From 8b21bbd6f0fb9898ed31472ef9f4e204da984890 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 11 Mar 2025 17:28:47 +0100
Subject: [PATCH] pcrextend: whenever we fail to extend PCRs, reboot immediately

PCR extensions are supposed to be useful for "destroying" the ability to access TPM bound secrets. Hence, if for some reason we fail to extend a PCR, it's safer to just reboot, instead of going on without the extension, leaving secrets potentially accessible which should not be accessible. Note that the services exit gracefully if no TPM is found, hence this should not be triggered on TPM-less systems. However, this enforces that if there is a TPM that is accessible to Linux and that works properly, the PCR measurement must complete too. Inspired by this thread: https://lists.freedesktop.org/archives/systemd-devel/2025-March/051244.html
---
 units/systemd-pcrfs-root.service.in | 1 +
 units/systemd-pcrfs@.service.in | 1 +
 units/systemd-pcrmachine.service.in | 1 +
 units/systemd-pcrphase-factory-reset.service.in | 1 +
 units/systemd-pcrphase-initrd.service.in | 1 +
 units/systemd-pcrphase-storage-target-mode.service.in | 1 +
 units/systemd-pcrphase-sysinit.service.in | 1 +
 units/systemd-pcrphase.service.in | 1 +
 8 files changed, 8 insertions(+)

diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in
index 5b40a91ca64..f774c4c8bf6 100644
--- a/units/systemd-pcrfs-root.service.in
+++ b/units/systemd-pcrfs-root.service.in
@@ -16,6 +16,7 @@ After=tpm2.target systemd-pcrmachine.service
 Before=shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in
index 203d7b9782e..3d18fe4d30e 100644
--- a/units/systemd-pcrfs@.service.in
+++ b/units/systemd-pcrfs@.service.in
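Review bot: `FailureAction=reboot-force` turns every failure of the extend command into a forced reboot, so the promise that TPM-less machines are unaffected now rests entirely on the `ExecStart=` line, which sits in the `[Service]` section outside this hunk. The same applies to the other seven units touched here (systemd-pcrfs@, systemd-pcrmachine and the five systemd-pcrphase* units). It would help to confirm that each of them really exits successfully when no usable TPM is found, because a persistent error would otherwise presumably repeat on every boot. I would also put the reason next to the directive, e.g. `# A failed PCR extension could leave TPM-bound secrets accessible, hence reboot rather than continue`, so that an operator reading the unit after an unexpected reboot finds the cause.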
@@ -17,6 +17,7 @@ After=%i.mount tpm2.target systemd-pcrfs-root.service
 Before=shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in
index 65caf2ed492..ea2561ef79e 100644
--- a/units/systemd-pcrmachine.service.in
+++ b/units/systemd-pcrmachine.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=sysinit.target shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-factory-reset.service.in b/units/systemd-pcrphase-factory-reset.service.in
index 6267336b303..5dbcb0f53f1 100644
--- a/units/systemd-pcrphase-factory-reset.service.in
+++ b/units/systemd-pcrphase-factory-reset.service.in
@@ -15,6 +15,7 @@ Conflicts=shutdown.target
 After=tpm2.target
 Before=shutdown.target factory-reset.target
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in
index 6fcf94de76c..5aba32128c0 100644
--- a/units/systemd-pcrphase-initrd.service.in
+++ b/units/systemd-pcrphase-initrd.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target systemd-sysext.service
 ConditionPathExists=/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-storage-target-mode.service.in b/units/systemd-pcrphase-storage-target-mode.service.in
index 2502ac89021..52b53e5b819 100644
--- a/units/systemd-pcrphase-storage-target-mode.service.in
+++ b/units/systemd-pcrphase-storage-target-mode.service.in
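Review bot: In systemd-pcrphase-initrd.service the unit is only ordered `Before=cryptsetup-pre.target cryptsetup.target`, and an ordering dependency by itself does not keep those targets from being started once this unit has failed. Protection of the sealed secrets therefore seems to depend on the forced reboot taking effect before any volume is unlocked. It would be worth either documenting why that is sufficient or checking whether the consumers also need a requirement dependency on the measurement. A failure this early probably leaves no persistent log either, so the reason for the reboot may be hard to recover afterwards.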
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=shutdown.target
 ConditionPathExists=/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
index 8c0c0c82a2c..4a01279159d 100644
--- a/units/systemd-pcrphase-sysinit.service.in
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -16,6 +16,7 @@ After=sysinit.target tpm2.target
 Before=basic.target shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
index 04ace12e14d..43459a2fccb 100644
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -14,6 +14,7 @@ After=remote-fs.target remote-cryptsetup.target tpm2.target
 Before=systemd-user-sessions.service
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
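Review bot: `FailureAction=` is evaluated whenever the unit enters the failed state, which covers a failing stop command as well as a failing start. If systemd-pcrphase.service or its siblings also extend a PCR from an `ExecStop=` line (the `[Service]` section continues outside the hunk), a failure during poweroff or halt would presumably end in a reboot instead. It would be good to say in the commit message or in a unit comment whether that is intended.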