]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b493502)
units: measure "factory-reset" into PCR 11 when we request factory reset 36543/head
authorLennart Poettering <lennart@poettering.net>
Thu, 27 Feb 2025 11:41:57 +0000 (12:41 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 27 Feb 2025 12:20:23 +0000 (13:20 +0100)
Let's make sure that the moment where factory reset is requested is
visible in the TPM PCR state, so that access to secrets is terminated.

This is particulary interesting when the system is booted with
systemd.unit=factory-reset.target on the kernel command line, requesting
a factory reset on the following boot. The preparations done in
userspace should already lose access to the TPM in that case.

units/meson.build patch | blob | blame | history
units/systemd-pcrphase-factory-reset.service.in [new file with mode: 0644] patch | blob

diff --git a/units/meson.build b/units/meson.build
index 7c4650511cd5452f0c705d544e7329701550224e..bd7f5a0724cbc2783b3273ead485e04cf22547a5 100644 (file)
--- a/units/meson.build
+++ b/units/meson.build
@@ -532,6 +532,11 @@ units = [
           'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
           'symlinks' : ['sysinit.target.wants/'],
         },
+        {
+          'file' : 'systemd-pcrphase-factory-reset.service.in',
+          'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
+          'symlinks' : ['factory-reset.target.wants/'],
+        },
         {
           'file' : 'systemd-pcrphase-initrd.service.in',
           'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2', 'ENABLE_INITRD'],
diff --git a/units/systemd-pcrphase-factory-reset.service.in b/units/systemd-pcrphase-factory-reset.service.in
new file mode 100644 (file)
index 0000000..6267336
--- /dev/null
+++ b/units/systemd-pcrphase-factory-reset.service.in
@@ -0,0 +1,22 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=TPM PCR Barrier (Factory Reset)
+Documentation=man:systemd-pcrphase-factory-reset.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=tpm2.target
+Before=shutdown.target factory-reset.target
+ConditionSecurity=measured-uki
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful factory-reset
Unnamed repository; edit this file 'description' to name the repository.