From 8b21bbd6f0fb9898ed31472ef9f4e204da984890 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 11 Mar 2025 17:28:47 +0100
Subject: [PATCH] pcrextend: whenever we fail to extend PCRs, reboot immediately

PCR extensions are supposed to be useful for "destroying" the ability to access TPM bound secrets. Hence, if for some reason we fail to extend a PCR, it's safer to just reboot, instead of going on without the extension, leaving secrets potentially accessible which should not be accessible.

Note that the services exit gracefully if no TPM is found, hence this should not be triggered on TPM-less systems. However, this enforces that if there is a TPM that is accessible to Linux and that works properly, the PCR measurement must complete too.

Inspired by this thread: https://lists.freedesktop.org/archives/systemd-devel/2025-March/051244.html
---
 units/systemd-pcrfs-root.service.in | 1 +
 units/systemd-pcrfs@.service.in | 1 +
 units/systemd-pcrmachine.service.in | 1 +
 units/systemd-pcrphase-factory-reset.service.in | 1 +
 units/systemd-pcrphase-initrd.service.in | 1 +
 units/systemd-pcrphase-storage-target-mode.service.in | 1 +
 units/systemd-pcrphase-sysinit.service.in | 1 +
 units/systemd-pcrphase.service.in | 1 +
 8 files changed, 8 insertions(+)

diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in
index 5b40a91ca6..f774c4c8bf 100644
--- a/units/systemd-pcrfs-root.service.in
+++ b/units/systemd-pcrfs-root.service.in
@@ -16,6 +16,7 @@ After=tpm2.target systemd-pcrmachine.service
 Before=shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in
index 203d7b9782..3d18fe4d30 100644
--- a/units/systemd-pcrfs@.service.in
+++ b/units/systemd-pcrfs@.service.in
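Review bot: A TPM that is present but persistently fails to extend (firmware fault, transport error, a PCR bank in an unexpected state) now becomes an unbounded reboot loop, and none of the eight units — this one, systemd-pcrfs@, systemd-pcrmachine and the five systemd-pcrphase-* units — documents that trade-off or why `reboot-force` was chosen over `reboot`. Because `reboot-force` skips the normal shutdown path, the error the tool logs just before the reboot may never reach persistent storage, which makes such a loop hard to diagnose from the journal afterwards; presumably acceptable under the threat model in the commit message, but it belongs in the unit. I'd add above the new line in each unit: `# A failed PCR extension leaves TPM-bound secrets unlockable under a stale PCR state; reboot hard rather than continue.` It is also worth confirming that the pcrextend tool these units run exits non-zero only for genuine extension failures and not for benign conditions (for instance a pcrfs instance whose path turns out not to be a separate file system), since every non-zero exit now forces a reboot.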
@@ -17,6 +17,7 @@ After=%i.mount tpm2.target systemd-pcrfs-root.service
 Before=shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in
index 65caf2ed49..ea2561ef79 100644
--- a/units/systemd-pcrmachine.service.in
+++ b/units/systemd-pcrmachine.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=sysinit.target shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-factory-reset.service.in b/units/systemd-pcrphase-factory-reset.service.in
index 6267336b30..5dbcb0f53f 100644
--- a/units/systemd-pcrphase-factory-reset.service.in
+++ b/units/systemd-pcrphase-factory-reset.service.in
@@ -15,6 +15,7 @@ Conflicts=shutdown.target
 After=tpm2.target
 Before=shutdown.target factory-reset.target
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in
index 6fcf94de76..5aba32128c 100644
--- a/units/systemd-pcrphase-initrd.service.in
+++ b/units/systemd-pcrphase-initrd.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target systemd-sysext.service
 ConditionPathExists=/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-storage-target-mode.service.in b/units/systemd-pcrphase-storage-target-mode.service.in
index 2502ac8902..52b53e5b81 100644
--- a/units/systemd-pcrphase-storage-target-mode.service.in
+++ b/units/systemd-pcrphase-storage-target-mode.service.in
@@ -16,6 +16,7 @@ After=tpm2.target
 Before=shutdown.target
 ConditionPathExists=/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
index 8c0c0c82a2..4a01279159 100644
--- a/units/systemd-pcrphase-sysinit.service.in
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -16,6 +16,7 @@ After=sysinit.target tpm2.target
 Before=basic.target shutdown.target
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
index 04ace12e14..43459a2fcc 100644
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -14,6 +14,7 @@ After=remote-fs.target remote-cryptsetup.target tpm2.target
 Before=systemd-user-sessions.service
 ConditionPathExists=!/etc/initrd-release
 ConditionSecurity=measured-uki
+FailureAction=reboot-force
 
 [Service]
 Type=oneshot