From 340d979af338c43756925d265c74cca62412ab59 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 27 Sep 2023 12:08:41 +0200
Subject: [PATCH] condition: add ConditionSecurity=measured-uki

We have various services that should only run in a measured UKI
environment. Let's add an explicit high-level check for that.
---
 man/systemd.unit.xml   | 66 ++++++++++++++++++++++++++++++++++++++----
 src/shared/condition.c |  3 ++
 2 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index ae470ee96e8..fa867dba1ac 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1479,11 +1479,67 @@
           <term><varname>ConditionSecurity=</varname></term>
 
           <listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
-          security technology is enabled on the system. Currently, the recognized values are
-          <literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
-          <literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
-          <literal>uefi-secureboot</literal>, <literal>tpm2</literal> and <literal>cvm</literal>.
-          The test may be negated by prepending an exclamation mark.</para>
+          security technology is enabled on the system. Currently, the following values are recognized:</para>
+
+          <table>
+            <title>Recognized security technologies</title>
+
+            <tgroup cols='2'>
+              <colspec colname='value'/>
+              <colspec colname='description'/>
+
+              <thead>
+                <row>
+                  <entry>Value</entry>
+                  <entry>Description</entry>
+                </row>
+              </thead>
+              <tbody>
+                <row>
+                  <entry>selinux</entry>
+                  <entry>SELinux MAC</entry>
+                </row>
+                <row>
+                  <entry>apparmor</entry>
+                  <entry>AppArmor MAC</entry>
+                </row>
+                <row>
+                  <entry>tomoyo</entry>
+                  <entry>Tomoyo MAC</entry>
+                </row>
+                <row>
+                  <entry>smack</entry>
+                  <entry>SMACK MAC</entry>
+                </row>
+                <row>
+                  <entry>ima</entry>
+                  <entry>Integrity Measurement Architecture (IMA)</entry>
+                </row>
+                <row>
+                  <entry>audit</entry>
+                  <entry>Linux Audit Framework</entry>
+                </row>
+                <row>
+                  <entry>uefi-secureboot</entry>
+                  <entry>UEFI SecureBoot</entry>
+                </row>
+                <row>
+                  <entry>tpm2</entry>
+                  <entry>Trusted Platform Module 2.0 (TPM2)</entry>
+                </row>
+                <row>
+                  <entry>cvm</entry>
+                  <entry>Confidential virtual machine (SEV/TDX)</entry>
+                </row>
+                <row>
+                  <entry>measured-uki</entry>
+                  <entry>Unified Kernel Image with PCR 11 Measurements, as per <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>. <xi:include href="version-info.xml" xpointer="v255"/></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </table>
+
+          <para>The test may be negated by prepending an exclamation mark.</para>
 
           <xi:include href="version-info.xml" xpointer="v244"/>
           </listitem>
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 06fcd71be58..d3446e8a9da 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -28,6 +28,7 @@
 #include "cpu-set-util.h"
 #include "creds-util.h"
 #include "efi-api.h"
+#include "efi-loader.h"
 #include "env-file.h"
 #include "env-util.h"
 #include "extract-word.h"
@@ -692,6 +693,8 @@ static int condition_test_security(Condition *c, char **env) {
                 return has_tpm2();
         if (streq(c->parameter, "cvm"))
                 return detect_confidential_virtualization() > 0;
+        if (streq(c->parameter, "measured-uki"))
+                return efi_measured_uki(LOG_DEBUG);
 
         return false;
 }