IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Register a LINUX_EFI_INITRD_MEDIA_GUID DevicePath with a LoadFile2Protocol interface and serve the initrd to a supported Linux kernel (Version 5.8+)
Leave the x86 code for older kernels in place until supported kernels become more mainstream
We already did that for sd-boot, hence do it for sd-stub the same way.
Also, move the __attribute__ stuff to the beginning of the statement,
rather than the middle. Mostly just because we usually put it first for
implementations for identifiers (for prototypes we put it last).
These functions are used pretty much independently of locale, i.e. the
only info relevant is whether th locale is UTF-8 or not. Hence let's
give this its own pair of .c/.h files.
We inquire the EFI var for this at two places, let's add a helper that
queries it and gracefully handles it if we can't get it, by returning a
zero mask, i.e. no features supported.
Let's make some stuff const. Most importanly call AllocatePages() with
a pointer to an EFI_PHYSICAL_ADDRESS instead of a pointer to a
pointer. On 64bit this makes no difference, but on i386 this is simply
not correct, since EFI_PHYSICAL_ADDRESS is 64bit there, even though
pointers are 32bit.
let's move showing of the splash screen to the earliest place we know
the splash bmp address. After all a splash screen is all about showing
as early as we can. This matters as doing TPM stuff or packing up a
large cpio might take time.
While we are at it, move the conditionalization of the splash screen
into the function instead of doing it ahead of calling it. This should
encapsulate things more nicely.
This adds support for the EFI stub to look for credential files and
sysext files next to the EFI kernel image being loaded, and pack them up
in an initrd cpio image, and pass them to the kernel.
Specifically, for a kernel image foo.efi it looks for
foo.efi.extra.d/*.cred and packs these files up in an initrd, placing it
inside a directory /.extra/credentials/. It then looks for
foo.efi.extra.d/*.raw and pack these files up in an initrd, placing them
inside a directory /.extra/sysexts/. It then concatenates any other
initrd with these two initrds, so they are combined.
Or in other words auxiliary files placed next to the kernel image are
picked up automatically by the EFI stub and be made available in the
initrd in the /.extra/ directory.
What's the usecase for this? This is supposed to be useful in context of
implementing fully trusted initrds, i.e. initrds that are not built
locally on the system and unsigned/unmeasured – as we do things
currently —, but instead are built by the vendor, and measured to TPM.
The idea is that a basic initrd is always linked into the kernel EFI
image anyway. This will already be sufficient for many cases. However,
in some cases it is necessary to parameterize initrds, or to extend the
basic initrds with additional subsystems (e.g. think complex storage, or
passing server info/certificates/… to initrds). The idea is that the
parameterization is done using the "credentials" logic we already have
in systemd, with these credential files (which can optionally be
encrypted+authenticated by TPM2) being placed in the ESP next to the
kernel image. And the initrd extension via the "sysext" logic we already
have in systemd too.
Note that the files read by this code are not verified immediately, they
are copied *as-is* and placed into /.extra/ in the initrd. In a trusted
environment they need to be validated later, but before first use. For
the credentials logic this should be done via the TPM2
encryption/authentication logic. For the sysext stuff the idea is that
this is done via signed images, as implemented by #20691.
"bootctl update" tries to add sd-boot to the EFI boot loader list if it
is not already there. To do so, it uses find_slot() which finds the
proper BootXXXX slot ID to use and also returns 1 if an existing sd-boot
entry was found at this ID or 0 if it is a new unused ID. In "update"
case install_variables() only writes the entry in case 0 (no existing
entry).
However, find_slot() erroneously returns 1 if it finds a gap in the Boot
IDs (i.e. when not resorting to max(ids) + 1). This causes
"bootctl update" to not add a missing systemd-boot boot entry if the
existing BootXXXX entry IDs are not consecutive.
Fix that by returning 0 in find_slot() when an empty gap ID is selected
to make it match the behavior when selecting an empty non-gap ID.
In a follow-up patch we are going to modify the initrd, hence prepare
the pointers/"physical addresses" to it, first, so that we can do so
easily.
Also, do some other tweaks and cleanups to physical address/pointer
conversion.
