units: measure /etc/machine-id into PCR 15 during early boot

We want PCR 15 to be useful for binding per-system policy to. Let's
measure the machine ID into it, to ensure that every OS we can
distinguish will get a different PCR (even if the root disk encryption
key is already measured into it).

diff --git a/units/meson.build b/units/meson.build
index 69197f0c47ce1cc532713f5495fdf59c43e4e280..48b24f05c125905454fb0b745c0df35bf8831f84 100644 (file)
--- a/units/meson.build
+++ b/units/meson.build
@@ -265,6 +265,8 @@ in_units = [
          'sysinit.target.wants/'],
         ['systemd-pcrphase.service',             'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
          'sysinit.target.wants/'],
+        ['systemd-pcrmachine.service',           'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
+         'sysinit.target.wants/'],
 ]
 
 add_wants = []

diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in
new file mode 100644 (file)
index 0000000..e154a7e
--- /dev/null
+++ b/units/systemd-pcrmachine.service.in
@@ -0,0 +1,23 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=TPM2 PCR Machine ID Measurement
+Documentation=man:systemd-pcrmachine.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+AssertPathExists=!/etc/initrd-release
+ConditionSecurity=tpm2
+ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --machine-id