From 6a15846d10571487501deeb9243907c3034274db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 7 Aug 2021 08:40:51 +0200 Subject: [PATCH 1/4] man: fix minor grammar issue The usual: "searched" vs. "searched for". --- man/systemd-sysext.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml index f8a9f47539f..3ceb9fe7de1 100644 --- a/man/systemd-sysext.xml +++ b/man/systemd-sysext.xml @@ -92,7 +92,7 @@ During boot OS extension images are activated automatically, if the systemd-sysext.service is enabled. Note that this service runs only after the - underlying file systems where system extensions are searched are mounted. This means they are not + underlying file systems where system extensions may be located have been mounted. This means they are not suitable for shipping resources that are processed by subsystems running in earliest boot. Specifically, OS extension images are not suitable for shipping system services or systemd-sysusers8 From 98579f19e74c2850570eb924d10a6f0fade2e4ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 4 Aug 2021 09:19:13 +0200 Subject: [PATCH 2/4] docs: adjust sentece, fix minor typo The verity partition types are per-architecture already, and they contain the hash data independently of whether we are on a given architecture. (Or in other words, we would make *use* this partition on some architecture, but the contents always *exists*.) --- docs/DISCOVERABLE_PARTITIONS.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/DISCOVERABLE_PARTITIONS.md b/docs/DISCOVERABLE_PARTITIONS.md index 4caa086dc5b..bd4cb24602b 100644 --- a/docs/DISCOVERABLE_PARTITIONS.md +++ b/docs/DISCOVERABLE_PARTITIONS.md @@ -49,7 +49,7 @@ Interface](https://systemd.io/BOOT_LOADER_INTERFACE). | `77055800-792c-4f94-b39a-98c91b762bb6` | _Root Partition (LoongArch 64-bit)_ | ditto | ditto | | `60d5a7fe-8e7d-435c-b714-3dd8162144e1` | _Root Partition (RISC-V 32-bit)_ | ditto | ditto | | `72ec70a6-cf74-40e6-bd49-4bda08e8f224` | _Root Partition (RISC-V 64-bit)_ | ditto | ditto | -| `d13c5d3b-b5d1-422a-b29f-9454fdc89d76` | _Root Verity Partition (x86)_ | A dm-verity superblock followed by hash data | On systems with matching architecture, contains dm-verity integrity hash data for the matching root partition. If this feature is used the partition UUID of the root partition should be the first 128bit of the root hash of the dm-verity hash data, and the partition UUID of this dm-verity partition should be the final 128bit of it, so that the root partition and its verity partition can be discovered easily, simply by specifying the root hash. | +| `d13c5d3b-b5d1-422a-b29f-9454fdc89d76` | _Root Verity Partition (x86)_ | A dm-verity superblock followed by hash data | Contains dm-verity integrity hash data for the matching root partition. If this feature is used the partition UUID of the root partition should be the first 128 bits of the root hash of the dm-verity hash data, and the partition UUID of this dm-verity partition should be the final 128 bits of it, so that the root partition and its verity partition can be discovered easily, simply by specifying the root hash. | | `2c7357ed-ebd2-46d9-aec1-23d437ec2bf5` | _Root Verity Partition (x86-64)_ | ditto | ditto | | `7386cdf2-203c-47a9-a498-f2ecce45a2d6` | _Root Verity Partition (32-bit ARM)_ | ditto | ditto | | `df3300ce-d69f-4c92-978c-9bfb0f38d820` | _Root Verity Partition (64-bit ARM/AArch64)_ | ditto | ditto | @@ -75,7 +75,7 @@ Interface](https://systemd.io/BOOT_LOADER_INTERFACE). | `8f1056be-9b05-47c4-81d6-be53128e5b54` | _`/usr/` Verity Partition (RISC-V 64-bit)_ | ditto | ditto | | `933ac7e1-2eb4-4f13-b844-0e14e2aef915` | _Home Partition_ | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/home/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/home`. | | `3b8f8425-20e0-4f3b-907f-1a25a76f98e8` | _Server Data Partition_ | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/srv/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/srv`. | -| `4d21b016-b534-45c2-a9fb-5c16e091fd2d` | _Variable Data Partition_ | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/var/` — under the condition that its partition UUID matches the first 128 bit of `HMAC-SHA256(machine-id, 0x4d21b016b53445c2a9fb5c16e091fd2d)` (i.e. the SHA256 HMAC hash of the binary type UUID keyed by the machine ID as read from [`/etc/machine-id`](https://www.freedesktop.org/software/systemd/man/machine-id.html). This special requirement is made because `/var/` (unlike the other partition types listed here) is inherently private to a specific installation and cannot possibly be shared between multiple OS installations on the same disk, and thus should be bound to a specific instance of the OS, identified by its machine ID. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/var`. | +| `4d21b016-b534-45c2-a9fb-5c16e091fd2d` | _Variable Data Partition_ | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/var/` — under the condition that its partition UUID matches the first 128 bits of `HMAC-SHA256(machine-id, 0x4d21b016b53445c2a9fb5c16e091fd2d)` (i.e. the SHA256 HMAC hash of the binary type UUID keyed by the machine ID as read from [`/etc/machine-id`](https://www.freedesktop.org/software/systemd/man/machine-id.html). This special requirement is made because `/var/` (unlike the other partition types listed here) is inherently private to a specific installation and cannot possibly be shared between multiple OS installations on the same disk, and thus should be bound to a specific instance of the OS, identified by its machine ID. