system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-09-30 05:15:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

analyze: move "has-tpm2" from systemd-creds to systemd-analyze

Browse source 
The verb s not really specific to credential management, it was always a
bit misplaced. Hence move it to systemd-analyze, where we already have
some general TPM related verbs such as "srk" and "pcrs"
This commit is contained in:
Lennart Poettering 2024-05-31 12:00:00 +02:00 committed by Daan De Meyer
parent d258b1c60c
commit 58e359604f
10 changed files with 103 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
man/systemd-analyze.xml
View file

@ -177,6 +177,11 @@
<arg choice="plain">image-policy</arg> <arg choice="plain">image-policy</arg>
<arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg> <arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">has-tpm2</arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>systemd-analyze</command> <command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt" rep="repeat">OPTIONS</arg>
@ -948,6 +953,35 @@ default ignore - -</programlisting>
</example> </example>
</refsect2> </refsect2>
<refsect2>
<title><command>systemd-analyze has-tpm2</command></title>
<para>Reports whether the system is equipped with a usable TPM2 device. If a TPM2 device has been
discovered, is supported, and is being used by firmware, by the OS kernel drivers and by userspace
(i.e. systemd) this prints <literal>yes</literal> and exits with exit status zero. If no such device is
discovered/supported/used, prints <literal>no</literal>. Otherwise prints
<literal>partial</literal>. In either of these two cases exits with non-zero exit status. It also shows
five lines indicating separately whether firmware, drivers, the system, the kernel and libraries
discovered/support/use TPM2.</para>
<para>Note, this checks for TPM 2.0 devices only, and does not consider TPM 1.2 at all.</para>
<para>Combine with <option>--quiet</option> to suppress the output.</para>
<example>
<title>Example Output</title>
<programlisting>yes
+firmware
+driver
+system
+subsystem
+libraries</programlisting>
</example>
<xi:include href="version-info.xml" xpointer="v257"/>
</refsect2>
<refsect2> <refsect2>
<title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable></optional></command></title> <title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable></optional></command></title>
@ -1653,6 +1687,12 @@ io.systemd.credential:vmm.notify_socket=vsock-stream:2:254570042
<constant>12</constant>, <constant>0</constant>, <constant>11</constant> is returned if the second <constant>12</constant>, <constant>0</constant>, <constant>11</constant> is returned if the second
version string is respectively larger, equal, or smaller to the first. In the three-argument form, version string is respectively larger, equal, or smaller to the first. In the three-argument form,
<constant>0</constant> or <constant>1</constant> if the condition is respectively true or false.</para> <constant>0</constant> or <constant>1</constant> if the condition is respectively true or false.</para>
<para>In case of the <command>has-tpm2</command> command returns 0 if a TPM2 device is discovered,
supported and used by firmware, driver, and userspace (i.e. systemd). Otherwise returns the OR
combination of the value 1 (in case firmware support is missing), 2 (in case driver support is missing)
and 4 (in case userspace support is missing). If no TPM2 support is available at all, value 7 is hence
returned.</para>
</refsect1> </refsect1>
<xi:include href="common-variables.xml" /> <xi:include href="common-variables.xml" />

25
man/systemd-creds.xml
View file

@ -177,22 +177,6 @@
<xi:include href="version-info.xml" xpointer="v250"/></listitem> <xi:include href="version-info.xml" xpointer="v250"/></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><command>has-tpm2</command></term>
<listitem><para>Reports whether the system is equipped with a TPM2 device usable for protecting
credentials. If a TPM2 device has been discovered, is supported, and is being used by firmware,
by the OS kernel drivers and by userspace (i.e. systemd) this prints <literal>yes</literal> and exits
with exit status zero. If no such device is discovered/supported/used, prints
<literal>no</literal>. Otherwise prints <literal>partial</literal>. In either of these two cases
exits with non-zero exit status. It also shows four lines indicating separately whether firmware,
drivers, the system and the kernel discovered/support/use TPM2.</para>
<para>Combine with <option>--quiet</option> to suppress the output.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="help" /> <xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" /> <xi:include href="standard-options.xml" xpointer="version" />
</variablelist> </variablelist>
@ -445,8 +429,7 @@
<term><option>--quiet</option></term> <term><option>--quiet</option></term>
<term><option>-q</option></term> <term><option>-q</option></term>
<listitem><para>When used with <command>has-tpm2</command> suppresses the output, and only returns an <listitem><para>Suppress additional output.</para>
exit status indicating support for TPM2.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem> <xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry> </varlistentry>
@ -461,12 +444,6 @@
<title>Exit status</title> <title>Exit status</title>
<para>On success, 0 is returned.</para> <para>On success, 0 is returned.</para>
<para>In case of the <command>has-tpm2</command> command returns 0 if a TPM2 device is discovered,
supported and used by firmware, driver, and userspace (i.e. systemd). Otherwise returns the OR
combination of the value 1 (in case firmware support is missing), 2 (in case driver support is missing)
and 4 (in case userspace support is missing). If no TPM2 support is available at all, value 7 is hence
returned.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

