diff --git a/units/meson.build b/units/meson.build index 51ae9cee5dc..e7bfb7f838f 100644 --- a/units/meson.build +++ b/units/meson.build @@ -477,6 +477,34 @@ units = [ 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], 'symlinks' : ['sysinit.target.wants/'], }, + { + 'file' : 'systemd-pcrlock-make-policy.service.in', + 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], + }, + { + 'file' : 'systemd-pcrlock-secureboot-policy.service.in', + 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], + }, + { + 'file' : 'systemd-pcrlock-secureboot-authority.service.in', + 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], + }, + { + 'file' : 'systemd-pcrlock-file-system.service.in', + 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], + }, + { + 'file' : 'systemd-pcrlock-machine-id.service.in', + 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], + }, + { + 'file' : 'systemd-pcrlock-firmware-code.service.in', + 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], + }, + { + 'file' : 'systemd-pcrlock-firmware-config.service.in', + 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], + }, { 'file' : 'systemd-portabled.service.in', 'conditions' : ['ENABLE_PORTABLED'], diff --git a/units/systemd-pcrlock-file-system.service.in b/units/systemd-pcrlock-file-system.service.in new file mode 100644 index 00000000000..d68a42e09a6 --- /dev/null +++ b/units/systemd-pcrlock-file-system.service.in @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Lock File Systems to TPM2 PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +ConditionPathExists=!/etc/initrd-release +ConditionSecurity=measured-uki + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-file-system + +[Install] +WantedBy=sysinit.target diff --git a/units/systemd-pcrlock-firmware-code.service.in b/units/systemd-pcrlock-firmware-code.service.in new file mode 100644 index 00000000000..a24f2ba015f --- /dev/null +++ b/units/systemd-pcrlock-firmware-code.service.in @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Lock Firmware Code to TPM2 PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-tpm2-setup.service +Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +ConditionPathExists=!/etc/initrd-release +ConditionSecurity=measured-uki + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-firmware-code + +[Install] +WantedBy=sysinit.target diff --git a/units/systemd-pcrlock-firmware-config.service.in b/units/systemd-pcrlock-firmware-config.service.in new file mode 100644 index 00000000000..64e63f86a68 --- /dev/null +++ b/units/systemd-pcrlock-firmware-config.service.in @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Lock Firmware Configuration to TPM2 PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-tpm2-setup.service +Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +ConditionPathExists=!/etc/initrd-release +ConditionSecurity=measured-uki + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-firmware-config + +[Install] +WantedBy=sysinit.target diff --git a/units/systemd-pcrlock-machine-id.service.in b/units/systemd-pcrlock-machine-id.service.in new file mode 100644 index 00000000000..0ff22c586e3 --- /dev/null +++ b/units/systemd-pcrlock-machine-id.service.in @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Lock Machine ID to TPM2 PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +ConditionPathExists=!/etc/initrd-release +ConditionSecurity=measured-uki + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-machine-id + +[Install] +WantedBy=sysinit.target diff --git a/units/systemd-pcrlock-make-policy.service.in b/units/systemd-pcrlock-make-policy.service.in new file mode 100644 index 00000000000..4127cc7c614 --- /dev/null +++ b/units/systemd-pcrlock-make-policy.service.in @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Make TPM2 PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-tpm2-setup.service +Before=sysinit.target shutdown.target +ConditionPathExists=!/etc/initrd-release +ConditionSecurity=measured-uki + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-pcrlock make-policy --location=770 + +[Install] +WantedBy=sysinit.target diff --git a/units/systemd-pcrlock-secureboot-authority.service.in b/units/systemd-pcrlock-secureboot-authority.service.in new file mode 100644 index 00000000000..a8d55bad3c0 --- /dev/null +++ b/units/systemd-pcrlock-secureboot-authority.service.in @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Lock UEFI SecureBoot Authority to TPM2 PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-tpm2-setup.service +Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +ConditionPathExists=!/etc/initrd-release +ConditionSecurity=measured-uki + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-secureboot-authority + +[Install] +WantedBy=sysinit.target diff --git a/units/systemd-pcrlock-secureboot-policy.service.in b/units/systemd-pcrlock-secureboot-policy.service.in new file mode 100644 index 00000000000..10e603c1b6c --- /dev/null +++ b/units/systemd-pcrlock-secureboot-policy.service.in @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Lock UEFI SecureBoot Policy to TPM2 PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-tpm2-setup.service +Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +ConditionPathExists=!/etc/initrd-release +ConditionSecurity=measured-uki + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-secureboot-policy + +[Install] +WantedBy=sysinit.target