mirror of
https://github.com/systemd/systemd
synced 2024-10-15 12:34:37 +00:00
tpm2: move measurement log to /run/log/ (from /var/log/)
I have no idea what went on in my mind when I used a path in /var/ for the tpm2 event log we now keep for userspace measurements. The measurements are only valid for the current boot, hence should not be persisted (in particular as they cannot be rotated, hence should not grow without bounds). Fix that, simply move from /var/log/ to /run/log/.
This commit is contained in:
parent
4444564a95
commit
9551aa707d
|
@ -209,10 +209,10 @@
|
|||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><filename>/var/log/systemd/tpm2-measure.log</filename></term>
|
||||
<term><filename>/run/log/systemd/tpm2-measure.log</filename></term>
|
||||
|
||||
<listitem><para>Measurements are logged into an event log file maintained in
|
||||
<filename>/var/log/systemd/tpm2-measure.log</filename>, which contains a <ulink
|
||||
<filename>/run/log/systemd/tpm2-measure.log</filename>, which contains a <ulink
|
||||
url="https://www.rfc-editor.org/rfc/rfc7464.html">JSON-SEQ</ulink> series of objects that follow the
|
||||
general structure of the <ulink
|
||||
url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Common Event Log
|
||||
|
|
|
@ -4305,7 +4305,7 @@ static const char* tpm2_userspace_event_type_table[_TPM2_USERSPACE_EVENT_TYPE_MA
|
|||
DEFINE_STRING_TABLE_LOOKUP(tpm2_userspace_event_type, Tpm2UserspaceEventType);
|
||||
|
||||
const char *tpm2_userspace_log_path(void) {
|
||||
return secure_getenv("SYSTEMD_MEASURE_LOG_USERSPACE") ?: "/var/log/systemd/tpm2-measure.log";
|
||||
return secure_getenv("SYSTEMD_MEASURE_LOG_USERSPACE") ?: "/run/log/systemd/tpm2-measure.log";
|
||||
}
|
||||
|
||||
static int tpm2_userspace_log_open(void) {
|
||||
|
|
|
@ -264,8 +264,8 @@ if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; t
|
|||
rm -f /tmp/oldpcr15 /tmp/newpcr15
|
||||
|
||||
# Check that the event log record was properly written:
|
||||
test "$(jq --seq --slurp '.[0].pcr' < /var/log/systemd/tpm2-measure.log)" == "$(printf '\x1e15')"
|
||||
test "$(jq --seq --slurp --raw-output '.[0].digests[1].digest' < /var/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "machine-id:994013bf23864ee7992eab39a96dd3bb" | openssl dgst -hex -sha256 -r)"
|
||||
test "$(jq --seq --slurp '.[0].pcr' < /run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e15')"
|
||||
test "$(jq --seq --slurp --raw-output '.[0].digests[1].digest' < /run/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "machine-id:994013bf23864ee7992eab39a96dd3bb" | openssl dgst -hex -sha256 -r)"
|
||||
|
||||
# And similar for the boot phase measurement into PCR 11
|
||||
tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
|
||||
|
@ -276,10 +276,10 @@ if [[ -x "$SD_PCREXTEND" ]] && tpm_has_pcr sha256 11 && tpm_has_pcr sha256 15; t
|
|||
<(cat /tmp/oldpcr11 <(echo -n "foobar" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
|
||||
|
||||
# Check the event log for the 2nd record
|
||||
jq --seq --slurp < /var/log/systemd/tpm2-measure.log
|
||||
jq --seq --slurp < /run/log/systemd/tpm2-measure.log
|
||||
|
||||
test "$(jq --seq --slurp .[1].pcr < /var/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')"
|
||||
test "$(jq --seq --slurp --raw-output .[1].digests[0].digest < /var/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "foobar" | openssl dgst -hex -sha256 -r)"
|
||||
test "$(jq --seq --slurp .[1].pcr < /run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')"
|
||||
test "$(jq --seq --slurp --raw-output .[1].digests[0].digest < /run/log/systemd/tpm2-measure.log) *stdin" == "$(echo -n "foobar" | openssl dgst -hex -sha256 -r)"
|
||||
|
||||
rm -f /tmp/oldpcr11 /tmp/newpcr11
|
||||
else
|
||||
|
|
Loading…
Reference in a new issue