mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-12 09:17:44 +03:00
Commit Graph

58961 Commits

Author SHA1 Message Date
Lennart Poettering
de7ad6d4f4 sd-stub: measure sysext images picked up by sd-stub into PCR 13
Let's grab another so far unused PCR, and measure all sysext images into
it that we load from the ESP. Note that this is possibly partly redundant,
since sysext images should have dm-verity enabled, and that is hooked up
to IMA. However, measuring this explicitly has the benefit that we can
measure filenames too, easily, and that all without need for IMA or
anything like that.

This means: when booting a unified sd-stub kernel through sd-boot we'll
now have:

1. PCR 11: unified kernel image payload (i.e. kernel, initrd, boot
   splash, dtb, osrelease)

2. PCR 12: kernel command line (i.e. the one embedded in the image, plus
   optionally an overridden one) + any credential files picked up by
   sd-stub

3. PCR 13: sysext images picked up by sd-stub

And each of these three PCRs should carry just the above, and start from
zero, thus be pre-calculatable.

Thus, all components and parameters of the OS boot process (i.e.
everything after the boot loader) are now nicely pre-calculable.

NOTE: this actually replaces previous measuring of the sysext images into
PCR 4. I added this back in 845707aae2,
following the train of thought, that sysext images for the initrd should
be measured like the initrd itself they are for, and according to my
thinking that would be a unified kernel which is measured by firmware
into PCR 4 like any other UEFI executables.

However, I think we should depart from that idea. First and foremost
that makes it harder to pre-calculate PCR 4 (since we actually measured
quite incompatible records to the TPM event log), but also I think
there's great value in being able to write policies that bind to the
used sysexts independently of the earlier boot chain (i.e. shim, boot
loader, unified kernel), hence a separate PCR makes more sense.

Strictly speaking, this is a compatibility break, but I think one we can
get away with, simply because the initrd sysext images are currently not
picked up by systemd-sysext yet in the initrd, and because of that we
can be reasonably sure no one uses this yet, and hence relies on the PCR
register used. Hence, let's clean this up before people actually do
start relying on this.
2022-08-02 10:28:49 +02:00
Lennart Poettering
16700cb85a stub: measure PE sections in a defined order, and include all sections 2022-08-02 10:28:49 +02:00
Lennart Poettering
72c97c19c3 efi: from the stub measure the ELF kernel + built-in initrd and so on into PCR 11
Here we grab a new – on Linux so far unused (by my Googling skills, that
is) – and measure all static components of the PE kernel image into.
This is useful since for the first time we'll have a PCR that contains
only a PCR of the booted kernel, nothing else. That allows putting
together TPM policies that bind to a specific kernel (+ builtin initrd),
without having to have booted that kernel first. PCRs can be
pre-calculated. Yay!

You might wonder, why we measure just the discovered PE sections we are
about to use, instead of the whole PE image. That's because of the next
step I have in mind: PE images should also be able to carry an
additional section that contains a signature for its own expected,
pre-calculated PCR values. This signature data should then be passed
into the booted kernel and can be used there in TPM policies. Benefit:
TPM policies can now be bound to *signatures* of PCRs, instead of the
raw hash values themselves. This makes update management a *lot* easier,
as policies don't need to be updated whenever a kernel is updated, as
long as the signature is available. Now, if the PCR signature is
embedded in the kernel PE image it cannot be of a PCR hash of the kernel
PE image itself, because that would be a chicken-and-egg problem. Hence,
by only measuring the relevant payload sections (and that means
excluding the future section that will contain the PCR hash signature)
we avoid this problem, naturally.
2022-08-02 10:28:49 +02:00
Lennart Poettering
599fe002a1 efi: tell userspace where the stub measured the kernel command line/credentials into
This is useful for userspace to know, so that policies can be put
together safely, matching what the stub actually measured.
2022-08-02 10:28:49 +02:00
Lennart Poettering
8d5e4d59f2 efi: optionally report when measuring to TPM whether we actually did
The measurement calls can succeed either when they actually measured
something, or when they skipped measurement because the local system
didn't support TPMs.

