PCR extensions are supposed to be useful for "destroying" the ability to
access TPM-bound secrets. Hence, if for some reason we fail to extend a
PCR, it's safer to just reboot, instead of going on without the
extension, leaving secrets potentially accessible which should not be
accessible.
Note that the services exit gracefully if no TPM is found, hence this
should not be triggered on TPM-less systems. However, this enforces that
if there is a TPM that is accessible to Linux and that works properly,
the PCR measurement must complete too.
Inspired by this thread:
https://lists.freedesktop.org/archives/systemd-devel/2025-March/051244.html
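The invariant this change establishes is easy to lose again when a unit is edited, because systemd only warns about a `FailureAction=` that lands in the wrong section. The lint below is an added example, not systemd's own code or tooling: it parses unit-file text and reports any unit gated on `ConditionSecurity=measured-uki` that does not carry `FailureAction=reboot-force` in `[Unit]`. The unit texts are constructed for the example (the `ExecStart=` path is illustrative), and the parser is deliberately minimal, handling sections, repeated keys and comments but not line continuations or drop-in directories.

```python
"""Fail-closed PCR policy lint (added example, not part of systemd).

Checks that every unit gated on ConditionSecurity=measured-uki carries
FailureAction=reboot-force in its [Unit] section. The parser is minimal:
sections, repeated keys and comments only; no line continuations and no
drop-in directories. All unit texts below are constructed for this example.
"""

from typing import Dict, List

UnitFile = Dict[str, Dict[str, List[str]]]


def parse_unit(text: str) -> UnitFile:
    """Parse unit-file text into {section: {key: [value, ...]}}.

    Values are kept as lists because systemd allows most settings to be
    repeated; for single-valued settings the last assignment wins, which
    callers read via values[-1].
    """
    sections: UnitFile = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def check_fail_closed(name: str, text: str) -> List[str]:
    """Return policy findings for one unit; an empty list means compliant."""
    unit = parse_unit(text)
    u = unit.get("Unit", {})
    svc = unit.get("Service", {})
    # Only measurement units are in scope; anything else is left alone.
    if "measured-uki" not in u.get("ConditionSecurity", []):
        return []
    findings: List[str] = []
    if svc.get("Type", ["simple"])[-1] != "oneshot":
        findings.append(f"{name}: expected Type=oneshot for a PCR extension unit")
    actions = u.get("FailureAction", [])
    if not actions:
        findings.append(f"{name}: missing FailureAction=, a failed PCR extension would be ignored")
    elif actions[-1] != "reboot-force":
        findings.append(f"{name}: FailureAction={actions[-1]}, expected reboot-force")
    # systemd ignores a key in the wrong section with only a warning, so a
    # FailureAction= under [Service] silently does nothing: flag it.
    if "FailureAction" in svc:
        findings.append(f"{name}: FailureAction= under [Service] is ignored; move it to [Unit]")
    return findings


def lint_units(units: Dict[str, str]) -> List[str]:
    """Lint several {name: text} units and collect every finding."""
    findings: List[str] = []
    for name, text in sorted(units.items()):
        findings.extend(check_fail_closed(name, text))
    return findings


# Constructed unit texts: the first mirrors a unit after the patch, the
# second the same unit before it, the third a mis-edited variant.
AFTER_PATCH = """\
[Unit]
Description=TPM PCR Barrier (example)
DefaultDependencies=no
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
FailureAction=reboot-force

[Service]
Type=oneshot
ExecStart=/usr/lib/systemd/systemd-pcrextend --graceful sysinit
"""

BEFORE_PATCH = AFTER_PATCH.replace("FailureAction=reboot-force\n", "")

WRONG_SECTION = BEFORE_PATCH.replace(
    "Type=oneshot\n", "Type=oneshot\nFailureAction=reboot-force\n")

UNRELATED = "[Unit]\nDescription=Not a measurement unit\n\n[Service]\nType=simple\n"

if __name__ == "__main__":
    for finding in lint_units({"after": AFTER_PATCH, "before": BEFORE_PATCH,
                               "wrong-section": WRONG_SECTION, "other": UNRELATED}):
        print(finding)
```

Run against a real tree by reading each `units/*.service*` file into the dictionary passed to `lint_units`; the check is intentionally scoped by the `measured-uki` condition so that unrelated oneshot services are not reported.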
Before=shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
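Review bot: the `+FailureAction=reboot-force` added here has no guard against a reboot loop. The `ConditionSecurity=measured-uki` line only establishes that the UKI was measured at boot; if a TPM is present but the extension then fails persistently (a driver or hardware fault that survives reboots), this `Type=oneshot` service fails on every boot and forces a reboot every time, which is fail-closed as the commit message intends but leaves the machine unbootable. The commit message or the unit's man page should say so and name the escape hatch, masking the unit from the kernel command line with `systemd.mask=`, so an administrator is not left guessing.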
Before=shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
Before=sysinit.target shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
After=tpm2.target
Before=shutdown.target factory-reset.target
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
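Review bot: this hunk differs from the others in two ways that matter for `FailureAction=reboot-force`: no `ConditionPathExists=` on `/etc/initrd-release` is visible in its context, so the unit is not restricted to the initrd or the host, and it is ordered `After=tpm2.target` and `Before=shutdown.target factory-reset.target`. A failed extension here would therefore force a reboot in the middle of a factory reset rather than let the reset finish; if that is intended, say so in the commit message, otherwise this unit may want the orderly `FailureAction=reboot` or to be left out of the change.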
Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target systemd-sysext.service
ConditionPathExists=/etc/initrd-release
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
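Review bot: because this unit is ordered `Before=cryptsetup-pre.target cryptsetup.target`, the forced reboot added here fires before any volume is unlocked, so on a measured-UKI boot a broken TPM now also blocks a manual recovery passphrase, even though the commit message only argues for protecting TPM-bound secrets. That is a deliberate tightening, but it is a behaviour change users will hit at the worst moment; document it in the man page and NEWS, together with `rd.systemd.mask=` as the way to get past it from the boot loader.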
Before=shutdown.target
ConditionPathExists=/etc/initrd-release
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
Before=basic.target shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
Before=systemd-user-sessions.service
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
+FailureAction=reboot-force
[Service]
Type=oneshot
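Review bot: this is the latest-ordered unit in the set (`Before=systemd-user-sessions.service`), and two things about `reboot-force` deserve a sentence in the commit message. First, by this point in boot many services are already running, and `reboot-force` kills them without running the shutdown transaction, whereas `FailureAction=reboot` would still fail closed but stop them cleanly. Second, if this unit also extends a PCR from an `ExecStop=` at shutdown, which is outside this hunk, a failure of that stop during a poweroff would put the unit into the failed state and, unless systemd suppresses `FailureAction=` once a shutdown is in progress, turn the poweroff into a forced reboot; please confirm that case was considered.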