Daan De Meyer [Wed, 5 Feb 2025 11:42:39 +0000 (12:42 +0100)]
repart: Don't fail when we're unable to read file attributes
We're getting EOVERFLOW when reading file attributes trying to get
mkosi running in a docker container (don't ask). I have a suspicion
this is coming from fuse-overlayfs. Anyway, since the file attributes
stuff is supposed to be purely optional, let's not fail when we can't
read file attributes for whatever reason.
Yu Watanabe [Wed, 5 Feb 2025 00:14:51 +0000 (09:14 +0900)]
network/routing-policy-rule: fix compare func
Previously, when comparing an existing and requested routing policy
rules, `all` flag was unset, thus the from and to addresses in the two
rules were not compared. Hence, a new request with from and/or to
addresses might be considered as it already exists even the addresses of
existing one were different from the newly requested one.
All existing rules have valid family, i.e. AF_INET or AF_INET6. And,
all requesting rules with from and/or to addresses also have a valid
family. Hence, even `all` flag is unset, the addresses can be and must
be compared in that case.
Daan De Meyer [Tue, 4 Feb 2025 19:46:11 +0000 (20:46 +0100)]
test: Move external packages section down and reword a little
This is advanced level stuff that regular contributors don't care
about in the slightest, so move it further down. Also reword the
section a little while we're at it.
Daan De Meyer [Tue, 4 Feb 2025 19:21:36 +0000 (20:21 +0100)]
test: Drop -Dremote=enabled instructions from readme
The test commands now use mkosi sandbox which always makes sure the
required dependencies for systemd-journal-remote are enabled so no
need to reconfigure meson explicitly anymore.
Daan De Meyer [Tue, 4 Feb 2025 08:24:26 +0000 (09:24 +0100)]
ukify/measure: Revert changes to use SizeOfImage from Linux PE binary
With 19812661f1f65ebe777d1626b5abf6475faababc, we make sure at runtime
in the stub itself that SizeOfImage from the Linux EFISTUB PE binary is
taken into account, so there's no need to take this into account in ukify
itself. By reverting the ukify change, we again ensure that Misc_VirtualSize
reflects the actual size of the Linux EFISTUB PE binary in the .linux section
which lots of tooling depends on. It also makes sure we don't measure a bunch
of extra zeroes in the stub which should fix systemd-pcrlock measurements as
well.
Daan De Meyer [Tue, 4 Feb 2025 10:42:42 +0000 (11:42 +0100)]
sysupdate: Update example mode to 644 instead of 444
The UKI file has to be writable to be able to do boot counting in
the UEFI firmware which involves renaming the file by writing to
the file metadata which requires the file to be writable in the FAT
filesystem.
docs: Update CPE fields in package metadata spec (#36251)
Update osCPE field example to use cpe 2.3 format, as is in active use by
AmazonLinux 2023 for example.
Add appCPE field example to document the upstream application CPE for
the applicable CVEs. Often distribution source package names are
different from the upstream CPE. For example adding/removing "lib"
prefix, or adding version stream "-3" suffix. This typically leads to
guessing or fuzzy matching. Adding appCPE in such cases can help to
disambiguate (or collate) correct application CPEs; especially beyond
the lifetime of osCPE support timeframes. This also will help a lot with
packaging multiple alternative source packages of the same software
(e.g. nginx-full nginx-core); different version streams (e.g.
openssl-1.1, openssl-3); or alternative builds of upstream software with
largely the same CVEs with multiple version streams (e.g.
openjdk-{22,17,11..}, corretto-{22,17,11..}, temurin-{22,17,11..}, etc).
Update osCPE field example to use cpe 2.3 format, as is in active use by
AmazonLinux 2023 for example.
Add appCPE field example to document the upstream application CPE for the
applicable CVEs. Often distribution source package names are different from the
upstream CPE. For example adding/removing "lib" prefix, or adding version
stream "-3" suffix. This typically leads to guessing or fuzzy matching. Adding
appCPE in such cases can help to disambiguate (or collate) correct application
CPEs; especially beyond the lifetime of osCPE support timeframes.
ukify: Calculate section size more correctly (#36215)
We should only use Misc_VirtualSize if it's smaller than SizeOfRawData,
since in that case it'll be the non-aligned section size. Otherwise we
have to use SizeOfRawData to get the size on disk.
