git.ipfire.org Git - thirdparty/systemd.git/commit

]> git.ipfire.org Git - thirdparty/systemd.git/commit

projects / thirdparty / systemd.git / commit

author	Lennart Poettering <lennart@amutable.com>
	Mon, 9 Mar 2026 17:53:09 +0000 (18:53 +0100)
committer	Lennart Poettering <lennart@amutable.com>
	Thu, 26 Mar 2026 15:11:34 +0000 (16:11 +0100)
commit	cd911bec6eec21a2cc775c98bf599ea38cb1fa1f
tree	72857aed8f263de62f9cd0d0f00a014139e648bd	tree \| snapshot
parent	ca03d178a077a7705c58619fcc83fb3b90845fdb	commit \| diff

core: introduce ConditionSecurity=measured-os

So far we always conditioned our TPM magic on the UKI having detected
TPM support in the firmware. This is a bit limiting when we want to
support a software TPM that is not visible to the firmware. Hence let's
split this up, and add a separate control that can be set via the kernel
command line. However, as before, let's by default inherit the firmare
TPM discovery state into it, to retain the current behaviour unless
overriden.

With this in place, boot with "systemd.tpm2_measured_os=1
systemd.tpm2_software_fallback=1" on the kernel cmdline to get the swtpm
fallback and then a measured OS based on it.

25 files changed:

man/kernel-command-line.xml		diff \| blob \| blame \| history
man/systemd.unit.xml		diff \| blob \| blame \| history
src/bootctl/bootctl-status.c		diff \| blob \| blame \| history
src/cryptsetup/cryptsetup.c		diff \| blob \| blame \| history
src/fstab-generator/fstab-generator.c		diff \| blob \| blame \| history
src/gpt-auto-generator/gpt-auto-generator.c		diff \| blob \| blame \| history
src/hibernate-resume/hibernate-resume-generator.c		diff \| blob \| blame \| history
src/pcrextend/pcrextend.c		diff \| blob \| blame \| history
src/shared/condition.c		diff \| blob \| blame \| history
src/shared/efi-loader.c		diff \| blob \| blame \| history
src/shared/efi-loader.h		diff \| blob \| blame \| history
units/systemd-pcrextend.socket		diff \| blob \| blame \| history
units/systemd-pcrfs-root.service.in		diff \| blob \| blame \| history
units/systemd-pcrfs@.service.in		diff \| blob \| blame \| history
units/systemd-pcrmachine.service.in		diff \| blob \| blame \| history
units/systemd-pcrnvdone.service.in		diff \| blob \| blame \| history
units/systemd-pcrphase-factory-reset.service.in		diff \| blob \| blame \| history
units/systemd-pcrphase-initrd.service.in		diff \| blob \| blame \| history
units/systemd-pcrphase-storage-target-mode.service.in		diff \| blob \| blame \| history
units/systemd-pcrphase-sysinit.service.in		diff \| blob \| blame \| history
units/systemd-pcrphase.service.in		diff \| blob \| blame \| history
units/systemd-pcrproduct.service.in		diff \| blob \| blame \| history
units/systemd-tpm2-clear.service.in		diff \| blob \| blame \| history
units/systemd-tpm2-setup-early.service.in		diff \| blob \| blame \| history
units/systemd-tpm2-setup.service.in		diff \| blob \| blame \| history

Unnamed repository; edit this file 'description' to name the repository.

RSS Atom