1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

condition: add ConditionSecurity=measured-uki

We have various services that should only run in a measured UKI
environment. Let's add an explicit high-level check for that.
This commit is contained in:
Lennart Poettering 2023-09-27 12:08:41 +02:00
parent be8f478c0f
commit 340d979af3
2 changed files with 64 additions and 5 deletions

View File

@ -1479,11 +1479,67 @@
<term><varname>ConditionSecurity=</varname></term>
<listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
security technology is enabled on the system. Currently, the recognized values are
<literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
<literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
<literal>uefi-secureboot</literal>, <literal>tpm2</literal> and <literal>cvm</literal>.
The test may be negated by prepending an exclamation mark.</para>
security technology is enabled on the system. Currently, the following values are recognized:</para>
<table>
<title>Recognized security technologies</title>
<tgroup cols='2'>
<colspec colname='value'/>
<colspec colname='description'/>
<thead>
<row>
<entry>Value</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>selinux</entry>
<entry>SELinux MAC</entry>
</row>
<row>
<entry>apparmor</entry>
<entry>AppArmor MAC</entry>
</row>
<row>
<entry>tomoyo</entry>
<entry>Tomoyo MAC</entry>
</row>
<row>
<entry>smack</entry>
<entry>SMACK MAC</entry>
</row>
<row>
<entry>ima</entry>
<entry>Integrity Measurement Architecture (IMA)</entry>
</row>
<row>
<entry>audit</entry>
<entry>Linux Audit Framework</entry>
</row>
<row>
<entry>uefi-secureboot</entry>
<entry>UEFI SecureBoot</entry>
</row>
<row>
<entry>tpm2</entry>
<entry>Trusted Platform Module 2.0 (TPM2)</entry>
</row>
<row>
<entry>cvm</entry>
<entry>Confidential virtual machine (SEV/TDX)</entry>
</row>
<row>
<entry>measured-uki</entry>
<entry>Unified Kernel Image with PCR 11 Measurements, as per <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>. <xi:include href="version-info.xml" xpointer="v255"/></entry>
</row>
</tbody>
</tgroup>
</table>
<para>The test may be negated by prepending an exclamation mark.</para>
<xi:include href="version-info.xml" xpointer="v244"/>
</listitem>

View File

@ -28,6 +28,7 @@
#include "cpu-set-util.h"
#include "creds-util.h"
#include "efi-api.h"
#include "efi-loader.h"
#include "env-file.h"
#include "env-util.h"
#include "extract-word.h"
@ -692,6 +693,8 @@ static int condition_test_security(Condition *c, char **env) {
return has_tpm2();
if (streq(c->parameter, "cvm"))
return detect_confidential_virtualization() > 0;
if (streq(c->parameter, "measured-uki"))
return efi_measured_uki(LOG_DEBUG);
return false;
}