sd-journal: downgrade log message "Unused data (entry_offset==0)"
This happens when journal is rotated after a data is written but before
an entry that linked to the data is not written yet.
This is neither data corruption, nor program error. Let's downgrade the
log level.
Previously, the path is obtained from the fd, but it is closed in
sd_event_loop() to unpin the filesystem.
So, let's save the path when the event source is created, and make
sd_event_source_get_inotify_path() simply read it.
man: correct where we look for auxiliary partitions
We look for the root fs on the device of the booted ESP, and for the
other partitions on the device of the root fs. On EFI systems this
generally boils down to the same, but there are cases where this doesn't
hold, hence document this properly.
Alberto Planas [Tue, 2 Apr 2024 14:18:30 +0000 (16:18 +0200)]
pcrlock: add make_pcrlock_record_from_stream
To hash long files (like initrd) add the funcion
make_pcrlock_record_from_stream, that will read a long file (or stdin)
to generate the digests of multiple hashes, redading block by block.
Use this new function in verb_lock_raw and verb_lock_kernel_initrd.
This commit adds support for loading, measuring and handling a ".ucode"
UKI section. This section is functionally an initrd, intended for
microcode updates. As such it will always be passed to the kernel first.
Luca Boccassi [Wed, 21 Feb 2024 20:00:29 +0000 (20:00 +0000)]
portable: support vpick
Resolve at attach/detach/inspect time, so that the image is pinned and requires
re-attaching on update, given files are extracted from it so just passing
img.v/ to RootImage= is not enough to get a portable image updated
CentOS/Fedora use annobin which will complain if FORTIFY_SOURCE=0
is used so we disable those checks to avoid the warnings.
We also make sure that when we query the compilation flags so we can
add more, we set _fortify_level=0 and undefine _lto_flags so that we
don't get those flags in the result.
sd-radv: allow to modify RA header elements without stopping sd-radv
This also makes too large retransmit time handled gracefully,
as even if a too large value is specified, usec_to_be32_msec() in
radv_send_router() will handle it gracefully anyway.
Note, networkd still refuses such invalid values. Hence, this does not
change any effective behavior.
Mike Yuan [Tue, 16 Apr 2024 17:32:27 +0000 (01:32 +0800)]
systemctl-start-unit: Subscribe() is unnecessary if we RefUnit explicitly
Subscribe() enables full signal delivery on API bus. But aside from
that, if a unit/job is explicitly Ref()'d, manager also emits the
signal. See bus_foreach_bus() for details.
bus-wait-for-units refs every unit to wait for, so there's no need
to Subscribe() on top of that. In verb_clean_or_freeze() Subscribe()
is not called either.
Nick Rosbrook [Thu, 18 Apr 2024 16:01:42 +0000 (12:01 -0400)]
copy: ignore -EOPNOTSUPP from copy_file_range()
According to copy_file_range (2), errno will be set to EOPNOTSUPP when
the file system does not support copy_file_range(). Since there is
already fallback logic in place here for other kinds of errors, add
-EOPNOTSUPP to the list of ignored errors.
pcrlock: rework --recovery-pin= to take three different arguments
This reworkds --recovery-pin= from a parameter that takes a boolean to
an enum supporting one of "hide", "show", "query".
If "hide" (default behaviour) we'll generate a recovery pin
automatically, but never show it, and thus just seal it and good.
If "show" we'll generate a recovery pin automatically, but display it in
the output, so the user can write it down.
If "query" we'll ask the user for a recovery pin, and not automatically
generate any.
For compatibility the old boolean behaviour is kept.
With this you can now do "systemd-pcrlock make-policy
--recovery-pin=show" to set up the first policy, write down the recovery
PIN. Later, if the PCR prediction didn't work out one day you can then
do "systemd-pcrlock make-policy --recovery-pin=query" and enter the
recovery key and write a new policy.
pcrlock: generate recovery PINs via make_recovery_key()
We already have infrastructure for generating nice recovery keys, for
the usual cryptenroll recovery keys. Let's reuse them here, as they are
nicer to read and type than the base64 encoded randomness we so far
used.
Previously valid recovery keys remain valid, in their original format.
For future enrollments we'll however have nicer, easier recovery keys to
deal with.
tpm2-util: now that we don't use PolicyAuthValue anymore, let's not set an authValue anymore for the policy nvindex
We have now switched from PolicyAuthValue to PolicySigned to control
access to the policy nvindex to. This means there's no point in setting
an authValue on the nvindex anymore, hence drop this.
pcrlock: switch access policy for nvindex to store policy in from PolicyAuthValue to PolicySigned (with an HMAC-SHA256 key)
So far the nvindex to store the pcrlock policy in was protected via a
PolicyAuthValue policy (i.e. with a simple PIN set on the nvindex).
That's a bad idea however, as it means an attacker can simply remove and
re-create the nvindex and the "name" of the nvindex does not change,
thus defeating the logic. (This is because the authValue is *not* part
of the "name" of an nvindex!).
Fix this by switching from PolicyAuthValue to PolicySigned with an
HMAC-SHA256 key. Behaviour is very similar: however, the PIN is now part
of of the access policy hash, which *is* part of the "name" of an
nvindex. Thus, if an attacker removes and recreates the nvindex it has
to provide the same PIN again or the "name" of the nvindex will change.
Mission accomplished.
I'd like to thank Chris Coulson for finding this issue (and helping me
address it). Thank you!
tpm2-util: load external key into NULL hierarchy if private key is provided
If we load an external key into the TPM we must do so in the NULL
hierarchy. An external key after all is one that is not wrapped by any
hierarchy's seed.
Just some renaming. I found the old name a bit confusing since it sounds
as if this would get the pin from somewhere, but it really doesn't. It
just converts a PIN into an auth_value, and I think saying so explicitly
makes things easier to grok.
Richard Maw [Sat, 3 Feb 2024 14:56:42 +0000 (14:56 +0000)]
mkosi: Extend default device timeout to 20 seconds
A moderately heavily loaded system booting an image without a rootfs
may timeout before the root device appears.
20 seconds is enough for a VM with 2 CPUs and 2GB RAM.