Yu Watanabe [Tue, 8 Aug 2023 17:40:21 +0000 (02:40 +0900)]
fstab-generator: update cache in fstab_enabled_full() based on the parsed result of fstab=
Currently, fstab-generator does not use fstab file parsers in
fstab-util.c. So, this is not necessary. Just for a possible
optimization in the case the parsers used in the future.
Yu Watanabe [Tue, 8 Aug 2023 17:30:33 +0000 (02:30 +0900)]
fstab-util: introduce fstab_enabled() helper function
And refuse to parse fstab when 'fstab=no' is specified in the kernel
command line.
When 'fstab=no' is specified in the kernel command line, fstab-generator
does not parse fstab and will not create e.g. /boot or /efi mount entry
even if fstab contains entries for the mount points. However, gpt-auto
generator may parse fstab file, and adjust or ignore mounts for EFI or
XBOOTLDR partitions based on the fstab file.
This makes gpt-auto also ignore fstab entries if 'fstab=no' is set in
the kernel command line.
The commit b42482af904ae0b94a6e4501ec595448f0ba1c06 dropped
'--exclude-prefix=/dev' from systemd-tmpfiles-setup.service. So, the
possibly later invocation of the service changes the permission set by
udevd.
As commmented in the head of this file, settings should be consistent
with udev rules. Only missing entry here is vfio. Let's re-add the
entry for the device.
Fabian Vogt [Tue, 8 Aug 2023 10:52:53 +0000 (12:52 +0200)]
units/initrd-parse-etc.service: Conflict with emergency.target
If emergency.target is started while initrd-parse-etc.service/start is queued,
the initrd-parse-etc job did not get canceled. In parallel to the emergency
units, it eventually runs the service, which starts initrd-cleanup.service,
which in turn isolates initrd-switch-root.target. This stops the emergency
units and effectively starts the initrd boot process again, which likely
fails again like the initial attempt. The system is thus stuck in an endless
loop, never really reaching emergency.target.
With this conflict added, starting emergency.target automatically cancels
initrd-parse-etc.service/start, avoiding the loop.
Ronan Pigott [Tue, 8 Aug 2023 08:30:28 +0000 (01:30 -0700)]
zsh: reintroduce pattern argument to uncached verbs
The systemctl completion previously made use of PREFIX as a pattern
argument to list-unit-files and list-units. This had the problem of
erroneously filtering the results that were stored in the cache, and
erroneously filtering results that might have been requested according
to the users configuration (e.g. _correct completer, certain
matcher-lists or tag-orders, etc.).
Unfortunately, the runtime of list-unit-files increases when no pattern
argument is provided, and systemctl show, used to filter those units,
can become unacceptably slow when provided with too many units to
describe.
Let's re-introduce the pattern argument to list-unit-files and
list-units where necessary in order to alleviate these bottlenecks
without poisining the cache. A 'use-pattern' style is introduced that
may be used to disable this behavior if it is undesired. We can still
expect that certain completions, like `systemctl start <TAB>` will be
slow, like before. To fix this we will need systemd to learn a more
efficient way of filtering the units than parsing systemctl show.
Ronan Pigott [Mon, 7 Aug 2023 19:13:23 +0000 (12:13 -0700)]
zsh: use sys_really_all_units for non-template names
The systemctl invocations used for these completions match the ones used
for the _sys_really_all_units parameter, so we should really just use
the cached parameter rather than recomputing the result.
Jan Macku [Mon, 7 Aug 2023 13:11:00 +0000 (15:11 +0200)]
ci(lint): exclude `.in` files from ShellCheck lint
Exclude all `.in` files because they may contain unsupported syntax, and
they have to be preprocessed first. For example:
```sh
Error: SHELLCHECK_WARNING:
./src/rpm/systemd-update-helper.in:130:37: warning[SC1083]: This { is literal. Check expression (missing ;/\n?) or quote it.
```
Related to: https://github.com/systemd/systemd/pull/28521
Daan De Meyer [Mon, 7 Aug 2023 13:23:49 +0000 (15:23 +0200)]
repart: Extend check for read-only verity partitions
Let's check for verity signature partitions as well. Let's also
check the configured verity mode, which is another way to indicate
verity partitions aside from the type UUID.
Like the cmdline file we look for a devicetree file in
$KERNEL_INSTALL_CONF_ROOT, /etc/kernel and /usr/lib/kernel. If it is
present we look for the specified device tree that comes with the kernel
we're adding and install it into $ENTRY_DIR_ABS and add a devicetree
stanza to the loader entry.
