase.service</filename>,
+ <filename>systemd-pcrphase-sysinit.service</filename> and
<filename>systemd-pcrphase-initrd.service</filename> are system services that measure specific strings
- into TPM2 PCR 11 during boot.</para>
+ into TPM2 PCR 11 during boot at various milestones of the boot process.</para>
<para>These services require
<citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> to be
barrier between kernel/initrd code and host OS code. (This string is extended at stop of
<filename>systemd-pcrphase-initrd.service</filename>.)</para></listitem>
+ <listitem><para><literal>sysinit</literal> is extended into PCR 11 when basic system initialization is
+ complete (which includes local file systems have been mounted), and the system begins starting regular
+ system services. (This string is extended at start of
+ <filename>systemd-pcrphase-sysinit.service</filename>.)</para></listitem>
+
<listitem><para><literal>ready</literal> is extended into PCR 11 during later boot-up, after remote
file systems have been activated (i.e. after <filename>remote-fs.target</filename>), but before users
are permitted to log in (i.e. before <filename>systemd-user-sessions.service</filename>). It is
log in and where they are allowed to log in. (This string is extended at start of
<filename>systemd-pcrphase.service</filename>.)</para></listitem>
- <listitem><para><literal>shutdown</literal> is extended into PCR 11 during system shutdown. It is
+ <listitem><para><literal>shutdown</literal> is extended into PCR 11 when system shutdown begins. It is
supposed to act as barrier between the time the system is fully up and running and where it is about to
shut down. (This string is extended at stop of
<filename>systemd-pcrphase.service</filename>.)</para></listitem>
+
+ <listitem><para><literal>final</literal> is extended into PCR 11 at the end of system shutdown. It is
+ supposed to act as barrier between the time the service manager still runs and when it transitions into
+ the final boot phase where service management is not available anymore. (This string is extended at
+ stop of <filename>systemd-pcrphase-sysinit.service</filename>.)</para></listitem>
+
</orderedlist>
<para>During a regular system lifecycle, the strings <literal>enter-initrd</literal> →
- <literal>leave-initrd</literal> → <literal>ready</literal> → <literal>shutdown</literal> are extended into
- PCR 11, one after the other.</para>
+ <literal>leave-initrd</literal> → <literal>sysinit</literal> → <literal>ready</literal> →
+ <literal>shutdown</literal> → <literal>final</literal> are extended into PCR 11, one after the
+ other.</para>
<para>Specific phases of the boot process may be referenced via the series of strings measured, separated
by colons (the "boot path"). For example, the boot path for the regular system runtime is
- <literal>enter-initrd:leave-initrd:ready</literal>, while the one for the initrd is just
+ <literal>enter-initrd:leave-initrd:sysinit:ready</literal>, while the one for the initrd is just
<literal>enter-initrd</literal>. The boot path for the the boot phase before the initrd, is an empty
string; because that's hard to pass around a single colon (<literal>:</literal>) may be used
- instead. Note that the aforementioned four strings are just the default strings and individual systems
+ instead. Note that the aforementioned six strings are just the default strings and individual systems
might measure other strings at other times, and thus implement different and more fine-grained boot
phases to bind policy to.</para>
if (strv_extend_strv(&arg_phase,
STRV_MAKE("enter-initrd",
"enter-initrd:leave-initrd",
- "enter-initrd:leave-initrd:ready"),
+ "enter-initrd:leave-initrd:sysinit",
+ "enter-initrd:leave-initrd:sysinit:ready"),
/* filter_duplicates= */ false) < 0)
return log_oom();
} else {
['user@.service', ''],
['systemd-pcrphase-initrd.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2 ENABLE_INITRD',
'initrd.target.wants/'],
+ ['systemd-pcrphase-sysinit.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
+ 'sysinit.target.wants/'],
['systemd-pcrphase.service', 'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
'sysinit.target.wants/'],
]
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=TPM2 PCR Barrier (Initialization)
+Documentation=man:systemd-pcrphase-sysinit.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=basic.target shutdown.target
+AssertPathExists=!/etc/initrd-release
+ConditionSecurity=tpm2
+ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase sysinit
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase final
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Barrier (Host)
+Description=TPM2 PCR Barrier (User)
Documentation=man:systemd-pcrphase.service(8)
After=remote-fs.target remote-cryptsetup.target
Before=systemd-user-sessions.service
projects / thirdparty / systemd.git / commitdiff
