Dan Streetman [Thu, 31 Aug 2023 13:10:40 +0000 (09:10 -0400)]
tpm2: change tpm2_unseal() to accept Tpm2Context instead of device string
This matches the change to tpm2_seal(), which now accepts a Tpm2Context instead
of a device string.
This also allows using the same TPM context for sealing and unsealing, which
will be required by (future) test code when sealing/unsealing using a transient
key.
Dan Streetman [Fri, 8 Sep 2023 18:22:11 +0000 (14:22 -0400)]
tpm2: use GREEDY_REALLOC_APPEND() in tpm2_get_capability_handles(), cap max value
Simplify the function with GREEDY_REALLOC_APPEND(). Also limit the size_t-sized
max value to UINT32_MAX since that's the maximum of the range this searches,
and the max parameter for tpm2_get_capability() is uint32_t.
Dan Streetman [Wed, 2 Aug 2023 17:35:46 +0000 (13:35 -0400)]
tpm2: update tpm2 test for supported commands
The test expects TPM2_CC_FIRST - 1 and TPM2_CC_LAST + 1 to be unsupported, but
those are not necessarily invalid commands. Instead test known-invalid
commands. Also add some more valid commands.
Dan Streetman [Fri, 8 Sep 2023 16:39:49 +0000 (12:39 -0400)]
tpm2: downgrade most log functions from error to debug
Because most TPM2 functions here are 'library-like' functions, they should be
at debug level, not error level.
The only functions not reduced to logging at debug are tpm2_list_devices(),
since it is expected to print output, and the tpm2_parse_pcr_argument_*()
functions, since the system-wide parse_*_argument() functions generally log at
error level.
resolve: tolerate merging a zero-ttl RR and a nonzero-ttl RR if not mDNS
resolved rejected RRsets containing a RR with a zero TTL and a RR with a nonzero TTL. In practice—see the linked issues—, this case triggered when an AF_UNSPEC query to a CNAMEd domain returned a zero TTL for the CNAME on one address family and a nonzero TTL for the CNAME on the other address family.
The zero-nonzero TTL check cites RFC 2181 § 5.2 in a comment. That section says DNS clients should reject any RRset containing differing TTLs, which the check only implements a very special case of. That the old behavior caused real-world false NXDOMAIN results is reason enough to completely ignore the RFC's recommendation. However, mDNS treats zero TTLs specially, so the error case needs to be kept for mDNS.
Luca Boccassi [Sun, 1 Oct 2023 17:55:12 +0000 (18:55 +0100)]
docs: add document about UEFI security posture in src/boot/efi/
This is not intended as a user guide, but to describe the generic security
posture of the UEFI components. Hence we do not publish it on systemd.io
but only in the repository.
dissect-image: optionally allow mounting via new kernel mount API in two steps
This adds support for the new fsmount() logic of the kernel: we'll first
create an unattached fsmount fd, and then in a second step attach this
to some real file system inode – as opposed to attaching file system
directly. The benefit of this is that we can pass the open fsmount fds
over some sockets if need be, to isolate the mounting code from the
attaching code.
core: Use a subdirectory of /run/ for PrivateDevices=
When we're starting early boot services such as systemd-userdbd.service,
/tmp might not yet be mounted, so let's use a directory in /run instead
which is guaranteed to be available.
Daan De Meyer [Sun, 1 Oct 2023 18:40:45 +0000 (20:40 +0200)]
mount: Log when we can't create the mount point
Debugging mount unit failures caused by systemd not being able to
create the mount point is currently rather hard. Let's log about
failures to create mount points to simplify debugging.
journalctl: find boot ID more gracefully in corrupted journal
In discover_next_boot(), first we find a new boot ID based on the value
stored in the entry object. Then, find the tail (or head when we are going
upwards) entry of the boot based on the _BOOT_ID= field data.
If boot IDs of an entry in the entry object and _BOOT_ID field data
are inconsistent, which may happen on corrupted journal, then previously
discover_next_boot() failed with -ENODATA.