Unfortunately it seems there is no common consensus on where to install
device tree blobs, so we have to look in a few different places for it.
This macros wraps the call to daemon-reexec in all user managers. It would be
called for example from systemd %post right after the call to systemctl
daemon-reexec.
This will be used in the Fedora systemd package to fix a long-standing FIXME.
Tested via building and reinstalling the systemd package with the patches.
Enqueues restart jobs for all units that have the 'needs-restart'
mark, and reload jobs for units that have the 'needs-reload' mark.
When a unit marked for reload does not support reload, restart will
be queued.
The new macros allow a reload to be issued instead of a restart.
Based on the discussion on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IJSUGIEJNYZZRE53FF4YFUEBRHRAVIXR/
Tested using dummy package https://github.com/keszybz/rpm-test-reload.
manager: fix reloading in reload-or-restart --marked
bus_unit_queue_job_one has two callers:
- bus_unit_queue_job which would do the appropriate transormations
to turn JOB_TRY_RESTART into JOB_TRY_RELOAD,
- and method_enqueue_marked_jobs which did not.
In effect, method_enqueue_marked_jobs() would queue restart jobs for
units which has Markers= needs-reload or needs-restart.
When the chunk of code which does the transformations is moved from
bus_unit_queue_job to bus_unit_queue_job_one, there is no change for
bus_unit_queue_job, and method_enqueue_marked_jobs is fixed.
The additional checks that are done seem reasonable to do from
method_enqueue_marked_jobs: we shouldn't be restarting units which are
configured to not allow that, or force unwanted start of dbus-broker.
60-ukify.install would only work with initrd provided by command line
arguements. Fixed to look for both microcode and initrd is found in
$KERNEL_INSTALL_STAGING_AREA which is placed by initrd generator like
mkinitcpio
ukify: don't panic when prepending to an undefined list
Handle the case when all the arguments are passed in through a
configuration file:
$ cat ukify.conf
[UKI]
Linux = /boot/vmlinuz-linux
Initrd = /boot/initramfs-linux.img
Before:
$ src/ukify/ukify.py --config ukify.conf build
Traceback (most recent call last):
File "/root/systemd/src/ukify/ukify.py", line 1604, in <module>
main()
File "/root/systemd/src/ukify/ukify.py", line 1590, in main
opts = parse_args()
^^^^^^^^^^^^
File "/root/systemd/src/ukify/ukify.py", line 1584, in parse_args
apply_config(opts)
File "/root/systemd/src/ukify/ukify.py", line 1431, in apply_config
item.apply_config(namespace, section_name, group, key, value)
File "/root/systemd/src/ukify/ukify.py", line 1123, in apply_config
self.config_push(namespace, group, dest, value)
File "/root/systemd/src/ukify/ukify.py", line 1019, in config_list_prepend
setattr(namespace, dest, value + old)
~~~~~~^~~~~
TypeError: can only concatenate list (not "NoneType") to list
After:
$ src/ukify/ukify.py --config ukify.conf build
Kernel version not specified, starting autodetection 😖.
Found uname version: 6.4.7-arch1-3
Wrote unsigned vmlinuz-linux.unsigned.efi
Dan Streetman [Fri, 4 Aug 2023 20:12:05 +0000 (16:12 -0400)]
tpm2: use ELEMENTSOF() instead of sizeof() for TPML_PCR_SELECTION pcrSelections field
The count field indicates the number of elements in the pcrSelections field,
and the size of each elements is greater than 1 byte, so using sizeof() is
incorrect when verifying the count field is valid; instead ELEMENTSOF() should
be used.
Caught by coverity check: https://github.com/systemd/systemd/pull/26331#pullrequestreview-1556629586
Luca Boccassi [Fri, 4 Aug 2023 12:34:00 +0000 (13:34 +0100)]
portablectl: fix regression when using --force without extension parameters
c18f4eb9e96836a made it possible to use --force with various verbs, by
going through the newer D-Bus methods. Except it didn't, as it regressed
during PR review refactorings, and nobody noticed because there were no
tests for it. Fix it, and add tests.
Dan Streetman [Fri, 14 Jul 2023 22:36:20 +0000 (18:36 -0400)]
man: update systemd-cryptenroll man page with details on --tpm2-pcrs format change
The previous commit extended the accepted format of --tpm2-pcrs to allow
specifying the hash algorithm (i.e. PCR bank) and hash digest value, this
updates the man page with those changes.
