IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is supposed to be useful when generating credentials for immutable
initrd environments, where it is is relevant to support credentials even
on systems lacking a TPM2 chip.
With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a
credential will be encrypted/signed with the TPM2 if it is available and
recognized by the firmware. Otherwise it will be encrypted/signed with
the fixed empty key, thus providing no confidentiality or authenticity.
The idea is that distributions use this mode to generically create
credentials that are as locked down as possible on the specific
platform.
Previously, when encrypting creds you could pick which key to use for
this via a 128bit ID identifying the key type, and use an all zero ID
for rquesting automatic mode.
Let's change this to use an explicitly picked 128bit ID for automatic
mode, i.e. something other than all zeros. This is in preparation for
adding one further automatic mode with slightly different semantics.
no change in behaviour.
Note that the new 128bit id is never written to disk but only used
internally to indicate a specific case.
Sometimes it's useful from shell scripts to check if we have a working
TPM2 chip around. For example, when putting together encrypted
credentials for the initrd (after all: it might be wise to place the
root pw in a credential for the initrd to consume, but do so only if we
can lock it to the TPM2, and not otherwise, so that we risk nothing).
Hence, let's add a new "systemd-creds has-tpm2" verb: it returns zero if we
have a working TPM2 (which means: supported by kernel + firmware + us),
or non-zero otherwise. Also show which parts are available.
Use-case: in future the 'kernel-install' script should use this when
deciding whether to augment kernels with security sensitive credentials.
Let's improve the output regarding TPM2 support in "bootctl": let's show
whether we have local driver support and/or firmware support, and
colorize it.
(For now, don't show if we natively support TPM2, since the tool is
mostly bout boot time stuff, where it dosn't really matter much what we
do in userspace)
So far we were a bit sloppy regarding checks for TPM2 support. Let's
make things more precise and introduce a single helper that checks for
three axis of TPM2 support: whether we have a loaded kernel driver,
whether the firmware used it, and whether we ourselves are compiled for
it.
This only adds the helper. Follow-up patches will use it at various
places.
Follow-up for cd3c6322db
journal-def.h should be self-contained too, as it represents the journal object ABI.
Duplicate the enums, as they also need to be in config.h for it to be self-contained,
and enums are not available to the preprocessor. Use an assert to ensure they don't
diverge.
RestrictNamespaces should block clone3() like flatpak:
a10f52a756
clone3() passes arguments in a structure referenced by a pointer, so we can't
filter on the flags as with clone(). Let's disallow the whole function call.
Follow-up for 2362fdde1b
When --machine is specified with --ephemeral, no random suffix is added, so
the recently added assert would fail.
Add a top-level variable with the expected file name for nspawn files, and
compute it when the rest of the names are computed.
When 'recursive' is false, then sd_bus_track_remove_name() does not
return negative errno when unknown name is specified. Let's follow the
same pattern for the case that 'recursive' is true.
Add keymappings for the Acer Aspire One AO532h netbook.
Unmap the brightnesskeys because they send duplicate key events with
the ACPI video bus key events and add a mapping for the bluetooth
on/off hotkey.
When --ephemeral is used, a random 16 characters suffix is added to the image
name, so matching on .nspawn files based on the image name no longer works.
Fixes https://github.com/systemd/systemd/issues/13297
Compression and decompression are controlled by the same build flag,
so if one wants to use, say, LZ4 to compress, ZSTD has to be disabled,
which means one loses the ability to read zstd-compressed journals.
Add a default-compression meson option, that allows to select any of
the available compression algorithms as the default.