Luca Boccassi [Sat, 25 Jan 2025 02:09:49 +0000 (02:09 +0000)]
ukify: add --pcrsig and --join-pcrsig arguments to append offline signature
Add a build parameter to take an existing UKI and attach a .pcrsig section
to it. This allows one to create a UKI with a .pcrpkey section with
--policy-digest to get the json output from sd-measure, sign the digest
offline, and attach the .pcrsig section with the signature later.
This definition is broken as rpm internally does the following
since 4.20 to calculate the buildroot:
```
char *bn = rpmExpand("%{NAME}-%{VERSION}-build", NULL);
/* Tilde and caret in paths are evil, convert to underscores */
for (char *t = bn; *t; t++) {
if (*t == '^' || *t == '~')
*t = '_';
}
```
This has broken our upstream opensuse CI builds in systemd as
we do the following to fetch the list of unpackaged files by the rpm build:
```
rpmbuild
...
--define "__check_files sh -c '$(rpm --define "_topdir /var/tmp" --eval %__check_files) | tee /tmp/unpackaged-files'"
...
```
which stopped working because the check files script tries
to look for unpackaged files in the "/var/tmp/BUILD/systemd-258~devel-build/BUILDROOT"
directory (%buildroot) whereas it should be looking in "/var/tmp/BUILD/systemd-258_devel-build/BUILDROOT".
Let's remove the %buildroot compat definition until the bug is
addressed in opensuse tumbleweed.
Michal Sekletar [Tue, 21 Jan 2025 14:31:14 +0000 (15:31 +0100)]
core/namespace: relabel bind mount source based on the target path
Some bind mounts, e.g. /tmp bind mount when PrivateTmp=disconnected,
must be explicitly relabeled because now it would have incorrect SELinux
label. /tmp is expected to have well-known SELinux label, tmp_t. Now it
has label inherited from the source directory of the bind mount.
Daniil [Fri, 7 Feb 2025 09:46:44 +0000 (10:46 +0100)]
hwdb: XBox Series Elite controller modalias entry has been added. (#36305)
Change was requested in response on #36297.
The reason for that change is that XBox Series Elite controller has
exact 4 buttons identified as keyboard key sets.
While it detects using USB connection without any issues, wireless
connection ends with assumption that it's a keyboard.
Yu Watanabe [Fri, 7 Feb 2025 02:20:21 +0000 (11:20 +0900)]
firstboot: Populate XKBLAYOUT and friends as well in vconsole.conf (#36275)
Let's derive XKBLAYOUT and friends from the given keymap and populate
these as well in vconsole.conf so that if the user configures a keymap
it's also respected in display managers such as gdm.
Daan De Meyer [Wed, 5 Feb 2025 13:31:33 +0000 (14:31 +0100)]
firstboot: Populate XKBLAYOUT and friends as well in vconsole.conf
Let's derive XKBLAYOUT and friends from the given keymap and populate
these as well in vconsole.conf so that if the user configures a keymap
it's also respected in display managers such as gdm.
Daan De Meyer [Wed, 5 Feb 2025 12:17:13 +0000 (13:17 +0100)]
locale: Move vconsole specific logic to shared/vconsole-util.h
This allows reusing the logic in systemd-firstboot.c.
To avoid having to link libxkbcommon into libsystemd-shared, we add
a level of indirection to vconsole_convert_to_x11() so that the verify
function is passed in by the caller.
Daan De Meyer [Thu, 6 Feb 2025 13:53:02 +0000 (14:53 +0100)]
mkosi: Only make build sources ephemeral if NO_BUILD is not enabled
If we're not building distribution packages from source, there's no
need to make the build sources ephemeral so don't enable the setting
if NO_BUILD is enabled.
homed: introduce "area" concept (i.e. secondary home directories stored below the primary one, of which one can pick one at login) (#36149)
This adds a new concept to homed/pam_systemd/pam_systemd_homed: "areas"
are secondary home dirs you can have inside your primary home dir, below
an `~/Areas/` hierarchy. You can log into these secondary dirs if you
specify "user%area" as user at login time.
