tmpfiles: copy PCR sig/pkey from initrd /.extra/ into /run/

Now that sd-stub will place the PCR signature and its public key in
the initrd's /.extra/ directory, let's copy it from there into /run/
from userspace. This is done because /.extra/ is on the initrd's tmpfs
which will be emptied during the initrd → host transition. Since we want
these two files to survive we'll copy them – if they exist – into /run/
where they will survive the transition.

Thus, with this last change the files will have safely propagated from
their PE sections into files in /run/ where userspace can find them

The paths in /run/ happen to be the exact ones that
systemd-cryptenroll/systemd-cryptsetup/systemd-creds look for them.

diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in
index e23e10278239828bebc78b3d1bb33ea9dfc93c4a..d267a6b2e657699f6e529f4ff5053f6bab444e94 100644 (file)
--- a/tmpfiles.d/systemd.conf.in
+++ b/tmpfiles.d/systemd.conf.in
@@ -64,3 +64,9 @@ d /var/lib/systemd/coredump 0755 root root 3d
 d /var/lib/private 0700 root root -
 d /var/log/private 0700 root root -
 d /var/cache/private 0700 root root -
+
+{% if ENABLE_EFI %}
+# Copy sd-stub provided PCR signature and and public key file from initrd into /run/, so that it will survive the initrd stage
+C /run/systemd/tpm2-pcr-signature.json 0444 root root - /.extra/tpm2-pcr-signature.json
+C /run/systemd/tpm2-pcr-public-key.pem 0444 root root - /.extra/tpm2-pcr-public-key.pem
+{% endif %}