You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
136 lines
5.7 KiB
136 lines
5.7 KiB
8 months ago
|
From 6b14fa7bcf40ba6dd289fbf7cda835d37d243dc5 Mon Sep 17 00:00:00 2001
|
||
|
From: Lennart Poettering <lennart@poettering.net>
|
||
|
Date: Thu, 15 Dec 2022 18:07:20 +0100
|
||
|
Subject: [PATCH] pcrphase: gracefully exit if TPM2 support is incomplete
|
||
|
|
||
|
If everything points to the fact that TPM2 should work, but then the
|
||
|
driver fails to initialize we should handle this gracefully and not
|
||
|
cause failing services all over the place.
|
||
|
|
||
|
Fixes: #25700
|
||
|
(cherry picked from commit 0318d54539fe168822447889ac0e858a10c55f74)
|
||
|
|
||
|
Related: RHEL-16182
|
||
|
---
|
||
|
man/systemd-pcrphase.service.xml | 8 ++++++++
|
||
|
src/boot/pcrphase.c | 13 +++++++++++++
|
||
|
units/systemd-pcrphase-initrd.service.in | 4 ++--
|
||
|
units/systemd-pcrphase-sysinit.service.in | 4 ++--
|
||
|
units/systemd-pcrphase.service.in | 4 ++--
|
||
|
5 files changed, 27 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/man/systemd-pcrphase.service.xml b/man/systemd-pcrphase.service.xml
|
||
|
index 9eda503e4c..9b7cc80b3a 100644
|
||
|
--- a/man/systemd-pcrphase.service.xml
|
||
|
+++ b/man/systemd-pcrphase.service.xml
|
||
|
@@ -131,6 +131,14 @@
|
||
|
all suitable TPM2 devices currently discovered.</para></listitem>
|
||
|
</varlistentry>
|
||
|
|
||
|
+ <varlistentry>
|
||
|
+ <term><option>--graceful</option></term>
|
||
|
+
|
||
|
+ <listitem><para>If no TPM2 firmware, kernel subsystem, kernel driver or device support is found, exit
|
||
|
+ with exit status 0 (i.e. indicate success). If this is not specified any attempt to measure without a
|
||
|
+ TPM2 device will cause the invocation to fail.</para></listitem>
|
||
|
+ </varlistentry>
|
||
|
+
|
||
|
<xi:include href="standard-options.xml" xpointer="help" />
|
||
|
<xi:include href="standard-options.xml" xpointer="version" />
|
||
|
|
||
|
diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c
|
||
|
index f57d628e84..8e91e80e22 100644
|
||
|
--- a/src/boot/pcrphase.c
|
||
|
+++ b/src/boot/pcrphase.c
|
||
|
@@ -13,6 +13,7 @@
|
||
|
#include "tpm-pcr.h"
|
||
|
#include "tpm2-util.h"
|
||
|
|
||
|
+static bool arg_graceful = false;
|
||
|
static char *arg_tpm2_device = NULL;
|
||
|
static char **arg_banks = NULL;
|
||
|
|
||
|
@@ -34,6 +35,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
||
|
" --version Print version\n"
|
||
|
" --bank=DIGEST Select TPM bank (SHA1, SHA256)\n"
|
||
|
" --tpm2-device=PATH Use specified TPM2 device\n"
|
||
|
+ " --graceful Exit gracefully if no TPM2 device is found\n"
|
||
|
"\nSee the %2$s for details.\n",
|
||
|
program_invocation_short_name,
|
||
|
link,
|
||
|
@@ -50,6 +52,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||
|
ARG_VERSION = 0x100,
|
||
|
ARG_BANK,
|
||
|
ARG_TPM2_DEVICE,
|
||
|
+ ARG_GRACEFUL,
|
||
|
};
|
||
|
|
||
|
static const struct option options[] = {
|
||
|
@@ -57,6 +60,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||
|
{ "version", no_argument, NULL, ARG_VERSION },
|
||
|
{ "bank", required_argument, NULL, ARG_BANK },
|
||
|
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
||
|
+ { "graceful", no_argument, NULL, ARG_GRACEFUL },
|
||
|
{}
|
||
|
};
|
||
|
|
||
|
@@ -104,6 +108,10 @@ static int parse_argv(int argc, char *argv[]) {
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
+ case ARG_GRACEFUL:
|
||
|
+ arg_graceful = true;
|
||
|
+ break;
|
||
|
+
|
||
|
case '?':
|
||
|
return -EINVAL;
|
||
|
|
||
|
@@ -173,6 +181,11 @@ static int run(int argc, char *argv[]) {
|
||
|
if (isempty(word))
|
||
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "String to measure cannot be empty, refusing.");
|
||
|
|
||
|
+ if (arg_graceful && tpm2_support() != TPM2_SUPPORT_FULL) {
|
||
|
+ log_notice("No complete TPM2 support detected, exiting gracefully.");
|
||
|
+ return EXIT_SUCCESS;
|
||
|
+ }
|
||
|
+
|
||
|
length = strlen(word);
|
||
|
|
||
|
int b = getenv_bool("SYSTEMD_PCRPHASE_STUB_VERIFY");
|
||
|
diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in
|
||
|
index c1ad5ef844..e437c7e1ce 100644
|
||
|
--- a/units/systemd-pcrphase-initrd.service.in
|
||
|
+++ b/units/systemd-pcrphase-initrd.service.in
|
||
|
@@ -20,5 +20,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
|
||
|
[Service]
|
||
|
Type=oneshot
|
||
|
RemainAfterExit=yes
|
||
|
-ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase enter-initrd
|
||
|
-ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase leave-initrd
|
||
|
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful enter-initrd
|
||
|
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful leave-initrd
|
||
|
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
|
||
|
index 6b5ba7d878..a22fbbe935 100644
|
||
|
--- a/units/systemd-pcrphase-sysinit.service.in
|
||
|
+++ b/units/systemd-pcrphase-sysinit.service.in
|
||
|
@@ -21,5 +21,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
|
||
|
[Service]
|
||
|
Type=oneshot
|
||
|
RemainAfterExit=yes
|
||
|
-ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase sysinit
|
||
|
-ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase final
|
||
|
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful sysinit
|
||
|
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful final
|
||
|
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
|
||
|
index ce469befa8..5ba437e5b1 100644
|
||
|
--- a/units/systemd-pcrphase.service.in
|
||
|
+++ b/units/systemd-pcrphase.service.in
|
||
|
@@ -19,5 +19,5 @@ ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-4
|
||
|
[Service]
|
||
|
Type=oneshot
|
||
|
RemainAfterExit=yes
|
||
|
-ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase ready
|
||
|
-ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase shutdown
|
||
|
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful ready
|
||
|
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrphase --graceful shutdown
|