pcrphase: gracefully exit if TPM2 support is incomplete
If everything points to the fact that TPM2 should work, but then the
driver fails to initialize we should handle this gracefully and not
cause failing services all over the place.
Fixes: #25700
(cherry picked from commit 0318d54539
)
parent
c6f2f5a90d
commit
2d495affef
@ -131,6 +131,14 @@
|
|||||||
all suitable TPM2 devices currently discovered.</para></listitem>
|
all suitable TPM2 devices currently discovered.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>--graceful</option></term>
|
||||||
|
|
||||||
|
<listitem><para>If no TPM2 firmware, kernel subsystem, kernel driver or device support is found, exit
|
||||||
|
with exit status 0 (i.e. indicate success). If this is not specified any attempt to measure without a
|
||||||
|
TPM2 device will cause the invocation to fail.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<xi:include href="standard-options.xml" xpointer="help" />
|
<xi:include href="standard-options.xml" xpointer="help" />
|
||||||
<xi:include href="standard-options.xml" xpointer="version" />
|
<xi:include href="standard-options.xml" xpointer="version" />
|
||||||
|
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
#include "tpm-pcr.h"
|
#include "tpm-pcr.h"
|
||||||
#include "tpm2-util.h"
|
#include "tpm2-util.h"
|
||||||
|
|
||||||
|
static bool arg_graceful = false;
|
||||||
static char *arg_tpm2_device = NULL;
|
static char *arg_tpm2_device = NULL;
|
||||||
static char **arg_banks = NULL;
|
static char **arg_banks = NULL;
|
||||||
|
|
||||||
@ -33,6 +34,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||||||
" --version Print version\n"
|
" --version Print version\n"
|
||||||
" --bank=DIGEST Select TPM bank (SHA1, SHA256)\n"
|
" --bank=DIGEST Select TPM bank (SHA1, SHA256)\n"
|
||||||
" --tpm2-device=PATH Use specified TPM2 device\n"
|
" --tpm2-device=PATH Use specified TPM2 device\n"
|
||||||
|
" --graceful Exit gracefully if no TPM2 device is found\n"
|
||||||
"\nSee the %2$s for details.\n",
|
"\nSee the %2$s for details.\n",
|
||||||
program_invocation_short_name,
|
program_invocation_short_name,
|
||||||
link,
|
link,
|
||||||
@ -49,6 +51,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
ARG_VERSION = 0x100,
|
ARG_VERSION = 0x100,
|
||||||
ARG_BANK,
|
ARG_BANK,
|
||||||
ARG_TPM2_DEVICE,
|
ARG_TPM2_DEVICE,
|
||||||
|
ARG_GRACEFUL,
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct option options[] = {
|
static const struct option options[] = {
|
||||||
@ -56,6 +59,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
{ "version", no_argument, NULL, ARG_VERSION },
|
{ "version", no_argument, NULL, ARG_VERSION },
|
||||||
{ "bank", required_argument, NULL, ARG_BANK },
|
{ "bank", required_argument, NULL, ARG_BANK },
|
||||||
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
||||||
|
{ "graceful", no_argument, NULL, ARG_GRACEFUL },
|
||||||
{}
|
{}
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -103,6 +107,10 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case ARG_GRACEFUL:
|
||||||
|
arg_graceful = true;
|
||||||
|
break;
|
||||||
|
|
||||||
case '?':
|
case '?':
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
@ -172,6 +180,11 @@ static int run(int argc, char *argv[]) {
|
|||||||
if (isempty(word))
|
if (isempty(word))
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "String to measure cannot be empty, refusing.");
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "String to measure cannot be empty, refusing.");
|
||||||
|
|
||||||
|
if (arg_graceful && tpm2_support() != TPM2_SUPPORT_FULL) {
|
||||||
|
log_notice("No complete TPM2 support detected, exiting gracefully.");
|
||||||
|
return EXIT_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
length = strlen(word);
|
length = strlen(word);
|
||||||
|
|
||||||
/* Skip logic if sd-stub is not used, after all PCR 11 might have a very different purpose then. */
|
/* Skip logic if sd-stub is not used, after all PCR 11 might have a very different purpose then. */
|
||||||
|
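Review bot: The early return added in run() fails open without leaving a distinguishable trace: with `--graceful`, any `tpm2_support()` result other than `TPM2_SUPPORT_FULL` skips the measurement and returns `EXIT_SUCCESS`, and the three unit files changed further down pass the flag unconditionally on both ExecStart= and ExecStop=. A unit that measured nothing is then recorded as successful, so anything that assumes the phase word was extended into the PCR (for example a policy bound to a boot phase) cannot tell a skipped measurement from a completed one; whether a partially supported TPM2 stays usable by other software in that state is not visible here and is worth confirming. I would document the trade-off above the check, `/* Fail-open on purpose: with --graceful, partial TPM2 support is treated like no TPM2 and nothing is measured. */`, and use `log_warning(...)` instead of `log_notice(...)` when support is partial rather than absent, so a skipped measurement is easy to find in the journal. run() starts before and continues after this hunk.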
@ -20,5 +20,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
|
|||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase enter-initrd
|
ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful enter-initrd
|
||||||
ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase leave-initrd
|
ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful leave-initrd
|
||||||
|
@ -21,5 +21,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
|
|||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase sysinit
|
ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful sysinit
|
||||||
ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase final
|
ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful final
|
||||||
|
@ -19,5 +19,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
|
|||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase ready
|
ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful ready
|
||||||
ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase shutdown
|
ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful shutdown
|
||||||
|