elf2efi: import whole module, not individual symbols
When reading the code, it was hard to figure out if the given name was
imported or a local class. And the renaming of imports also made it
harder to look things up online. Arguably, the deeply nested import
structure and inconsistent naming in elftools is partially to blame:
there is just no good way to make this look nice. But anyway, let's use
the usual style of importing the module and using names prefixed with
the module path so that the origin of imported names is clear.
elfutils.elf.elffile is importered separately, because a) it needs to be
imported separately anyway bxecause the module does lazy imports
internally, a) the name already indicates the origin, c) is used in
quite a few places so the shorter name is nice.
Kai Lüke [Thu, 19 Feb 2026 07:01:06 +0000 (16:01 +0900)]
openssl-util: pass the UI callback for interactive PIN prompts
Observed with the tpm2 provider and the tpm2tss engine was that the
auth process failed because the provider/engine could not ask for the
PIN through the callback, resulting in:
"Failed to load private key from ...: Input/output error"
Apparently the default UI method is not enough and the key setup
functions expect an explicit method.
Pass the existing UI method through as callback for the key setup.
Oblivionsage [Wed, 18 Feb 2026 17:22:48 +0000 (18:22 +0100)]
pe-binary: wrap remaining LE fields with byte-swap macros
Follow-up to 02cab70acf5ca67e838d0d34860baacbf9fc3b6c. pe_hash(),
section_offset_cmp() and uki_hash() still had a bunch of raw accesses
to LE fields (e_lfanew, SizeOfHeaders, PointerToRawData, SizeOfRawData,
VirtualSize, certificate_table->Size) without le32toh(), so they'd
produce garbage on big-endian.
Also wrap VirtualSize in bootspec.c for consistency.
Daan De Meyer [Wed, 18 Feb 2026 20:27:45 +0000 (21:27 +0100)]
vpick: Make suffix a single string again instead of a strv
This was made a strv to handle either directories or raw images but
since we now handle that via multiple PickFilter instances, we don't
need suffixes to be a strv anymore.
Daan De Meyer [Wed, 18 Feb 2026 14:58:39 +0000 (15:58 +0100)]
machined: Skip root user namespace check for user managers
You can register whatever process you want in the user machined instance
that is running in the same namespace as pid 1 as machined won't be allowed
to do anything privileged anyway that could be dangerous when running as a user
instance.
We have to skip the check as we user machined instances don't have
privileges to inspect pid1's user namespaces.
Dmitry V. Levin [Wed, 18 Feb 2026 08:00:00 +0000 (08:00 +0000)]
github/workflows: disable persisting credentials for actions/checkout
Set `persist-credentials: false` for actions/checkout.
By default, using `actions/checkout` causes a credential to be persisted on
disk. Subsequent steps may accidentally publicly persist the credential, e.g.
by including it in a publicly accessible artifact via actions/upload-artifact.
However, even without this, persisting the credential on disk is non-ideal
unless actually needed.
Dmitry V. Levin [Wed, 18 Feb 2026 08:00:00 +0000 (08:00 +0000)]
github/dependabot: set cooldown period
By default, Dependabot does not perform any cooldown on dependency updates.
In other words, a regularly scheduled Dependabot run may perform an update
on a dependency that was just released moments before the run began.
This presents both stability and supply-chain security risks.
To mitigate these risks, explicitly set Dependabot cooldown period to 7 days.
ID_INTEGRATION is not being updated with hwdb entries, asign the new
value to it when hwdb has been imported.
We still need the 65-integration.rule assignment for devices that aren't
in hwdb.
While at it remove unneeded check in 70-touchpad.rules, as it was not
added for 70-joystick.rules with the statement if ID_INPUT_* is set and
ID_INPUT not, there is a bug elsewhere. And remove unneeded gotos in
both files.
Oblivionsage [Tue, 17 Feb 2026 18:39:05 +0000 (19:39 +0100)]
pe-binary: fix missing le16toh() on NumberOfSections in pe_hash/uki_hash
pe_hash() and uki_hash() pass pe_header->pe.NumberOfSections directly
to typesafe_qsort() and FOREACH_ARRAY() without le16toh(). On
big-endian (s390x), NumberOfSections=3 gets read as 0x0300 (768),
while pe_load_sections() correctly converts it and only allocates 3
sections. This makes qsort process 768 elements on a 3-element
buffer, causing a heap-buffer-overflow (confirmed with ASAN on
native s390x).
Wrap all three raw usages with le16toh() to match pe_load_sections().
dissect-image: measure Verity before making use of them
Let's hook up the dissection logic with the new measurement infra, and
issue the measurement after successfully unlock an image, but before
returning to the caller.
