sd-journal: Don't compare hashes from different journal files
In sd_journal_enumerate_fields(), we check if we've already handled
a field by checking if we can find it in any of the already processed
journal files. We do this by calling
journal_file_find_field_object_with_hash(), which compares the size,
payload and hash of the given field against all fields in a journal file,
trying to find a match. However, since we now use per file hash functions,
hashes for the same fields will differ between different journal files,
meaning we'll never find an actual match.
To fix the issue(), let's use journal_file_find_field_object() when one
or more of the files we're comparing is using per file keyed hashes.
journal_file_find_field_object() only takes the field payload and size
as arguments and calculates the hash itself using the hash function from
the journal file we're searching in.
This is an effort to compile a somewhat complete list how PCRs are
actually used on Linux systems these days. It contains data from: the
UEFI PC spec, the shim, the IMA, grub documentation.
I validated these PCRs to some level in the sources.
The grub specific stuff I only added in comments, since I was too lazy
too validate it (also, meh, grub).
It also gives people a hint on which PCR to bind to (and maybe kind of
an explanation of our default choice).
core: replace IPAddressAccessItem with struct in_addr_prefix
Previously, if a unit file which contains n IPAddressAllow/Deny= lines,
then the computational order of parsing the file was O(n^3), as
ip_address_access_reduce(), whose order is O(n^2), is called for each line.
By replacing in_addr_prefix related functions, now the computational
order is O(n log n).
The right long term fix is to extend the kernel to expose the SMBIOS BIOS
Characteristics properly via /sys/class/dmi, but until this happens (and
for backwards compatibility when it does), we need a plan B.
This change implements such a workaround by falling back to using the
instance type from DMI and looking at the ".metal" string present on
metal instances.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Let's log every time we use uninitialized PCRs when unsealing a secret
via TPM2. This indicates a firmware issue usually, and is something we
shouldn't just show when enrolling but also show every time we unseal,
so that the fact that the selected PCR policy is pretty much pointless
is repeatedly shown.
tpm2: support RSA primary keys as fallback if TPM2 devices don't support ECC
Previously, we hardcoded use of ECC as primary keys, since they are much
faster (i.e. saving multiple seconds) to do TPM2 operations with. Alas,
not all TPM2 chips appear to support ECC. Bummer.
Let's hence add a fallback logic: if we can't create an ECC primary key,
use an RSA key, and store that fact away.
AFIU the security guarantees should be roughly the same, it's just that
RSA primary keys is so much slower to work with than ECC.
The primary key algorithm is used is stored in the JSON header of LUKS
disks, in a new field. If the field is absent we assume to use ECC, to
provide full compatibility with old systemd versions.
The primary key algorithm is stored in a new field in the credentials
file format (in fact, a previously unused zero space is used), too.
Hopefully, this should ensure that TPM2 support will "just work" on more
systems.
cryptenroll allows to specify a custom TPM driver separated from
parameters with colon e.g. `systemd-cryptenroll --tpm2-device=swtpm:`
tells to load swtpm tss driver and use it as a device.
Unfortunately it does not work, swtpm driver init() fails with
```
debug:tcti:src/tss2-tcti/tcti-swtpm.c:570:Tss2_Tcti_Swtpm_Init() Dup'd conf string to: 0x562f91cbc000
debug:tcti:src/util/key-value-parse.c:85:parse_key_value_string() parsing key/value: swtpm:
WARNING:tcti:src/util/key-value-parse.c:50:parse_key_value() key / value string is invalid
Failed to initialize TCTI context: tcti:A parameter has a bad value
```
It turns out that cryptenroll suppose to use the driver name internally
and strip it before passing the rest of parameters to init() function.
Without doing it swtpm receives incorrect key-value property and gets
confused.
Fix it by passing the correct parameter (without driver name) to the
init() function.
network: always call address ready callback if address is ready
The address ready callback is used for cleaning up old addresses or
routes acquired by e.g. DHCP. However, the callback was called only
when the address was previously not ready. So, maybe, unnecessary
addresses or routes may not be cleared.
Also, this makes the callback is called slightly earlier. As it may
remove several addresses or routes, and possibly changes the link state.
core: Parse log environment settings again after applying manager environment
Currently, SYSTEMD_LOG_LEVEL set in the ManagerEnvironment property in system.conf
or user.conf doesn't affect the manager's logging level. Parsing the logging environment
variables again after pushing the manager environment into the process environment
block makes sure any new environment changes also get taken into account for logging.
dissect-image: tighten checks on root + /usr/ combinations
Our code logic doesn't support images with two verity partitions at the
moment, hence refuse this early (with ENOTUNIQ)
Also, go even further and refuse any combinations of verity enabled root
with verity-less /usr, simplify because that is unsafe and defeats the
point of verity. (i.e. we want to give the guarantee that for
auto-discovered verity magic we guarantee that the data afterwards
available in /usr is safe).
