Mike Yuan [Thu, 29 Dec 2022 06:51:06 +0000 (14:51 +0800)]
systemctl: enable: overwrite broken alias symlinks
When switching to an alternative alias provider,
the previous one might have been uninstalled or so.
It should be fine for us to overwrite them directly.
Luca Boccassi [Wed, 28 Dec 2022 16:27:37 +0000 (17:27 +0100)]
man: note that DynamicUser=yes is incompatible with D-Bus
Due to policy checks against system users this cannot currently work, and it is non-obvious.
In the future it might be implemented if support is added to dbus-broker/dbus-daemon, e.g.:
resolvectl: don't filter loopback DNS server from global DNS server list
"resolvectl status" shows per-link DNS servers separately from global
ones. When querying the global list, it will contain both per-link and
global servers however. Thus, to not show duplicate info we filter all
entries that actually have a non-zero ifindex set (under the assumption
that that's a per-link server).
This doesn't work if people configured 127.0.0.1 as global server
though, as we'll add ifindex 1 to it since 6e32414a66ff8dbcef233981a7066684d903ee9f unconditionally even for global
servers.
Let's address that by excluding entries with ifindex 1 from suppression.
This is safe as resolved ignores loopback ifaces, hence never will have
per-link servers on ifindex 1.
Note that this splits up the "with_ifindex" parameter into a second
parameter "only_global", since they semantically do two different
things. One controls whether we shall expect/parse an ifindex dbus
field. The other controls whether we shall filter all ifindex values set
!= 0. These are effectively always used in conjunction hence making them
the same actually worked. However, this is utterly confusing I think,
which I guess is resulting in the confusion around #25796 (which
removes the whole check).
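The filtering rule the message describes, as an added illustration (not resolvectl's own code): a constructed list of server entries with ifindex values, the old "suppress everything with ifindex != 0" rule beside the fixed rule that keeps ifindex 1, and the two knobs kept apart (only_global decides whether per-link entries are dropped; whether an ifindex field is parsed at all is a separate concern and is simply assumed here). The struct, the sample addresses and the helper names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one entry of the DNS server list that resolved hands
 * to resolvectl: ifindex 0 means a global server, ifindex > 0 a per-link one,
 * and ifindex 1 is always the loopback interface. */
typedef struct {
        int ifindex;
        const char *address;
} DnsServer;

#define LOOPBACK_IFINDEX 1

/* Fixed rule: with only_global set, drop the per-link entries (they are printed
 * under their own link), but keep anything on ifindex 1. resolved ignores
 * loopback links, so an entry tagged with ifindex 1 can only be a global server
 * such as 127.0.0.1 that got the loopback ifindex attached. */
static bool dns_server_is_global_entry(const DnsServer *s, bool only_global) {
        if (!only_global)
                return true;                     /* caller wants the raw list */
        if (s->ifindex == 0)
                return true;                     /* plain global server */
        return s->ifindex == LOOPBACK_IFINDEX;   /* global server tagged with loopback */
}

/* Old rule, for comparison: suppress every entry with a non-zero ifindex, which
 * also hides a global 127.0.0.1 because it is reported with ifindex 1. */
static bool dns_server_is_global_entry_old(const DnsServer *s) {
        return s->ifindex == 0;
}

/* Constructed sample list: a per-link server on ifindex 2, a global 127.0.0.1
 * reported with the loopback ifindex, and an ordinary global server. */
static const DnsServer SAMPLE[] = {
        { 2, "192.0.2.53"   },
        { 1, "127.0.0.1"    },
        { 0, "2001:db8::53" },
};
#define SAMPLE_N (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Address of the idx-th entry the chosen rule shows in the global section, or NULL. */
static const char *shown_address(bool only_global, bool old_rule, size_t idx) {
        size_t k = 0;
        for (size_t i = 0; i < SAMPLE_N; i++) {
                bool shown = old_rule ? dns_server_is_global_entry_old(&SAMPLE[i])
                                      : dns_server_is_global_entry(&SAMPLE[i], only_global);
                if (shown && k++ == idx)
                        return SAMPLE[i].address;
        }
        return NULL;
}

/* Number of entries shown in the global section under the chosen rule. */
static size_t shown_count(bool only_global, bool old_rule) {
        size_t n = 0;
        while (shown_address(only_global, old_rule, n))
                n++;
        return n;
}

int main(void) {
        printf("global servers, old rule:\n");
        for (size_t i = 0; shown_address(true, true, i); i++)
                printf("  %s\n", shown_address(true, true, i));
        printf("global servers, fixed rule:\n");
        for (size_t i = 0; shown_address(true, false, i); i++)
                printf("  %s\n", shown_address(true, false, i));
        return 0;
}
```

With the old rule the global section lists only 2001:db8::53; with the fixed rule 127.0.0.1 is back, while the ifindex 2 entry still goes to its link's own section.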
This renames systemd-boot-system-token.service to
systemd-boot-random-seed.service and conditions it less strictly.
Previously, the job of the service was to write a "system token" EFI
variable if it was missing. It called "bootctl --graceful random-seed"
for that. With this change we condition it more liberally: instead of
calling it only when the "system token" EFI variable isn't set, we call
it whenever a boot loader interface compatible boot loader is used. This
means, previously it was invoked on the first boot only: now it is
invoked at every boot.
This doesn't change the command that is invoked. That's because
previously already the "bootctl --graceful random-seed" did two things:
set the system token if not set yet *and* refresh the random seed in the
ESP. Previously we put the focus on the former, now we shift the focus to
the latter.
With this simple change we can replace the logic f913c784ad4c93894fd6cb2590738113dff5a694 added, but from a service that
can run much later and doesn't keep the ESP pinned.
random-seed: don't refresh EFI random seed from random-seed.c anymore
The ESP is simply not mounted early enough for this. We want that the
regular random seed handling runs as early as we possibly could, but we
don't want to delay this until the ESP is actually mounted.
Hence, let's remove this from random-seed.c here. A follow-up commit
will then add this back in, in a separate service which just calls
"bootctl random-seed".
bootctl: rework random seed logic to use open_mkdir_at() and openat()
This doesn't really fix anything, but in general we should put stronger
emphasis on operating via dir fds rather than paths more (in particular
when writing files as opposed to consuming them).
resolved: downgrade inability to send varlink reply error message
Previously, if a client disconnected after sending a lookup request but
before waiting for the reply we'd log at LOG_ERR level. That's
confusing, since it's entirely OK for the client to lose interest.
msizanoen1 [Tue, 27 Dec 2022 04:57:12 +0000 (11:57 +0700)]
udev: match device tags in rules using current device tags
This ensures that udev scripts using `TAG-="..."` and expecting later
udev rules to honor it will work properly. A use case is removing the
`uaccess` tag from a device without overriding the original file and
ensuring that `73-seat-uaccess.rules` won't run the uaccess builtin later.
It seems that using this protocol on some firmwares to forcibly
initialize console devices may break handles (already opened file
handles and the device handle itself) that we rely on to access the
boot filesystem, making it impossible to load the selected entry.
It might be possible to get a new handle by querying for the device
handle by using its device path after calling into this protocol, but
this is untested. The firmware might also be so buggy that accessing
devices after using this protocol is impossible.
It seems prudent to revert this for now until some reliable way is found
to initialize console devices without introducing huge boot delays. Any
users on firmware where console devices cannot be accessed would have to
rely on disabling fastboot.
../src/basic/cgroup-util.c: In function ‘skip_session’:
../src/basic/cgroup-util.c:1241:32: error: incompatible types when returning type ‘_Bool’ but ‘const char *’ was expected
1241 | return false;
This is a small cleanup removing the need for the spurious
*ret_shutdown_verb argument on invoke_main_loop() while moving
the MANAGER_OBJECTIVE::shutdown_verb string mapping local to
where it actually gets added to the shutdown argv in
become_shutdown().
This also eliminates the need for the several clearings of
*ret_shutdown_argv, and the streq() branches of shutdown_verb in
favor of plain equality tests against the objective value.
Jan Janssen [Sun, 1 Jan 2023 10:32:55 +0000 (11:32 +0100)]
ukify: Fix section offset calculation
objcopy seems to expect that the offset passed to --change-section-vma
is absolute instead of relative to ImageBase. If this is not accounted
for, an invalid image is created that cannot be loaded:
Daan De Meyer [Mon, 2 Jan 2023 13:53:47 +0000 (14:53 +0100)]
ukify: Require specifying --tools for each tools directory
Instead of consuming N arguments as tools directories, let's always
only consume one argument per specification of --tools. This avoids
issues where the linux image and initrd are interpreted as tools
directories.
Ludwig Nussel [Wed, 28 Dec 2022 13:00:35 +0000 (14:00 +0100)]
machined: pass shell command line to polkit
Pass the joined arguments to polkit as command_line property like
pkexec does. Obviously not exactly perfect as it lacks quoting. Good
enough for polkit rules to check whether a program was called with
or without arguments though.
Jia Zhang [Sun, 25 Dec 2022 04:29:11 +0000 (12:29 +0800)]
boot: don't convert the trailing newline in mangle_stub_cmdline()
It is pretty convenient to add .cmdline using /proc/cmdline like
this:
--add-section .cmdline=/proc/cmdline --change-section-vma .cmdline=0x25000
However, it always returns a trailing newline, and the stub will
convert it to a whitespace by mangle_stub_cmdline() on the next boot.
Thus the resulting /proc/cmdline would contain a trailing
whitespace. When /proc/cmdline is used to generate .cmdline again,
the resulting UKI is mangled.
To address this kind of inconvenience, mangle_stub_cmdline() should
skip converting the trailing newline, and try to chomp all the
trailing whitespaces.
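The round trip the message describes, as an added example (not sd-stub's mangle_stub_cmdline(), which operates on UTF-16 and whose exact rules are not reproduced here): a hypothetical byte-string version of the old behaviour beside the fixed one, plus a small simulation of rebuilding the UKI from /proc/cmdline several times, which shows the trailing whitespace accumulating with the old code and staying stable with the fix. The sample command lines are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical re-implementation of the mangling the stub applies to the
 * .cmdline section before handing it to the kernel: control characters,
 * newlines included, become spaces so the kernel gets a single line.
 * Both variants modify the buffer in place and return it. */

/* Old behaviour: every control character becomes a space, the trailing newline
 * of a .cmdline copied from /proc/cmdline too, so "quiet\n" ends up "quiet ". */
static char *mangle_stub_cmdline_old(char *cmdline) {
        for (char *p = cmdline; *p; p++)
                if ((unsigned char) *p < 0x20 || *p == 0x7f)
                        *p = ' ';
        return cmdline;
}

/* Fixed behaviour: trailing whitespace and control characters (the newline
 * included) are chomped instead of converted, then the rest is mangled as
 * before, so feeding the result back through /proc/cmdline is idempotent. */
static char *mangle_stub_cmdline(char *cmdline) {
        size_t n = strlen(cmdline);

        while (n > 0 && ((unsigned char) cmdline[n - 1] <= 0x20 || cmdline[n - 1] == 0x7f))
                cmdline[--n] = '\0';

        for (size_t i = 0; i < n; i++)
                if ((unsigned char) cmdline[i] < 0x20 || cmdline[i] == 0x7f)
                        cmdline[i] = ' ';
        return cmdline;
}

/* Helpers working on a private copy, so a string literal can be the input. */
static char scratch[256];

static const char *mangled_old(const char *in) {
        snprintf(scratch, sizeof scratch, "%s", in);
        return mangle_stub_cmdline_old(scratch);
}

static const char *mangled(const char *in) {
        snprintf(scratch, sizeof scratch, "%s", in);
        return mangle_stub_cmdline(scratch);
}

/* Simulate 'rounds' rebuilds of the UKI from /proc/cmdline (the kernel appends a
 * newline to what it exposes there). Returns the length of the command line the
 * kernel would finally see: it grows by one per round with the old code and
 * stays constant with the fix. */
static size_t rebuild_rounds(const char *initial, int rounds, int use_old) {
        char buf[256];
        snprintf(buf, sizeof buf, "%s", initial);
        for (int r = 0; r < rounds; r++) {
                if (use_old) mangle_stub_cmdline_old(buf); else mangle_stub_cmdline(buf);
                size_t n = strlen(buf);                 /* /proc/cmdline = mangled + "\n" */
                if (n + 1 < sizeof buf) { buf[n] = '\n'; buf[n + 1] = '\0'; }
        }
        if (use_old) mangle_stub_cmdline_old(buf); else mangle_stub_cmdline(buf);
        return strlen(buf);
}

int main(void) {
        printf("old: \"%s\"\n", mangled_old("root=/dev/sda1 quiet\n"));
        printf("new: \"%s\"\n", mangled("root=/dev/sda1 quiet\n"));
        printf("after 2 rebuilds, old/new length: %zu/%zu\n",
               rebuild_rounds("root=/dev/sda1 quiet\n", 2, 1),
               rebuild_rounds("root=/dev/sda1 quiet\n", 2, 0));
        return 0;
}
```

The chomp runs before the conversion on purpose: converting first would turn the trailing newline into a space that then has to be stripped anyway, and stripping control characters directly also covers a "\r\n" ending.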
The text said /dev/tty* as a whole was the VT subsystem and that VT is
not supported in containers.
But that's not accurate as /dev/tty* will match /dev/tty too and that
one device node is special and is not related to VT: it always points to
the current process's own controlling tty, regardless of what that is.
units: pull in loop.ko and dm-mod.ko before repart
We want to make use of that when formatting file systems, hence let's
pull in these modules explicitly.
(This is necessary because we are an early boot service that might run
before systemd-tmpfiles-dev.service, which creates /dev/loop-control and
/dev/mapper/control.)
Alternatively we could just order ourselves after
systemd-tmpfiles-dev.service, but I think there's value in adding an
explicit minimal ordering here, since we know what we'll need.
Jia Zhang [Fri, 23 Dec 2022 09:23:36 +0000 (17:23 +0800)]
measure: fix the failures of compare_reported_pcr_nr()
EFI_LOADER_VARIABLE() already applies stringification to construct the
path of the EFI variable in efivars, so it is wrong to enclose the name of
EFI variable with the quotes. Otherwise, the following errors are
reported.
Reading EFI variable /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrKernelImage"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrKernelImage"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrKernelParameters"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrKernelParameters"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrInitRDSysExts"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrInitRDSysExts"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
dissect-image: optionally, reference dissected partition device nodes by diskseq
This is useful to make the dissection logic at boot a bit safer, as we
can reference device nodes by diskseq.
This locks down dissection a bit, since it makes it harder to swap out
the backing device between the time we dissected and validated it, until
we actually mounted it.
This is not complete though, as /bin/mount would have to verify the
diskseq after opening the diskseq symlink again.
Peter Cai [Sun, 18 Dec 2022 01:33:05 +0000 (20:33 -0500)]
cryptenroll: Implement support for unlocking via FIDO2 tokens
This allows FIDO2 users to wipe out password slots and still be able to
enroll new key slots via systemd-cryptenroll. Note that when the user
wants to both unlock with a FIDO2 token and enroll a new FIDO2 token,
they cannot be set to automatic discovery. This is to safeguard against
confusion, because there will be multiple tokens connected to the system
when doing so -- and we require users to explicitly confirm which one to
use for unlocking and which one to use for enrollment.
Peter Cai [Sun, 18 Dec 2022 01:28:51 +0000 (20:28 -0500)]
cryptsetup-fido2: Remove plain mode parameters from `acquire_fido2_key_auto()`
`acquire_fido2_key_auto()` will not be used in PLAIN mode, and
parameters such as the salt will be acquired from the LUKS header.
Parameters intended for PLAIN mode are useless in
`acquire_fido2_key_auto()`.
Daan De Meyer [Mon, 19 Dec 2022 14:29:43 +0000 (15:29 +0100)]
ukify: Prefer using llvm-objcopy instead of objcopy
llvm-objcopy works on stubs built for foreign architectures whereas
objcopy doesn't so let's prefer using llvm-objcopy instead of objcopy.
llvm-objcopy automatically sets the virtual address and doesn't provide
an option to set it manually so we only add --change-section-vma when
using objcopy.
The default section flags differ between llvm-objcopy and objcopy
so we add a default for the section flags so we make sure all sections
are read-only data unless specified otherwise.
When we dissect images automatically, let's be a bit more conservative
with the file system types we are willing to mount: only mount common
file systems automatically.
Explicit mounts requested by admins should always be OK, but when we do
automatic mounts, let's not permit barely maintained, possibly legacy
file systems.
The list for now covers the four common writable and two common
read-only file systems. Sooner or later we might want to add more to the
list.
Also, it might make sense to eventually make this configurable via the
image dissection policy logic.
Yu Watanabe [Thu, 22 Dec 2022 00:40:37 +0000 (09:40 +0900)]
wait-online: exit with success when all interfaces are ready or unmanaged
Previously, when neither the '--any' nor the '--interface' option was specified,
at least one of the interfaces had to be in the configured state.
This patch makes wait-online exit with success even if all interfaces
are in unmanaged state.
This may break backward compatibility in a rare situation. But in most
cases, this typically does not change anything, as at least one interface
is managed by networkd.service when it is enabled.
This is mostly for making wait-online gracefully handle the case that
networkd.service and wait-online.service are enabled by mistake. In such a
situation, all interfaces are typically unmanaged.
string-util: rework empty_to_null() to not change "const" qualifier of input
This changes the definition of empty_to_null() so that we are still
typesafe (i.e. only accept strings) but do not drop (or add) any const
to the returned string that wasn't also on the input.
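One way to get both properties in C, as an added illustration and not systemd's own definition: a _Generic dispatch that admits only char * and const char * (anything else fails to compile) and forwards to a helper with the matching signature, so the qualifier of the argument is the qualifier of the result. The helper names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* One helper per qualification; the macro below picks the matching one. */
static inline char *empty_to_null_mut(char *p) {
        return (p && *p) ? p : NULL;
}

static inline const char *empty_to_null_const(const char *p) {
        return (p && *p) ? p : NULL;
}

/* Type-safe: only string pointers are accepted (an int or void * is a compile
 * error), and the selected helper returns exactly the argument's type, so const
 * is neither dropped from a const char * nor added to a char *. Arrays decay to
 * pointers in the controlling expression, so string literals work too. */
#define empty_to_null(p)                                        \
        _Generic((p),                                           \
                 char *:       empty_to_null_mut,               \
                 const char *: empty_to_null_const)(p)

/* A const pointer comes back const (assigning it to char * would not compile)
 * and a mutable buffer comes back mutable, so it can still be written through.
 * Returns 1 when both observations hold. */
static int empty_to_null_keeps_qualifier(void) {
        const char *ro = "abc";
        const char *ro_out = empty_to_null(ro);   /* const in, const out */

        char rw[] = "xyz";
        char *rw_out = empty_to_null(rw);         /* char[] decays to char *, stays writable */
        rw_out[0] = 'X';

        return ro_out == ro && rw[0] == 'X';
}

/* Behaviour of the helper itself: NULL and "" map to NULL, anything else is
 * passed through unchanged. */
static int empty_to_null_behaviour(void) {
        char empty[] = "";
        return empty_to_null((char *) NULL) == NULL
            && empty_to_null(empty) == NULL
            && empty_to_null("") == NULL
            && strcmp(empty_to_null("value"), "value") == 0;
}
```

The compile-time half of the guarantee cannot be asserted at run time; to see it, try empty_to_null(42) or assign empty_to_null(ro) to a char * and watch the compiler reject it.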