Ani Sinha [Fri, 8 Nov 2024 06:31:51 +0000 (12:01 +0530)]
uki: introduce support for a .efifw section
UKIs can be used to bundle uefi firmwares that can be measured and
used on a confidential computing environment. There can be more than one
firmware blob bundle, each one for a specific platform. Also firmware images
can themselves be containers like IGVM files that can in turn bundle the
actual firmware blob. This change is specifically for uefi firmwares, not
IGVM container files.
This change adds support to introduce a .efifw section in UKI that can be
used for firmware blobs/images. There can be multiple such sections and each
section can contain a single firmware image.
The matching .hwids entry for a specific platform can be used to select the
most appropriate firmware blob.
ukify tool has been also changed to support addition of a firmware image
in UKI.
Since firmware gets measured automatically, we do not need to measure it
separately as a part of the UKI.
dns-domain: accept encoded domain names without terminating zero label
Commit 1be9b30a3b17 ("dhcp6: use dns_name_from_wire_format") introduced a
stricter validation of domains received via DHCPv6, by using function
dns_name_from_wire_format() which rejects the domain when it is missing the
terminating zero label. According to RFC 4704 § 4.2, DHCPv6 servers should
always add the zero label:
To send a fully qualified domain name, the Domain Name field is set
to the DNS-encoded domain name including the terminating zero-length
label. To send a partial name, the Domain Name field is set to the
DNS-encoded domain name without the terminating zero-length label.
[...]
Servers SHOULD send the complete fully qualified domain name in
Client FQDN options.
In practice, there is at least on common DHCPv6 server implementation (dnsmasq)
that sends the FQDN option without the ending zero-length label; after
upgrading to the new systemd, the client cannot parse the option and therefore
the machine doesn't get the hostname provided by dnsmasq.
This commit restores the old behavior that considers a domain valid even when
it's missing the terminating zero label.
Here's a quick reproducer:
--8<--
ip link add veth0 type veth peer name veth1
ip netns add ns1
ip link set veth1 netns ns1
ip link set veth0 address 00:11:22:33:44:55
ip link set veth0 up
ip -n ns1 link set veth1 up
ip -n ns1 address add dev veth1 fd01::1/64
Luca Boccassi [Thu, 30 Jan 2025 14:57:15 +0000 (14:57 +0000)]
cryptenroll/repart/creds: no longer default to binding against literal PCR 7 (#36200)
PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the
denylist of bad actors. That list is pretty much as frequently updated
as firmware these days (as fwupd took over automatic updating). This
means literal PCR 7 policies are problematic: they likely break soon,
and are as brittle as any other literal PCR policies.
hence, pick safer defaults, i.e. exclude PCR 7 from the default mask.
This means the mask is now empty.
Generally, people should really switch to signed PCR policies covering
PCR 11, in combination with systemd-pcrlock for the other PCRs.
Andrew Sayers [Wed, 29 Jan 2025 13:13:04 +0000 (13:13 +0000)]
Reduce priority of "cleared HibernateLocation" message
This message appears when a computer hibernates, then awakens, then reboots,
and everything goes OK. It's a normal progress message the user doesn't need
to know about, but it distracts them from important startup messages and could
even train them to ignore the warning when the procedure fails.
cryptenroll/repart/creds: no longer default to binding against literal PCR 7
PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the
denylist of bad actors. That list is pretty much as frequently updated
as firmware these days (as fwupd took over automatic updating). This
means literal PCR 7 policies are problematic: they likely break soon,
and are as brittle as any other literal PCR policies.
hence, pick safer defaults, i.e. exclude PCR 7 from the default mask.
This means the mask is now empty.
Generally, people should really switch to signed PCR policies covering
PCR 11, in combination with systemd-pcrlock for the other PCRs.
Devilish Spirits [Wed, 29 Jan 2025 20:54:27 +0000 (21:54 +0100)]
Fix inversion of timesyncd_usec/epoch_usec variables in clock-warp.c
In clock_apply_epoch() function, the /usr/lib/clock-epoch timestamp was set to timesyncd_usec instead of epoch_usec and vice-versa which produced a misleading log message about the clock source systemd used for early clock sanitization. This trivial commit fix the mistake.
