pcrphase: rename binary to pcrextend
authorLennart Poettering <lennart@poettering.net>
Mon, 25 Sep 2023 08:38:01 +0000 (10:38 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 25 Sep 2023 15:17:20 +0000 (17:17 +0200)
The tool initially just measured the boot phase, but was subsequently
extended to measure file system and machine IDs, too. At AllSystemsGo
there were requests to add more, and make the tool generically
accessible.

Hence, let's rename the binary (but not the pcrphase services), to make
clear the tool is not just measuring the boot phase, but a lot of other
things too.

The tool is located in /usr/lib/ and still relatively new, hence let's
just rename the binary and be done with it, while keeping the unit names
stable.

While we are at it, also move the tool out of src/boot/ and into its own
src/pcrextend/ dir, since it's not really doing boot related stuff
anymore.

16 files changed:
TODO
docs/ENVIRONMENT.md
man/rules/meson.build
man/systemd-measure.xml
man/systemd-pcrphase.service.xml
meson.build
src/boot/meson.build
src/pcrextend/meson.build [new file with mode: 0644]
src/pcrextend/pcrextend.c [moved from src/boot/pcrphase.c with 98% similarity]
test/units/testsuite-70.sh
units/systemd-pcrfs-root.service.in
units/systemd-pcrfs@.service.in
units/systemd-pcrmachine.service.in
units/systemd-pcrphase-initrd.service.in
units/systemd-pcrphase-sysinit.service.in
units/systemd-pcrphase.service.in

diff --git a/TODO b/TODO
index e1c031addccef605c43c7fc8ddb82c17dab40ede..4d25289339b2f90dbe5d2db100f243bbfa463fec 100644 (file)
--- a/TODO
+++ b/TODO
@@ -144,7 +144,7 @@ Features:
 * automatically mount one virtiofs during early boot phase to /run/host/,
   similar to how we do that for nspawn, based on some clear tag.
 
-* make systemd-pcrphase accessible via varlink so that clients can measure
+* make systemd-pcrextend accessible via varlink so that clients can measure
   things reasonably freely, and get a proper entry in the TPM event log we
   maintain, correctly synchronized
 
index bbbef251594f460023bcf36a261d5f49d9bc60de..7517d15fdabe208dfe763d7fc01fd027366b1380 100644 (file)
@@ -536,7 +536,7 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
 * `$SYSTEMD_CATALOG_SOURCES` – path to the catalog database input source
   directory to use for `journalctl --update-catalog`.
 
-`systemd-pcrphase`, `systemd-cryptsetup`:
+`systemd-pcrextend`, `systemd-cryptsetup`:
 
 * `$SYSTEMD_FORCE_MEASURE=1` — If set, force measuring of resources (which are
   marked for measurement) even if not booted on a kernel equipped with
index 2884cc32b41a0911b24e0af0a1c91886a669ff3e..5f840f5afdfed76cdcea8a04e6733f1aadedeea8 100644 (file)
@@ -1005,10 +1005,10 @@ manpages = [
  ['systemd-path', '1', [], ''],
  ['systemd-pcrphase.service',
   '8',
-  ['systemd-pcrfs-root.service',
+  ['systemd-pcrextend',
+   'systemd-pcrfs-root.service',
    'systemd-pcrfs@.service',
    'systemd-pcrmachine.service',
-   'systemd-pcrphase',
    'systemd-pcrphase-initrd.service',
    'systemd-pcrphase-sysinit.service'],
   'ENABLE_BOOTLOADER'],
index 3568fb54350fc09825f628cf9ac09644fb7349ea..55ec696d8c58ff76c6d736cb67837b66db8ab4bc 100644 (file)
         <listitem><para>Controls which boot phases to calculate expected PCR 11 values for. This takes a
         series of colon-separated strings that encode boot "paths" for entering a specific phase of the boot
         process. Each of the specified strings is measured by the
-        <filename>systemd-pcrphase-initrd.service</filename> and
+        <filename>systemd-pcrphase-initrd.service</filename>,
+        <filename>systemd-pcrphase-sysinit.service</filename>, and
         <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
         into PCR 11 during different milestones of the boot process. This switch may be specified multiple
         times to calculate PCR values for multiple boot phases at once. If not used defaults to
index f6e7bba9d1ff4831b209323ef7199759103b2794..93d27019cb9e7b791862398ff6f8be3d203430cc 100644 (file)
@@ -23,7 +23,7 @@
     <refname>systemd-pcrmachine.service</refname>
     <refname>systemd-pcrfs-root.service</refname>
     <refname>systemd-pcrfs@.service</refname>
-    <refname>systemd-pcrphase</refname>
+    <refname>systemd-pcrextend</refname>
     <refpurpose>Measure boot phase into TPM2 PCR 11, machine ID and file system identity into PCR 15</refpurpose>
   </refnamediv>
 
@@ -34,7 +34,7 @@
     <para><filename>systemd-pcrmachine.service</filename></para>
     <para><filename>systemd-pcrfs-root.service</filename></para>
     <para><filename>systemd-pcrfs@.service</filename></para>
-    <para><filename>/usr/lib/systemd/systemd-pcrphase</filename> <optional><replaceable>STRING</replaceable></optional></para>
+    <para><filename>/usr/lib/systemd/systemd-pcrextend</filename> <optional><replaceable>STRING</replaceable></optional></para>
   </refsynopsisdiv>
 
   <refsect1>
   <refsect1>
     <title>Options</title>
 
-    <para>The <filename>/usr/lib/systemd/system-pcrphase</filename> executable may also be invoked from the
+    <para>The <filename>/usr/lib/systemd/system-pcrextend</filename> executable may also be invoked from the
     command line, where it expects the word to extend into PCR 11, as well as the following switches:</para>
 
     <variablelist>
index bf25bcba43ed6fbe5a7d8ee538b08b9053d53530..381e2a8c4e1f6089ea84d6536153e7d57506df65 100644 (file)
@@ -2158,6 +2158,7 @@ subdir('src/nss-systemd')
 subdir('src/oom')
 subdir('src/partition')
 subdir('src/path')
+subdir('src/pcrextend')
 subdir('src/portable')
 subdir('src/pstore')
 subdir('src/quotacheck')
index fdccb2a428abb36826a44ffa087be13ab485420b..43ff3a5982843e69d4f0701d184fdfdc593b679a 100644 (file)
@@ -64,21 +64,6 @@ executables += [
                 'sources' : files('measure.c'),
                 'dependencies' : libopenssl,
         },
-        libexec_template + {
-                'name' : 'systemd-pcrphase',
-                'conditions' : [
-                        'HAVE_BLKID',
-                        'ENABLE_BOOTLOADER',
-                        'HAVE_OPENSSL',
-                        'HAVE_TPM2',
-                ],
-                'sources' : files('pcrphase.c'),
-                'dependencies' : [
-                        libblkid,
-                        libopenssl,
-                        tpm2,
-                ],
-        },
         libexec_template + {
                 'name' : 'systemd-boot-check-no-failures',
                 'sources' : files('boot-check-no-failures.c'),
diff --git a/src/pcrextend/meson.build b/src/pcrextend/meson.build
new file mode 100644 (file)
index 0000000..05c5350
--- /dev/null
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+executables += [
+        libexec_template + {
+                'name' : 'systemd-pcrextend',
+                'conditions' : [
+                        'HAVE_BLKID',
+                        'ENABLE_BOOTLOADER',
+                        'HAVE_OPENSSL',
+                        'HAVE_TPM2',
+                ],
+                'sources' : files('pcrextend.c'),
+                'dependencies' : [
+                        libblkid,
+                        libopenssl,
+                        tpm2,
+                ],
+        },
+]
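Review bot: The `'ENABLE_BOOTLOADER'` entry in `'conditions'` keeps the renamed tool tied to the boot loader build option, even though the commit moves it out of src/boot/ on the grounds that it is no longer boot-specific. If the coupling is intentional (the man page entry is gated the same way, and the units are conditioned on the StubPcrKernelImage EFI variable), a comment above the list would record that, e.g. `# still gated on ENABLE_BOOTLOADER: the calling units rely on systemd-stub measurements`. Otherwise a build without the boot loader would presumably ship no tool to extend PCR 15 with the machine ID or file system identity, and nothing in the build would say why.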
similarity index 98%
rename from src/boot/pcrphase.c
rename to src/pcrextend/pcrextend.c
index 8e57c827a725c5c6532cc446a62fb596428a0b5a..74021374d3253120f4208737fecba72d41808347 100644 (file)
@@ -35,14 +35,14 @@ static int help(int argc, char *argv[], void *userdata) {
         _cleanup_free_ char *link = NULL;
         int r;
 
-        r = terminal_urlify_man("systemd-pcrphase", "8", &link);
+        r = terminal_urlify_man("systemd-pcrextend", "8", &link);
         if (r < 0)
                 return log_oom();
 
         printf("%1$s  [OPTIONS...] WORD\n"
                "%1$s  [OPTIONS...] --file-system=PATH\n"
                "%1$s  [OPTIONS...] --machine-id\n"
-               "\n%5$sMeasure boot phase into TPM2 PCR 11.%6$s\n"
+               "\n%5$sExtend a TPM2 PCR with boot phase, machine ID, or file system ID.%6$s\n"
                "\n%3$sOptions:%4$s\n"
                "  -h --help              Show this help\n"
                "     --version           Print version\n"
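Review bot: The new summary line in help(), `Extend a TPM2 PCR with boot phase, machine ID, or file system ID.`, no longer says which PCR each mode extends, while the man page's refpurpose still names PCR 11 for the boot phase and PCR 15 for machine ID and file system identity. Anyone binding a TPM2 policy to these measurements needs the index, so unless the option text further down (outside this hunk) states it, I would keep it in the summary, e.g. `Extend TPM2 PCR 11 with a boot phase word, or PCR 15 with machine ID or file system identity.` help() starts and ends outside the hunk.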
index 6480c46bf8c90716c9e5e92a4a60ca992c3b2380..3c534235730aebe6758c6012d3115fb8d73086e6 100755 (executable)
@@ -5,7 +5,7 @@ set -o pipefail
 
 SD_CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
 SD_MEASURE="/usr/lib/systemd/systemd-measure"
-SD_PCRPHASE="/usr/lib/systemd/systemd-pcrphase"
+SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
 export SYSTEMD_LOG_LEVEL=debug
 
 cryptsetup_has_token_plugin_support() {
@@ -249,12 +249,12 @@ else
     echo "$SD_MEASURE or PCR sysfs files not found, skipping signed PCR policy test case"
 fi
 
-if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
+if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; then
     # Let's measure the machine ID
     tpm2_pcrread sha256:15 -Q -o /tmp/oldpcr15
     mv /etc/machine-id /etc/machine-id.save
     echo 994013bf23864ee7992eab39a96dd3bb >/etc/machine-id
-    SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" --machine-id
+    SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" --machine-id
     mv /etc/machine-id.save /etc/machine-id
     tpm2_pcrread sha256:15 -Q -o /tmp/newpcr15
 
@@ -270,7 +270,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
 
     # And similar for the boot phase measurement into PCR 11
     tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
-    SYSTEMD_FORCE_MEASURE=1 "$SD_PCRPHASE" foobar
+    SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar
     tpm2_pcrread sha256:11 -Q -o /tmp/newpcr11
 
     diff /tmp/newpcr11 \
@@ -284,7 +284,7 @@ if [[ -x "$SD_PCRPHASE" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; th
 
     rm -f /tmp/oldpcr11 /tmp/newpcr11
 else
-    echo "$SD_PCRPHASE or PCR sysfs files not found, skipping PCR extension test case"
+    echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension test case"
 fi
 
 # Ensure that sandboxing doesn't stop creds from being accessible
index da3438c576c6f187010a68ffc2c3fa82b7726496..d7941fc1f655adea2d75055d2c3284ac886b58af 100644 (file)
@@ -21,4 +21,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=/
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=/
index 59a3ece3c5cc84894f9c6535679383ffb3a77154..9ada988f5bdcbf0d8b5fce926b17946429a5e16b 100644 (file)
@@ -22,4 +22,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --file-system=%f
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=%f
index 544edb4b7b25a893cbc7ac2512f279fd7c818f94..9088a66acff459454aff69667b26b702d3c2d907 100644 (file)
@@ -20,4 +20,4 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful --machine-id
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --machine-id
index 69dcbceaac78706bdb9b22530f332e2039d7912b..357c7c58696a4f91dce570f8eef0b61f913196d6 100644 (file)
@@ -20,5 +20,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful enter-initrd
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful leave-initrd
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful enter-initrd
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful leave-initrd
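Review bot: `--graceful` on these `ExecStart=`/`ExecStop=` lines is handled by the tool itself, so it cannot cover the case where the executable is absent, and the commit drops the old path without a compatibility name. An initrd generator or packaging script that still installs the binary under its old name would presumably leave this unit failing at exec, so the `enter-initrd` and `leave-initrd` words would never reach PCR 11. The file list shows no NEWS change; I would add an entry for packagers such as `* The systemd-pcrphase binary has been renamed to systemd-pcrextend (unit names are unchanged); initrd generators that install it by name need updating.` The same applies to the other five unit files in this commit.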
index 55fae49aa860e46e232017ebfe0d029f812efe73..5ca986fdf739543e51a993059b847cd125c7a485 100644 (file)
@@ -21,5 +21,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful sysinit
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful final
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful sysinit
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful final
index c5170cec93b0eeb98273a3b34d074ffdc5c2b3bb..88d41c2c5d52f2513b0194ee55a4000a9c2c149a 100644 (file)
@@ -19,5 +19,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrphase --graceful ready
-ExecStop={{LIBEXECDIR}}/systemd-pcrphase --graceful shutdown
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful ready
+ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful shutdown