git.ipfire.org Git - thirdparty/systemd.git/commit
tpm2-setup: add new early boot tool for initializing the SRK
author Lennart Poettering <lennart@poettering.net>
Tue, 26 Sep 2023 19:25:53 +0000 (21:25 +0200)
committer Lennart Poettering <lennart@poettering.net>
Fri, 29 Sep 2023 17:36:04 +0000 (19:36 +0200)
commit 2e64cb71b9c0160c335d8e52954149e078bba2fb
tree 6009b2b90b9f5a7e88c65d2a8ff3084b634ea26c
parent baab1b3faa387ebbb469067168197b109259c79d
tpm2-setup: add new early boot tool for initializing the SRK

This adds an explicit service for initializing the TPM2 SRK. This is
implicitly also done by systemd-cryptsetup, hence strictly speaking
redundant, but doing this early has the benefit that we can parallelize
this in a nicer way. This also writes a copy of the SRK public key in PEM
format to /run/ + /var/lib/, thus pinning the disk image to the TPM.
Making the SRK public key available is also useful for allowing easy offline
encryption for a specific TPM.

Sooner or later we should probably grow what this service does, the
above is just the first step. For example, the service should probably
offer the ability to reset the TPM (clear the owner hierarchy?) on a
factory reset, if such a policy is needed. And we might want to install
some default AK (?).

Fixes: #27986
Also see: #22637
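The commit message says the service writes the SRK public key as PEM to both /run/ and /var/lib/, which pins the image to one TPM. The practical check that follows from that is: does the key written for the current boot still equal the persisted copy, i.e. is this still the same TPM? The block below is an added example, not code from systemd or this commit. It parses the PEM SubjectPublicKeyInfo with only the Python standard library, compares the decoded RSA (n, e) pair of two copies, and prints a SHA-256 fingerprint of the DER that can be recorded out of band. Assumptions, none of which the commit page states: the file names /run/systemd/tpm2-srk-public-key.pem and /var/lib/systemd/tpm2-srk-public-key.pem, an RSA SRK (an ECC SRK would need a different parser and is rejected with an error), and the two sample keys, which are constructed moduli rather than real TPM output.

```python
"""Verify that the SRK public key pinned by systemd-tpm2-setup still matches (added example)."""
import base64
import hashlib
import re
from pathlib import Path

# ASSUMPTION: these paths are not stated on the commit page; they are where the
# service is assumed to write the PEM copies ("/run/" + "/var/lib/" in the message).
RUN_COPY = Path("/run/systemd/tpm2-srk-public-key.pem")
PERSISTENT_COPY = Path("/var/lib/systemd/tpm2-srk-public-key.pem")

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def _der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)

def rsa_spki_pem(n: int, e: int) -> str:
    """Encode (n, e) as a PEM SubjectPublicKeyInfo; used here only to build sample input."""
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM PUBLIC KEY block")
    return base64.b64decode("".join(m.group(1).split()))

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_spki(der: bytes) -> tuple:
    """Return (n, e) from an RSA SubjectPublicKeyInfo; anything else is rejected."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key (an ECC SRK needs a different parser)")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr, 1)        # skip the unused-bits octet
    _, n_bytes, pos = _read_tlv(rsa_key, 0)
    _, e_bytes, _ = _read_tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def spki_fingerprint(pem: str) -> str:
    """SHA-256 of the DER SPKI, hex: a stable identifier to log or compare out of band."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def srk_pin_matches(pinned_pem: str, current_pem: str) -> bool:
    """True when both PEMs carry the same RSA key; compares decoded (n, e), not text."""
    return parse_rsa_spki(pem_to_der(pinned_pem)) == parse_rsa_spki(pem_to_der(current_pem))

def check_pinned_srk(pinned: Path = PERSISTENT_COPY, current: Path = RUN_COPY) -> bool:
    """Compare the persistent copy against the one written for the current boot."""
    return srk_pin_matches(pinned.read_text(), current.read_text())

# Constructed sample keys (not real TPM output): two distinct moduli stand in for
# the original TPM's SRK and the SRK of a different TPM.
SAMPLE_N_A = (1 << 2047) | 0x10001
SAMPLE_N_B = (1 << 2047) | 0x20003
PEM_A = rsa_spki_pem(SAMPLE_N_A, 65537)
PEM_B = rsa_spki_pem(SAMPLE_N_B, 65537)

if __name__ == "__main__":
    if PERSISTENT_COPY.exists() and RUN_COPY.exists():
        print("pinned SRK matches current TPM:", check_pinned_srk(), spki_fingerprint(RUN_COPY.read_text()))
    else:
        print("same key:", srk_pin_matches(PEM_A, PEM_A), "swapped TPM:", srk_pin_matches(PEM_A, PEM_B))
```

Comparing the two on-disk copies is only a local consistency check: anyone who can write /var/lib/ can rewrite the pin along with the image, so the fingerprint is worth recording somewhere the image cannot reach and comparing against the freshly written /run/ copy on the next boot.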
12 files changed:
man/rules/meson.build
man/systemd-tpm2-setup.service.xml [new file with mode: 0644]
meson.build
src/shared/generator.c
src/shared/tpm2-util.c
src/shared/tpm2-util.h
src/tpm2-setup/meson.build [new file with mode: 0644]
src/tpm2-setup/tpm2-setup.c [new file with mode: 0644]
test/units/testsuite-70.sh
units/meson.build
units/systemd-tpm2-setup-early.service.in [new file with mode: 0644]
units/systemd-tpm2-setup.service.in [new file with mode: 0644]