Daan De Meyer [Wed, 29 Jan 2025 13:44:27 +0000 (14:44 +0100)]
ukify: Calculate section size more correctly
We should only use Misc_VirtualSize if it's smaller than SizeOfRawData,
since in that case it'll be the non-aligned section size. Otherwise we
have to use SizeOfRawData to get the size on disk.
userdb: move filter of user/group records to the varlink server side (#36133)
In v257 userdbctl gained support for filtering user records with fuzzy
matching and some other parameters. It was done on the client side only.
This PR adds server-side matching, by exendting the generic userdb
varlink api.
The api is generic any may have many other implementors, hence care is
taken to fallback to exclusively client side filtering in case the
service does not support the new parameters.
In fact I even opted to not actually implement server-side filtering in
any services but systemd-userdbd.service, because it's probably not too
much an optimization in relevant services (we might want to revisit this
later). By implementing it in userdbd the primary entrypoint for userdb
is however covered: the multiplexer interface which provides a single
interface for the multitude of backends. Or in other words: the
multiplexer itself supports server-side filtering even if its own
backends don't, and will hide this neatly away.
One nice side effect from not implementing server side filtering for all
our backends is that the fallback codepaths are comprehensively tested.
Note that this adds some unit tests but not new integration test for all
this, as the filtering tests for userdbctl already existed before, we
just move their implementation from the client to the server side.
Yu Watanabe [Tue, 28 Jan 2025 19:16:20 +0000 (04:16 +0900)]
network: bridge: add support for configuring locked ports (#36150)
"Recently" (as of 5.18) the Linux kernel gained the ability of locking
bridge ports to restrict network access to authenticated hosts only.
This is implemented by disabling automated learning and dropping
incoming traffic from unknown hosts. User space is then expected to add
fdb entries for authenticated hosts. Once a fdb entry exist, traffic for
that host will be forwarded as expected.
This was later extended with "Mac Authentication Bypass", where the
locking was extended to fdb entries. In this mode the kernel adds fdb
entries again automatically, but they are locked by default.
To properly configure this, add two network options and one netdev
option:
* `LinkLocalLearning=` to prevent the kernel from creating unlocked
entries based on link-local traffic, which would bypass any
authentication. Needed when enabling learning on a locked port.
* `Locked=` to allow setting a bridge port to locked.
* `MACAuthenticationBypass=` to allow enabling Mac Authentication
Bypass on a port. Requires learning to be enabled on the port as well
(and consequently `LinkLocalLearning` disabled on the bridge).
An authenticator (e.g. hostapd) is still needed to do the actual
authentication, the kernel only provides the access control.
Luca Boccassi [Tue, 28 Jan 2025 17:33:39 +0000 (17:33 +0000)]
wait-online: add initial support for waiting for DNS (#34640)
Add a new flag, `--dns`, to systemd-networkd-wait-online to allow
waiting for DNS to be configured. The `--dns` flag respects the `--ipv4`
and `--ipv6` flags, as well as `--interface=` and `--any`.
Daan De Meyer [Tue, 28 Jan 2025 08:38:26 +0000 (09:38 +0100)]
ukify: Add --sign-profile
Let's allow configuring which UKI profiles we generate signed PCR
measurements for since there are various types of profiles for
which we do not want to generate signed PCR measurements so that they
can not unlock the encrypted rootfs.
Nick Rosbrook [Thu, 19 Sep 2024 19:59:50 +0000 (15:59 -0400)]
wait-online: add support for waiting for DNS configuration
Add a new flag to systemd-networkd-wait-online, --dns, to allow waiting
for DNS to be configured.
DNS is considered configured when at least one DNS server is accessible.
If a link has the property DefaultRoute=yes (either by explicit
configuration, or because there are no routing-only domains), or if the
search domain '.' is configured, wait for link-specific DNS to be
configured. Otherwise, global DNS servers may be considered.
Jonas Gorski [Fri, 24 Jan 2025 12:15:06 +0000 (13:15 +0100)]
network: bridge: add support for IFLA_BRPORT_MAB
Since linux commit a35ec8e38cdd1766f29924ca391a01de20163931 ("bridge:
Add MAC Authentication Bypass (MAB) support"), included since v6.2, it
is possible to enable MAC Authentication Bypass for bridge ports. In
this mode the locked port learns again, but the learned fdb entries are
locked, allowing user space to unlock hosts based seen MAC addresses.