9
src/analyze/analyze-has-tpm2.c Normal file
View file

@ -0,0 +1,9 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "analyze.h"
#include "analyze-has-tpm2.h"
#include "tpm2-util.h"
int verb_has_tpm2(int argc, char **argv, void *userdata) {
return verb_has_tpm2_generic(arg_quiet);
}

4
src/analyze/analyze-has-tpm2.h Normal file
View file

@ -0,0 +1,4 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
int verb_has_tpm2(int argc, char *argv[], void *userdata);

3
src/analyze/analyze.c
View file

@ -26,6 +26,7 @@
#include "analyze-exit-status.h" #include "analyze-exit-status.h"
#include "analyze-fdstore.h" #include "analyze-fdstore.h"
#include "analyze-filesystems.h" #include "analyze-filesystems.h"
#include "analyze-has-tpm2.h"
#include "analyze-image-policy.h" #include "analyze-image-policy.h"
#include "analyze-inspect-elf.h" #include "analyze-inspect-elf.h"
#include "analyze-log-control.h" #include "analyze-log-control.h"
@ -253,6 +254,7 @@ static int help(int argc, char *argv[], void *userdata) {
"\n%3$sExecutable Analysis:%4$s\n" "\n%3$sExecutable Analysis:%4$s\n"
" inspect-elf FILE... Parse and print ELF package metadata\n" " inspect-elf FILE... Parse and print ELF package metadata\n"
"\n%3$sTPM Operations:%4$s\n" "\n%3$sTPM Operations:%4$s\n"
" has-tpm2 Report whether TPM2 support is available\n"
" pcrs [PCR...] Show TPM2 PCRs and their names\n" " pcrs [PCR...] Show TPM2 PCRs and their names\n"
" srk [>FILE] Write TPM2 SRK (to FILE)\n" " srk [>FILE] Write TPM2 SRK (to FILE)\n"
"\n%3$sOptions:%4$s\n" "\n%3$sOptions:%4$s\n"
@ -700,6 +702,7 @@ static int run(int argc, char *argv[]) {
{ "malloc", VERB_ANY, VERB_ANY, 0, verb_malloc }, { "malloc", VERB_ANY, VERB_ANY, 0, verb_malloc },
{ "fdstore", 2, VERB_ANY, 0, verb_fdstore }, { "fdstore", 2, VERB_ANY, 0, verb_fdstore },
{ "image-policy", 2, 2, 0, verb_image_policy }, { "image-policy", 2, 2, 0, verb_image_policy },
{ "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 },
{ "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs }, { "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs },
{ "srk", VERB_ANY, 1, 0, verb_srk }, { "srk", VERB_ANY, 1, 0, verb_srk },
{ "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures }, { "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures },

1
src/analyze/meson.build
View file

@ -14,6 +14,7 @@ systemd_analyze_sources = files(
'analyze-exit-status.c', 'analyze-exit-status.c',
'analyze-fdstore.c', 'analyze-fdstore.c',
'analyze-filesystems.c', 'analyze-filesystems.c',
'analyze-has-tpm2.c',
'analyze-image-policy.c', 'analyze-image-policy.c',
'analyze-inspect-elf.c', 'analyze-inspect-elf.c',
'analyze-log-control.c', 'analyze-log-control.c',

