pcrphase: add two additional phases

This adds two more phases to the PCR boot phase logic: "sysinit" +
"final".

The "sysinit" one is placed between sysinit.target and basic.target.
It's good to have a milestone in this place, since this is after all
file systems/LUKS volumes are in place (which sooner or later should
result in measurements of their own) and before services are started
(where we should be able to rely on them to be complete).

This is particularly useful to make certain secrets available for
mounting secondary file systems, but making them unavailable later.

This breaks API in a way (as measurements during runtime will change),
but given that the pcrphase stuff wasn't realeased yet should be OK.

man/rules/meson.build

@@ -971,7 +971,9 @@ manpages = [
  ['systemd-path', '1', [], ''],
  ['systemd-pcrphase.service',
   '8',
-  ['systemd-pcrphase', 'systemd-pcrphase-initrd.service'],
+  ['systemd-pcrphase',
+   'systemd-pcrphase-initrd.service',
+   'systemd-pcrphase-sysinit.service'],
   'HAVE_GNU_EFI'],
  ['systemd-portabled.service', '8', ['systemd-portabled'], 'ENABLE_PORTABLED'],
  ['systemd-pstore.service', '8', ['systemd-pstore'], 'ENABLE_PSTORE'],

man/systemd-measure.xml

@@ -170,12 +170,13 @@
         into PCR 11 during different milestones of the boot process. This switch may be specified multiple
         times to calculate PCR values for multiple boot phases at once. If not used defaults to
         <literal>enter-initrd</literal>, <literal>enter-initrd:leave-initrd</literal>,
-        <literal>enter-initrd:leave-initrd:ready</literal>, i.e. calculates expected PCR values for the boot
-        phase in the initrd, during early boot, and during system runtime, but excluding the phases before
-        the initrd or when shutting down. This setting is honoured both by <command>calculate</command> and
-        <command>sign</command>. When used with the latter it's particularly useful for generating PCR
-        signatures that can only be used for unlocking resources during specific parts of the boot
-        process.</para>
+        <literal>enter-initrd:leave-initrd:sysinit</literal>,
+        <literal>enter-initrd:leave-initrd:sysinit:ready</literal>, i.e. calculates expected PCR values for
+        the boot phase in the initrd, during early boot, during later boot, and during system runtime, but
+        excluding the phases before the initrd or when shutting down. This setting is honoured both by
+        <command>calculate</command> and <command>sign</command>. When used with the latter it's particularly
+        useful for generating PCR signatures that can only be used for unlocking resources during specific
+        parts of the boot process.</para>
 
         <para>For further details about PCR boot phases, see
         <citerefentry><refentrytitle>systemd-pcrphase.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>

man/systemd-pcrphase.service.xml

@@ -18,9 +18,10 @@
 
   <refnamediv>
     <refname>systemd-pcrphase.service</refname>
+    <refname>systemd-pcrphase-sysinit.service</refname>
     <refname>systemd-pcrphase-initrd.service</refname>
     <refname>systemd-pcrphase</refname>
-    <refpurpose>Mark current boot process as successful</refpurpose>
+    <refpurpose>Measure boot phase into TPM2 PCR 11</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
@@ -32,9 +33,10 @@
   <refsect1>
     <title>Description</title>
 
-    <para><filename>systemd-pcrphase.service</filename> and
+    <para><filename>systemd-pcrphase.service</filename>,
+    <filename>systemd-pcrphase-sysinit.service</filename> and
     <filename>systemd-pcrphase-initrd.service</filename> are system services that measure specific strings
-    into TPM2 PCR 11 during boot.</para>
+    into TPM2 PCR 11 during boot at various milestones of the boot process.</para>
 
     <para>These services require
     <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> to be
@@ -56,6 +58,11 @@
       barrier between kernel/initrd code and host OS code. (This string is extended at stop of
       <filename>systemd-pcrphase-initrd.service</filename>.)</para></listitem>
 