Just like userspace realloc() the EFIlib ReallocatePool() function is
happy to use a NULL pointer as input, in which case it is equivalent to
AllocatePool(). See:
269ef9dbc7/lib/misc.c (L57)
The Bootloader Specification says "devicetree refers to the binary
device tree to use when executing the kernel..", but systemd-boot
didn't actually do anything when encountering this stanza until now.
Add support for loading, applying fixups if relevant, and installing the
new device tree before executing the kernel.
When pulling in the SHA256 implementation from glibc, only some of the
coding style was adjusted to ours, other was not. Let's make things a
bit more consistent.
The GUIDs we usually deal with should be considered constant. Hence make
them so. Unfortunately the prototypes for various functions doesn't mark
them as const (but still decorates them with "IN", clarifying they are
input-only), hence we need to cast things at various places. We already
cast in similar fashion in many other cases, hence unify things here in
one style.
Making the EFI_GUID constant (and in particular so when specified in C99
compound literal style) allows compilers to merge multiple instances of
them.
Callers to linux_exec() are actually passing an EFI_HANDLE, not a pointer to
it. linux_efi_handover(), which is called by linux_exec(), also expects an
EFI_HANDLE.
Firmware likes to draw the EFI provided cursor in a weird way that
makes it invisible sometimes. This is even more likely to happen
if unusual colors are picked. It also fails to draw attention to the
user by being very small and not blinking.
Additionally, to make it more clear that we are in edit mode, we
now default to inverting the general default color and use that for
our line edit.
Fixes: #19301
Making keys case insensitive should help if caps lock is on.
We are not advertising them at runtime or in the manual to
reduce the noise.
This also hides the quit and version commands from the help
string. They are mostly for devs and otherwise have little
to no use to normal users. The latter overlaps with print
status which is still advertised.
We only need the PE header offset from the DOS header, not
its size. Previously, the section table could be cut off in the middle.
While we are at it, also modernize the remaining code.
There is a ASSERT() macro from gnu-efi, but that does not show any
output to ConOut. Having to do some additional setup just to get
some debug output is tedious and outright difficult on real hardware.
log_error_stall() and log_error_status_stall() will ensure the user has
a chance to catch an error message by stalling and also forcing a
lightred/black color on it. Also, convert several Print() calls to it
since they are actually error messages.
Let's be paranoid and do something useful if we operate with empty
haystack/needle. This doesn't actually fix anything, as the places as
far as I can see check for non-emptyness already beforehand, but I will
sleep safer at night, if we don't even allow the trap to be fallen in,
ever, even if the code is changed sooner or later.
This is like memmem_safe() but returns a pointer after the needle,
instead to the beginning of the needle.
This is then used at one place. Not much, but it makes me sleep safer at
night, as it avoids the manual counting done so far.
When boot ArchLinux from Ventoy, it always print `Failed to open random seed file: write protected.`
As Ventoy emulate the ISO file as a read-only CDROM, I didn't test with a real physical CDROM drive, but maybe it also has such problem.
As we use `EFI_FILE_MODE_WRITE` to open the `loader\random-seed` file, so I think it's better to check the result with both `EFI_WRITE_PROTECTED` and `EFI_NOT_FOUND`.
In general we almost never hit those asserts in production code, so users see
them very rarely, if ever. But either way, we just need something that users
can pass to the developers.
We have quite a few of those asserts, and some have fairly nice messages, but
many are like "WTF?" or "???" or "unexpected something". The error that is
printed includes the file location, and function name. In almost all functions
there's at most one assert, so the function name alone is enough to identify
the failure for a developer. So we don't get much extra from the message, and
we might just as well drop them.
Dropping them makes our code a tiny bit smaller, and most importantly, improves
development experience by making it easy to insert such an assert in the code
without thinking how to phrase the argument.
Previously, the "bootctl update" logic would refrain from downrgading a
boot loader, but if the boot loader that is installed already matched
the version we could install we'd install it anyway, under the
assumption this was effectively without effect. This behaviour was handy
while developing boot loaders, since installing a modified boot loader
didn't require a version bump.
