mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Backports of patch from systemd git to stable distributions
Lennart Poettering de7ad6d4f4 sd-stub: measure sysext images picked up by sd-stub into PCR 13
Let's grab another so far unused PCR, and measure all sysext images into
it that we load from the ESP. Note that this is possibly partly redundant,
since sysext images should have dm-verity enabled, and that is hooked up
to IMA. However, measuring this explicitly has the benefit that we can
measure filenames too, easily, and that all without need for IMA or
anything like that.

This means: when booting a unified sd-stub kernel through sd-boot we'll
now have:

1. PCR 11: unified kernel image payload (i.e. kernel, initrd, boot
   splash, dtb, osrelease)

2. PCR 12: kernel command line (i.e. the one embedded in the image, plus
   optionally an overridden one) + any credential files picked up by
   sd-stub

3. PCR 13: sysext images picked up by sd-stub

And each of these three PCRs should carry just the above, and start from
zero, thus be pre-calculable.

Thus, all components and parameters of the OS boot process (i.e.
everything after the boot loader) are now nicely pre-calculable.

NOTE: this actually replaces previous measuring of the sysext images into
PCR 4. I added this back in 845707aae2,
following the train of thought that sysext images for the initrd should
be measured like the initrd itself they are for, and according to my
thinking that would be a unified kernel which is measured by firmware
into PCR 4 like any other UEFI executables.

However, I think we should depart from that idea. First and foremost
that makes it harder to pre-calculate PCR 4 (since we actually measured
quite incompatible records to the TPM event log), but also I think
there's great value in being able to write policies that bind to the
used sysexts independently of the earlier boot chain (i.e. shim, boot
loader, unified kernel), hence a separate PCR makes more sense.

Strictly speaking, this is a compatibility break, but I think one we can
get away with, simply because the initrd sysext images are currently not
picked up by systemd-sysext yet in the initrd, and because of that we
can be reasonably sure no one uses this yet, and hence relies on the PCR
register used. Hence, let's clean this up before people actually do
start relying on this.
2022-08-02 10:28:49 +02:00
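The commit message's central claim is that PCRs 11, 12 and 13 each start from zero and carry only what sd-stub itself measures, so their final values can be pre-calculated by anyone who knows the UKI, the command line and the list of sysext images, without knowing anything about shim, the boot loader or firmware. The following Python simulation is an added example, not code from systemd or sd-stub (which is written in C): it replays a constructed TPM event log with the standard extend rule (new = H(old || digest)) and shows that a policy bound only to PCR 13 detects an extra sysext image while PCR 11 and 12 stay unchanged. The exact record format sd-stub uses for each image (how the file name is encoded, whether name and content are separate events) is not stated on the page; the example treats each image as one opaque measured record, which is an assumption, as are the sample blobs.

```python
import hashlib

PCR_BANK = "sha256"
# PCRs 0-16 are all-zero at reset, so a replay starts from a zero digest.
PCR_INITIAL = bytes(hashlib.new(PCR_BANK).digest_size)

# PCR layout named in the commit message above.
PCR_UKI_PAYLOAD = 11     # kernel, initrd, boot splash, dtb, osrelease
PCR_KERNEL_CMDLINE = 12  # command line + credential files
PCR_SYSEXT = 13          # sysext images picked up by sd-stub


def measure(data: bytes) -> bytes:
    """Digest of one measured record, as it would appear in the event log."""
    return hashlib.new(PCR_BANK, data).digest()


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = H(old || digest). Order of extends matters."""
    return hashlib.new(PCR_BANK, current + digest).digest()


def precalculate(records):
    """Expected final PCR value for a list of records measured into a PCR
    that starts from zero. This is what a policy author computes offline."""
    pcr = PCR_INITIAL
    for blob in records:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def replay_event_log(events):
    """Recompute every PCR touched by an event log of (pcr_index, digest)
    entries, the same way a verifier checks a log against a TPM quote."""
    pcrs = {}
    for index, digest in events:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_INITIAL), digest)
    return pcrs


def mismatched_pcrs(expected, actual):
    """Indices whose replayed value differs from the policy's expected value."""
    return sorted(i for i in expected if expected[i] != actual.get(i))


def boot_event_log(uki_sections, cmdline_records, sysexts):
    """Constructed stand-in for the events sd-stub would record during boot
    (assumption: one event per record, in the order given)."""
    events = []
    events += [(PCR_UKI_PAYLOAD, measure(b)) for b in uki_sections]
    events += [(PCR_KERNEL_CMDLINE, measure(b)) for b in cmdline_records]
    events += [(PCR_SYSEXT, measure(b)) for b in sysexts]
    return events


# Constructed sample inputs standing in for the real files on the ESP.
SAMPLE_UKI = [b"vmlinuz-sample", b"initrd-sample", b"os-release-sample"]
SAMPLE_CMDLINE = [b"root=LABEL=root quiet", b"credential-sample"]
SAMPLE_SYSEXTS = [b"debug-tools.raw:" + b"\x01" * 64,
                  b"extra-drivers.raw:" + b"\x02" * 64]


def check_sysext_policy(loaded_sysexts):
    """Replay a boot that loaded the given sysexts and compare PCR 13 against
    the value pre-calculated from the approved list. Returns the list of
    mismatching PCR indices (empty means the policy is satisfied)."""
    expected = {PCR_SYSEXT: precalculate(SAMPLE_SYSEXTS)}
    replayed = replay_event_log(boot_event_log(SAMPLE_UKI, SAMPLE_CMDLINE, loaded_sysexts))
    return mismatched_pcrs(expected, replayed)


if __name__ == "__main__":
    print("expected PCR 13:", precalculate(SAMPLE_SYSEXTS).hex())
    print("approved set   :", check_sysext_policy(SAMPLE_SYSEXTS))
    print("extra image    :", check_sysext_policy(SAMPLE_SYSEXTS + [b"unexpected.raw"]))
```

Because PCR 11 and 12 are extended by their own records only, an unexpected sysext changes PCR 13 and nothing else, which is exactly what lets a policy bind to the sysext set independently of the earlier boot chain measured into PCR 4.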
.clusterfuzzlite ci: unpin CFLite 2022-04-26 09:13:57 +00:00
.github build(deps): bump meson from 0.62.2 to 0.63.0 in /.github/workflows 2022-08-01 14:06:32 +00:00
.lgtm/cpp-queries ci: pack-ify our custom CodeQL queries and enable them in Actions 2021-12-07 14:57:09 +01:00
.semaphore semaphoreci: re-enable rebooting tests 2022-04-07 14:53:49 +09:00
catalog Move message repeat 2022-06-01 00:20:30 +09:00
coccinelle basic/list: drop LIST_IS_EMPTY 2022-07-02 12:46:16 +02:00
docs mkosi: Remove usage of deprecated option names/sections 2022-07-18 16:54:58 +02:00
factory meson: also allow setting GIT_VERSION via templates 2022-04-05 22:18:31 +02:00
hwdb.d Add ACCEL_MOUNT_MATRIX for OXP Mini 2022-07-31 13:50:27 +09:00
LICENSES network: license all config files as CC0 2022-01-12 16:05:59 +01:00
man sd-stub: measure sysext images picked up by sd-stub into PCR 13 2022-08-02 10:28:49 +02:00
mkosi.default.d mkosi: Remove usage of deprecated option names/sections 2022-07-18 16:54:58 +02:00
modprobe.d meson: install the right README file in modprobe.d 2021-07-07 14:52:05 +02:00
network network: add example file that enables DHCP on ethernet links 2022-01-12 16:05:59 +01:00
po Update LINGUAS 2022-07-31 03:41:19 +09:00
presets units: enable systemd-network-generator by default 2021-12-16 09:49:39 +01:00
rules.d udev: add flag to allow disabling blkid probing 2022-07-15 07:54:14 +09:00
shell-completion shell-completion: add systemctl list-automounts 2022-07-25 13:37:20 +02:00
src sd-stub: measure sysext images picked up by sd-stub into PCR 13 2022-08-02 10:28:49 +02:00
sysctl.d tree-wide: link to docs.kernel.org for kernel documentation 2022-07-04 19:56:53 +02:00
sysusers.d Use descriptive name for nobody 2022-05-27 22:09:24 +01:00
test test-network: add test case for #23197 2022-08-02 03:43:04 +09:00
tmpfiles.d tree-wide: fix typo 2022-08-02 02:43:38 +09:00
tools meson: Switch default-locale default to C.UTF-8 2022-06-04 05:08:37 +09:00
units units: Simplify container getty handling 2022-07-28 21:30:53 +02:00
xorg xorg/50-systemd-user: add a full license header 2021-10-01 14:45:00 +02:00
.clang-format clang-format: Adjust style of pointers 2022-05-30 04:00:54 +09:00
.ctags editors: Prevent ctags from following symlinks 2019-02-15 11:01:20 -08:00
.dir-locals.el scripts: use 4 space indentation 2019-04-12 08:30:31 +02:00
.editorconfig docs: configure editorconfig for css and html 2022-05-17 21:13:17 +02:00
.gitattributes gitattributes: introduce and use "generated" attribute 2021-10-18 09:42:55 +02:00
.gitignore emacs: ignore .dir-locals-2.el (personal customization) versioning 2022-06-27 07:32:14 +00:00
.lgtm.yml Revert "lgtm: disable cpp/missing-return (again)" 2022-04-16 10:59:29 +00:00
.mailmap mailmap: two more names 2021-03-30 13:17:58 +02:00
.packit.yml Packit: build SRPMs in Copr 2022-03-09 09:52:41 +00:00
.vimrc scripts: use 4 space indentation 2019-04-12 08:30:31 +02:00
.ycm_extra_conf.py ycm: add doc string for all the functions in configuration file 2017-11-29 13:21:49 -07:00
configure tools: shellcheck-ify tool scripts 2021-09-30 12:27:06 +02:00
LICENSE.GPL2 relicense to LGPLv2.1 (with exceptions) 2012-04-12 00:24:39 +02:00
LICENSE.LGPL2.1 licence: remove references to old FSF address 2012-12-17 11:41:31 +01:00
Makefile tree-wide: add spdx header on all scripts and helpers 2021-01-28 09:55:35 +01:00
meson_options.txt meson: fix type for many build options 2022-07-30 13:58:22 +09:00
meson.build meson: fix broken boolean kwarg 2022-07-30 13:58:22 +09:00
mkosi.build mkosi: Changes to allow booting with sanitizers in mkosi 2022-07-18 16:54:56 +02:00
mkosi.postinst mkosi: Silence gdb debuginfo messages/prompts 2022-07-19 17:32:11 +01:00
NEWS TODO/NEWS: write down that we intend to remove cgroupsv1 support by EOY 2023 2022-07-22 19:59:36 +01:00
README README: gcc now has a minimum requirement of 4.7 2022-07-14 17:39:35 -04:00
README.md README: rawhide -> Rawhide 2022-04-06 23:14:21 +09:00
TODO update TODO 2022-08-02 10:28:15 +02:00

Systemd

System and Service Manager

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list or join our IRC channel.

Stable branches with backported patches are available in the stable repo.