Note that ideally we'd do this measurement in the kernel, so that we can
place it after authenticating the root hash, but before activating the
medium. One day we should be able to do that via eBPF based on userspace
policies, but for now, this would require too much kernel rework.
Let's however make sure our measurements only contain data that the
kernel could know too, so that we hopefully can move these measurements
to the kernel without changing their formatting.
pcrextend-util: add helpers for measuring roothash/signature of Verity volumes
This adds infrastructure for measuring Verity root hashes from
userspace, along with he issuer/serial of the signatures used to unlock
them.
We measure the triplet of volume name, root hash and issuer/serial. if
confext/sysext use different signing keys then this ensures the event
log carry information about the type of image measures.
pkcs7-util: add helpers for extracting signer info from PKCS7 signatures
Once we start measuring Verity volumes as we activate them we want to
include information about the signature keys used, so that we can have
distinct ones for confext and for sysext and ther purposes and thus have
a cryptograpically protected hint about the kind of image we have
activated in the event log.
Ideally we'd measure a fingerprint of the signing certificate here, but
we don't have that here typically (as PKCS7 signatures used here
typically do not embed that), hence use the next best thing: the issuer
name and the serial number.
tpm2-setup: introduce nvpcr for measuring Verity images
I thnk it's crucial we start to measure Verity images as we activate
them, so that the event log has a full trace of the compisition of the
system. hence let's introduce a new NvPCR for this purpse, under the
name "verity".
pcrextend: allow access to the userspace event type field when measuring something
It think we should move most measurements out of the individual tools
requesting them and into the pcrextend service via Varlink, so that
fewer components require access to the TPM.
This only works however, if we can actually write full-blown event log
records via this mechanism, and for that we still were missing access to
the userspace event type we insert into the event log. Add that.
cryptsetup: move default choice of nvpcr for keyslots from generator into cryptsetup
Let's pick the default NvPCR name to use inside of cryptsetup itself, instead
of in the generator. I think this is the better choice, since it means
the default can also be used if the regular verittab generator is used
instead of the gpt-auto generator.
r-vdp [Sun, 11 Jan 2026 18:49:34 +0000 (19:49 +0100)]
systemd-boot: add a preferred setting that's similar to default but avoids booting known-bad entries
Motivation:
Currently, when setting the default boot pattern, boot assessment status
is not taken into account. This means that with boot assessment enabled,
when an explicit boot entry is configured as the default entry using an
EFI var, as is common for instance in A/B boot schemes, the configured
entry will be booted indefinitly, regardless of the entry's boot
assessment status.
In order to allow for this use case in combination with boot assessment,
we introduce a new `preferred` keyword, both in the config file and in the
bootctl CLI, that acts very similar to the existing `default` keyword but
takes boot assessment into account and never selects any entries that
have been marked as bad.
If the preferred pattern does not resolve to any bootable entry, and a
default pattern is also specified, then the default pattern will be
considered next, and we may then still select a known-bad entry to be
booted.
Yu Watanabe [Tue, 17 Feb 2026 18:27:41 +0000 (03:27 +0900)]
boot: Fix UKI boot for kernels with non-zero ImageBase (#40429)
The current code incorrectly subtracts ImageBase from section
VirtualAddress values when loading sections into memory. This is based
on a misunderstanding of the PE specification.
VirtualAddress in section headers is the address of the first byte of
the section relative to the image base when the section is loaded into
memory. In other words, VirtualAddress is already an RVA measured from
the image base, it is definitely NOT an absolute address that needs to
be adjusted.
So when loading a PE image into a newly allocated buffer, sections
should be copied to buffer + VirtualAddress, regardless of what
ImageBase says. The ImageBase field merely indicates the *preferred*
load address, it does not affect how section RVAs are interpreted.
This happens to not cause issues when ImageBase was 0 (since
VirtualAddress - 0 = VirtualAddress), which is why this bug went
undetected on modern kernels. However, it fails with kernels that have
non-zero ImageBase values.
So let's remove the nonsensical VirtualAddress < ImageBase check, and
remove the ImageBase subtractions from section loading offsets. This
lets all kernel UKIs work properly again.
Daan De Meyer [Mon, 16 Feb 2026 12:14:58 +0000 (13:14 +0100)]
sd-bus: Don't fork unnecessarily to connect to container
Let's check if we're already in the right namespaces and call connect()
directly if that's the case. This can easily happen when the machine is
specified as .host or so.