We already check whether we discovered a /usr verity partition without a
/usr partition when initially mangling the partitions, a bunch of lines
further up, no need to repeat this here.
dissect-image: mangle discovered /usr/ partition data, even if we found a root partition
Previously, we'd clean up discovered /usr/ partition data only if we did
not find a root partition. Given that we allow combinations of root and
/usr partitions clean things up in both cases however.
dissect-image: refuse external verity data in partitioned mode
Our code doesn't support setting up verity with an external verity data
file unless we operate in non-partitioned mode. Let's refuse this
clearly and early if attempted anyway.
dissect-image: also derive read-only mode from fstype in non-partitioned mode
For the GPT partitioned logic we also consult the fstype to determine whether
a partition is read-only (i.e. squashfs is already read-only). For the
non-partitioned mode we didn't do that so far. Fix that.
Let's also pick more precise names for these helpers that are used for
the tabular output: one checks whether a partition is candidate for
verity at all, and the other checks if it is ready to be used for it.
Let's make this clearer in the name.
Let's make the booleans indicating verity state a bit more descriptive.
Let's rename:
can_verity → has_verity: because that's really what this about
whether verity data is included in the image. Whether we actually
can use it is a different story.
verity → verity_ready: this one should tell us if we have everything
need to actually set it up, hence explicitly say "ready to use" in
the name.
network: do not try to drop addresses or routes of unmanaged interfaces on carrier lost
Currently, link_stop_engines(), link_drop_config(), and link_drop_foreign_config()
do nothing when the interface is unmanaged. So this does not change anything.
But returning earlier should be clear and safer for protecting configs
on unmanaged interfaces.
The Bootloader Specification says "devicetree refers to the binary
device tree to use when executing the kernel..", but systemd-boot
didn't actually do anything when encountering this stanza until now.
Add support for loading, applying fixups if relevant, and installing the
new device tree before executing the kernel.
in order to uppercase the first letter of the user's real name. This is
a glib bug, because there is a different codepath that gets the pwd from
vanilla getpwnam instead of getpwnam_r as shown here. When the pwd
struct is returned by getpwnam, its fields point to static data owned by
glibc/NSS, and so it must not be modified by the caller. After much
debugging, Jamie Bainbridge has fixed this in https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2244
by making a copy of the data before modifying it, and that resolves all
problems for glib. Yay!
However, glib is crashing even when getpwnam_r is used instead of
getpwnam! According to getpwnam_r(3), the strings in the pwd struct are
supposed to be pointers into the buffer passed by the caller, so glib
should be able to safely edit it directly in this case, so long as it
doesn't try to increase the size of any of the strings.
Problem is various functions throughout nss-systemd.c return synthesized
records declared at the top of the file. These records are returned
directly and so contain pointers to static strings owned by
libsystemd-nss. systemd must instead copy all the strings into the
provided buffer.
This crash is reproducible if nss-systemd is listed first on the passwd
line in /etc/nsswitch.conf, and the application looks up one of the
synthesized user accounts "root" or "nobody", and finally the
application attempts to edit one of the strings in the returned struct.
All our synthesized records for the other struct types have the same
problem, so this commit fixes them all at once.
nss-systemd: pack pw_passwd result into supplied buffer
getpwnam_r() guarantees that the strings in the struct passwd that it
returns are pointers into the buffer allocated by the application and
passed to getpwnam_r(). This means applications may choose to modify the
strings in place, as long as the length of the strings is not increased.
So it's wrong for us to return a static string here, we really do have
to copy it into the application-provided buffer like we do for all the
other strings.
This is only a theoretical problem since it would be very weird for an
application to modify the pw_passwd field, but I spotted this when
investigating a similar crash caused by glib editing a different field.
See also:
Michal Sekletar [Wed, 8 Sep 2021 13:42:11 +0000 (15:42 +0200)]
sd-event: take ref on event loop object before dispatching event sources
Idea is that all public APIs should take reference on objects that get
exposed to user-provided callbacks. We take the reference as a
protection from callbacks dropping it. We used to do this also here in
sd_event_loop(). However, in cleanup portion of f814c871e6 this was
accidentally dropped.
The `dracut_install` is a misnomer, since the systemd integration test
suite is based on the original dracut's test suite, and not all the
references to dracut has been edited out. Let's fix that.
FIDO2 device access is serialised by libfido2 using flock().
Therefore, make sure to close a FIDO2 device once we are done
with it, or we risk opening it again at a later point and
deadlocking. Fixes #20664.