
Merge pull request #30686 from poettering/uki-measured-check-imply-tpm2

efi-loader: when detecting if we are booted in UKI measured boot mode, imply a check for TPM2
This commit is contained in:
Mike Yuan 2024-01-03 18:39:22 +08:00 committed by GitHub
commit f6ce1ad033
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 5 deletions


@ -1,6 +1,7 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "alloc-util.h"
#include "efi-api.h"
#include "efi-loader.h"
#include "env-util.h"
#include "parse-util.h"
@ -247,8 +248,8 @@ int efi_measured_uki(int log_level) {
if (cached >= 0)
return cached;
/* Checks if we are booted on a kernel with sd-stub which measured the kernel into PCR 11. Or in
* other words, if we are running on a TPM enabled UKI.
/* Checks if we are booted on a kernel with sd-stub which measured the kernel into PCR 11 on a TPM2
* chip. Or in other words, if we are running on a TPM enabled UKI. (TPM 1.2 situations are ignored.)
*
* Returns == 0 and > 0 depending on the result of the test. Returns -EREMOTE if we detected a stub
* being used, but it measured things into a different PCR than we are configured for in
@ -261,7 +262,7 @@ int efi_measured_uki(int log_level) {
if (r != -ENXIO)
log_debug_errno(r, "Failed to parse $SYSTEMD_FORCE_MEASURE, ignoring: %m");
if (!is_efi_boot())
if (!efi_has_tpm2())
return (cached = 0);
r = efi_get_variable_string(EFI_LOADER_VARIABLE(StubPcrKernelImage), &pcr_string);
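Review bot: The new guard `if (!efi_has_tpm2())` drops the explicit `is_efi_boot()` test, so efi_measured_uki() now relies on efi_has_tpm2() itself returning false on non-EFI boots; that dependency is not visible in the hunk and deserves a comment at the check, e.g. `/* efi_has_tpm2() is expected to imply is_efi_boot(): without EFI there is no firmware-visible TPM2 */`. If the helper were ever changed to probe the TPM through a non-EFI path, this early return would stop excluding BIOS boots and the StubPcrKernelImage lookup on the following line would be attempted on systems that cannot be running sd-stub. The rewritten header comment states that TPM 1.2 is ignored, and the two unit files in this commit drop `ConditionSecurity=tpm2` on the strength of that, so a short cross-reference in the header (that measured-uki now implies tpm2) would keep the code and the units in sync. efi_measured_uki() begins before this hunk and continues past it.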


@ -14,7 +14,6 @@ DefaultDependencies=no
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionSecurity=measured-uki
ConditionSecurity=tpm2
ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
[Service]


@ -16,7 +16,6 @@ After=systemd-tpm2-setup-early.service systemd-remount-fs.service
Before=sysinit.target shutdown.target
RequiresMountsFor=/var/lib/systemd/tpm2-srk-public-key.pem
ConditionSecurity=measured-uki
ConditionSecurity=tpm2
ConditionPathExists=!/etc/initrd-release
[Service]