cdown [Thu, 22 Jan 2026 12:16:49 +0000 (04:16 -0800)]
boot: Fix UKI boot for kernels with non-zero ImageBase
The current code incorrectly subtracts ImageBase from section
VirtualAddress values when loading sections into memory. This is based
on a misunderstanding of the PE specification.
VirtualAddress in section headers is the address of the first byte of
the section relative to the image base when the section is loaded into
memory. In other words, VirtualAddress is already an RVA measured from
the image base, it is definitely NOT an absolute address that needs to
be adjusted.
So when loading a PE image into a newly allocated buffer, sections
should be copied to buffer + VirtualAddress, regardless of what
ImageBase says. The ImageBase field merely indicates the *preferred*
load address, it does not affect how section RVAs are interpreted.
This happens to not cause issues when ImageBase was 0 (since
VirtualAddress - 0 = VirtualAddress), which is why this bug went
undetected on modern kernels. However, it fails with kernels that have
non-zero ImageBase values.
So let's remove the nonsensical VirtualAddress < ImageBase check, and
remove the ImageBase subtractions from section loading offsets. This
lets all kernel UKIs work properly again.
os-release: add a new FANCY_NAME= field to /etc/os-release, similar to PRETTY_NAME, that may carry ansi sequences + more unicode chars (#40367)
It's sometimes useful include non-ascii unicode chars in an os name, and
give it some ansi coloring. Since we usualy don't want to show that,
introduce a new field for it, and show it at boot and in thostnamectl
only, with safe fallbacks if colors/emojis are not available.
format-table: add new string cell type that accepts ANSI sequences
For various usecases it's useful that we can embed ANSI sequences in
cells of tables. For example, I hope we can eventually switch "systemctl
status" output to use the table formatter, and multiple of its fields
contain ANSI sequences (since they pack multiple different pieces
information into the same field, and highlight parts of it to
communicate relevance of distinct parts).
Add a distinct cell type for this, which gets special processing when we
output to a terminal that doesn't support ANSI sequences, and to JSON:
we strip the sequences.
Yu Watanabe [Tue, 20 Jan 2026 09:04:33 +0000 (18:04 +0900)]
network/dhcp4: send release message before stopping the client
Otherwise, the socket is already closed and sending release will be
anyway skipped.
With this patch, release message is sent before stopping the client.
```
Jan 20 18:29:41 systemd[1]: Stopping systemd-networkd.service - Network Management...
Jan 20 18:29:41 systemd-networkd[3821255]: wlp59s0: DHCPv4 client: RELEASE
Jan 20 18:29:41 systemd-networkd[3821255]: wlp59s0: DHCPv4 client: STOPPED
Jan 20 18:29:41 systemd-networkd[3821255]: wlp59s0: DHCP lease lost
```
Daan De Meyer [Tue, 2 Dec 2025 10:17:13 +0000 (11:17 +0100)]
portable: Enable unpriv operation
This does not yet support directory images properly
as systemd itself does not support unpriv directory
images properly yet.
The user profiles are a copy of the system profiles but without
DynamicUser=yes (can't be used by user managers) and without
ProtectHome=yes (this masks /home which breaks StateDirectory= which
is lcoated inside /home)
Vunny Sodhi [Wed, 21 Jan 2026 10:27:55 +0000 (12:27 +0200)]
pam_systemd_home: Use PAM_TEXT_INFO for token prompts
The prompts asking the user to physically authenticate
or confirm presence on a security token are informational
requests for action, not error conditions.
This commit changes the message type to PAM_TEXT_INFO,
which is more appropriate for guiding the user through
the authentication process.
shared/fdset: add detailed debug logging to fdset_new_fill()
Currently, when fdset_new_fill() fails to open /proc/self/fd or
encounters an error while processing individual file descriptors
(such as fcntl or fstat failures), it returns a silent error code.
For debugging rarely reproducible failures it becomes difficult to
know the exact cause of failure
This commit updates the function to use log_debug_errno() for all
error paths and hence provides better visibility into why FD collection
failed, including the path of the problematic FD (via fd_get_path)
and its inode type.
Daan De Meyer [Tue, 20 Jan 2026 21:41:40 +0000 (22:41 +0100)]
mountfsd: Add relaxExtensionReleaseChecks
We currently pass this around as a mount option in pid1, which means
privileges are required by mountfsd to mount images that make use of it.
