by default when combined with --scope, will be changed in a future
release to be enabled by default.
- * "systemctl switch-root" is now restricted to initrd transtions only.
+ * "systemctl switch-root" is now restricted to initrd transitions only.
Transitions between real systems should be done with "systemctl soft-reboot"
instead.
* add a new PE binary section ".mokkeys" or so which sd-stub will insert into
Mok keyring, by overriding/extending whatever shim sets in the EFI
var. Benefit: we can extend the kernel module keyring at ukify time,
- i.e. without recompiling the kernel, taking an upstrem OS' kernel and adding
+ i.e. without recompiling the kernel, taking an upstream OS' kernel and adding
a local key to it.
* PidRef conversion work:
* similar, add the same for journal stream clients that log too much
-* systemd-mount sould only consider modern file systems when mounting, similar
+* systemd-mount should only consider modern file systems when mounting, similar
to systemd-dissect
* new "systemd-pcrlock" component for dealing with PCR4. Design idea:
* sd-boot: make boot loader spec type #1 accept http urls in "linux"
lines. Then, do the uefi http dance to download kernels and boot them. This
- is then useful for network boot, by embdedding a cpio with type #1 snippets
+ is then useful for network boot, by embedding a cpio with type #1 snippets
in sd-boot, which reference remote kernels.
* maybe prohibit setuid() to the nobody user, to lock things down, via seccomp.
* systemd-measure: allow operating with PEM certificates in addition to PEM
public keys when signing PCR values. SecureBoot and our Verity signatures
operate with certificates already, hence I guess we should also just deal for
- convencience with certificates for the PCR stuff too.
+ convenience with certificates for the PCR stuff too.
* systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it
would just use the same public key specified with --public-key= (or the one
<para><function>sd_event_set_signal_exit()</function> may be used to ensure the event loop terminates
once a <constant>SIGINT</constant> or <constant>SIGTERM</constant> signal is received. It is a
- convencience wrapper around invocations of
+ convenience wrapper around invocations of
<citerefentry><refentrytitle>sd_event_add_signal</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for both signals. The two signals are automatically added to the calling thread's signal mask (if a
program is multi-threaded care should be taken to either invoke this function before the first thread is
#define LIST_CLEAR(name, head, free_func) \
_LIST_CLEAR(name, head, free_func, UNIQ_T(elem, UNIQ))
-/* Clear the list, destroing each element with free_func */
+/* Clear the list, destroying each element with free_func */
#define _LIST_CLEAR(name, head, free_func, elem) \
({ \
typeof(head) elem; \
Another mechanism is supported by `systemd-boot` and `systemd-stub` to add additional payloads to the boot
process: `addons`. Addons are PE signed binaries that can carry kernel command line arguments or Devicetree
-blobs (more might be added in the future). In constrast to the user-specified additions in the Type #1 case
+blobs (more might be added in the future). In contrast to the user-specified additions in the Type #1 case
described above, these addons are loaded through the UEFI image loading protocol, and thus are subject to
signature validation, and will be rejected if not signed or if the signature is invalid, following the
standard SecureBoot model. They are also measured in the TPM.
uint64_t freq = crystal_hz;
if (crystal_hz == 0) {
- /* If the crystal frquency is not available, try to deduce it from
+ /* If the crystal frequency is not available, try to deduce it from
* the processor frequency leaf if available. */
if (max_leaf < 0x16)
return 0;
/* Called for every token matching our URI */
r = pkcs11_token_login_by_pin(m, session, token_info, token_label, data->pin, data->pin_size);
if (r == -ENOLCK) {
- /* Referesh the token info, so that we can prompt knowing the new flags if they changed. */
+ /* Refresh the token info, so that we can prompt knowing the new flags if they changed. */
rv = m->C_GetTokenInfo(slot_id, &updated_token_info);
if (rv != CKR_OK) {
crypt_log_error(data->cd,
old_image_size = st.st_size;
- /* Note an asymetry here: when we operate on loopback files the specified disk size we get we
+ /* Note an asymmetry here: when we operate on loopback files the specified disk size we get we
* apply onto the loopback file as a whole. When we operate on block devices we instead apply
* to the partition itself only. */
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_PREFIX_ROOT)) {
/* Optionally prefix the mount source with the root dir. This is useful in bind
* mounts to be created within the container image before we transition into it. Note
- * that MOUNT_IN_USERNS is run after we transitioned hence prefixing is not ncessary
