1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-11 09:18:07 +03:00
Commit Graph

61991 Commits

Author SHA1 Message Date
Lennart Poettering
22ee78a898 loop-util: always tell kernel explicitly about loopback sector size
Let's not leave the sector size unspecified: either set a user supplied
value, or auto-detect the right size by probing the disk image
accordingly.
2023-01-18 10:47:17 +01:00
Lennart Poettering
05c4c59ff1 dissect-image: add probe_sector_size() helper for detecting sector size of a GPT disk image
When we operate with DDIs with sector sizes != 512 we need to configure
the loopback device to match it, otherwise the image and the kernel
block device will disagree what things are.

Let's add a prober that tries to determine the sector size of a GPT DDI.
It does this by looking for the GPT partition table header at the
various byte offsets they must be located on, given a specific sector
size. It will try sector size 512, 1024, 2048 and 4096. Of these only
the 512 and 4096 really make sense IRL I guess, but let's be thorough.
2023-01-18 10:10:57 +01:00
Lennart Poettering
1163ddb386 loop-util: insist on setting the sector size correctly
If we attach a disk image to a loopback device the sector size of the
image must match the one of the loopback device, hence be more careful
here.
2023-01-18 10:10:57 +01:00
Lennart Poettering
65046b92dc blockdev-util: add simple wrapper around BLKSSZGET
Just adds some typesafety and generates an error if the field is not
initialized in the block device yet.
2023-01-18 10:10:57 +01:00
Daan De Meyer
d3d308538e
Merge pull request #26044 from DaanDeMeyer/repart-sector-size
repart: Allow configuring sector size
2023-01-18 09:54:50 +01:00
Frantisek Sumsal
c78d18215b test: bump D-Bus service start timeout if we run without accel
The default (25s) doesn't seem to be enough in some cases (especially
in VMs without acceleration), causing spurious timeouts:

[  174.297658] dbus-daemon[647]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.0' (uid=0 pid=645 comm="hostnamectl " label="kernel")
[  184.202313] systemd[1]: systemd-update-utmp-runlevel.service: Consumed 1.253s CPU time.
[  197.335422] systemd[1]: Started dbus.service.
[  199.211468] testsuite-71.sh[639]: + assert_in 'Static hostname: H' ''
[  199.347192] dbus-daemon[647]: [system] Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)
[  199.394879] testsuite-71.sh[657]: + set +ex
[  199.438918] testsuite-71.sh[657]: FAIL: 'Static hostname: H' not found in:
[  200.966006] systemd-logind[631]: Watching system buttons on /dev/input/event0 (Power Button)
[  201.008178] systemd-logind[631]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
[  201.034106] systemd-logind[631]: New seat seat0.
[  201.238267] sh[658]: + systemctl poweroff --no-block
[  201.329890] systemd[1]: Starting systemd-hostnamed.service...
[  202.156622] systemd[1]: systemd-update-utmp-runlevel.service: Deactivated successfully.
[  204.818913] hostnamectl[645]: Failed to query system properties: Connection timed out
[  205.195583] systemd[1]: testsuite-71.service: Main process exited, code=exited, status=1/FAILURE
[  205.227237] systemd[1]: testsuite-71.service: Failed with result 'exit-code'.
[  205.712780] systemd[1]: Failed to start testsuite-71.service.
2023-01-17 23:09:34 +00:00
Luca Boccassi
2cd1e475dd
Merge pull request #26081 from yuwata/udev-symlink-remove
udev: support -= operator for SYMLINK
2023-01-17 21:59:12 +00:00
8facac5fdd coredump: use fstatvfs to check the available space
Given that we already have the file descriptor opened for writing, it
would make sense to call fstatvfs with that file descriptor rather than
statvfs with the directory path that was used to open that descriptor.
2023-01-17 22:22:12 +01:00
Lennart Poettering
f591cf66f0 doc: document how we expect empty lines to be used 2023-01-17 21:26:13 +01:00
Daan De Meyer
e1878ef72a repart: Allow configuring sector size
Let's allow users to configure the (logical) sector size of their
image. This is required when building images for a 4k sector size
disk on a 512b sector size host or vice-versa.
2023-01-17 20:09:22 +01:00
Daan De Meyer
065bdb6f0f mkfs-util: Shorten strv operations error handling 2023-01-17 19:50:48 +01:00
Jan Janssen
bb4e8820c1 boot: Fix missed argument to Print()
This fixes 3e87a057a7, which passed the
path to the wrong Print() call. Miraculously, this was printing the
correct path during testing and was therefore missed.
2023-01-17 19:44:39 +01:00
Frantisek Sumsal
0eb635ef4b units: don't install pcrphase-related units without gnu-efi
since we don't have systemd-pcrphase built anyway, which breaks the tests:

