Frantisek Sumsal [Mon, 13 Nov 2023 19:35:29 +0000 (20:35 +0100)]
test: skip --tpm2-device-key= tests with older OpenSSL
--tpm2-device-key= requires OpenSSL >= 3 with KDF-SS, so let's skip the
test if we're running with older OpenSSL.
+ systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs=12:sha256=F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B /tmp/systemd-cryptsetup-H8y.IMAGE
Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
Allocating context for crypt device /tmp/systemd-cryptsetup-H8y.IMAGE.
Trying to open and read device /tmp/systemd-cryptsetup-H8y.IMAGE with direct-io.
Trying to open device /tmp/systemd-cryptsetup-H8y.IMAGE without direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /tmp/systemd-cryptsetup-H8y.IMAGE.
Crypto backend (OpenSSL 1.1.1k FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7.
Detected kernel Linux 4.18.0-521.el8.ppc64le ppc64le.
...
Failed to find TPM PCR public key file 'tpm2-pcr-public-key.pem': No such file or directory
Failed to read TPM2 PCR public key, proceeding without: No such file or directory
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
PolicyPCR calculated digest: 9a1f511fb94f030eb21d0332ef2739727bf0ead4ec26a204d15b09cdeb4b2555
Calculating sealed object.
Calculating encrypted seed for sealed object.
Calculating encrypted seed for ECC sealed object.
Calculating KDFe().
KDF-SS requires openssl >= 3.
Could not calculate KDFe: Operation not supported
Could not calculate encrypted seed: Operation not supported
Failed to seal to TPM2: Operation not supported
Luca Boccassi [Fri, 10 Nov 2023 00:22:21 +0000 (00:22 +0000)]
executor: lazily load SELinux
Loading the SELinux DB on every invocation can be slow and
takes 2ms-10ms, so do not initialize it unconditionally, but
wait for the first use. On a mkosi Fedora rawhide image, this
cuts the number of loads in half.
Florian Schmaus [Fri, 10 Nov 2023 10:44:09 +0000 (11:44 +0100)]
cgroup: add support for memory.swap.current
In systemctl-show we only show current swap if ever swapped or non-zero. This
reduces the noise on swapless systems, that would otherwise always show a swap
value that never has the chance to become non-zero. It further reduces the
noise for services that never swapped.
Clayton Craft [Fri, 27 Oct 2023 19:50:50 +0000 (12:50 -0700)]
boot: load device tree even if no original config exists
Firmware may not have loaded a devicetree, for example if the device
shipped with windows and exclusively supports ACPI.
We should always load the specified devicetree regardless of firmware
state to enable booting on platforms where Linux only supports DT.
Note: in _cleanup, the orig. config is NULL in this case, and passing
NULL to InstallConfigurationTable is permitted by the EFI spec.
See: https://uefi.org/specs/UEFI/2.10/07_Services_Boot_Services.html
Fixes #24059
Co-authored-by: Daniel Thompson <daniel.thompson@linaro.org>
Frantisek Sumsal [Fri, 10 Nov 2023 15:38:01 +0000 (16:38 +0100)]
fuzz: pass -Dc_args=/-Dcpp_args= to fuzzer targets
Prompted by #29972, because right now it's practically impossible to pass
-fno-sanitize=function to the fuzzer targets without some extensive
sed'ing.
This splits both c_args and cpp_args to separate arguments for
tools/meson-build.sh, because the other way would be to use `eval`, so
the space-separated but quoted strings passed to these options are not
split where they shouldn't, and I'd rather avoid using `eval` if
possible.
Also, this switches the positional arguments we pass to `meson setup`,
as they were in incorrect order (docs say it should be buildir followed
by sourcedir); meson is apparently clever enough to figure this out and
switch the arguments around if necessary, so it didn't complain.
Let's just rely on the word splitting done by bash instead of messing
with that ourselves, as it's just adding extra complexity to appease one
ShellCheck check. Also, this apparently never worked for the nspawn
stuff anyway, since I forgot to set $IFS to an appropriate value, so it
always put all arguments from $KERNEL_APPEND into a single array item
with an extra newline, which then made systemd sad:
~# readarray arr <<< "foo bar baz"; for i in "${arr[@]}"; do echo "'$i'"; done
'foo bar baz
'
~# make -C test/TEST-45-TIMEDATE/ clean setup run BUILD_DIR=$PWD/build TEST_NO_QEMU=1 KERNEL_APPEND="systemd.log_level=console"
...