However, outside of the systems of boot loader developers I don't think
this behaviour makes much sense: we should always emphasize doing
minimal changes to the ESP, hence when an update is supposedly not
necessary, then don't do it. Only update if it really makes sense, to
minimize writes to the ESP. Updating the boot loader is a good thing
after all, but doing so redundantly is not.
Also, downgrade the message about this to LOG_NOTICE, given this
shouldn't be a reason to log.
Finally, exit cleanly in this cases (or if another boot loader is
detected)
Since autodetection is unlikely to work reliably for cross builds
disable it unless explicitly enabled.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
The logic is that if the options are updated after boot, we *don't* use
the new value. But we still want to print out the changed contents in
bootctl as to not confuse people.
Fixes#19597.
Also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988450.
$ build/bootctl systemd-efi-options
quiet
Note: SystemdOptions EFI variable has been modified since boot. New value: debug
The hint is printed to stderr, so scripts should not be confused.
Creating those string dynamically at runtime is slow and unnecessary.
Let's use static strings with a bit of macro magic and the let the compiler
coalesce as much as possible.
$ size build/src/shared/libsystemd-shared-248.so{.old,}
text data bss dec hex filename
2813453 94572 4584 2912609 2c7161 build/src/shared/libsystemd-shared-248.so.old
2812309 94564 4584 2911457 2c6ce1 build/src/shared/libsystemd-shared-248.so
A nice side-effect is that the same form is used everywhere, so it's easier to
figure out all variables that are used, and where each specific variable is
used.
C.f. 2b0445262a.
Note: 'const char *foo = alloca(…);' seems OK. Our coding style document and
alloca(3) only warn against using alloca() in function invocations. Declaring
both stack variable and alloca at the same time should be fine: no matter in
which order they happen, i.e. if the pointer variable is above the contents,
or the contents are above the pointer, or even if the pointer is elided by the
compiler, everything should be fine.
The naming of variables is very inconsistent. I tried to use more
modern style naming (UNDERSCORED_TITLE_CASE), but I didn't change existing
names too much. Only SYSTEM_DATA_UNIT_PATH is renamed to SYSTEM_DATA_UNIT_DIR
to match SYSTEM_CONFIG_UNIT_DIR.
Meson 0.58 has gotten quite bad with emitting a message every time
a quoted command is used:
Program /home/zbyszek/src/systemd-work/tools/meson-make-symlink.sh found: YES (/home/zbyszek/src/systemd-work/tools/meson-make-symlink.sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program xsltproc found: YES (/usr/bin/xsltproc)
Configuring custom-entities.ent using configuration
Message: Skipping bootctl.1 because ENABLE_EFI is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Message: Skipping journal-remote.conf.5 because HAVE_MICROHTTPD is false
Message: Skipping journal-upload.conf.5 because HAVE_MICROHTTPD is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Message: Skipping loader.conf.5 because ENABLE_EFI is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
...
Let's suffer one message only for each command. Hopefully we can silence
even this when https://github.com/mesonbuild/meson/issues/8642 is
resolved.
Some motherboards convert the path to uppercase under certain circumstances
(e.g. after booting into the Boot Menu in the ASUS ROG STRIX B350-F GAMING).
Binutils for non-x86 architectures currently does not support PE binaries. Thus
linux.efi.stub is useless on those, as one cannot use any tooling to add
linux/cmdline/splash sections to it. In addition to PE linux.efi.stub also
install ELF linux.elf.stub, such that one can use objcopy ELF target to copy in
linux/cmdline/splash sections and then convert the result to a PE binary.
Add SBAT support, when -Dsbat-distro value is specified. One can use
-Dsbat-distro=auto for autodetection of all sbat options. Many meson configure
options added to customize SBAT CSV values, but sensible defaults are auto
detected by default. SBAT support is required if shim v15+ is used to load
systemd-boot binary or kernel.efi (Type II BootLoaderSpec).
Fixes#19247
With some versions of the compiler, the _cleanup_ attr makes it think
the variable might be freed/closed when uninitialized, even though it
cannot happen. The added cost is small enough to be worth the benefit,
and optimized builds will help reduce it even further.
