Dan Streetman [Fri, 17 Feb 2023 17:59:18 +0000 (12:59 -0500)]
tpm2: add tpm2_get_legacy_template() and tpm2_get_srk_template()
Add functions to get either the 'legacy' or standard SRK template, for RSA or
ECC. The 'legacy' templates are those used with earlier code, where a transient
key was created to use for tpm sealing; the standard SRK is the persistent
shared key as defined in TCG guidance docs.
This also replaces tpm2_get_primary_template() with the new functions; that
function's use of flags is confusing and unnecessary.
Add tpm2_get_capability_handle() to query if a "TPM handle" (meaning, a
location/address in TPM storage) is populated in the TPM, and
tpm2_get_capability_handles() to query for a specific number of handles.
Add tpm2_esys_handle_from_tpm_handle() to create an "esys handle" (an opaque
reference for use with the TPM EAPI that represents a TPM handle address) for an
existing TPM handle.
Since the TPM handle already exists in the TPM, this also requires
updating the cleanup code for Tpm2Handle objects to close the object (free its
resources only from the EAPI code, but leave the handle in the TPM) instead of
flushing the object (which frees its EAPI resources and removes it from the TPM).
core: do not GC units/jobs that are in the D-Bus queue
Let's make sure that D-Bus messages are always sent out when pending,
before we might GC a unit/job.
This is kinda a follow-up for 8db998981a4fefd0122bcf5f965726b63c9045c2,
and a similar logic really applies: GC should only be done if we
processed everything else, generated everything else and really don't
need it anymore.
This is a follow-up for 8db998981a4fefd0122bcf5f965726b63c9045c2, and
follows a similar logic: a pending OOM event really trumps everything:
we should not GC a unit while it is pending.
Dan Streetman [Wed, 17 May 2023 21:16:23 +0000 (17:16 -0400)]
tpm2: replace _cleanup_tpm2_* macros with _cleanup_()
Remove _cleanup_tpm2_context_ and _cleanup_tpm2_handle_ macros, replacing their
use with _cleanup_(tpm2_context_unrefp) and _cleanup_(tpm2_handle_freep),
respectively.
This removes documentation of SD_RESOLVED_REQUIRE_PRIMARY and
SD_RESOLVED_CLAMP_TTL, which are internal flags, and not usable from
outside of resolved. They are refused by D-Bus APIs, for a reason.
Various other fixes/clean-ups of the relevant docs (including reordering
of the flags docs by "grouping" rather than bit values).
Cyril Roelandt [Wed, 7 Jun 2023 12:33:19 +0000 (14:33 +0200)]
Fix zsh completion for "localectl set-locale"
When running:
$ localectl set-locale LC_MESSAGES=<TAB>
One is prompted with a list of locale fields instead of the list of
valid locales. This is because by calling "compset -P1 '*='", we modify
the $PREFIX special parameter before testing whether it contains an
equal sign. Therefore
if [[ -prefix 1 *\= ]]
is always false, and we always suggest a list of locale fields to the
user.
Balló György [Wed, 7 Jun 2023 11:33:18 +0000 (13:33 +0200)]
kbd-model-map: change the order of Hungarian keymaps
This changes the console layout from 'hu101' to 'hu' when the user calls 'localectl set-x11-keymap hu', because 'hu' is the expected layout instead of 'hu101' for most users.
Michal Sekletar [Wed, 31 May 2023 16:50:12 +0000 (18:50 +0200)]
pam: add call to pam_umask
Setting umask for user sessions via UMASK setting in /etc/login.defs is
a well-known feature. Let's make sure that user manager also runs with
this umask value.
The old syntax with linux + initrds as positional arguments is still accepted,
but a warning is emitted. We should remove the support for this after the
next release or so.
Adding a single verb by itself is not very useful, but opens the door to adding
other verbs.
Without this, the tests would generally be skipped, since we haven't made a
release with the addon stub yet. But even if the file is there, we always want
to test the freshly-built item.
Daan De Meyer [Mon, 5 Jun 2023 11:15:04 +0000 (13:15 +0200)]
repart: Do online encryption when loop devices are available
Online encryption is much faster than offline encryption when using
cryptsetup. To take advantage of this, when loop devices are available,
let's use online encryption instead of offline encryption to encrypt
partitions.
