condition: add ConditionSecurity=measured-uki

We have various services that should only run in a measured UKI environment. Let's add an explicit high-level check for that.
2024-07-21 18:24:38 +00:00 · 2023-09-27 12:08:41 +02:00 · 2023-09-27 12:08:41 +02:00 · 340d979af3
parent be8f478c0f
commit 340d979af3
2 changed files with 64 additions and 5 deletions
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@ -1479,11 +1479,67 @@
          <term><varname>ConditionSecurity=</varname></term>

          <listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
-          security technology is enabled on the system. Currently, the recognized values are
-          <literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
-          <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
-          <literal>uefi-secureboot</literal>, <literal>tpm2</literal> and <literal>cvm</literal>.
-          The test may be negated by prepending an exclamation mark.</para>
+          security technology is enabled on the system. Currently, the following values are recognized:</para>
+
+          <table>
+            <title>Recognized security technologies</title>
+
+            <tgroup cols='2'>
+              <colspec colname='value'/>
+              <colspec colname='description'/>
+
+              <thead>
+                <row>
+                  <entry>Value</entry>
+                  <entry>Description</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>selinux</entry>
+                  <entry>SELinux MAC</entry>
+                </row>
+                <row>
+                  <entry>apparmor</entry>
+                  <entry>AppArmor MAC</entry>
+                </row>
+                <row>
+                  <entry>tomoyo</entry>
+                  <entry>Tomoyo MAC</entry>
+                </row>
+                <row>
+                  <entry>smack</entry>
+                  <entry>SMACK MAC</entry>
+                </row>
+                <row>
+                  <entry>ima</entry>
+                  <entry>Integrity Measurement Architecture (IMA)</entry>
+                </row>
+                <row>
+                  <entry>audit</entry>
+                  <entry>Linux Audit Framework</entry>
+                </row>
+                <row>
+                  <entry>uefi-secureboot</entry>
+                  <entry>UEFI SecureBoot</entry>
+                </row>
+                <row>
+                  <entry>tpm2</entry>
+                  <entry>Trusted Platform Module 2.0 (TPM2)</entry>
+                </row>
+                <row>
+                  <entry>cvm</entry>
+                  <entry>Confidential virtual machine (SEV/TDX)</entry>
+                </row>
+                <row>
+                  <entry>measured-uki</entry>
+                  <entry>Unified Kernel Image with PCR 11 Measurements, as per <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>. <xi:include href="version-info.xml" xpointer="v255"/></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+
+          <para>The test may be negated by prepending an exclamation mark.</para>

          <xi:include href="version-info.xml" xpointer="v244"/>
          </listitem>
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@ -28,6 +28,7 @@
 #include "cpu-set-util.h"
 #include "creds-util.h"
 #include "efi-api.h"
+#include "efi-loader.h"
 #include "env-file.h"
 #include "env-util.h"
 #include "extract-word.h"
@ -692,6 +693,8 @@ static int condition_test_security(Condition *c, char **env) {
                return has_tpm2();
        if (streq(c->parameter, "cvm"))
                return detect_confidential_virtualization() > 0;
+        if (streq(c->parameter, "measured-uki"))
+                return efi_measured_uki(LOG_DEBUG);

        return false;
 }