Daan De Meyer [Tue, 17 Feb 2026 14:36:00 +0000 (15:36 +0100)]
namespace-util: Do is_our_namespace() checks first in namespace_enter()
These checks may rely on /proc on older kernels which we could lose access
to by joining namespaces so let's do all the checks first and then join
namespaces.
NEWS: clarify the change for non-system accounts in v260 vs. v259
In 5c05a339c6665e3a35f6000a46dcd1da80fcdced I retroactively changed the NEWS
entry for v259. But this is very confusing, because it looks like the original
change never happened and it's not clear what is being reverted.
Let's restore the original text, and just add a short note, but then move
the new text to the section for v260.
XDG_SESSION_EXTRA_DEVICE_ACCESS will now take a colon-separated list of
identifiers. For every identifier $ID, the session is granted access to all
devices tagged as "xaccess-$ID" in udev.
Yu Watanabe [Tue, 17 Feb 2026 14:23:23 +0000 (23:23 +0900)]
Fixes & improvments for using homed-luks on 4k disks (#35776)
Mostly consists of fixes to
- use the same sector_size as the fdisk context we are using, when
converting between sectors returned by libfdisk to bytes. Fixes #30394 ,
Fixes #30393
- Use the explicit sector size if specified in the home record when are
probing the image file using libblkid. Fixes #30393
Also contains some other improvements with using physical block devices.
- Automatically probe sector size of physical block device, if user does
not pass luks-sector-size explicitly.
- Assign partitions to 1 MiB boundaries, as it is the standard practice
followed by all tools, fdisk, gptfdisk, gnu parted etc.
- Avoid stacking of loop device on top of physical block device in
home_create_luks as it leads to degradation of discard operations, and
mkfs getting stuck.
Yu Watanabe [Tue, 17 Feb 2026 13:20:38 +0000 (22:20 +0900)]
Sensor cleanup 1st pass (#40675)
This is a general cleanup of the sensors hwdb file divides into several
commits per brand.
I have merged the devices that use the same matrices, clean up a little
some clear dmi matches, and apply a inline comment with the device where
is certainly very clear way to display.
My idea is to do more cleanup steps but actually will require more
effort to achieve complete dmis, I can do it with little time, and some
consensus for comment styling.
About the comment styling actually I thing we could follow two rules at
the same time: inline comment when the dmi match is short and there is
no additional many information than just the model, and the other one
comment above the dmi match when is too long or there are need to add
more info.
scarlet-storm [Sat, 28 Dec 2024 08:44:11 +0000 (14:14 +0530)]
Use sectorsize for partition tables on block devs
Fix for specific case #30393 where 4k sector luks container is created
on a 512b device. In this case the partition table needs to be 512b,
else the kernel will not be able to find the partition, and we will
have to create a loop device to translate the partition table to 4k.
scarlet-storm [Sat, 28 Dec 2024 07:55:25 +0000 (13:25 +0530)]
homework: Ensure we don't stack block devices
Ensure we don't create a loop device on top of a physical block device.
This leads to huge performance degradation of discard operations if the
physical device does not support discard_on_zeroes.
- loop device historical semantics dictates that when the device is
discarded, it needs to return zero data on read. This can be
implemented easily on a filesystem. since fallocate zero-range
would return immediately & the holes are handled at the filesystem
level to return zero data on read.
- For a raw block device, the feature (discard_zeroes_data) depends on
the capabilities of the physical device that is exposed to the
block layer by the driver. This means that to guarantee that the loop
device stacked on a block device returns zero on discarded data,
it needs to convert discarded range into write_zero op on the block device.
https://github.com/torvalds/linux/blob/63676eefb7a026d04b51dcb7aaf54f358517a2ec/drivers/block/loop.c#L773
For example on one of my local nvme I can see the following:
cat /sys/class/block/nvme1n1/queue/write_zeroes_max_bytes
131072
cat /sys/class/block/nvme0n1/queue/discard_max_hw_bytes 2199023255040
This means maximum size of a write_zero operation can be 128KiB &
maximum size of discard operation can be 2TiB on the block device.
So discarding for example 1TB of data, which would be a single block
device operation, gets split into 8.3 million block device operations
when issued on top of stacked loop device.
scarlet-storm [Sat, 28 Dec 2024 03:43:34 +0000 (09:13 +0530)]
homework: Use same sector size when probing the device
If there is an explicit sector size specified in the user record,
use the same when probing the file using libblkid. The default
is 512 bytes, which will not be able to find the signatures, if the
partition table on regular file was created assuming 4k sectors
projects / thirdparty / systemd.git / log
