pcrextend: whenever we fail to extend PCRs, reboot immediately

PCR extensions are supposed to be useful for "destroying" the ability to access TPM bound secrets. Hence, if for some reason we fail to extend a PCR, it's safer to just reboot, instead of going on without the extension, leaving secrets potentially accessible which should not be accessible. Note that the services exit gracefully if no TPM is found, hence this should not be triggered on TPM-less systems. However, this enforces that if there is a TPM that is accessible to Linux and that works properly, the PCR measurement must complete too. Inspired by this thread: https://lists.freedesktop.org/archives/systemd-devel/2025-March/051244.html
2025-10-06 00:13:24 +02:00 · 2025-03-11 17:28:47 +01:00
parent 1220625a81
commit 8b21bbd6f0
8 changed files with 8 additions and 0 deletions
--- a/units/systemd-pcrfs-root.service.in
+++ b/units/systemd-pcrfs-root.service.in
@@ -16,6 +16,7 @@ After=tpm2.target systemd-pcrmachine.service
 Before=shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot
--- a/units/systemd-pcrfs@.service.in
+++ b/units/systemd-pcrfs@.service.in
@@ -17,6 +17,7 @@ After=%i.mount tpm2.target systemd-pcrfs-root.service
 Before=shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot
--- a/units/systemd-pcrmachine.service.in
+++ b/units/systemd-pcrmachine.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=sysinit.target shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot
--- a/units/systemd-pcrphase-factory-reset.service.in
+++ b/units/systemd-pcrphase-factory-reset.service.in
@@ -15,6 +15,7 @@ Conflicts=shutdown.target
 After=tpm2.target
 Before=shutdown.target factory-reset.target
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot
--- a/units/systemd-pcrphase-initrd.service.in
+++ b/units/systemd-pcrphase-initrd.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target systemd-sysext.service
 ConditionPathExists=/etc/initrd-release
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot
--- a/units/systemd-pcrphase-storage-target-mode.service.in
+++ b/units/systemd-pcrphase-storage-target-mode.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=shutdown.target
 ConditionPathExists=/etc/initrd-release
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot
--- a/units/systemd-pcrphase-sysinit.service.in
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -16,6 +16,7 @@ After=sysinit.target tpm2.target
 Before=basic.target shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -14,6 +14,7 @@ After=remote-fs.target remote-cryptsetup.target tpm2.target
 Before=systemd-user-sessions.service
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
 FailureAction=reboot-force
 [Service]
 Type=oneshot