34
src/creds/creds.c
View file

@ -7,6 +7,7 @@
#include "sd-varlink.h" #include "sd-varlink.h"
#include "build.h" #include "build.h"
#include "build-path.h"
#include "bus-polkit.h" #include "bus-polkit.h"
#include "creds-util.h" #include "creds-util.h"
#include "dirent-util.h" #include "dirent-util.h"
@ -690,35 +691,10 @@ static int verb_setup(int argc, char **argv, void *userdata) {
} }
static int verb_has_tpm2(int argc, char **argv, void *userdata) { static int verb_has_tpm2(int argc, char **argv, void *userdata) {
Tpm2Support s; if (!arg_quiet)
log_notice("The 'systemd-creds %1$s' command has been replaced by 'systemd-analyze %1$s'. Redirecting invocation.", argv[optind]);
s = tpm2_support(); return verb_has_tpm2_generic(arg_quiet);
if (!arg_quiet) {
if (s == TPM2_SUPPORT_FULL)
puts("yes");
else if (s == TPM2_SUPPORT_NONE)
puts("no");
else
puts("partial");
printf("%sfirmware\n"
"%sdriver\n"
"%ssystem\n"
"%ssubsystem\n"
"%slibraries\n",
plus_minus(s & TPM2_SUPPORT_FIRMWARE),
plus_minus(s & TPM2_SUPPORT_DRIVER),
plus_minus(s & TPM2_SUPPORT_SYSTEM),
plus_minus(s & TPM2_SUPPORT_SUBSYSTEM),
plus_minus(s & TPM2_SUPPORT_LIBRARIES));
}
/* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
* become some reasonable values 17. i.e. the flags we return here tell what is missing rather than
* what is there, acknowledging the fact that for process exit statuses it is customary to return
* zero (EXIT_FAILURE) when all is good, instead of all being bad. */
return ~s & TPM2_SUPPORT_FULL;
} }
static int verb_help(int argc, char **argv, void *userdata) { static int verb_help(int argc, char **argv, void *userdata) {
@ -739,7 +715,6 @@ static int verb_help(int argc, char **argv, void *userdata) {
" ciphertext credential file\n" " ciphertext credential file\n"
" decrypt INPUT [OUTPUT] Decrypt ciphertext credential file and write to\n" " decrypt INPUT [OUTPUT] Decrypt ciphertext credential file and write to\n"
" plaintext credential file\n" " plaintext credential file\n"
" has-tpm2 Report whether TPM2 support is available\n"
" -h --help Show this help\n" " -h --help Show this help\n"
" --version Show package version\n" " --version Show package version\n"
"\n%3$sOptions:%4$s\n" "\n%3$sOptions:%4$s\n"
@ -774,7 +749,6 @@ static int verb_help(int argc, char **argv, void *userdata) {
" --user Select user-scoped credential encryption\n" " --user Select user-scoped credential encryption\n"
" --uid=UID Select user for scoped credentials\n" " --uid=UID Select user for scoped credentials\n"
" --allow-null Allow decrypting credentials with empty key\n" " --allow-null Allow decrypting credentials with empty key\n"
" -q --quiet Suppress output for 'has-tpm2' verb\n"
"\nSee the %2$s for details.\n", "\nSee the %2$s for details.\n",
program_invocation_short_name, program_invocation_short_name,
link, link,

32
src/shared/tpm2-util.c
View file

@ -7907,6 +7907,38 @@ Tpm2Support tpm2_support(void) {
return support; return support;
} }
int verb_has_tpm2_generic(bool quiet) {
Tpm2Support s;
s = tpm2_support();
if (!quiet) {
if (s == TPM2_SUPPORT_FULL)
puts("yes");
else if (s == TPM2_SUPPORT_NONE)
puts("no");
else
puts("partial");
printf("%sfirmware\n"
"%sdriver\n"
"%ssystem\n"
"%ssubsystem\n"
"%slibraries\n",
plus_minus(s & TPM2_SUPPORT_FIRMWARE),
plus_minus(s & TPM2_SUPPORT_DRIVER),
plus_minus(s & TPM2_SUPPORT_SYSTEM),
plus_minus(s & TPM2_SUPPORT_SUBSYSTEM),
plus_minus(s & TPM2_SUPPORT_LIBRARIES));
}
/* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
* become some reasonable values 17. i.e. the flags we return here tell what is missing rather than
* what is there, acknowledging the fact that for process exit statuses it is customary to return
* zero (EXIT_FAILURE) when all is good, instead of all being bad. */
return ~s & TPM2_SUPPORT_FULL;
}
#if HAVE_TPM2 #if HAVE_TPM2
static void tpm2_pcr_values_apply_default_hash_alg(Tpm2PCRValue *pcr_values, size_t n_pcr_values) { static void tpm2_pcr_values_apply_default_hash_alg(Tpm2PCRValue *pcr_values, size_t n_pcr_values) {
TPMI_ALG_HASH default_hash = 0; TPMI_ALG_HASH default_hash = 0;

2
src/shared/tpm2-util.h
View file

@ -463,6 +463,8 @@ typedef enum Tpm2Support {
Tpm2Support tpm2_support(void); Tpm2Support tpm2_support(void);
int verb_has_tpm2_generic(bool quiet);
int tpm2_parse_pcr_argument(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values); int tpm2_parse_pcr_argument(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
int tpm2_parse_pcr_argument_append(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values); int tpm2_parse_pcr_argument_append(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
int tpm2_parse_pcr_argument_to_mask(const char *arg, uint32_t *mask); int tpm2_parse_pcr_argument_to_mask(const char *arg, uint32_t *mask);

7
test/units/TEST-65-ANALYZE.sh
View file

@ -965,6 +965,13 @@ systemd-analyze condition --instance=tmp --unit=systemd-growfs@.service
systemd-analyze verify --instance=tmp --man=no systemd-growfs@.service systemd-analyze verify --instance=tmp --man=no systemd-growfs@.service
systemd-analyze security --instance=tmp systemd-growfs@.service systemd-analyze security --instance=tmp systemd-growfs@.service
systemd-analyze has-tpm2 ||:
if systemd-analyze has-tpm2 -q ; then
echo "have tpm2"
else
echo "have no tpm2"
fi
systemd-analyze log-level info systemd-analyze log-level info
touch /testok touch /testok