
Commit 9540f8e

committed
FSS rotation after first boot
Signed-off-by: Julius Koskela <julius.koskela@unikie.com>
1 parent e7a6401 commit 9540f8e


2 files changed

+15
-28
lines changed


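--- a/modules/common/logging/fss.nix
+++ b/modules/common/logging/fss.nix
@@ -37,8 +37,9 @@
 # Operational Notes:
 # -----------------
 # 1. First Boot (per component):
-# - journal-fss-setup.service runs before systemd-journald
+# - journal-fss-setup.service runs after systemd-journald is ready
 # - Generates sealing keys with configured seal interval
+# - Rotates journal to start using FSS keys immediately
 # - Extracts verification key to cfg.keyPath/<hostname>/verification-key
 # - Each component creates its own subdirectory with independent keys
 # - CRITICAL: Backup all verification-keys to secure offline storage
@@ -157,6 +158,14 @@ let
 exit 1
 fi
 
+# Rotate journal to start using FSS keys immediately
+# Per systemd documentation, rotation is required after --setup-keys
+# to create a new journal file that uses the FSS keys
+echo "Rotating journal to enable sealing..."
+if ! journalctl --rotate; then
+echo "Warning: Journal rotation failed - sealing may not start until next natural rotation"
+fi
+
 # Create sentinel file to prevent re-initialization
 touch "$INIT_FILE"
 chmod 0644 "$INIT_FILE"
@@ -414,24 +423,18 @@ in
 ];
 
 # One-shot service to generate FSS keys on first boot
+# Runs after journald is ready, then rotates journal to enable sealing
 systemd.services.journal-fss-setup = {
 description = "Setup Forward Secure Sealing keys for systemd journal";
 documentation = [ "man:journalctl(1)" ];
 
-wantedBy = [ "sysinit.target" ];
-before = [
-"systemd-journald.service"
-"systemd-journal-flush.service"
-];
-after = [ "local-fs.target" ];
+wantedBy = [ "multi-user.target" ];
+after = [ "systemd-journald.service" ];
+wants = [ "systemd-journald.service" ];
 
 unitConfig = {
-# Prevent implicit After=basic.target which creates ordering cycle
-DefaultDependencies = false;
 # Only run if not already initialized
 ConditionPathExists = "!${cfg.keyPath}/initialized";
-# Ensure journal directory is ready and writable
-ConditionPathIsReadWrite = "/var/log/journal";
 };
 
 serviceConfig = {
@@ -441,22 +444,6 @@ in
 };
 };
 
-# Make journald sockets wait for FSS setup before starting
-# This ensures FSS keys are configured before any journal entries are written.
-# Adding After= to the socket units themselves is required because:
-# - journald sockets have DefaultDependencies=no
-# - Before= on our service doesn't create a dependency from socket to service
-# - Only explicit After= on the socket creates proper ordering
-systemd.sockets."systemd-journald" = {
-after = [ "journal-fss-setup.service" ];
-wants = [ "journal-fss-setup.service" ];
-};
-
-systemd.sockets."systemd-journald-dev-log" = {
-after = [ "journal-fss-setup.service" ];
-wants = [ "journal-fss-setup.service" ];
-};
-
 # Service to verify journal integrity
 systemd.services.journal-fss-verify = {
 description = "Verify systemd journal integrity using Forward Secure Sealing";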
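Review bot: The new ordering in the third hunk starts journal-fss-setup only after systemd-journald.service, so on first boot every entry journald writes before the `journalctl --rotate` in the second hunk lands in a journal file created without FSS keys and is never sealed; the Operational Notes in the first hunk should state that, e.g. `# - Entries written before this first-boot rotation remain unsealed`. Nothing orders the service after systemd-journal-flush.service any more and `ConditionPathIsReadWrite = "/var/log/journal"` was dropped, so whether the rotated file is created under the persistent directory that holds the sealing key depends on journald's Storage= setting, which is not visible here — worth confirming, or adding `"systemd-journal-flush.service"` to `after`. In the second hunk a failed rotation is only echoed and the script still creates `$INIT_FILE`, so the ConditionPathExists guard prevents any retry; that is acceptable because the keys already exist, but the warning belongs on stderr (`echo "Warning: ..." >&2`) rather than mixed into the progress output. The setup script's enclosing shell block starts and ends outside the hunk.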

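--- a/tests/logging/test_scripts/fss-test.nix
+++ b/tests/logging/test_scripts/fss-test.nix
@@ -174,7 +174,7 @@ writeShellApplication {
 
 # Test 6: Check verification timer
 info "Test 6: Checking verification timer..."
-if systemctl list-unit-files | grep -q "journal-fss-verify.timer"; then
+if systemctl list-unit-files 2>/dev/null | grep -q "journal-fss-verify.timer"; then
 if systemctl is-active --quiet journal-fss-verify.timer; then
 pass "journal-fss-verify.timer is active"
 NEXT_RUN=$(systemctl list-timers journal-fss-verify --no-pager 2>/dev/null | grep journal-fss-verify | awk '{print $1, $2}' || echo "unknown")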
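Review bot: Redirecting stderr on the changed line only hides the error text; when systemctl itself fails (no D-Bus, not running under systemd) the pipeline falls through to the same branch as a missing unit, so a broken test host is reported as "timer not installed" rather than as an error. Capturing the listing first keeps the two cases distinguishable and also avoids the case where `grep -q` closes the pipe early and a SIGPIPE'd systemctl fails the whole pipeline under pipefail, which writeShellApplication enables by default: `units=$(systemctl list-unit-files 2>/dev/null) || units=""` followed by `if grep -q "journal-fss-verify.timer" <<<"$units"; then`, with the empty-string case reported through whatever failure helper the script uses. The if/else this line opens continues outside the hunk.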
