bekucera/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-09-10 22:52:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

units: measure the fact we enter storage target mode into TPM

Browse Source 
storagetm mode means we we are network accessible. let's lock down
access to TPM secrets in this case: let's measure a pcr "phase" string
into PCR 11.

This is good as it means that if we are exploited in this state FDE
secrets protected by TPM are likely to remain protected, since the PCR
values wouldn't allow access.
This commit is contained in:
Lennart Poettering
2025-02-27 12:33:36 +01:00
parent d9e41bfe02
commit b493502475
3 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
units/meson.build
View File

@@ -542,6 +542,11 @@ units = [
'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
'symlinks' : ['sysinit.target.wants/'], 'symlinks' : ['sysinit.target.wants/'],
}, },
{
'file' : 'systemd-pcrphase-storage-target-mode.service.in',
'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
'symlinks' : ['storage-target-mode.target.wants/'],
},
{ {
'file' : 'systemd-pcrphase.service.in', 'file' : 'systemd-pcrphase.service.in',
'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'], 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],

24
units/systemd-pcrphase-storage-target-mode.service.in Normal file
View File

@@ -0,0 +1,24 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=TPM PCR Barrier (Storage Target Mode)
Documentation=man:systemd-pcrphase-storage-target-mode.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
After=tpm2.target
Before=shutdown.target
ConditionPathExists=/etc/initrd-release
ConditionSecurity=measured-uki
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful storage-target-mode-start
ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful storage-target-mode-stop

2
units/systemd-storagetm.service.in
View File

@@ -13,7 +13,7 @@ Documentation=man:systemd-storagetm.service(8)
ConditionVirtualization=!container ConditionVirtualization=!container
DefaultDependencies=no DefaultDependencies=no
Wants=modprobe@nvmet_tcp.service modprobe@thunderbolt_net.service sys-kernel-config.mount Wants=modprobe@nvmet_tcp.service modprobe@thunderbolt_net.service sys-kernel-config.mount
After=modprobe@nvmet_tcp.service modprobe@thunderbolt_net.service sys-kernel-config.mount plymouth-start.service After=modprobe@nvmet_tcp.service modprobe@thunderbolt_net.service sys-kernel-config.mount plymouth-start.service systemd-pcrphase-storage-target-mode.service
Conflicts=shutdown.target Conflicts=shutdown.target
Before=shutdown.target Before=shutdown.target
FailureAction=reboot FailureAction=reboot