This is quite useful for maintaining multiple sets of user resources
within the same user account with the same access privileges. The
intended usecase for me is utimately WSL-like stuff: you start a local
unpriv container which gets the host's home dir mounted in and fully
accessible, without this also meaning that the user account gets the
full set of settings and so on propagated down.
Codewise the concept is really simple: whenever an area name like
"foobar" is specified we simply change a $HOME of /home/lennart into
/home/lennart/Areas/foobar. In a way this PR adds more docs than code
for all this.
This also makes this feature directly accessible via "run0 -a foobar"
(for opening a new session in the 'foobar' area).
To be truly fun to use on text (i.e. getty) logins, a util-linux version
containing https://github.com/util-linux/util-linux/pull/3354 is best,
since otherwise $HOME is updated to /home/lennart/Areas/foobar, but the
cwd is still at /home/lennart.
i.e. we generally want that PAM modules can override $HOME and it is
honoured for the CWD after login.
(This renames the 'home' variable we maintained sofar to 'pwent_home',
to clarify that it's the home directory listed in the struct passwd
entry, and thus not necessarily the one actually used)
Yu Watanabe [Thu, 6 Feb 2025 00:38:39 +0000 (09:38 +0900)]
udev-builtin: several trivial cleanups (#36239)
- introduces UDEV_BUILTIN_DESTRUCTOR macro,
- normalize log messages on initialize/finalize,
- explicitly initialize global variable,
- drop using _UDEV_BUILTIN_INVALID.
Luca Boccassi [Wed, 5 Feb 2025 19:54:08 +0000 (19:54 +0000)]
homectl: fix typos in help text (#36279)
I noticed two small typos while reading the help text for homectl.
The `-P` option is described as "Same as
--enforce-password-**password**=no" when the option's name is
`--enforce-password-policy`.
While checking the man page to check if the typo was also there, i
noticed another typo where `--enforce-password-policy=no` has 3 dashes
instead of 2 in the description for `-P`.
Daan De Meyer [Wed, 5 Feb 2025 11:42:39 +0000 (12:42 +0100)]
repart: Don't fail when we're unable to read file attributes
We're getting EOVERFLOW when reading file attributes trying to get
mkosi running in a docker container (don't ask). I have a suspicion
this is coming from fuse-overlayfs. Anyway, since the file attributes
stuff is supposed to be purely optional, let's not fail when we can't
read file attributes for whatever reason.
Yu Watanabe [Wed, 5 Feb 2025 00:14:51 +0000 (09:14 +0900)]
network/routing-policy-rule: fix compare func
Previously, when comparing an existing and requested routing policy
rules, `all` flag was unset, thus the from and to addresses in the two
rules were not compared. Hence, a new request with from and/or to
addresses might be considered as it already exists even the addresses of
existing one were different from the newly requested one.
All existing rules have valid family, i.e. AF_INET or AF_INET6. And,
all requesting rules with from and/or to addresses also have a valid
family. Hence, even `all` flag is unset, the addresses can be and must
be compared in that case.
Daan De Meyer [Tue, 4 Feb 2025 19:46:11 +0000 (20:46 +0100)]
test: Move external packages section down and reword a little
This is advanced level stuff that regular contributors don't care
about in the slightest, so move it further down. Also reword the
section a little while we're at it.
Daan De Meyer [Tue, 4 Feb 2025 19:21:36 +0000 (20:21 +0100)]
test: Drop -Dremote=enabled instructions from readme
The test commands now use mkosi sandbox which always makes sure the
required dependencies for systemd-journal-remote are enabled so no
need to reconfigure meson explicitly anymore.
Daan De Meyer [Tue, 4 Feb 2025 08:24:26 +0000 (09:24 +0100)]
ukify/measure: Revert changes to use SizeOfImage from Linux PE binary
With 19812661f1f65ebe777d1626b5abf6475faababc, we make sure at runtime
in the stub itself that SizeOfImage from the Linux EFISTUB PE binary is
taken into account, so there's no need to take this into account in ukify
itself. By reverting the ukify change, we again ensure that Misc_VirtualSize
reflects the actual size of the Linux EFISTUB PE binary in the .linux section
which lots of tooling depends on. It also makes sure we don't measure a bunch
of extra zeroes in the stub which should fix systemd-pcrlock measurements as
well.