Add an explicit argument for it in varlink instead and remove it client
side from the mount options to remove the need for privileges.
DaanDeMeyer [Tue, 23 Dec 2025 21:08:09 +0000 (22:08 +0100)]
test: Set SYSTEMD_NSS_LOG_LEVEL=info
Currently, our test logs are flooded with useless NSS varlink debug
logs coming from nss-systemd talking to each varlink userdb service
individually. Let's set SYSTEMD_NSS_LOG_LEVEL=info to get rid of these
verbose logs.
DaanDeMeyer [Tue, 23 Dec 2025 21:06:31 +0000 (22:06 +0100)]
nss-util: Add support for $SYSTEMD_NSS_LOG_LEVEL
When setting SYSTEMD_LOG_LEVEL=debug and debugging a tool that happens
to do NSS lookups, the resulting logs from varlink are obnoxiously
verbose. Let's parse a separate log level environment variable in NSS
to allow overriding the log level for NSS specifically so these noisy
logs can be silenced.
Daan De Meyer [Wed, 21 Jan 2026 10:25:36 +0000 (11:25 +0100)]
mkosi: Install libucontext in Arch/Fedora images
Split out of #39771
We don't use make use of libucontext yet but merging this early makes
sure my mkosi cached images don't get invalidated every time I switch
between my other work and the fiber branch.
sysupdate: add simple "freshness" validation to systemd-sysupdate
In order to make "freeze" attacks against the update logic harder let's
add the ability to encode a "Best Before" date into SHA256SUMS directory
listings: if the current time is already beyond that time, we'll ignore
the SHA256SUMS as "stale" and fail the upgrade. Or in other words: the
freeze attack will now result in a client-side error eventually, instead
of success state.
The best before data is encoded in an optional pseudo-file listed in SHA256SUMS:
any file named BEST-BEFORE-YYYY-MM-DD.
Yu Watanabe [Tue, 20 Jan 2026 09:41:11 +0000 (18:41 +0900)]
stat-util: make proc_mounted() not update errno
Typically, proc_mounted() is used in error handling. Hence, it is better
to make it not update the original errno.
Currently, there are two places that returns wrong error code:
- pidref_get_capability() in src/basic/capability-util.c
```c
_cleanup_fclose_ FILE *f = fopen(path, "re");
if (!f) {
if (errno == ENOENT && proc_mounted() == 0)
return -ENOSYS;
return -errno;
}
```
- fdset_new_fill() in src/shared/fdset.c
```c
d = opendir("/proc/self/fd");
if (!d) {
if (errno == ENOENT && proc_mounted() == 0)
return -ENOSYS;
return -errno;
}
```
Rather than fixing them, let's make proc_mounted() not update errno,
otherwise we may make a similar failure in a future.
safforddr [Tue, 13 Jan 2026 18:27:20 +0000 (13:27 -0500)]
tpm2: allow use of recoverable sealing keys
In some use cases it is desirable to use a recoverable (ie duplicatable)
sealing key. Currently objects have the attribute TPMA_OBJECT_FIXEDTPM
and TPMA_OBJECT_FIXEDPARENT hard coded, which will not work with a
recoverable sealing key. This patch sets the object's attributes from
the sealing key's attributes, so that both types of sealing keys will work.
Introduce 'fixate-volume-key' option to repart/cryptsetup to pin the exact LUKS volume key hash (#40343)
Add an option to generate the expected volume key hash for LUKS volumes
by systemd-repart
and put it to crypttab, make systemd-cryptsetup check it upon attaching.
The format of the hash
matches what's currently being measured to TPM2 PCR with
tpm2-measure-pcr=.
sd-varlink: ensure that "any" actually means "any but null"
The new "any" type was implemented by accident that it actually meant
"any but null" – unless marked as "any?" in which case it actually meant
truly any, including null. The spec change in
https://github.com/varlink/varlink.github.io/pull/43 otoh suggested that
"any" really means anything, and "any?" apparently too.
I think the implementation in code makes more sense than the spec change
however, hence let's add some checks/tests to ensure the behaviour of
the code is made explicitly and cared for.
I will prep a spec change to make the spec follow the code on this too.
Nick Rosbrook [Mon, 19 Jan 2026 18:29:52 +0000 (13:29 -0500)]
resolve: include current DNS server in JSON again
The current_dns_server_json object in dns_configuration_json_append() is
always NULL, because the logic to dump the current DNS server to JSON
was removed by mistake in a re-factoring commit. Add that logic back.