This makes the function check if the two boot IDs in each entry are
consistent, and skip the entry if not.
Fixes the failure of `journalctl -b -1` for 'truncated' journal:
https://github.com/systemd/systemd/pull/29334#issuecomment-1736567951
Yu Watanabe [Sun, 1 Oct 2023 07:48:36 +0000 (16:48 +0900)]
fileio: make read_full_file_full() usable with size and READ_FULL_FILE_UNBASE64
When READ_FULL_FILE_UNBASE64 (or READ_FULL_FILE_UNHEX) is specified,
setting size argument by caller is difficult, as it is hard to estimate
the encoded length.
This makes when size is specified with decoding option, let's read file
more, and check decoded size later with the specified size.
This adds a new script tools/check-version-history.py and a corresponding
test when building in developer mode. It checks manpages (except dbus
documentation which is handled by update-dbus-docs) for missing version
history information.
It also adds ignore lists based on version 183 (the version that our version
annotations go back to). These can be augmented if we want to ignore other
elements if it doesn't make sense for them to have version annotations.
Yu Watanabe [Sun, 1 Oct 2023 03:04:59 +0000 (12:04 +0900)]
sd-netlink: make the default timeout configurable by environment variable
On normal systems, triggering a timeout should be a bug in code or
configuration error, so I do not think we should extend the default
timeout. Also, we should not introduce a 'first class' configuration
option about that. But, making it configurable may be useful for cases
such that "an extremely highly utilized system (lots of OOM kills,
very high CPU utilization, etc)".
sd-journal: merge journal_file_next_entry_for_data() with generic_array_get_plus_one()
Because journal_file_next_entry_for_data() provides the first entry, while
journal_file_next_entry() actually provides the next entry of the input,
this also renames it to journal_file_move_to_entry_for_data().
Also, previously, on DIRECTION_UP the function did not fall back to the
'extra' entry when all entries linked in the chained array are broken.
This also fixes the issue, and now it fall back to the extra entry.
sd-journal: fix calculation of number of 'total' entries in the chained arrays
If there's corruption and we are going upwards, then the 'total'
must be decreased when we go to the previous array. However,
previously, we wrongly kept or increased the number. This fixes
the behavior.
In the do-while loop, we do not read any other entry array object, hence
the current object is always in the mmap cache and not necessary to re-read it.
Doing that in VMs without acceleration is prohibitively expensive (i.e.
20+ seconds in the C8S job). Thankfully, the recent [0] --lines=+n syntax
makes this all quite easy to fix.
test: shutdown the machine on fail after soft-reboot
Since the soft-reboot drops the enqueued end.service, we won't shutdown
the test VM if the test fails and have to wait for the watchdog to kill
us (which may take quite a long time). Let's just forcibly kill the
machine instead to save CI resources.
tpm2-setup: add new early boot tool for initializing the SRK
This adds an explicit service for initializing the TPM2 SRK. This is
implicitly also done by systemd-cryptsetup, hence strictly speaking
redundant, but doing this early has the benefit that we can parallelize
this in a nicer way. This also write a copy of the SRK public key in PEM
format to /run/ + /var/lib/, thus pinning the disk image to the TPM.
Making the SRK public key is also useful for allowing easy offline
encryption for a specific TPM.
Sooner or later we should probably grow what this service does, the
above is just the first step. For example, the service should probably
offer the ability to reset the TPM (clear the owner hierarchy?) on a
factory reset, if such a policy is needed. And we might want to install
some default AK (?).
Jan Janssen [Fri, 22 Sep 2023 12:41:47 +0000 (14:41 +0200)]
boot: Lift linker requirements
The biggest reason for forcing bfd was the use of linker scrips. Since
we don't rely on those anymore we can lift the requirement.
The biggest issue is gold as it does not understand -static-pie. Given
that it's pretty much on life support it's safe to just declare it not
supported anymore.
