path: root/man/systemd-stub.xml
author: Lennart Poettering <lennart@poettering.net> 2023-11-08 19:02:03 +0100
committer: Lennart Poettering <lennart@poettering.net> 2024-01-03 10:38:34 +0100
commit: 39e0c237f19be47d24c1ca4372808686e175d11a
tree: 46d3404d04ddf14a1d6c95519aad4baa0aa8a0b4 /man/systemd-stub.xml
parent: fundamental: prefer byte swap builtins over byte swapping manually
stub: pick up confexts from the ESP as well
This does what we do for system extensions also for configuration extensions. This is complicated by the fact that we previously looked for <uki-binary>.d/*.raw for system extensions. We want to measure sysexts and confexts to different PCRs (13 vs. 12), hence we must distinguish them, but *.raw would match both kinds.

This commit solves this via the following mechanism: we'll load confexts from *.confext.raw and sysexts from *.raw, but will then exclude *.confext.raw from the latter. This preserves compatibility but allows us to somewhat reasonably distinguish both types of images.

The documentation is updated without going into this detail, though, and instead now claims that sysexts shall be *.sysext.raw and confexts *.confext.raw, even though we actually are more lenient than this. This is simply to push people towards using the longer, more descriptive suffixes. I added an XML comment (<!-- … -->) about this to the docs, so that whenever somebody notices the difference between code and docs they understand why and leave it that way.
Diffstat (limited to 'man/systemd-stub.xml')
-rw-r--r-- man/systemd-stub.xml | 66
1 file changed, 54 insertions(+), 12 deletions(-)
diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index 5b47d752ca..e489a138d6 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -32,6 +32,8 @@
<member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename></member>
<member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.cred</filename></member>
<member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.raw</filename></member>
+ <member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.sysext.raw</filename></member>
+ <member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.confext.raw</filename></member>
<member><filename><replaceable>ESP</replaceable>/loader/addons/*.addon.efi</filename></member>
<member><filename><replaceable>ESP</replaceable>/loader/credentials/*.cred</filename></member>
</simplelist></para>
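Review bot: the synopsis now lists `*.raw`, `*.sysext.raw` and `*.confext.raw` side by side, while the descriptive text later in this patch documents only `*.sysext.raw` and `*.confext.raw`. Either drop the plain `*.raw` entry here so the synopsis matches the documented suffixes (the XML comment added in the next hunk explains why `*.raw` is deliberately left undocumented), or keep it and say it is the legacy spelling of `*.sysext.raw`; as written a reader cannot tell whether a plain `foo.raw` is still honoured or where it is measured.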
@@ -153,14 +155,28 @@
details on encrypted credentials. The generated <command>cpio</command> archive is measured into TPM
PCR 12 (if a TPM is present).</para></listitem>
- <listitem><para>Similarly, files <filename><replaceable>foo</replaceable>.efi.extra.d/*.raw</filename>
- are packed up in a <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename>
- directory in the initrd file hierarchy. This is supposed to be used to pass additional system extension
- images to the initrd. See
+ <listitem><para>Similarly, files
+ <filename><replaceable>foo</replaceable>.efi.extra.d/*.sysext.raw</filename> are packed up in a
+ <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename> directory in the
+ initrd file hierarchy. This is supposed to be used to pass additional system extension images to the
+ initrd. See
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
details on system extension images. The generated <command>cpio</command> archive containing these
system extension images is measured into TPM PCR 13 (if a TPM is present).</para></listitem>
+ <!-- Note: the actual suffix we look for for sysexts is just *.raw (not *.sysext.raw), for
+ compatibility reasons with old versions. But we want people to name their system extensions
+ properly, hence we document the *.sysext.raw suffix only. -->
+
+ <listitem><para>Similarly, files
+ <filename><replaceable>foo</replaceable>.efi.extra.d/*.confext.raw</filename> are packed up in a
+ <command>cpio</command> archive and placed in the <filename>/.extra/confext/</filename> directory in
+ the initrd file hierarchy. This is supposed to be used to pass additional configuration extension
+ images to the initrd. See
+ <citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
+ details on configuration extension images. The generated <command>cpio</command> archive containing
+ these system extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
+
<listitem><para>Similarly, files
<filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as
PE binaries, and a <literal>.cmdline</literal> section is parsed from them. Addons are supposed to be
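Review bot: copy-paste error in the new confext paragraph: "The generated cpio archive containing these system extension images is measured into TPM PCR 12" should read "these configuration extension images". It is also worth one sentence in the sysext paragraph saying that `*.confext.raw` files are not included in the sysext archive, since the commit message says the code excludes them and a reader auditing PCR 13 would otherwise expect a `foo.confext.raw` dropped into `foo.efi.extra.d/` to show up there. Minor: the XML comment sits between the sysext and confext <listitem> blocks; placing it directly above the sysext <listitem> it refers to makes it easier to find.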
@@ -218,9 +234,10 @@
<para>Also note that the Linux kernel will measure all initrds it receives into TPM PCR 9. This means
every type of initrd will be measured two or three times: the initrd embedded in the kernel image will be
- measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials will be measured to both PCR
- 9 and PCR 12; the initrd synthesized from system extensions will be measured to both PCR 4 and PCR
- 9. Let's summarize the OS resources and the PCRs they are measured to:</para>
+ measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials (and the one synthesized
+ from configuration extensions) will be measured to both PCR 9 and PCR 12; the initrd synthesized from
+ system extensions will be measured to both PCR 4 and PCR 9. Let's summarize the OS resources and the PCRs
+ they are measured to:</para>
<table>
<title>OS Resource PCR Summary</title>
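Review bot: the rewritten sentence still says "the initrd synthesized from system extensions will be measured to both PCR 4 and PCR 9", which contradicts the table below ("9 + 13") and the StubPcrInitRDSysExts description (PCR 13). Since these lines are being touched anyway, fix it to "both PCR 9 and PCR 13". Splitting the confext case out of the parenthetical into its own clause ("the initrd synthesized from configuration extensions will be measured to both PCR 9 and PCR 12") would also read more easily than the nested "(and the one synthesized from configuration extensions)".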
@@ -291,6 +308,11 @@
<entry>System Extensions (synthesized initrd from companion files)</entry>
<entry>9 + 13</entry>
</row>
+
+ <row>
+ <entry>Configuration Extensions (synthesized initrd from companion files)</entry>
+ <entry>9 + 12</entry>
+ </row>
</tbody>
</tgroup>
</table>
@@ -371,13 +393,24 @@
<varlistentry>
<term><varname>StubPcrInitRDSysExts</varname></term>
- <listitem><para>The PCR register index the systemd extensions for the initrd, which are picked up
- from the file system the kernel image is located on. Formatted as decimal ASCII string (e.g.
+ <listitem><para>The PCR register index the system extensions for the initrd, which are picked up from
+ the file system the kernel image is located on. Formatted as decimal ASCII string (e.g.
<literal>13</literal>). This variable is set if a measurement was successfully completed, and remains
unset otherwise.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>StubPcrInitRDConfExts</varname></term>
+
+ <listitem><para>The PCR register index the configuration extensions for the initrd, which are picked
+ up from the file system the kernel image is located on. Formatted as decimal ASCII string (e.g.
+ <literal>12</literal>). This variable is set if a measurement was successfully completed, and remains
+ unset otherwise.</para>
+
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
</variablelist>
<para>Note that some of the variables above may also be set by the boot loader. The stub will only set
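Review bot: both the reworded StubPcrInitRDSysExts text and the new StubPcrInitRDConfExts text are missing the verb after the relative clause: "The PCR register index the configuration extensions for the initrd, which are picked up from the file system the kernel image is located on. Formatted as ..." never says what the index is. Suggest "The PCR register index the configuration extensions for the initrd (which are picked up from the file system the kernel image is located on) are measured into." for the new entry, and the same fix for the sysext entry while that line is being rewritten.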
@@ -422,15 +455,24 @@
</varlistentry>
<varlistentry>
- <term><filename>/.extra/sysext/*.raw</filename></term>
- <listitem><para>System extension image files (suffix <literal>.raw</literal>) that are placed next to
- the unified kernel image (as described above) are copied into the
+ <term><filename>/.extra/sysext/*.sysext.raw</filename></term>
+ <listitem><para>System extension image files (suffix <literal>.sysext.raw</literal>) that are placed
+ next to the unified kernel image (as described above) are copied into the
<filename>/.extra/sysext/</filename> directory in the initrd execution environment.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
<varlistentry>
+ <term><filename>/.extra/confext/*.confext.raw</filename></term>
+ <listitem><para>Configuration extension image files (suffix <literal>.confext.raw</literal>) that are
+ placed next to the unified kernel image (as described above) are copied into the
+ <filename>/.extra/confext/</filename> directory in the initrd execution environment.</para>
+
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><filename>/.extra/tpm2-pcr-signature.json</filename></term>
<listitem><para>The TPM2 PCR signature JSON object included in the <literal>.pcrsig</literal> PE
section of the unified kernel image is copied into the
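Review bot: the <term> entries now read /.extra/sysext/*.sysext.raw and /.extra/confext/*.confext.raw, but per the commit message sysexts are still loaded from any *.raw, so a legacy foo.raw that the paragraph says is copied into /.extra/sysext/ would not match the documented pattern. Either repeat the compatibility XML comment from the earlier hunk here, or make the <term> the directory (/.extra/sysext/, /.extra/confext/) and leave the suffix to the paragraph text, which already states it.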