+      <listitem><para><literal>sysinit</literal> is extended into PCR 11 when basic system initialization is
+      complete (which includes local file systems have been mounted), and the system begins starting regular
+      system services. (This string is extended at start of
+      <filename>systemd-pcrphase-sysinit.service</filename>.)</para></listitem>
+
       <listitem><para><literal>ready</literal> is extended into PCR 11 during later boot-up, after remote
       file systems have been activated (i.e. after <filename>remote-fs.target</filename>), but before users
       are permitted to log in (i.e. before <filename>systemd-user-sessions.service</filename>). It is
@@ -63,22 +70,29 @@
       log in and where they are allowed to log in. (This string is extended at start of
       <filename>systemd-pcrphase.service</filename>.)</para></listitem>
 
-      <listitem><para><literal>shutdown</literal> is extended into PCR 11 during system shutdown. It is
+      <listitem><para><literal>shutdown</literal> is extended into PCR 11 when system shutdown begins. It is
       supposed to act as barrier between the time the system is fully up and running and where it is about to
       shut down. (This string is extended at stop of
       <filename>systemd-pcrphase.service</filename>.)</para></listitem>
+
+      <listitem><para><literal>final</literal> is extended into PCR 11 at the end of system shutdown. It is
+      supposed to act as barrier between the time the service manager still runs and when it transitions into
+      the final boot phase where service management is not available anymore. (This string is extended at
+      stop of <filename>systemd-pcrphase-sysinit.service</filename>.)</para></listitem>
+
     </orderedlist>
 
     <para>During a regular system lifecycle, the strings <literal>enter-initrd</literal> →
-    <literal>leave-initrd</literal> → <literal>ready</literal> → <literal>shutdown</literal> are extended into
-    PCR 11, one after the other.</para>
+    <literal>leave-initrd</literal> → <literal>sysinit</literal> → <literal>ready</literal> →
+    <literal>shutdown</literal> → <literal>final</literal> are extended into PCR 11, one after the
+    other.</para>
 
     <para>Specific phases of the boot process may be referenced via the series of strings measured, separated
     by colons (the "boot path"). For example, the boot path for the regular system runtime is
-    <literal>enter-initrd:leave-initrd:ready</literal>, while the one for the initrd is just
+    <literal>enter-initrd:leave-initrd:sysinit:ready</literal>, while the one for the initrd is just
     <literal>enter-initrd</literal>. The boot path for the the boot phase before the initrd, is an empty
     string; because that's hard to pass around a single colon (<literal>:</literal>) may be used
-    instead. Note that the aforementioned four strings are just the default strings and individual systems
+    instead. Note that the aforementioned six strings are just the default strings and individual systems
     might measure other strings at other times, and thus implement different and more fine-grained boot
     phases to bind policy to.</para>
 

src/boot/measure.c

@@ -281,7 +281,8 @@ static int parse_argv(int argc, char *argv[]) {
                 if (strv_extend_strv(&arg_phase,
                                      STRV_MAKE("enter-initrd",
                                                "enter-initrd:leave-initrd",
-                                               "enter-initrd:leave-initrd:ready"),
+                                               "enter-initrd:leave-initrd:sysinit",
+                                               "enter-initrd:leave-initrd:sysinit:ready"),
                                      /* filter_duplicates= */ false) < 0)
                         return log_oom();
         } else {

units/meson.build

@@ -262,6 +262,8 @@ in_units = [
         ['user@.service',                        ''],
         ['systemd-pcrphase-initrd.service',      'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2 ENABLE_INITRD',
          'initrd.target.wants/'],
+        ['systemd-pcrphase-sysinit.service',     'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
+         'sysinit.target.wants/'],
         ['systemd-pcrphase.service',             'HAVE_GNU_EFI HAVE_OPENSSL HAVE_TPM2',
          'sysinit.target.wants/'],
 ]

units/systemd-pcrphase-sysinit.service.in

@@ -0,0 +1,25 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=TPM2 PCR Barrier (Initialization)
+Documentation=man:systemd-pcrphase-sysinit.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=basic.target shutdown.target
+AssertPathExists=!/etc/initrd-release
+ConditionSecurity=tpm2
+ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase sysinit
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase final

units/systemd-pcrphase.service.in

@@ -8,7 +8,7 @@
 #  (at your option) any later version.
 
 [Unit]
-Description=TPM2 PCR Barrier (Host)
+Description=TPM2 PCR Barrier (User)
 Documentation=man:systemd-pcrphase.service(8)
 After=remote-fs.target remote-cryptsetup.target
 Before=systemd-user-sessions.service