git.ipfire.org Git - thirdparty/systemd.git/commitdiff
units: Run systemd-pcrnvdone in initrd
author Valentin David <me@valentindavid.com>
Wed, 3 Jun 2026 20:10:49 +0000 (22:10 +0200)
committer Luca Boccassi <luca.boccassi@gmail.com>
Thu, 4 Jun 2026 10:23:59 +0000 (11:23 +0100)
The measurement that systemd-pcrnvdone makes corresponds to
`src/pcrlock/pcrlock.d/770-nvpcr-separator.pcrlock`, and 770 is supposed to
happen in the initrd (which ends at 800).

docs/TPM2_PCR_MEASUREMENTS.md
units/systemd-pcrnvdone.service.in

index 8045cbe4cd46105538f5f35979a5539e8307066e..faa918f6319f6b62188906e58c17aa04af24e550 100644 (file)
@@ -265,7 +265,7 @@ on-the-fly by `systemd-stub`).
 
 ### PCR 9, NvPCR Initializations
 
-The `systemd-tpm2-setup.service` service initializes any NvPCRs defined via
+The `systemd-tpm2-setup-early.service` service initializes any NvPCRs defined via
 `*.nvpcr` files. For each initialized NvPCR it will measure an event into PCR
 9.
 
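Review bot: the swap from `systemd-tpm2-setup.service` to `systemd-tpm2-setup-early.service` as the unit that "initializes any NvPCRs" is not explained anywhere in the commit message, which only talks about moving the separator measurement into the initrd. Either add a sentence to the message stating that NvPCR initialization is (or now is) performed by the early variant, or split this doc correction into its own commit so the attribution change is reviewable on its own.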
@@ -341,8 +341,8 @@ single-line JSON. Example string:
 
 ### PCR 9, NvPCR initialization separator
 
-After completion of `systemd-tpm2-setup.service` (which initializes all NvPCRs
-and measures their initial state) at arly boot the `systemd-pcrnvdone.service`
+After completion of `systemd-tpm2-setup-early.service` (which initializes all NvPCRs
+and measures their initial state) at early boot the `systemd-pcrnvdone.service`
 service will measure a separator event into PCR 9, isolating the early-boot
 NvPCR initializations from any later additions.
 
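Review bot: "at early boot" in the rewritten sentence is now less precise than the unit file, which with this commit runs only when `/etc/initrd-release` exists and orders itself before `initrd-switch-root.target`. Consider saying "in the initrd, before the switch to the host root" so a reader of the PCR 9 log knows the separator event precedes every host-side NvPCR addition.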
index bbd0e66e605ce5d09f00223f78f1f94c65ebe4e7..154589d1267bf2df199114c9a99f717118299050 100644 (file)
 Description=TPM PCR NvPCR Initialization Separator
 Documentation=man:systemd-pcrnvdone.service(8)
 DefaultDependencies=no
-Conflicts=shutdown.target
-After=systemd-tpm2-setup-early.service systemd-tpm2-setup.service
-Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target
+Conflicts=shutdown.target initrd-switch-root.target
+After=tpm2.target
+After=systemd-tpm2-setup-early.service
+Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target
 ConditionSecurity=measured-os
-ConditionPathExists=!/etc/initrd-release
+ConditionPathExists=/etc/initrd-release
 FailureAction=reboot-force
 
 [Service]
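Review bot: the dropped `After=systemd-tpm2-setup.service` in the `After=` lines is the one ordering change that affects what the separator actually isolates, and the commit message does not justify it. With `ConditionPathExists=/etc/initrd-release` the unit is initrd-only and orders after `tpm2.target` and `systemd-tpm2-setup-early.service`; if `systemd-tpm2-setup.service` can also be active in the initrd, its NvPCR measurements would no longer be guaranteed to land before the separator, so either keep that `After=` line or state in the message that the non-early service never runs in the initrd. The `Conflicts=`/`Before=` additions for `initrd-switch-root.target` look consistent with each other.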