systemd-report-sign-tsm@.service, systemd-report-sign-tsm.socket, systemd-report-sign-tsm — Sign system reports with a confidential-computing attestation report
systemd-report-sign-tsm@.service
systemd-report-sign-tsm.socket
/usr/lib/systemd/systemd-report-sign-tsm
systemd-report-sign-tsm@.service is a system service that signs system reports
generated by
systemd-report(1). It is
a signing backend for the --sign= logic of that tool: it implements the
io.systemd.Report.Signer.Sign() Varlink method and is reached via a socket linked into
the /run/systemd/report.sign/ directory, named tsm.
The service is socket-activated (one instance per connection) via
systemd-report-sign-tsm.socket. Rather than signing with a local key, it obtains a
hardware-backed attestation report from the platform's Trusted Security Module (TSM) through the kernel's
configfs-TSM interface at /sys/kernel/config/tsm/report/. The digest passed to it is
embedded into the report as its run-time provided data ("inblob"), cryptographically
binding the attestation report to the system report being signed.
The returned signature carries the binary attestation report (the "outblob"), the
name of the TSM provider that generated it (for example "sev_guest" for AMD SEV-SNP or
"tdx_guest" for Intel TDX), and, where the provider supplies them, supplemental
certificate ("auxblob") and manifest ("manifestblob") data. A verifier
selects the appropriate validation logic based on the provider field.
This backend is only functional inside a confidential virtual machine whose kernel exposes the configfs-TSM interface (such as AMD SEV-SNP or Intel TDX guests). On systems where the interface is unavailable the signing operation is reported as unsupported and the mechanism is skipped. The service keeps no persistent state.