Daan De Meyer [Tue, 4 Feb 2025 10:42:42 +0000 (11:42 +0100)]
sysupdate: Update example mode to 644 instead of 444
The UKI file has to be writable to be able to do boot counting in
the UEFI firmware which involves renaming the file by writing to
the file metadata which requires the file to be writable in the FAT
filesystem.
docs: Update CPE fields in package metadata spec (#36251)
Update osCPE field example to use cpe 2.3 format, as is in active use by
AmazonLinux 2023 for example.
Add appCPE field example to document the upstream application CPE for
the applicable CVEs. Often distribution source package names are
different from the upstream CPE. For example adding/removing "lib"
prefix, or adding version stream "-3" suffix. This typically leads to
guessing or fuzzy matching. Adding appCPE in such cases can help to
disambiguate (or collate) correct application CPEs; especially beyond
the lifetime of osCPE support timeframes. This also will help a lot with
packaging multiple alternative source packages of the same software
(e.g. nginx-full nginx-core); different version streams (e.g.
openssl-1.1, openssl-3); or alternative builds of upstream software with
largely the same CVEs with multiple version streams (e.g.
openjdk-{22,17,11..}, corretto-{22,17,11..}, temurin-{22,17,11..}, etc).
Update osCPE field example to use cpe 2.3 format, as is in active use by
AmazonLinux 2023 for example.
Add appCPE field example to document the upstream application CPE for the
applicable CVEs. Often distribution source package names are different from the
upstream CPE. For example adding/removing "lib" prefix, or adding version
stream "-3" suffix. This typically leads to guessing or fuzzy matching. Adding
appCPE in such cases can help to disambiguate (or collate) correct application
CPEs; especially beyond the lifetime of osCPE support timeframes.
ukify: Calculate section size more correctly (#36215)
We should only use Misc_VirtualSize if it's smaller than SizeOfRawData,
since in that case it'll be the non-aligned section size. Otherwise we
have to use SizeOfRawData to get the size on disk.
Yu Watanabe [Sun, 2 Feb 2025 06:28:15 +0000 (15:28 +0900)]
udevadm-verify: document '--resolve-names=late' and accept 'never' as is
When '--resolve-names=late', systemd-udevd resolves user/group names
during each event being processed, and does not verify names on parse.
When '--resolve-names=never', systemd-udevd refuses any user/group names
on parse. Hence, the parser of udev rules behaves diffrently. Let's not
convert 'never' -> 'late' silently, and use the specified option as is.
This also updates man page and shell completion for --resolve-names
option.
Yu Watanabe [Sun, 2 Feb 2025 04:30:26 +0000 (13:30 +0900)]
udevadm: several cleanups around parse_device_action()
- drop unnecessary one line function dump_device_action_table(),
- make parse_device_action() log about invalid action string,
- rename output argument of parse_device_action().
Ani Sinha [Fri, 8 Nov 2024 06:31:51 +0000 (12:01 +0530)]
uki: introduce support for a .efifw section
UKIs can be used to bundle uefi firmwares that can be measured and
used on a confidential computing environment. There can be more than one
firmware blob bundle, each one for a specific platform. Also firmware images
can themselves be containers like IGVM files that can in turn bundle the
actual firmware blob. This change is specifically for uefi firmwares, not
IGVM container files.
This change adds support to introduce a .efifw section in UKI that can be
used for firmware blobs/images. There can be multiple such sections and each
section can contain a single firmware image.
The matching .hwids entry for a specific platform can be used to select the
most appropriate firmware blob.
ukify tool has been also changed to support addition of a firmware image
in UKI.
Since firmware gets measured automatically, we do not need to measure it
separately as a part of the UKI.
projects / thirdparty / systemd.git / log