~# journalctl -o short-monotonic --no-hostname --file /var/tmp/systemd-tests/systemd-test.XaDX67/system.journal --grep "Failed to parse" -p info --no-pager
[551138.986882] systemd-tmpfiles[21]: Failed to parse log level 'console
[551138.987179] systemd-remount-fs[20]: Failed to parse log level 'console
[551138.993125] systemd-sysusers[23]: Failed to parse log level 'console
[551138.998685] journalctl[29]: Failed to parse log level 'console
analyze: add "srk" verb to extract current srk from TPM2 chip
This is pretty low-level functionality, hence placed in systemd-analyze.
This is useful for working with systemd-cryptenroll --tpm2-device-key=,
as it acquires the SRK without requiring the full tpm2-tss tool set.
tpm2-setup: also save the SRK to the file system in TPM2_PUBLIC format
We already save it in PEM format, also store it TPM2_PUBLIC format next
to it. This is useful for usage with systemd-cryptenroll's
--tpm2-device-key= switch.
The tpm2_tpm2b_public_from_pem() invocation only makes sense when we
succeed to load the file from disk, hence we might do this together and
safe a conditionalization.
tpm2-util: move loading of TPM2B_PUBLIC from disk into tpm2-util.c
No change in behaviour, let's just move this over so that we can reuse
this in repart later (and don't have to export the ugly `sym_` function
pointer for it)
Daan De Meyer [Thu, 9 Nov 2023 11:10:53 +0000 (12:10 +0100)]
repart: Fix size round up/round down
Currently, we round minimum sizes up and maximum size down, whereas
it should be the opposite as the current approach means that if the
same size is used for min and max, the min size will end up bigger
than the max size after rounding.
Florian Schmaus [Thu, 9 Nov 2023 07:59:59 +0000 (08:59 +0100)]
core: fix array size in unit_log_resources()
In 0531bded79dc ("core: include peak memory in unit_log_resources()") new log
messages where added, however the size of the according arrays to hold the
messages was not adjusted.
Fixes: 0531bded79dc ("core: include peak memory in unit_log_resources()")
test: use Type=notify together with `busctl monitor`
Let's use the newly gained feature of `busctl` and start is as a
Type=notify unit, which should make sure the unit is started only after
`busctl` is on the bus listening for messages.
This should help with a race spotted in CIs, where we continued too
early after starting `busctl monitor` and miss the emitted signals:
This is pretty much the same stuff as `resolvectl monitor` does, and
allows us to run `busctl monitor` in a Type=notify unit which ensures
that `busctl` is really listening for messages once the unit is marked
as started.
Currently test_setpriority_closest assumes that setting RLIMIT_NICE to 30 will
fail if the process is unprivileged. If it succeeds, it assumes that the
process is privileged and setresuid and setresgid will succeed.
However, if RLIMIT_NICE is already >= 30, then setrlimit will succeed even if
the process is unprivileged. Guard against that by checking for permission
errors in setresuid and setresgid and skipping the full test if so.
Felix Dörre [Fri, 18 Aug 2023 08:00:40 +0000 (10:00 +0200)]
journalctl: verify sealed log epochs are continuous
Currently empty epochs are not sealed. This allows an attacker to truncate
a sealed log and continue it without any problems showing when verifying the
log.
This partially addresses CVE-2023-31438. One way to extend this change to
address CVE-2023-31438 completely, would be to verify that there is exactly
one seal per epoch (and not sealing when the epoch has not ended yet).
the change also adds a journal-file flag: HEADER_COMPATIBLE_SEALED_CONTINUOUS
this flag indicates that a journal file is sealed continuously and decides whether
any missing crypto epochs should trigger a warning or an error.
Mike Yuan [Wed, 8 Nov 2023 17:10:06 +0000 (01:10 +0800)]
fd-util: refuse O_CREAT in fd_reopen
O_CREAT doesn't make sense for fd_reopen, since we're
working on an already opened fd. Also, in fd_reopen
we don't handle the mode parameter of open(2), which
means we may get runtime error like #29938.