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/var`. | | `7ec6f557-3bc5-4aca-b293-16ef5df639d1` | _Temporary Data Partition_ | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/var/tmp/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/tmp`. Note that the intended mount point is indeed `/var/tmp/`, not `/tmp/`. The latter is typically maintained in memory via tmpfs and does not require a partition on disk. In some cases it might be desirable to make `/tmp/` persistent too, in which case it is recommended to make it a symlink or bind mount to `/var/tmp/`, thus not requiring its own partition type UUID. | | `0657fd6d-a4ab-43c4-84e5-0933c84b4f4f` | _Swap_ | Swap, optionally in LUKS | All swap partitions on the disk containing the root partition are automatically enabled. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/swap`. This partition type predates the Discoverable Partitions Specification. | | `0fc63daf-8483-4772-8e79-3d69d8477de4` | _Generic Linux Data Partitions_ | Any native, optionally in LUKS | No automatic mounting takes place for other Linux data partitions. This partition type should be used for all partitions that carry Linux file systems. The installer needs to mount them explicitly via entries in /etc/fstab. Optionally, these partitions may be encrypted with LUKS. This partition type predates the Discoverable Partitions Specification. | From c8cab396a0834ca5d4d9da405b38eafa2dcc2202 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 21 Aug 2021 16:02:09 +0200 Subject: [PATCH 3/4] man: adjust the description of extension-release.* --- man/os-release.xml | 42 ++++++++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/man/os-release.xml b/man/os-release.xml index 6be96cf8bc7..15608c437a3 100644 --- a/man/os-release.xml +++ b/man/os-release.xml @@ -93,30 +93,36 @@ main system. Additionally, the presence of that file means that the system is in the initrd phase. /etc/os-release should be symlinked to /etc/initrd-release (or vice versa), so programs that only look for /etc/os-release (as described - above) work correctly. The rest of this document that talks about os-release - should be understood to apply to initrd-release too. + above) work correctly. + + The rest of this document that talks about os-release should be understood + to apply to initrd-release too. <filename>/usr/lib/extension-release.d/extension-release.<replaceable>IMAGE</replaceable></filename> /usr/lib/extension-release.d/extension-release.IMAGE - for extension images plays the same role as os-release in the main system, and follows the - same syntax and rules as described in the Portable Services Documentation. - The purpose of this file is to allow the operating system to correctly match an extension image - to a base OS image, This is typically implemented by first checking that the ID= - options match, and if they do either SYSEXT_LEVEL= has to match too (preferred), or - as a fallback if that is not present VERSION_ID= is checked. This ensures that ABI/API - between the layers matches and no incompatible images are merged in an overlay. - It is preferred that the extension-release.IMAGE filename is suffixed - with the exact file name of the image that contains it, so that all such files in every layer of an overlay are visible. - But for the purpose of parsing metadata, in case it is not possible to guarantee that an image file name is stable - and doesn't change between the build and the deployment phases, the first and only file which name starts with - extension-release., is located in the same directory and is tagged with a - user.extension-release.strict xattr7 - set to the string 0, will be parsed instead, if the one with the expected name cannot be found. - The rest of this document that talks about os-release should be understood to apply to - extension-release too. + plays the same role for extension images as os-release for the main system, and + follows the syntax and rules as described in the Portable Services Documentation. The purpose of this + file is to identify the extension and to allow the operating system to verify that the extension image + matches the base OS. This is typically implemented by checking that the ID= options + match, and either SYSEXT_LEVEL= exists and matches too, or if it is not present, + VERSION_ID= exists and matches. This ensures ABI/API compatibility between the + layers and prevents merging of an incompatible image in an overlay. + + In the extension-release.IMAGE filename, the + IMAGE part must exactly match the file name of the containing image with the + suffix removed. In case it is not possible to guarantee that an image file name is stable and doesn't + change between the build and the deployment phases, it is possible to relax this check: if exactly one + file whose name matches extension-release.* is present in this + directory, and the file is tagged with a user.extension-release.strict + xattr7 set to the + string 0, it will be used instead. + + The rest of this document that talks about os-release should be understood + to apply to extension-release too. From f064b40ec99c61a1b01c7e044b9cb1ecbef2549d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 24 Aug 2021 14:54:50 +0200 Subject: [PATCH 4/4] meson: capitalize the last instance of "efi" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All the others in this section use "EFI"… --- meson.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meson.build b/meson.build index f7b18c6b98e..6e1a8b1e50e 100644 --- a/meson.build +++ b/meson.build @@ -3830,7 +3830,7 @@ summary({ # LDFLAGS: ${OUR_LDFLAGS} ${LDFLAGS} if conf.get('ENABLE_EFI') == 1 - summary({'efi arch' : efi_arch}, + summary({'EFI arch' : efi_arch}, section : 'Extensible Firmware Interface') if have_gnu_efi