Let's optionally return a boolean saying which case it is. This is later
useful to tell userspace how and if we measured something.
2022-08-02 10:28:49 +02:00
Lennart Poettering
c794e280e9 update TODO 2022-08-02 10:28:15 +02:00
Yu Watanabe
ee5cde205c
Merge pull request #24174 from yuwata/network-link-local-address
network: fix link local address handling
2022-08-02 12:56:01 +09:00
Yu Watanabe
e4e0b239f6 test-network: add test case for #23197 2022-08-02 03:43:04 +09:00
Yu Watanabe
bd7e0a3f1c network: make link_may_have_ipv6ll() optionally check Multicast= setting
Fixes the IPv6LL issue in #23197.
2022-08-02 03:35:00 +09:00
Yu Watanabe
5fb5fae933 network: fix possible NULL-pointer dereference 2022-08-02 03:32:55 +09:00
Yu Watanabe
e0c0cd49e5 network: do not try to start ipv4acd on non-supported interfaces
Fixes IPv4LL issue reported in #23197.
2022-08-02 03:06:21 +09:00
Yu Watanabe
29104ded1c network: split link_ipv4ll_enabled() into two
And move it from networkd-link.[ch] to relevant files.
2022-08-02 03:02:48 +09:00
Yu Watanabe
2d3d0e8f7d network: drop doubled semicolon 2022-08-02 02:44:37 +09:00
Yu Watanabe
5162b2a1c4 tree-wide: fix typo 2022-08-02 02:43:38 +09:00
dependabot[bot]
bc4b9a7117 build(deps): bump meson from 0.62.2 to 0.63.0 in /.github/workflows
Bumps [meson](https://github.com/mesonbuild/meson) from 0.62.2 to 0.63.0.
- [Release notes](https://github.com/mesonbuild/meson/releases)
- [Commits](https://github.com/mesonbuild/meson/compare/0.62.2...0.63.0)

---
updated-dependencies:
- dependency-name: meson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-01 14:06:32 +00:00
James Hilliard
6e8b2a71c7 bpf: set gcc std and compile flags
This should make gcc bpf compilation more reliable.
2022-08-01 21:35:44 +09:00
dependabot[bot]
c3ebbcf7cb build(deps): bump github/codeql-action from 2.1.15 to 2.1.17
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.15 to 2.1.17.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3f62b754e2...0c670bbf04)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-01 11:17:18 +00:00
dependabot[bot]
cc7f5ac478 build(deps): bump github/super-linter from 4.9.4 to 4.9.5
Bumps [github/super-linter](https://github.com/github/super-linter) from 4.9.4 to 4.9.5.
- [Release notes](https://github.com/github/super-linter/releases)
- [Changelog](https://github.com/github/super-linter/blob/main/docs/release-process.md)
- [Commits](a320804d31...2d64ac1c06)

---
updated-dependencies:
- dependency-name: github/super-linter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-01 11:10:08 +00:00
dependabot[bot]
fdf38c0f1f build(deps): bump actions/setup-node from 3.3.0 to 3.4.1
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.3.0 to 3.4.1.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](eeb10cff27...2fddd8803e)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-08-01 10:06:54 +00:00
Cristian Rodríguez
91375fb9cf
gcrypt: switch to system rng before gcry_check_version (#24162)
Current docs claim this must be done before gcry_check_version.
2022-08-01 14:04:27 +09:00
Joaquín Ignacio Aramendía
e18569cc72 Add ACCEL_MOUNT_MATRIX for OXP Mini 2022-07-31 13:50:27 +09:00
Frantisek Sumsal
11d4ea2dbd
Merge pull request #24090 from yuwata/test-login
test: hopefully fixes race in TEST-35-LOGIN
2022-07-30 20:11:50 +00:00
Hugo Carvalho
1109a63ef2 Update LINGUAS
Sort language codes in alphabetical order
2022-07-31 03:41:19 +09:00
Yu Watanabe
3cf9c51e97 test: restart logind before cleaning up sessions
Hopefully, fixes #24040.
2022-07-31 00:15:47 +09:00
Yu Watanabe
54d5c126d3 test: do not restart getty@tty2 automatically 2022-07-31 00:15:47 +09:00
Yu Watanabe
fe9d58b25a test: terminate session and user on cleanup 2022-07-31 00:15:47 +09:00
Max Gautier
e0a12b9634 docs: Correct StandartOutput documentation
fix #2114
2022-07-30 13:48:36 +01:00
Luca Boccassi
60575af415
Merge pull request #24154 from yuwata/meson-fixups
meson: several fixlets
2022-07-30 13:48:09 +01:00
Eli Schwartz
9e4a50bcdf meson: fix broken boolean kwarg
Everywhere else that `conf.get('ENABLE_*')` is used as a boolean key for
something (for example in if statements) it always checks if == 1, but
in this one case it neglects to do so. This is important because
conf.get yields the same int that was stored, but if statements require
booleans.

