We do this in a separate service (rather than inside systemd-tpm2-setup), since we want failures of this measurement to result in an instant reboot, like for most of our measurements. Failures to initialize NvPCRs or to allocate an SRK are somewhat OK (and more likely), as long as this separator marks clearly at which point in the measurement sequence they must have taken place, if they succeeded at all.
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# Records a single "nvpcr-separator" event into the kernel-initrd PCR once
# the TPM2 setup units have run. The separator marks the point in the
# measurement sequence by which NvPCR initialization and SRK allocation
# must have taken place, if they succeeded at all.
#
# This is deliberately its own unit rather than part of systemd-tpm2-setup:
# failures of the setup steps themselves are tolerated, but a failure of
# this measurement must fail closed and reboot the host (see FailureAction=).

[Unit]
Description=TPM PCR NvPCR Initialization Separator
Documentation=man:systemd-pcrnvdone.service(8)
# Early-boot unit: no implicit dependencies; stopped at (and ordered before)
# shutdown like the other sysinit-time units.
DefaultDependencies=no
Conflicts=shutdown.target
# Must run after both TPM2 setup units so the separator is only measured
# once NvPCR initialization / SRK allocation have had their chance to run.
After=systemd-tpm2-setup-early.service systemd-tpm2-setup.service
Before=sysinit.target shutdown.target
# Only meaningful when the booted UKI was itself measured into the TPM.
ConditionSecurity=measured-uki
# Host-side unit only: skipped inside the initrd, which is identified by
# the presence of /etc/initrd-release.
ConditionPathExists=!/etc/initrd-release
# Fail closed: if the measurement fails, reboot immediately rather than
# continue booting with an inconsistent PCR state. A measurement that fails
# persistently will therefore reboot-loop the host; that is the intended
# behaviour, not an oversight.
FailureAction=reboot-force

[Service]
# One measurement per boot; stay "active" afterwards so later units can
# order themselves against this one.
Type=oneshot
RemainAfterExit=yes
# {{LIBEXECDIR}} is substituted at build time.
# --graceful: per the systemd-pcrextend documentation, the absence of TPM2
# support is reported as success rather than failure, so a missing TPM does
# not trigger FailureAction= — only a genuine measurement error does.
# NOTE(review): confirm this split is intended; with measured-uki as a
# condition a TPM should always be present here anyway.
ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --pcr=kernel-initrd --event-type=nvpcr-separator nvpcr-separator