morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

gpt-auto-generator: enable TPM2 unlocking in gpt-auto-generator

Browse Source 
If we detect a TPM, let's also unlock the disk with it, if it has an
enrollment for that.

Fixes: #30176
This commit is contained in:
Lennart Poettering
2023-11-24 14:35:43 +01:00
committed by Luca Boccassi
parent 499d32655f
commit 0d5f59a248
1 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/gpt-auto-generator/gpt-auto-generator.c
View File

@@ -100,19 +100,22 @@ static int add_cryptsetup(
return log_oom();
}
r = efi_measured_uki(LOG_WARNING);
if (r > 0)
/* Enable TPM2 based unlocking automatically, if we have a TPM. See #30176. */
if (!strextend_with_separator(&options, ",", "tpm2-device=auto"))
return log_oom();
if (measure) {
/* We only measure the root volume key into PCR 15 if we are booted with sd-stub (i.e. in a
* UKI), and sd-stub measured the UKI. We do this in order not to step into people's own PCR
* assignment, under the assumption that people who are fine to use sd-stub with its PCR
* assignments are also OK with our PCR 15 use here. */
r = efi_measured_uki(LOG_WARNING);
if (r == 0)
log_debug("Will not measure volume key of volume '%s', not booted via systemd-stub with measurements enabled.", id);
else if (r > 0) {
if (r > 0)
if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes"))
return log_oom();
}
if (r == 0)
log_debug("Will not measure volume key of volume '%s', not booted via systemd-stub with measurements enabled.", id);
}
r = generator_write_cryptsetup_service_section(f, id, what, NULL, options);