tmpfiles: add separate fragment for stuff we copy from .extra/ into /run/systemd
authorLennart Poettering <lennart@poettering.net>
Tue, 2 Jul 2024 14:01:47 +0000 (16:01 +0200)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 10 Sep 2024 19:47:44 +0000 (04:47 +0900)
Let's move copying out the PCR signature/key into its own tmpfiles
snippet.

And then let's add support for copying out the profile + os-release
information systemd-stub now places in the invoked initrd.

That way these four pieces of information are available even after the
initrd→host transition.

tmpfiles.d/20-systemd-stub.conf.in [new file with mode: 0644]
tmpfiles.d/meson.build
tmpfiles.d/systemd.conf.in

diff --git a/tmpfiles.d/20-systemd-stub.conf.in b/tmpfiles.d/20-systemd-stub.conf.in
new file mode 100644 (file)
index 0000000..910d943
--- /dev/null
@@ -0,0 +1,19 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+# Copy systemd-stub provided metadata such as PCR signature and public key file
+# from initrd into /run/, so that it will survive the initrd stage
+
+C /run/systemd/stub/profile 0444 root root - /.extra/profile
+C /run/systemd/stub/os-release 0444 root root - /.extra/os-release
+
+{% if ENABLE_TPM %}
+C /run/systemd/tpm2-pcr-signature.json 0444 root root - /.extra/tpm2-pcr-signature.json
+C /run/systemd/tpm2-pcr-public-key.pem 0444 root root - /.extra/tpm2-pcr-public-key.pem
+{% endif %}
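Review bot: The PCR signature/key entries at lines 39–42 are now gated on `{% if ENABLE_TPM %}`, whereas the lines removed from systemd.conf.in were gated on `ENABLE_EFI`; since meson.build already builds this fragment only under `ENABLE_EFI`, a build with EFI enabled but TPM disabled silently stops copying the two PCR files, and the commit description does not mention that narrowing. If it is intended, state it in the description; otherwise drop the inner conditional, because the file-level `ENABLE_EFI` gate already covers these lines. The header comment at lines 33–34 names only the PCR files although the first two entries copy profile and os-release; suggest `# Copy systemd-stub provided metadata (profile, os-release, PCR signature and public key)` followed by the existing `from initrd into /run/` sentence. The profile/os-release entries target a new directory /run/systemd/stub/ without a `d` line for it, which presumably relies on systemd-tmpfiles creating leading directories for `C` entries — worth confirming, since a missing parent would make these two copies fail rather than merely be skipped.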
index 8d05abcfc143da7fbe7d40cf24efe61dc75145c1..52611357c2ba1fdf8809f16b267222321e66a7ff 100644 (file)
@@ -29,15 +29,17 @@ foreach pair : files
         endif
 endforeach
 
-in_files = [['etc.conf',                      ''],
-            ['legacy.conf',                   'HAVE_SYSV_COMPAT'],
-            ['static-nodes-permissions.conf', ''],
-            ['systemd.conf',                  ''],
-            ['var.conf',                      ''],
-            ['20-systemd-userdb.conf',        'ENABLE_SSH_USERDB_CONFIG'],
-            ['20-systemd-ssh-generator.conf', 'ENABLE_SSH_PROXY_CONFIG'],
-            ['20-systemd-shell-extra.conf',   'LINK_SHELL_EXTRA_DROPIN'],
-           ]
+in_files = [
+        ['20-systemd-shell-extra.conf',   'LINK_SHELL_EXTRA_DROPIN'],
+        ['20-systemd-ssh-generator.conf', 'ENABLE_SSH_PROXY_CONFIG'],
+        ['20-systemd-stub.conf',          'ENABLE_EFI'],
+        ['20-systemd-userdb.conf',        'ENABLE_SSH_USERDB_CONFIG'],
+        ['etc.conf',                      ''],
+        ['legacy.conf',                   'HAVE_SYSV_COMPAT'],
+        ['static-nodes-permissions.conf', ''],
+        ['systemd.conf',                  ''],
+        ['var.conf',                      ''],
+]
 
 foreach pair : in_files
         if not enable_tmpfiles
index d36f0694af58c75b06f60ba8a0625f8b184d7bee..815fb2dd4089c897c2086184308051a6022a4aaf 100644 (file)
@@ -65,9 +65,3 @@ d /var/lib/systemd/ephemeral-trees 0755 root root 0
 d /var/lib/private 0700 root root -
 d /var/log/private 0700 root root -
 d /var/cache/private 0700 root root -
-
-{% if ENABLE_EFI %}
-# Copy sd-stub provided PCR signature and public key file from initrd into /run/, so that it will survive the initrd stage
-C /run/systemd/tpm2-pcr-signature.json 0444 root root - /.extra/tpm2-pcr-signature.json
-C /run/systemd/tpm2-pcr-public-key.pem 0444 root root - /.extra/tpm2-pcr-public-key.pem
-{% endif %}