So does executable's "install" kwarg, at least according to the
documentation. In actuality, it accepts all types without sanity
checking, then uses python "if bool(var)", so you can actually do
`install: 'do not'` and that's treated identical to `true`. This is a
type-checking bug which Meson will eventually fix.

muon fails on the same code, today.
2022-07-30 13:58:22 +09:00
Eli Schwartz
89cdbe1f08 meson: strip various strings before converting them to integers
"9\n" is not intrinsically a number, although some tools might
auto-strip strings before checking if they are a number. It's not
guaranteed, anyway.
2022-07-30 13:58:22 +09:00
Eli Schwartz
6c8892828c meson: use files in run_command with relativized path
Passing a file as a command argument in string form assumes that
run_command has the current subdir as its cwd, but Meson's documentation
*explicitly* calls this out as undefined and wrong to use.

Indeed, muon has a different implementation that uses a different cwd,
and this argument cannot be found. Instead, passing a files() object
means that it's the job of meson itself to verify the file exists, then
pass it to the run_command in some format that guarantees it is a valid
path reference.
2022-07-30 13:58:22 +09:00
Eli Schwartz
64a4277006 meson: move i18n module import to only when it is used
When translations are disabled, it's not necessary to `import('i18n')`
and do nothing with it. Also, importing it is (slightly) slow as Meson
needs to load another implementation file from disk, so why bother with
that work?

More particularly, muon does not yet implement this module and fails to
setup. Since there's already an option to disable using it, it makes
sense to let that option completely skip the not-implemented
functionality and actually succeed.
2022-07-30 13:58:22 +09:00
Eli Schwartz
792d5e87b6 meson: fix type for many build options
Integers and booleans are supposed to be actual integers and booleans,
not strings describing their value, but Meson silently accepted either
one. It's still wrong to do it though, and other implementations of
Meson such as muon choke on it.
2022-07-30 13:58:22 +09:00
Yu Watanabe
a36be3e57f meson: use 0 for default uids, gids, and time epoch
0 UID and GID are special, and should not be acceptable for the settings.
Hence, we can handle 0 as unset.

Strictly speaking, time epoch with 0 is valid, but I guess no one uses
0 as a valid value.
2022-07-30 13:58:12 +09:00
Cristian Rodríguez
80f967311a gcrypt: prefer the OS RNG
By default, gcrypt defaults to a userspace RNG, this is
the wrong thing (tm) to do on linux.

Switch to the SYSTEM rng instead.
2022-07-29 16:08:48 +02:00
Fei Li
c15d1ac2c4 virt: detect KubeVirt instance
Kubevirt is currently technically based on KVM (but not xen yet[1]).
The systemd-detect-virt command, used to differentiate the current
virtualization environment, works fine on x86 relying on CPUID, while
fails to get the correct value (none instead of kvm) on aarch64.

Let's fix this by adding a new 'vendor[KubeVirt] = kvm' classification
considering the sys_vendor is always KubeVirt.