...
I: Attempting to install /usr/lib/systemd/systemd-networkd-wait-online (based on unit file reference)
I: Attempting to install /usr/lib/systemd/systemd-network-generator (based on unit file reference)
I: Attempting to install /usr/lib/systemd/systemd-oomd (based on unit file reference)
I: Attempting to install /usr/lib/systemd/systemd-pcrphase (based on unit file reference)
W: Failed to install '/usr/lib/systemd/systemd-pcrphase'
make: *** [Makefile:4: setup] Error 1
make: Leaving directory '/root/systemd/test/TEST-01-BASIC'

Follow-up to 04959faa63.
2023-01-17 14:30:02 +01:00
chris
b895aa5ff5 send dhcpv6 release when stopping 2023-01-17 21:26:18 +09:00
Dan Streetman
1200777b21 tpm2: replace magic number 2023-01-17 11:04:37 +01:00
Lennart Poettering
a45215ed33
Merge pull request #25006 from poettering/pcr15
cryptsetup: measure LUKS volume keys to PCR 15
2023-01-17 11:04:03 +01:00
Lennart Poettering
5039eafb9f
Merge pull request #26005 from medhefgo/boot-hypervisor
boot: Detect hypervisors using SMBIOS info
2023-01-17 10:53:23 +01:00
Lennart Poettering
a67a50e8f4 update TODO 2023-01-17 09:42:16 +01:00
Lennart Poettering
f44ed151c6 test: add simple integration test for checking PCR extension works as it should 2023-01-17 09:42:16 +01:00
Lennart Poettering
2bd33c909c man: document new machine-id/fs measurement options 2023-01-17 09:42:16 +01:00
Lennart Poettering
6c51b49ce0 tpm2: add common helper for checking if we are running on UKI with TPM measurements
Let's introduce a common implementation of a function that checks
whether we are booted on a kernel with systemd-stub that has TPM PCR
measurements enabled. Do our own userspace measurements only if we
detect that.

PCRs are scarce and most likely there are projects which already make
use of them in other ways. Hence, instead of blindly stepping into their
territory let's conditionalize things so that people have to explicitly
buy into our PCR assignments before we start measuring things into them.
Specifically bind everything to an UKI that reported measurements.

This was previously already implemented in systemd-pcrphase, but with
this change we expand this to all tools that process PCR measurement
settings.

The env var to override the check is renamed to SYSTEMD_FORCE_MEASURE,
to make it more generic (since we'll use it at multiple places now).
This is not a compat break, since the original env var for that was not
included in any stable release yet.
2023-01-17 09:42:16 +01:00
Lennart Poettering
04959faa63 generators: optionally, measure file systems at boot
If we use gpt-auto-generator, automatically measure root fs and /var.

Otherwise, add x-systemd.measure option to request this.
2023-01-17 09:42:16 +01:00
Lennart Poettering
50072ccf1b units: rework growfs units to be just a regular unit that is instantiated
The systemd-growfs@.service units are currently written in full for each
file system to grow. Which is kinda pointless given that (besides an
optional ordering dep) they contain always the same definition. Let's
fix that and add a static template for this logic, that the generator
simply instantiates (and adds an ordering dep for).