The online encryption logic is the same logic as was removed in 48a09a8fff480aab9a68e95e95cc37f6b1438751, except that it's now
integrated with PartitionTarget to ensure that logic outside of
partition_target_encrypt() has to minimally change regardless of
whether we're doing online or offline encryption.
Daan De Meyer [Thu, 1 Jun 2023 11:56:05 +0000 (13:56 +0200)]
fs-util: Allow passing NULL path to xopenat()
We recently codified in the coding style that for openat() style APIs,
an empty path can be passed both as the empty string and as NULL, so
let's make sure we follow that style in xopenat().
generators: change TimeoutSec=0 to TimeoutSec=infinity
With these settings we intend to turn off timeouts for possibly
interactive/slow commands. The officially documented way to turn off the
time-outs is to set them to infinity. So far we set them to zero
here though.
This led to some confusion, for example #18224. Let's fix this by
uniformly spelling out TimeoutSec=infinity.
This doesn't change behaviour. It just makes our generated files match
what we document, without relying on historic compat support.
Dan Streetman [Fri, 17 Feb 2023 17:59:18 +0000 (12:59 -0500)]
tpm2: verify symmetric parms in tpm2_context_new()
This adds tpm2_get_capability_algs(), tpm2_supports_alg(), and
tpm2_test_parms(). These functions allow verifying that the TPM supports
specific algs and parameters.
When creating a new context, this checks if the TPM supports the symmetric algs
we use. If the TPM does not support the symmetric algs and parameters we
require, we log and return error.
This adds a function to query specific capabilities from the TPM. That is then
used in a function to query the allocation of PCRs in the TPM, i.e. which PCR
banks and indexes are available, and caches the PCR allocation when the TPM
context is created.
Turns out we can, apart from just building the module, "shove" it into
the SELinux database in a chroot as well. This brings quite significant
time savings, as the SELinux db rebuild takes 2 - 5 minutes in a VM
without acceleration (and takes currently ~half of the runtime of the test
in the C8S job).
cgls/cgtop: spell field/column "CGroup" rather than "Control Group"
In the documentation we usually spell the concept "control group".
Internally in code we usually call it "cgroup" or "CGroup". In systemctl output we
called the field "CGroup" so far, i.e. a capitalized version of the
internal name. This is of course very unsystematic. Let's clean this up
a bit: let's now say:
* in docs, continue to spell it out "control groups"
* in brief output call it "CGroup"
* internally call it "cgroup" or "CGroup"
99-systemd.rules.in: guard systemd-backlight udev rules by ENABLE_BACKLIGHT
Linux kernel will, as documented in drivers/video/backlight/backlight.c,
report changes to a backlight's brightness as a uevent (ACTION=change).
systemd-udev will consume the uevent, match on this rule and try to
activate the systemd-backlight service for the backlight. BUT when
systemd is not compiled with backlight support, this will lead to
failure that is reported in the journal.
Since the failure to activate systemd-backlight and subsequent failure
log entry happens on every backlight brightness change, we found the
resulting logspam during regular operation excessive and came up with
this patch to mitigate it.
The conditional is also extended to "*kbd_backlight" match, since
even though we did not investigate to see if the logspam would be
similar, the unconditional match to activate systemd-backlight here
would also not make sense when the feature is not compiled in.
Signed-off-by: Simon Braunschmidt <simon.braunschmidt@iba-group.com>
The linter is imperfect, but it is useful as a very quick
check for typos and other silly mistakes. Add a few annotations
and do one small change to make it think the code is perfect.
Daan De Meyer [Mon, 5 Jun 2023 13:29:47 +0000 (15:29 +0200)]
test: Test --offline= in TEST-58-REPART
Instead of using a privileged and unprivileged user to test the
offline and online logic of systemd-repart, let's always run repart
as root and use the --offline= argument to specify repart to use
either the offline or online logic.
ac-power: add --low switch to systemd-ac-power tool
This allows checking from shell scripts whether the system is in a low
battery state. It just exposes the code we anyway have in a directly
accessible way.
Stefan Roesch [Tue, 28 Feb 2023 20:39:35 +0000 (12:39 -0800)]
add support for KSM
This adds support for KSM (kernel samepage merging). It adds a new
boolean parameter called MemoryKSM to enable the feature. The feature
can only be enabled with newer kernels.