These were added to eficonex.h in gnu-efi 3.0.13. Let's move them
to missing_efi.h behind an appropriate guard to fix the build with
recent versions of gnu-efi.
The firmware spec doesn't really say whether FilePath of the LoadedImage
protocol may be NULL or not. So far we assumed it to be non-NULL, but
apparently the FreeBSD UEFI chainloader sets it to NULL. Handle this
gracefully.
(Noticed and tracked down by Alexander Schreiber)
Fixes: #18733
As suggested in https://github.com/systemd/systemd/pull/11484#issuecomment-775288617.
This does not touch anything exposed in src/systemd. Changing the defines there
would be a compatibility break.
Note that tests are broken after this commit. They will be fixed in the next one.
sd-boot has a copy of a subset of codes from libbasic. This makes
sd-boot share the code with libbasic, and dedup the code.
Note, startswith_no_case() is dropped from sd-boot, as
- it is not used,
- the previous implementation is not correct,
- gnu-efi does not have StrniCmp() or so.
To add secure-boot enrolling support, we need to be able to specify
the EFI_VARIABLE_APPEND_WRITE flag so let's make the efivar_set()
methods more generic so we can set that flag.
Let's make these functions a little more generic so we can have
them work on more than one GUID. More specifically, this allows
using them with the global guid which will be used a bit more to
extend the secure boot support.
Instead of using -nostdinc, we use -nostdlib. This is necessary
to allow moving to C99 as efibind.h includes stdint.h when C99
is enabled. It isn't necessarily problematic to use some standard
library headers as long as they don't contain functions defined in
libc or another system library (or in other words, header only
headers are fine to use in sd-boot).
I think this formatting was originally used because it simplified
adding new options to the help messages. However, these days, most
tools their help message end with "\nSee the %s for details.\n" so
the final line almost never has to be edited which eliminates the
benefit of the custom formatting used for printf() help messages.
Let's make things more consistent and use the same formatting for
printf() help messages that we use everywhere else.
Prompted by https://github.com/systemd/systemd/pull/18355#discussion_r567241580
Even though many of those scripts are very simple, it is easier to include
the header than to try to say whether each of those files is trivial enough
not to require one.
Using `bootctl set-default @current` will set the default loader entry
to the currently booted entry as read from the `LoaderEntrySelected` EFI
variable.
Also `bootctl set-oneshot @current` will set the oneshot loader entry to
the current booted entry.
Correspondingly `@default` and `@oneshot` can be used to read from the
LoaderEntryDefault and LoaderEntryOneshot EFI variables.
bootctl implements three types of operation: those that work with an EFI
boot loader, those which work with any EFI boot loader that implements
the boot loader spec + interface, and finally those specific to sd-boot.
Previously the --help text and the man page mixed them all up. Let's put
them clearly in three separate sections however, to communicate clearly
what is supposed to work everywhere, and what is specific to
systemd-boot or boot loaders implementing the two specs.
This adjusts wording here and there, but is mostly just about
re-ordering existing docs, and putting them under new sections.
Functions that accept no arguments should be
explicitly declared a void parameter in their parameter list.
Signed-off-by: Marco Wang <m.aesophor@gmail.com>
The machine-id is used to create a few directories and setup a default
loader entry in loader.conf. Having bootctl create the directories
itself is not particularly useful as it does not put anything in them
and bootctl install is not guaranteed to be called before an initramfs
tool like kernel-install so other programs will always need to have
logic to create the directories themselves if they happen to be called
before bootctl install is called.
On top of this, when using unified kernel images, these are installed to
$BOOT/EFI/Linux which removes the need to have the directories created
by bootctl at all. This further indicates that these directories should
be created by the program that puts something in them rather than by
bootctl.
Removing the machine-id dependency allows bootctl install to be called
even when there's no machine-id in the image. This is useful for image
builders such as mkosi which don't have a machine-id when
installing systemd-boot (via bootctl) because it should only be
generated by systemd when the final image is booted.
The default entry in loader.conf based on the machine-id in loader.conf
is also removed which shouldn't be a massive loss in usability overall.
This commit reverts commit 341890d.
