When I call 'acpi-update.py' after those changes, the resulting .hwdb files are
the same except for two additions that appeared in the meantime. I don't think
it makes sense to update them again, because the ma-*.txt files changed and we
don't want to store big blobs unnecessarilly.
A non-breaking space is used between "PCR" and the number. I did
search&replace on the whole file, so that when people select&paste
later, they are more likely to use the same format.
Frantisek Sumsal [Wed, 15 Nov 2023 12:56:50 +0000 (13:56 +0100)]
sd-bus: don't treat invalid user/machine as a programming error
$ SYSTEMD_LOG_LEVEL=debug machinectl status --machine=@
Assertion 'r > 0' failed at src/libsystemd/sd-bus/sd-bus.c:1694, function sd_bus_open_system_machine(). Ignoring.
Frantisek Sumsal [Wed, 15 Nov 2023 12:38:02 +0000 (13:38 +0100)]
sd-journal: don't treat invalid match as a programming error
Don't use assert_runtime() when we get an invalid match string, since
that's a runtime error:
$ SYSTEMD_LOG_LEVEL=debug coredumpctl info =
...
Adding match: =
Assertion 'match_is_valid(data, size)' failed at src/libsystemd/sd-journal/sd-journal.c:240, function sd_journal_add_match(). Ignoring.
Failed to add match "=": Invalid argument
gpt-auto-generator: don't eat up errors of generator_enable_remount_fs_service()
I cannot see a reason why we should ignore this error, so let's not. We
use RET_GATHER() on the returns anyway, i.e. collect errors but
continue, so it makes sense to collect this one too.
gpt-auto-generator: drop in_initrd() check in add_partition_root_rw()
This call is never called in the initrd, hence we can drop the extra
check, as it is redundant. Let's keep it as an assert() though, as a
form of code-enforced documentation.
Luca Boccassi [Tue, 14 Nov 2023 21:26:10 +0000 (21:26 +0000)]
Update po files
These are all newline breaks, but some meson tool changed at some
point that causes all of these changes to happen, and they have
started to appear when Weblate sends translations update, making
them very hard to review as they are mostly adding these breaks.
Update all files once and for all so that new translations PRs are
easier to review.
Luca Boccassi [Tue, 14 Nov 2023 20:46:12 +0000 (20:46 +0000)]
hwdb: PNP/ACPI lists on uefi.org are now in CSV format
Adjust the parsing as it's no longer HTML files. Some IDs end with
whitespace, without being quoted, which seems like a mistake as they
weren't before, so strip the ID columns before applying them.
Frantisek Sumsal [Tue, 14 Nov 2023 11:53:51 +0000 (12:53 +0100)]
test: make TEST-06-SELINUX work with the refpolicy and beef it up a bit
Currently the test works only with policy shipped by Fedora, which makes
it pretty much useless in most of our CIs. Let's drop the custom module
and make the test more generic, so it works with the refpolicy as well,
which should allow us to run it on Arch and probably even in Ubuntu CI.
Luca Boccassi [Mon, 13 Nov 2023 19:26:33 +0000 (19:26 +0000)]
selinux: fix loading policy at early boot
First, check for the cached enabled/disabled, as that's what all the
label functions used to do. Then, if initialization is not done yet,
do not cause the label functions to bail out, as it's expected to
happen at early boot.
Among other things, fixes:
systemd[1]: Failed to compute init label, ignoring.
Frantisek Sumsal [Mon, 13 Nov 2023 19:35:29 +0000 (20:35 +0100)]
test: skip --tpm2-device-key= tests with older OpenSSL
--tpm2-device-key= requires OpenSSL >= 3 with KDF-SS, so let's skip the
test if we're running with older OpenSSL.
+ systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs=12:sha256=F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B /tmp/systemd-cryptsetup-H8y.IMAGE
Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
Allocating context for crypt device /tmp/systemd-cryptsetup-H8y.IMAGE.
Trying to open and read device /tmp/systemd-cryptsetup-H8y.IMAGE with direct-io.
