tpm2: move measurement log to /run/log/ (from /var/log/)

I have no idea what went on in my mind when I used a path in /var/ for
the tpm2 event log we now keep for userspace measurements. The
measurements are only valid for the current boot, hence should not be
persisted (in particular as they cannot be rotated, hence should not
grow without bounds).

Fix that, simply move from /var/log/ to /run/log/.

diff --git a/man/systemd-pcrphase.service.xml b/man/systemd-pcrphase.service.xml
index fe7b58933bffffeb2a204463a6f9fa276fd5ddc9..ca037584cf420a30b91c5941a8428cef6fd8c9b3 100644 (file)
--- a/man/systemd-pcrphase.service.xml
+++ b/man/systemd-pcrphase.service.xml
@@ -209,10 +209,10 @@
 
     <variablelist>
       <varlistentry>
-        <term><filename>/var/log/systemd/tpm2-measure.log</filename></term>
+        <term><filename>/run/log/systemd/tpm2-measure.log</filename></term>
 
         <listitem><para>Measurements are logged into an event log file maintained in
-        <filename>/var/log/systemd/tpm2-measure.log</filename>, which contains a <ulink
+        <filename>/run/log/systemd/tpm2-measure.log</filename>, which contains a <ulink
         url="https://www.rfc-editor.org/rfc/rfc7464.html">JSON-SEQ</ulink> series of objects that follow the
         general structure of the <ulink
         url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Common Event Log

diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index c78d6ae65af9553a24d187b56bf9b473c0bd381e..9cab153e45f24d99dde69acd840c815574188bf1 100644 (file)
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -4305,7 +4305,7 @@ static const char* tpm2_userspace_event_type_table[_TPM2_USERSPACE_EVENT_TYPE_MA
 DEFINE_STRING_TABLE_LOOKUP(tpm2_userspace_event_type, Tpm2UserspaceEventType);
 
 const char *tpm2_userspace_log_path(void) {
-        return secure_getenv("SYSTEMD_MEASURE_LOG_USERSPACE") ?: "/var/log/systemd/tpm2-measure.log";
+        return secure_getenv("SYSTEMD_MEASURE_LOG_USERSPACE") ?: "/run/log/systemd/tpm2-measure.log";
 }
 
 static int tpm2_userspace_log_open(void) {

diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index faa9db7cdd06e36626a9a2603c1c2185234c8b87..7f7183da08b50aa655dbc4dd371865c169b54a14 100755 (executable)
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -264,8 +264,8 @@ if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; t
     rm -f /tmp/oldpcr15 /tmp/newpcr15
 
     # Check that the event log record was properly written:
-    test "$(jq --seq --slurp '.[0].pcr' < /var/log/systemd/tpm2-measure.log)" == "$(printf '\x1e15')"
-    test "$(jq --seq --slurp --raw-output '.[0].digests[1].digest' < /var/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "machine-id:994013bf23864ee7992eab39a96dd3bb" | openssl dgst -hex -sha256 -r)"
+    test "$(jq --seq --slurp '.[0].pcr' < /run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e15')"
+    test "$(jq --seq --slurp --raw-output '.[0].digests[1].digest' < /run/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "machine-id:994013bf23864ee7992eab39a96dd3bb" | openssl dgst -hex -sha256 -r)"
 
     # And similar for the boot phase measurement into PCR 11
     tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
@@ -276,10 +276,10 @@ if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; t
         <(cat /tmp/oldpcr11 <(echo -n "foobar" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
 
     # Check the event log for the 2nd record
-    jq --seq --slurp < /var/log/systemd/tpm2-measure.log
+    jq --seq --slurp < /run/log/systemd/tpm2-measure.log
 
-    test "$(jq --seq --slurp .[1].pcr < /var/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')"
-    test "$(jq --seq --slurp --raw-output .[1].digests[0].digest < /var/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "foobar" | openssl dgst -hex -sha256 -r)"
+    test "$(jq --seq --slurp .[1].pcr < /run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')"
+    test "$(jq --seq --slurp --raw-output .[1].digests[0].digest < /run/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "foobar" | openssl dgst -hex -sha256 -r)"
 
     rm -f /tmp/oldpcr11 /tmp/newpcr11
 else