+ * that MOUNT_IN_USERNS is run after we transitioned hence prefixing is not necessary
* for those. */
r = chase(mount_table[k].what, dest, CHASE_PREFIX_ROOT, &prefixed, NULL);
if (r < 0)
return log_openssl_errors("Failed to create new EVP_MD_CTX");
if (!EVP_DigestInit_ex(ctx, md, NULL))
- return log_openssl_errors("Failed to initializate EVP_MD_CTX");
+ return log_openssl_errors("Failed to initialize EVP_MD_CTX");
for (size_t i = 0; i < n_data; i++)
if (!EVP_DigestUpdate(ctx, data[i].iov_base, data[i].iov_len))
return log_openssl_errors("Failed to build HMAC OSSL_PARAM");
if (!EVP_MAC_init(ctx, key, key_size, params))
- return log_openssl_errors("Failed to initializate EVP_MAC_CTX");
+ return log_openssl_errors("Failed to initialize EVP_MAC_CTX");
#else
_cleanup_(HMAC_CTX_freep) HMAC_CTX *ctx = HMAC_CTX_new();
if (!ctx)
if (r != -ENOLCK)
return r;
- /* Referesh the token info, so that we can prompt knowing the new flags if they changed. */
+ /* Refresh the token info, so that we can prompt knowing the new flags if they changed. */
rv = m->C_GetTokenInfo(slotid, &updated_token_info);
if (rv != CKR_OK)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
int serialize_item_format(FILE *f, const char *key, const char *format, ...) {
_cleanup_free_ char *allocated = NULL;
- char buf[256]; /* Something resonably short that fits nicely on any stack (i.e. is considerably less
+ char buf[256]; /* Something reasonably short that fits nicely on any stack (i.e. is considerably less
* than LONG_LINE_MAX (1MiB!) */
const char *b;
va_list ap;
r = tpm2_cache_capabilities(context);
if (r < 0)
- return log_debug_errno(r, "Failed to cache TPM capbilities: %m");
+ return log_debug_errno(r, "Failed to cache TPM capabilities: %m");
/* We require AES and CFB support for session encryption. */
if (!tpm2_supports_alg(context, TPM2_ALG_AES))
*
* Returns 1 if the object was successfully persisted, or 0 if there is already a key at the requested
* handle, or < 0 on error. Theoretically, this would also return 0 if no specific persistent handle is
- * requiested but all persistent handles are used, but it is extremely unlikely the TPM has enough internal
+ * requested but all persistent handles are used, but it is extremely unlikely the TPM has enough internal
* memory to store the entire persistent range, in which case an error will be returned if the TPM is out of
* memory for persistent storage. The persistent handle is only provided when returning 1. */
static int tpm2_persist_handle(
values.count++;
}
- /* Open + lock the log file *before* we start measuring, so that noone else can come between our log
+ /* Open + lock the log file *before* we start measuring, so that no one else can come between our log
* and our measurement and change either */
log_fd = tpm2_userspace_log_open();
/* This might fail, if btrfs is used and we run in a container. In that case we cannot
* resolve the device node paths that BTRFS_IOC_DEV_INFO returns, because the device nodes
* are unlikely to exist in the container. But if we can't stat() them we cannot determine
- * the dev_t of them, and thus cannot figure out if they are enrypted. Hence let's just
+ * the dev_t of them, and thus cannot figure out if they are encrypted. Hence let's just
* ignore ENOENT here. Also skip the test if we lack privileges. */
return;
assert_se(r >= 0);
assert_se(unit_add_name(c, "c.service") >= 0);
assert_se(set_isempty(c->pids));
- /* Fork off a child so thta we have a PID to watch */
+ /* Fork off a child so that we have a PID to watch */
_cleanup_(sigkill_waitp) pid_t pid = 0;
pid = fork();
if (pid == 0) {
r = verify_vc_allocation(i);
if (r < 0) {
- log_debug_errno(r, "VC %u existance check failed, skipping: %m", i);
+ log_debug_errno(r, "VC %u existence check failed, skipping: %m", i);
RET_GATHER(err, r);
continue;
}
self.wait_online(['veth-peer:carrier'])
# Note that at this point the DHCPv6 client has not been started because no RA (with managed
- # bit set) has yet been recieved and the configuration does not include WithoutRA=true
+ # bit set) has yet been received and the configuration does not include WithoutRA=true
state = get_dbus_dhcp6_client_state('veth99')
print(f"State = {state}")
self.assertEqual(state, 'stopped')
(! systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1)
if tpm_has_pcr sha256 12; then
- # Enroll using an explict PCR value (that does match current PCR value)
+ # Enroll using an explicit PCR value (that does match current PCR value)
systemd-cryptenroll --wipe-slot=tpm2 "$img"
EXPECTED_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$img"
# $1: block device
# $2: sector size
# $3: version
- # $4: partiton number of part1
- # $5: partiton number of part2
+ # $4: partition number of part1
+ # $5: partition number of part2
gpt_reserved_sectors=$(( 1024 * 1024 / $2 ))
part1_offset=$(( ( $4 - 1 ) * 2048 + gpt_reserved_sectors ))
projects / thirdparty / systemd.git / commitdiff