Don't link addons with libefi as clang/lld is sometimes very eager to
include memset etc., causing needless binary bloat and link errors with
LTO.
Jan Janssen [Fri, 22 Sep 2023 10:15:55 +0000 (12:15 +0200)]
elf2efi: Add --copy-sections option
This makes the special PE sections available again in our output EFI
images.
Since the compiler provides no way to mark a section as not allocated,
we use GNU assembler syntax to emit the sections instead. This ensures
the section data isn't emitted twice as load segments will only contain
allocating input sections.
Jan Janssen [Thu, 28 Sep 2023 14:09:42 +0000 (16:09 +0200)]
elf2efi: Rework ELF section conversion
The main reason we need to apply a whole lot of logic to the section
conversion logic is because PE sections have to be aligned to the page
size (although, currently not even EDK2 enforces this). The process of
achieving this with a linker script is fraught with errors, they are a
pain to set up correctly and suck in general. They are also not
supported by mold, which requires us to forcibly use bfd, which also
means that linker feature detection is easily at odds as meson has a
differnt idea of what linker is in use.
Instead of forcing a manual ELF segment layout with a linker script we
just let the linker do its thing. We then simply copy/concatenate the
sections while observing proper page boundaries.
Note that we could just copy the ELF load *segments* directly and
achieve the same result. Doing this manually allows us to strip sections
we don't need at runtime like the dynamic linking information (the
elf2efi conversion is effectively the dynamic loader).
Important sections like .sbat that we emit directly from code will
currently *not* be exposed as individual PE sections as they are
contained within the ELF segments. A future commit will fix this.
Dan Streetman [Fri, 30 Jun 2023 16:52:10 +0000 (12:52 -0400)]
tpm2: add tpm2_index_to_handle() and tpm2_index_from_handle()
Adjust the tpm2_esys_handle_from_tpm_handle() function into better-named
tpm2_index_to_handle(), which operates like tpm2_get_srk() but allows using any
handle index. Also add matching tpm2_index_from_handle().
Also change the references to 'location' in tpm2_persist_handle() to more
appropriate 'handle index'.
So the coverage-related drop-in [0] can kick in to avoid errors with
DynamicUser=true. Also, to not make the test confusing with this change,
replace "nft-test" with "test-nft" everywhere.
[0] See test/README.testsuite, section "Code coverage"
tpm2: move measurement log to /run/log/ (from /var/log/)
I have no idea what went on in my mind when I used a path in /var/ for
the tpm2 event log we now keep for userspace measurements. The
measurements are only valid for the current boot, hence should not be
persisted (in particular as they cannot be rotated, hence should not
grow without bounds).
Fix that, simply move from /var/log/ to /run/log/.
fix: do not check/verify slice units if recursive errors are to be ignored
Before this fix, when recursive-errors was set to 'no' during a systemd-analyze
verification, the parent slice was checked regardless. The 'no' setting means that,
only the specified unit should be looked at and verified and errors in the slices should be
ignored. This commit fixes that issue.
Example:
Say we have a sample.service file:
[Unit]
Description=Sample Service
[Service]
ExecStart=/bin/echo "a"
Slice=support.slice
Before Change:
systemd-analyze verify --recursive-errors=no maanya/sample.service
Assertion 'u' failed at src/core/unit.c:153, function unit_has_name(). Aborting.
Aborted (core dumped)
After Change:
systemd-analyze verify --recursive-errors=no maanya/sample.service
{No errors}
core: move pid watch/unwatch logic of the service manager to pidfd
This makes sure unit_watch_pid() and unit_unwatch_pid() will track
processes by pidfd if supported. Also ports over some related code.
Should not really change behaviour.
Note that this does *not* add support waiting for POLLIN on the pidfds
as additional exit notification. This is left for a later commit (this
commit is already large enough), in particular as that would add new
logic and not just convert existing logic.
projects / thirdparty / systemd.git / log