Fixes c6b6ac63ea ("resolve: drop unnecessary preparation of empty arrays").
Vitaly Kuznetsov [Tue, 13 Jan 2026 16:43:22 +0000 (17:43 +0100)]
TEST-58-REPART: Add a test for fixate_folume_key
The test checks that the expected hash is correctly recorded to the
generated crypttab and also checks that systemd-cryptsetup handles
the option correctly.
Vitaly Kuznetsov [Wed, 14 Jan 2026 08:51:24 +0000 (09:51 +0100)]
cryptsetup: Add fixate-volume-key option to pin the expected volume key hash
The expected hash (SHA265 HMAC signature) uses the exact same algorithm which
is used to calculate sha256 PCR bank digest when 'tpm2-measure-pcr=' is used.
Mike Yuan [Tue, 6 Jan 2026 21:02:17 +0000 (22:02 +0100)]
core/dbus-util: several cleanups for bus_read_mount_options()
* Make sure ret_options is initialized on success.
* Return empty mount options as-is rather than NULL-ing it -
dbus property parser for RootImageOptions relies on it
for resetting options for a specific partition designator.
* Format partition:options properly with strextendf, currently
multiple ":" will be emitted.
* Allow separator to be unset if in_out_format_str is not
needed.
Luca Boccassi [Mon, 19 Jan 2026 16:24:44 +0000 (16:24 +0000)]
portable: pin attached image via image-policy (#40152)
When attaching images generate a policy in the portable drop-in that
matches the partition types and content found while dissecting, so that
it can no longer be changed later without a reattach
Luca Boccassi [Fri, 19 Dec 2025 17:02:03 +0000 (17:02 +0000)]
portable: pin attached image via image-policy
When attaching images generate a policy in the portable drop-in
that matches the partition types and content found while dissecting,
so that it can no longer be changed later without a reattach.
zefr0x [Sat, 17 Jan 2026 19:59:22 +0000 (22:59 +0300)]
busctl: handle `--limit-messages` option under the `wait` verb
Main focus was to not introduce breaking change or duplicated argument.
The `--limit-messages=` option that is used under the `monitor` verb is
reused here. However, both `wait` and `monitor` have contradicting
default behaviors, so it's not the cleanest thing to do.
There was some post-commit discussion about the API in #33961, but the
final name adopted in #34928 wasn't that flexible either to fit nicely
here in the `wait` verbe.
Additionally, there wasn't consideration in #34555 for having uniform
behavrious, so we ended with `wait` verb and `--limit-messages=` option,
rather than `receive` verb with default of continuously receving signals
withtout exit so `--limit-messages=` make more sence and be expectable.
Vitaly Kuznetsov [Mon, 19 Jan 2026 12:42:34 +0000 (13:42 +0100)]
tpm2-util: make tpm2_pcr_extend_bytes() declaration match its implementation
tpm2_pcr_extend_bytes() has differences in parameter names between the
declaration and the implementation, in particular, 'event' in the header is
named 'event_type' in the implementation.
Vitaly Kuznetsov [Mon, 12 Jan 2026 16:05:59 +0000 (17:05 +0100)]
repart: Generate fstab and crypttab late
The immediate need for the change is to allow to capture the expected
LUKS volume key hash and record it to the generated crypttab but it
also seems to make sense to not generate crypttab/fstab before we know
that partition creation succeeded as fstab/crypttab entries are bogus
otherwise.
cyclopentane [Fri, 16 Jan 2026 23:54:51 +0000 (00:54 +0100)]
cryptenroll,cryptsetup,shutdown: only call mlockall if we have CAP_IPC_LOCK
Calling mlockall in an unprivileged process most notably had the effect
of making systemd-cryptenroll OOM while trying to open a normal-sized
argon2 keyslot due to it hitting RLIMIT_MEMLOCK.
Mike Yuan [Fri, 9 Jan 2026 18:06:07 +0000 (19:06 +0100)]
core/unit: drop unneeded unit_modify_nft_set() call during coldplug
We re-realize all unit cgroups upon daemon-reload, and
cgroup_context_apply() would take care of NFT set refreshing.
No need to duplicate that in unit_coldplug().
projects / thirdparty / systemd.git / log