[1] https://groups.google.com/g/kubevirt-dev/c/C6cUgzTOsVg

Signed-off-by: Fei Li <lifei.shirley@bytedance.com>
2022-07-29 11:10:29 +02:00
James Hilliard
0a0d489968 journalctl: allow statically linked build
The journalctl tool may be needed on cross compilation hosts in order
to run --update-catalog against a target rootfs.

To avoid reliability issues caused by shared linking allow journalctl
to be linked statically.
2022-07-29 09:22:54 +09:00
Daan De Meyer
219fa78b5f units: Simplify container getty handling
Let's remove the baud settings for the container getty units since
they don't have any effect there anyway. On top of that, when we're
dealing with container TTYs, we can handle all the setup involved
ourselves so let's prevent agetty/login from touching the container
tty at all.

One example where this helps is that it actually makes disabling
TTYVHangup have an effect since before, login would unconditionally
call vhangup() on the tty.
2022-07-28 21:30:53 +02:00
Daan De Meyer
71ec216e86
Merge pull request #24080 from rdtscp/feature/machinectl/copy-force-flag
Add --force flag to machinectl copy-[to|from]
2022-07-28 14:15:33 +02:00
Lennart Poettering
5b6e5d57d0 update TODO 2022-07-28 11:25:26 +02:00
Luca Boccassi
bffb318491
Merge pull request #23875 from yuwata/resolve-mdns-fix-use-after-free
resolve: mdns: fix use-after-free
2022-07-27 22:57:31 +01:00
Janis Goldschmidt
9e670fdc4b Use correct option name in error message 2022-07-27 16:50:30 +01:00
Alexander Wilson
ae03e1a972 machinectl: Add plumbing for a --force flag for file copy
machine: Add APIs CopyTo[Machine]WithFlags + CopyFrom[Machine]WithFlags
- Same API to those without `WithFlags` (except this can take flags)
- Initially, only a flag to allow replacing a file if it already exists
2022-07-27 08:41:03 -07:00
Alexander Wilson
922409558e copy: Respect COPY_REPLACE flag for copy_tree
- Add a test that asserts that copy_tree on an existing file will fail without COPY_REPLACE
- Add a test that asserts that copy_tree with COPY_MERGE and COPY_REPLACE on an existing directory will overwrite files that already exist.
2022-07-27 08:40:59 -07:00
Alexander Wilson
d3e2a7f7e6 copy.[ch]: Refactor
- Refactor: Move HardlinkContext to header file
- Refactor: Create `fd_copy_tree_generic` which isolates the functionality to check stat type and appropriately copy.
- Refactor: Create `fd_copy_leaf` which handles copying leaf nodes of a file tree.
2022-07-27 03:09:35 -07:00
Lennart Poettering
24120e4038 stub: override StubInfo EFI variable unconditionally, since *we* own it
The other variables are owned by the boot menu (i.e. sd-boot), we only
fill those in if it didn't do so for us (to support cases where our stub
kernel is directly invoked by UEFI). But StubInfo is genuinely about the
stub, hence let's simplify things and unconditionally set it from the
stub.
2022-07-27 10:34:31 +02:00
Lennart Poettering
e8c6487a74 boot: introduce common shortcut exit path in pack_cpio()
This will be useful in a later commit, when we add more stuff to the
common exit path. But even without that, it's a nice simplification,
removing redundant lines.
2022-07-27 09:29:08 +01:00
Luca Boccassi
f2d26cd89b portable: set PrivateTmp=yes in trusted profile too
When running on images you don't want to modify the /tmp
directory even if it's writable, and often it will just
be read-only. Set PrivateTmp=yes.

Fixes https://github.com/systemd/systemd/issues/23592
2022-07-26 23:18:12 +01:00
Luca Boccassi
e9c88a608c
Merge pull request #24122 from yuwata/core-mount-bind-mount-on-nfs
core/mount: ignore -EACCES from mkdir_p_label() on NFS
2022-07-26 23:17:23 +01:00
Daan De Meyer
a41940ed0e mkosi: Update to latest commit
Fixes an issue with Arch builds failing by updating the archlinux
keyring package.
2022-07-26 21:13:40 +00:00