This mimics how systemd-fsck@.service is handled. Similar to the wait
that for root fs there's a special instance systemd-fsck-root.service
we also add a special instance systemd-growfs-root.service for the root
fs, since it has slightly different deps.

Fixes: #20788
See: #10014
2023-01-17 09:42:16 +01:00
Lennart Poettering
0ba07f9077 generator: teach generator_add_symlink() to instantiate specified unit
if we want generators to instantiate a template service, we need to
teach generator_add_symlink() the concept.

Just some preparation for a later commit.

While we are at it, modernize the function around
path_extract_filename() + path_extract_directory()
2023-01-17 09:42:16 +01:00
Lennart Poettering
072c8f6505 units: measure /etc/machine-id into PCR 15 during early boot
We want PCR 15 to be useful for binding per-system policy to. Let's
measure the machine ID into it, to ensure that every OS we can
distinguish will get a different PCR (even if the root disk encryption
key is already measured into it).
2023-01-17 09:42:16 +01:00
Lennart Poettering
17984c5551 pcrphase: make tool more generic, reuse for measuring machine id/fs uuids
See: #24503
2023-01-17 09:42:16 +01:00
Lennart Poettering
ff386f985b gpt-auto-generator: automatically measure root/var volume keys into PCR 15
let's enable PCR 15 measurements automatically if gpt-auto discovery is
used and systemd-stub is also used.
2023-01-17 09:42:16 +01:00
Lennart Poettering
572f78767f man: document the new crypttab measurement options 2023-01-17 09:42:16 +01:00
Lennart Poettering
94c0c85e30 cryptsetup: add tpm2-measure-pcr= and tpm2-measure-bank= crypttab options
These options allow measuring the volume key used for unlocking the
volume to a TPM2 PCR. This is ideally used for the volume key of the
root file system and can then be used to bind other resources to the
root file system volume in a secure way.

See: #24503
2023-01-17 09:42:16 +01:00
Lennart Poettering
9885c8745d tpm2-util: optionally do HMAC in tpm2_extend_bytes() in case we process sensitive data
When measuring data into a PCR we are supposed to hash the data on the
CPU and then pass the hash value over the wire to the TPM2. That's all
good as long as the data we intend to measure is not sensitive.

Let's be extra careful though if we want to measure sensitive data, for
example the root file system volume key. Instead of just hashing that
and passing it over the wire to the TPM2, let's do a HMAC signature
instead. It's also a hash operation, but should protect our secret
reasonably well and not leak direct information about it to wiretappers.
2023-01-17 09:42:16 +01:00
Lennart Poettering
15c591d1e2 tpm2-util: split out code that extends a PCR from pcrphase
This way we can reuse it later outside of pcrphase
2023-01-17 09:42:16 +01:00
Lennart Poettering
e4481cc512 tpm2-util: split out code that derives "good" TPM2 banks into an strv from pcrphase and generalize it in tpm2-util.c
That way we can reuse it later from different places.
2023-01-17 09:42:16 +01:00
Yu Watanabe
d314345a34 test-udev: add a brief test for -= operator for SYMLINK 2023-01-17 14:39:42 +09:00
Franck Bui
aeefa4d248 udev: support '-=' operator for SYMLINK
For some (corner) cases, it might be desirable to disable the generation of
some persistent storage symlinks that 60-persistent-storage.rules creates.

For example on big setups with a high number of partitions which uses the same
label name, this can result in a noticeable slow-down in the (re)start of the
udevd as there are many contenders for the symlink /dev/disk/by-partlabel.

However it's currently pretty hard to overwrite just some specific part of the
rule file. Indeed one need to copy and modify the whole rule file in /etc but
will lost any upcoming updates/fixes that the distro might release in the
future.