This requires learning to be enabled on the port, and link-local
learning disabled for the bridge.
Add support to systemd-network for setting the new attribute for bridge
ports.
Jonas Gorski [Mon, 2 Dec 2024 10:54:09 +0000 (11:54 +0100)]
network: bridge: add support for IFLA_BRPORT_LOCKED
Since linux commit a21d9a670d81103db7f788de1a4a4a6e4b891a0b ("net:
bridge: Add support for bridge port in locked mode"), included since
v5.18, it is possible to set bridge ports to locked.
Locked ports do not learn automatically, and discard any traffic from
unknown source MACs. To allow traffic, the userspace authenticator is
expected to create fdb entries for authenticated hosts.
Add support to systemd-network for setting the new attribute for bridge
ports.
Jonas Gorski [Tue, 10 Dec 2024 15:45:20 +0000 (16:45 +0100)]
network: bridge: add support for NO_LL_LEARN
When using locked ports on a bridge link-local learning needs to be
disabled to prevent the kernel from learning and automatically unlocking
hosts based on link-local traffic.
So add support for enabling NO_LL_LEARN for bridges.
Adam Williamson [Fri, 10 Jan 2025 21:01:47 +0000 (13:01 -0800)]
kbd-model-map: add a georgian mapping
https://github.com/legionus/kbd/pull/127 adds a Georgian mapping
to kbd. console-setup already has one. Let's support it here, so
it's used for Georgian installs on distros that use this table.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Nick Rosbrook [Fri, 11 Oct 2024 18:44:44 +0000 (14:44 -0400)]
resolved: add SubscribeDNSConfiguration to varlink API
Add a new method to io.systemd.Resolve.Monitor that allows subscribing
to changes in the systemd-resolved DNS configuration. The new method
emits the full DNS configuration (one entry for global configuration,
and one entry for each interface), any time the configuration is
updated.
userdbd: implement server side filtering in the Multiplexer API
This impelements server side filtering in userdbd's multiplexer logic.
Note thta this means that even if some backend doesn't support it
natively the multiplexer will deal with it and apply the filtering as
necessary.
userdb: move UserDBMatch handling from userdbctl into generic userdb code to allow it to be done server side
This moves around the UserDBMatch handling, moves it out of userdbctl
and into generic userdb code, so that it can be passed to the server
side, to allow server side filtering.
This is preparation for one day allowing complex software to do such
filtering server side, and thus reducing the necessary traffic.
Right now no server side actually knows this, hence care is taken to
downgrade to the userdb varlink API as it was in v257 in case the new
options are not understood. This retains compatibility with any
implementation hence.
varlink: add new calls for server-side user record filtering to varlink IDL + to spec
This is preparation for adding server side filtering to the userdb
logic: it adds some fields for this to the userdb varlink API. This only
adds the IDL for it, no client will use it for now, no server implement
it. That's added in later commits.
Nick Rosbrook [Fri, 24 Jan 2025 20:42:38 +0000 (15:42 -0500)]
udev: add input/by-{id,path} symlinks for hidraw devices
Take some of the same rule structure from 60-persistent-input.rules, and
apply it to hidraw devices in 60-persistent-hidraw.rules.
Since one of the motivations for this is being able to easily reference
FIDO tokens, add a special case when ID_FIDO_TOKEN==1, and add 'fido'
to the symlink.
Nick Rosbrook [Thu, 14 Nov 2024 19:31:07 +0000 (14:31 -0500)]
resolved: add link_get_default_route helper
The dbus property getter for DefaultRoute does not simply check
link->default_route. Instead, if l->default_route is not explicitly
configured, it checks dns_scope_is_default_route(l->unicast_scope).
Add a link_get_default_route() helper with this logic so that it can be
used for consistency.
Nick Rosbrook [Tue, 15 Oct 2024 20:30:52 +0000 (16:30 -0400)]
resolved: add a helper to check if DNS server is accessible
We check this by opening a UDP socket and attempting to connect. We do
not send any traffic on it, but this will tell us if there are routes to
the DNS server.
No functional change. Make it more clear that these varlink connections
are subscribed to query results. This prepares for adding SubscribeDNS
to the varlink API.
projects / thirdparty / systemd.git / log