Trying to open device /tmp/systemd-cryptsetup-H8y.IMAGE without direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /tmp/systemd-cryptsetup-H8y.IMAGE.
Crypto backend (OpenSSL 1.1.1k FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7.
Detected kernel Linux 4.18.0-521.el8.ppc64le ppc64le.
...
Failed to find TPM PCR public key file 'tpm2-pcr-public-key.pem': No such file or directory
Failed to read TPM2 PCR public key, proceeding without: No such file or directory
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
PolicyPCR calculated digest: 9a1f511fb94f030eb21d0332ef2739727bf0ead4ec26a204d15b09cdeb4b2555
Calculating sealed object.
Calculating encrypted seed for sealed object.
Calculating encrypted seed for ECC sealed object.
Calculating KDFe().
KDF-SS requires openssl >= 3.
Could not calculate KDFe: Operation not supported
Could not calculate encrypted seed: Operation not supported
Failed to seal to TPM2: Operation not supported
storagetm: expose more useful metadata for nvme block devices
don't let the devices to be announced just as model "Linux". Let's instead
propagate the underlying block device's model. Also do something
reasonably smart for the serial and firmware version fields.
David Tardon [Mon, 13 Nov 2023 15:23:37 +0000 (16:23 +0100)]
udev: allow global properties in assignments
Before, handling of global properties (set on systemd-udevd by `udevadm
control -p FOO=foo`) was inconsistent. They were honored in ENV matches,
but not in any assignment. This meant that any use of $env{FOO} (where
FOO was a global property) expanded to an empty string.
Fixup for e87dec82bec6eff015b368b3c746810d684fc6af:
I misunderstood the format. It's actually CBOR, i.e. some binary format.
When trying to show show text we would first check if it's valid UTF-8,
so we would handle this gracefully, i.e. emit a warning and not print
the contents.
test-tpm2: skip RSA generating TPM2 tests on physical hw
The TPM2 tests that genreate an RSA primary key are fast on vtpms, but
very slow on physical TPMs, simply because TPMs aren't precisely fast
devices. It makes sense to keep the tests around however. Hence hide the
test behind the "slow test" logic by default – but only if we run on
physical hw, and keep them in place on VMs (where we'd expect a vtpm, if
any).
tests: add macro for generating function enter log message
The test-tpm2 test multiplexes a bunch of tests from a single
entrypoint test that creates the TPM2 connection. This means we only get
the nice log output which test we are looking for once for the
entrypoint.
Let's add a macro that allows it to nicely generate it for the inner
tests too and use it.
Let's add a new "plymouth-util.c" module with helpers for talking to
plymouth. We so far had three places for this, let's unify the code
doing this a bit.
The meson summary logic checks for ENABLE_* and HAVE_*, but we used a define
with no prefix. Let's make it ENABLE_… for consistency with other config
options. Obviously this also fixes the summary output.
core/unit: use assert for checking internal call sanity
The only way this could be called with an invalid value would be if
somebody forgot to initialize unit type. In such cases, it's better to
fail hard immediately.
Rename {dual,triple}_timestamp_get to {dual,triple}_timestamp_now
Those functions take a pointer to a timestamp and return a timestamp pointer,
so the reader would be justified to think that those are just getters. Rename
them to avoid confusion.
There are draft proposals to embed SBOM metadata in the .sbom section of PE
binaries [1], in the coSWID XML format. Some details of how this is actually
implemented might change, but it seems very likely that both section name and
it being text will stay. Let's show the section as text to make such binaries
easier to inspect. ([1] recommends using 'objcopy -j .sbom' which isn't
particularly readable.) Once there's more standarization of the actual
format, we can add pretty-printing and/or syntax highlighting.
Luca Boccassi [Fri, 10 Nov 2023 00:22:21 +0000 (00:22 +0000)]
executor: lazily load SELinux
Loading the SELinux DB on every invocation can be slow and
takes 2ms-10ms, so do not initialize it unconditionally, but
wait for the first use. On a mkosi Fedora rawhide image, this
cuts the number of loads in half.