With this simple patch, one can now disable the generation of the
"by-partlabel" symlinks (for example) with the following single rule:

$ cat /etc/udev/rules.d/99-no-by-partlabel.rules
ENV{ID_PART_ENTRY_NAME}=="?*", SYMLINK-="disk/by-partlabel/$env{ID_PART_ENTRY_NAME}"

Closes #24607.
2023-01-17 14:39:24 +09:00
Yu Watanabe
ab250890c0
Merge pull request #26004 from poettering/cleanuo-erase-moar
tree-wide: use CLEANUP_ERASE() at many places
2023-01-17 14:04:02 +09:00
Yu Watanabe
841dfd3dc0 sd-dhcp-client: gracefully handle invalid ether type client ID
Currently, sd-dhcp-server accepts spurious client IDs, then the leases
exposed by networkd may be invalid. Let's make networkctl gracefully
show such leases.

Fixes #25984.
2023-01-16 20:00:08 +00:00
Lennart Poettering
ec56edf55c busctl: simplify peeking the type
let's peek the type before we enter the variant, not after, so that we
can reuse it as-is, instead having to recombine it later.

Follow-up for: #26049
2023-01-16 20:54:44 +01:00
Yu Watanabe
ea9dbf51c6 sd-dhcp6: always append the default status message generated from status code
Fixes #25988.
2023-01-16 19:46:05 +00:00
Yu Watanabe
303dfa73b3 network: fix memleak
Fixes a bug introduced by af2aea8bb6.

Fixes #25883 and #25891.
2023-01-16 19:42:59 +00:00
Luca Boccassi
37df1221d5
Merge pull request #26071 from yuwata/network-dhcp-quick-ack
network: make TCP quick ACK mode for dynamic routes configurable
2023-01-16 19:41:03 +00:00
Luca Boccassi
36c7dcb7fa
Merge pull request #26054 from aplanas/fix_user_creds
creds-util: some fixes related with TPM2 and capabilities
2023-01-16 19:40:05 +00:00
Luca Boccassi
9e6b820e8d
Merge pull request #26051 from YHNdnzj/systemctl-list-dependencies-type
systemctl: list-dependencies: support --type= and --state=
2023-01-16 19:38:58 +00:00
Jan Janssen
3e87a057a7 boot: Skip soft-brick warning when in a VM
This part of the warning is annoying to look at not really true when
running inside of a VM.
2023-01-16 18:51:28 +01:00
Jan Janssen
ba27939274 boot: Detect hypervisors using SMBIOS info
This allows skipping secure boot enrollment wait time on other arches.
2023-01-16 18:51:21 +01:00
Lennart Poettering
5040b2cfab memory-util: add CLEANUP_ERASE_PTR() macro and use it 2023-01-16 16:19:07 +01:00
Lennart Poettering
692597c843 tree-wide: use CLEANUP_ERASE() at various places
Let's use this new macro wherever it makes sense, as it allows us to
shorten or clean-up paths, and makes it less likely to miss a return
path.
2023-01-16 15:44:43 +01:00
Lennart Poettering
32284ffc12 update TODO 2023-01-16 14:29:16 +01:00
Daan De Meyer
7ea3f4ff60
Merge pull request #25999 from DaanDeMeyer/mkosi
ci: Update mkosi action to latest commit
2023-01-16 14:24:04 +01:00
David Tardon
218cfe2335 mount: handle bind mount of file with non-existing target
When the target (Where=) of a mount does not exist, systemd tries to
create it. But previously, it'd always been created as a directory. That
doesn't work if one wants to bind-mount a file to a target that doesn't
exist.

Fixes: #17184
2023-01-16 22:16:49 +09:00
Alberto Planas
e37dfcec52 creds-util: merge the TPM2 detection for initrd
This patch merge the TPM2 detection paths when we are inside and outside
an initrd.

Signed-off-by: Alberto Planas <aplanas@suse.com>
2023-01-16 13:40:40 +01:00