mirror of https://github.com/systemd/systemd synced 2025-10-05 16:03:15 +02:00
systemd/units/systemd-pcrphase.service.in
Lennart Poettering 8b21bbd6f0 pcrextend: whenever we fail to extend PCRs, reboot immediately
PCR extensions are supposed to be useful for "destroying" the ability to
access TPM bound secrets. Hence, if for some reason we fail to extend a
PCR, it's safer to just reboot, instead of going on without the
extension, leaving secrets potentially accessible which should not be
accessible.

Note that the services exit gracefully if no TPM is found, hence this
should not be triggered on TPM-less systems. However, this enforces that
if there is a TPM that is accessible to Linux and that works properly,
the PCR measurement must complete too.

Inspired by this thread:

https://lists.freedesktop.org/archives/systemd-devel/2025-March/051244.html
2025-03-31 21:13:33 +09:00


# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=TPM PCR Barrier (User)
Documentation=man:systemd-pcrphase.service(8)
After=remote-fs.target remote-cryptsetup.target tpm2.target
Before=systemd-user-sessions.service
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
FailureAction=reboot-force

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful ready
ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful shutdown
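
The commit message's argument, as an added model that is not systemd code: a PCR extension is one-way, so a secret bound to the pre-barrier PCR value stays unsealable if the `ready` extension is skipped, which is the case `FailureAction=reboot-force` closes. `ModelTPM`, `boot`, the `early-boot` event, the `disk-key` secret and sealing to the current PCR value are assumptions made for illustration.

```python
import hashlib
from typing import Optional


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: new = SHA256(old || SHA256(event)); there is no inverse."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


class ModelTPM:
    """Toy TPM: one PCR, one secret sealed to a PCR value (model only)."""

    def __init__(self) -> None:
        self.pcr = bytes(32)  # PCRs reset to all zeroes at power-on
        self._sealed = None

    def extend(self, event: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, event)

    def seal(self, secret: bytes) -> None:
        # Simplification: bind to the PCR value at sealing time.
        self._sealed = (self.pcr, secret)

    def unseal(self) -> Optional[bytes]:
        if self._sealed is None:
            return None
        bound_pcr, secret = self._sealed
        return secret if bound_pcr == self.pcr else None


def boot(extend_ok: bool, reboot_on_failure: bool) -> str:
    """State seen once user sessions could start, after the 'ready' barrier."""
    tpm = ModelTPM()
    tpm.extend(b"early-boot")      # constructed earlier measurement
    tpm.seal(b"disk-key")          # constructed secret for early boot only
    if extend_ok:
        tpm.extend(b"ready")       # the barrier: PCR moves on, binding stops matching
    elif reboot_on_failure:
        return "rebooted"          # models FailureAction=reboot-force
    return "secret exposed" if tpm.unseal() else "secret locked"


if __name__ == "__main__":
    for ok, reboot in [(True, True), (False, False), (False, True)]:
        print(f"extend_ok={ok} reboot_on_failure={reboot}: {boot(ok, reboot)}")
```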