From 9551aa707d464335a801719ed72701a79e8106fd Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 29 Sep 2023 11:59:40 +0200 Subject: [PATCH] tpm2: move measurement log to /run/log/ (from /var/log/) I have no idea what went on in my mind when I used a path in /var/ for the tpm2 event log we now keep for userspace measurements. The measurements are only valid for the current boot, hence should not be persisted (in particular as they cannot be rotated, hence should not grow without bounds). Fix that, simply move from /var/log/ to /run/log/. --- man/systemd-pcrphase.service.xml | 4 ++-- src/shared/tpm2-util.c | 2 +- test/units/testsuite-70.sh | 10 +++++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/man/systemd-pcrphase.service.xml b/man/systemd-pcrphase.service.xml index fe7b58933bf..ca037584cf4 100644 --- a/man/systemd-pcrphase.service.xml +++ b/man/systemd-pcrphase.service.xml @@ -209,10 +209,10 @@ - /var/log/systemd/tpm2-measure.log + /run/log/systemd/tpm2-measure.log Measurements are logged into an event log file maintained in - /var/log/systemd/tpm2-measure.log, which contains a /run/log/systemd/tpm2-measure.log, which contains a JSON-SEQ series of objects that follow the general structure of the TCG Common Event Log diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index c78d6ae65af..9cab153e45f 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -4305,7 +4305,7 @@ static const char* tpm2_userspace_event_type_table[_TPM2_USERSPACE_EVENT_TYPE_MA DEFINE_STRING_TABLE_LOOKUP(tpm2_userspace_event_type, Tpm2UserspaceEventType); const char *tpm2_userspace_log_path(void) { - return secure_getenv("SYSTEMD_MEASURE_LOG_USERSPACE") ?: "/var/log/systemd/tpm2-measure.log"; + return secure_getenv("SYSTEMD_MEASURE_LOG_USERSPACE") ?: "/run/log/systemd/tpm2-measure.log"; } static int tpm2_userspace_log_open(void) { diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh index faa9db7cdd0..7f7183da08b 100755 --- a/test/units/testsuite-70.sh +++ b/test/units/testsuite-70.sh @@ -264,8 +264,8 @@ if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; t rm -f /tmp/oldpcr15 /tmp/newpcr15 # Check that the event log record was properly written: - test "$(jq --seq --slurp '.[0].pcr' < /var/log/systemd/tpm2-measure.log)" == "$(printf '\x1e15')" - test "$(jq --seq --slurp --raw-output '.[0].digests[1].digest' < /var/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "machine-id:994013bf23864ee7992eab39a96dd3bb" | openssl dgst -hex -sha256 -r)" + test "$(jq --seq --slurp '.[0].pcr' < /run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e15')" + test "$(jq --seq --slurp --raw-output '.[0].digests[1].digest' < /run/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "machine-id:994013bf23864ee7992eab39a96dd3bb" | openssl dgst -hex -sha256 -r)" # And similar for the boot phase measurement into PCR 11 tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11 @@ -276,10 +276,10 @@ if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; t <(cat /tmp/oldpcr11 <(echo -n "foobar" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256) # Check the event log for the 2nd record - jq --seq --slurp < /var/log/systemd/tpm2-measure.log + jq --seq --slurp < /run/log/systemd/tpm2-measure.log - test "$(jq --seq --slurp .[1].pcr < /var/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')" - test "$(jq --seq --slurp --raw-output .[1].digests[0].digest < /var/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "foobar" | openssl dgst -hex -sha256 -r)" + test "$(jq --seq --slurp .[1].pcr < /run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')" + test "$(jq --seq --slurp --raw-output .[1].digests[0].digest < /run/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "foobar" | openssl dgst -hex -sha256 -r)" rm -f /tmp/oldpcr11 /tmp/newpcr11 else