tpm2-setup-early: order against pcrphase-initrd

Right now systemd-tpm2-setup-early and systemd-pcrphase-initrd.service
are not ordered against each other. However, they require the same slow
resource to operate: the TPM2. If we allow them to access the device
simultaneously, the kernel resource manager like has to save/restore TPM
state while they operate, slowing things down further.

hence, let's avoid all this mess, and just order them against each other
so that the shared resource is first used in full by one and then by the
other.

I opted to order systemd-pcrphase-initrd before
systemd-tpm2-setup-early, since there's value in having the former as
early as possible in userspace, to be a good marker for the transition
from kernel to first userspace. I can see no benefit in the opposite
order however.

diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 9574ffd2895fe98d103b1f5848b2eb015a037342..9982c84aba086284be30b82f2d5adb48022b212a 100644 (file)
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -12,10 +12,10 @@ Description=Early TPM SRK Setup
 Documentation=man:systemd-tpm2-setup.service(8)
 DefaultDependencies=no
 Conflicts=shutdown.target
+After=tpm2.target systemd-pcrphase-initrd.service
 Before=sysinit.target shutdown.target
 ConditionSecurity=measured-uki
 ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
-After=tpm2.target
 
 [Service]
 Type=oneshot