Dan Streetman [Wed, 12 Jul 2023 21:35:54 +0000 (17:35 -0400)]
tpm2: move policy calculation out of tpm2_seal()
Move the calculation of the sealed object policy hash out of the tpm2_seal()
function. Instead, callers of tpm2_seal() can directly call
tpm2_calculate_sealing_policy() and then provide the policy hash to
tpm2_seal().
Add function to create openssl pkey from ECC curve and point, and function to
get curve id and x/y point from existing ECC pkey. Also add function to create
new ECC key for specified curve.
Also add DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_MACRO() to handle case when func() is
a macro, not a function symbol; specifically in this case it is used for
OPENSSL_free() which is a macro.
Add function to generate an EVP_PKEY for a specific 'n' and 'e', and function
to get 'n' and 'e' values from existing RSA public key. Also add a function to
generate a new RSA key with a specified number of bits.
Dan Streetman [Thu, 13 Jul 2023 02:36:37 +0000 (22:36 -0400)]
tpm2: change tpm2_parse_pcr_argument() parameters to parse to Tpm2PCRValue array
In order to allow users to specify expected PCR values, change the
tpm2_parse_pcr_argument() to parse the text argument into an array of
Tpm2PCRValue objects, which provide not only the selected PCR indexes, but also
(optionally) the hash algorithm and hash value for each PCR index.
Dan Streetman [Thu, 13 Jul 2023 02:14:18 +0000 (22:14 -0400)]
tpm2: change tpm2_calculate_policy_pcr(), tpm2_calculate_sealing_policy() to use Tpm2PCRValue array
An array of Tpm2PCRValue objects effectively replaces a TPML_PCR_SELECTION
object combined with an array of (properly ordered) TPM2B_DIGEST objects.
Also update tpm2_calculate_sealing_policy() pin parameter to boolean use_pin,
since the function does not need to know the pin value, only if a pin is being
used.
Dan Streetman [Fri, 14 Jul 2023 15:38:11 +0000 (11:38 -0400)]
tpm2: move declared functions in header lower down
Move some function declarations lower down, below the Tpm2Context and
Tpm2Handle typedefs; later commits will reference the typedefs in some of the
functions, so the typedefs need to come first in the header.
This only moves the declarations, none of the declarations are modified.
Dan Streetman [Wed, 12 Jul 2023 01:23:36 +0000 (21:23 -0400)]
tpm2: add Tpm2PCRValue struct and associated functions
Add a new struct that can represent a PCR index, hash, and value all
together. This replaces code (e.g. the tpm2_pcr_read() parameters) that
required using both a TPML_PCR_SELECTION as well as array of TPM2B_DIGEST
entries, which was difficult to correlate the selection hash/index to each
digest.
Daan De Meyer [Fri, 4 Aug 2023 08:40:30 +0000 (10:40 +0200)]
mkosi: Make sure our systemd build always overrides the distros
Currently, we install the systemd install tree in the base image and
then build the initrd and final images from the base image. This means
if that any systemd package is pulled in during the initrd or final
image builds, it will override our version.
To fix this, we stop installing our build of systemd in the base image,
and store it in the output directory instead. That allows us to refer to
it using ExtraTrees= in the final and initrd image builds to install it
after all the distro packages have been installed, ensuring our version
always takes priority.
Dan Streetman [Thu, 3 Aug 2023 18:44:57 +0000 (14:44 -0400)]
tpm2: use CreatePrimary() to create primary keys instead of Create()
Older versions used CreatePrimary() to create a transient primary key to use
when creating a sealed data object. That was changed in v254 to use Create()
instead, which should result in the same transient key, but it seems some
hardware TPMs refuse to allow using Create() to generate primary keys.
This reverts to using CreatePrimary() to create primary key.
Mike Yuan [Thu, 3 Aug 2023 13:42:00 +0000 (21:42 +0800)]
vconsole: support KEYMAP=kernel for preserving kernel keymap
Follow-up for #26089 and #28505
Currently, if default-keymap is not empty, there's no way
to ask vconsole-setup to retain the kernel keymap. Let's
accept a special value "kernel" for that purpose.
Addresses the problem mentioned in https://github.com/systemd/systemd/pull/28505#issuecomment-1663681665
projects / thirdparty / systemd.git / log
