mirror of https://github.com/systemd/systemd.git synced 2024-10-30 06:25:37 +03:00
Commit Graph

57482 Commits

Author SHA1 Message Date
Lennart Poettering
231a1caf5e
Merge pull request #23122 from poettering/creds-has-tpm2
tpm2: beef up tpm2 support checks
2022-04-20 23:18:02 +02:00
Lennart Poettering
ebf3ee4105 man: update TPM2 PCR documentation
The assignments were partly simply incorrectly documented, partly changed
with 4d32507f51 and partly missing.
Moreover kernel 5.17 now measures all initrds to PCR 9 on its own
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f046fff8bc4c4d8f8a478022e76e40b818f692df)

Let's correct all this and bring it up-to-date.

And while we are at it extend the docs about this in systemd-stub, with
a new table that indicates which OS resource is protected by which PCR.
2022-04-20 21:30:49 +02:00
Yu Watanabe
f4bdbae725
Merge pull request #23084 from poettering/creds-no-tpm2-fallback
creds: add semi-automatic fallback support for initrd credentials on systems lacking TPM2
2022-04-21 04:11:19 +09:00
Lennart Poettering
947914cb44
Merge pull request #23099 from yuwata/sd-bus-track-fixlets
sd-bus: fix counter
2022-04-20 18:23:05 +02:00
Lennart Poettering
fe43a638c5 update TODO 2022-04-20 17:49:17 +02:00
Lennart Poettering
b6553329c0 creds-util: permit credentials encrypted/signed by fixed zero length keys as fallback for systems lacking TPM2
This is supposed to be useful when generating credentials for immutable
initrd environments, where it is relevant to support credentials even
on systems lacking a TPM2 chip.

With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a
credential will be encrypted/signed with the TPM2 if it is available and
recognized by the firmware. Otherwise it will be encrypted/signed with
the fixed empty key, thus providing no confidentiality or authenticity.

The idea is that distributions use this mode to generically create
credentials that are as locked down as possible on the specific
platform.
2022-04-20 17:49:17 +02:00
Lennart Poettering
571d829ee4 creds-util: add an explicit 128bit ID for identifying "automatic" key determination
Previously, when encrypting creds you could pick which key to use for
this via a 128bit ID identifying the key type, and use an all zero ID
for requesting automatic mode.

Let's change this to use an explicitly picked 128bit ID for automatic
mode, i.e. something other than all zeros. This is in preparation for
adding one further automatic mode with slightly different semantics.

No change in behaviour.

Note that the new 128bit id is never written to disk but only used
internally to indicate a specific case.
2022-04-20 17:49:16 +02:00
Lennart Poettering
7cac4a2e2d creds-util: refuse unexpected key types explicitly 2022-04-20 17:19:45 +02:00
Daan De Meyer
b9b156ea3c
Merge pull request #23124 from yuwata/fixes-for-post-merge-review
Fixes for post merge review
2022-04-20 17:15:40 +02:00
Lennart Poettering
eb81249e8a man: document new has-tpm2 verb 2022-04-20 16:58:18 +02:00
Lennart Poettering
6e0cb81505 creds-tool: add new "has-tpm2" verb
Sometimes it's useful from shell scripts to check if we have a working
TPM2 chip around. For example, when putting together encrypted
credentials for the initrd (after all: it might be wise to place the
root pw in a credential for the initrd to consume, but do so only if we
can lock it to the TPM2, and not otherwise, so that we risk nothing).

Hence, let's add a new "systemd-creds has-tpm2" verb: it returns zero if we
have a working TPM2 (which means: supported by kernel + firmware + us),
or non-zero otherwise. Also show which parts are available.

Use-case: in future the 'kernel-install' script should use this when
deciding whether to augment kernels with security sensitive credentials.
2022-04-20 16:58:18 +02:00
Lennart Poettering
0ea911d14c bootctl: use new tpm2_support() helper to show TPM2 info
Let's improve the output regarding TPM2 support in "bootctl": let's show
whether we have local driver support and/or firmware support, and
colorize it.

(For now, don't show if we natively support TPM2, since the tool is
mostly about boot time stuff, where it doesn't really matter much what we
do in userspace)
2022-04-20 16:58:18 +02:00
Lennart Poettering
e1be2c779c condition: rework ConditionSecurity=tpm2 check on top of tpm2_support()
No change in behaviour. Let's just use our new helper here.
2022-04-20 16:58:18 +02:00
Lennart Poettering
ba57855628 tpm2-util: add helper that checks for the various facets of TPM2 support
So far we were a bit sloppy regarding checks for TPM2 support. Let's
make things more precise and introduce a single helper that checks for
three axes of TPM2 support: whether we have a loaded kernel driver,
whether the firmware used it, and whether we ourselves are compiled for
it.

This only adds the helper. Follow-up patches will use it at various
places.
2022-04-20 16:58:18 +02:00
Lennart Poettering
47a9f91760 update TODO 2022-04-20 15:45:10 +02:00
Lennart Poettering
8b82513375 update TODO 2022-04-20 14:49:53 +02:00
Luca Boccassi
7d40544643
Merge pull request #23126 from keszybz/clone3-prohibit
Prohibit clone3() when RestrictNamespaces is used
2022-04-20 11:27:58 +02:00
Luca Boccassi
da13d2ca07 compression: add separate pre-processor definitions
Follow-up for cd3c6322db

journal-def.h should be self-contained too, as it represents the journal object ABI.
Duplicate the enums, as they also need to be in config.h for it to be self-contained,
and enums are not available to the preprocessor. Use an assert to ensure they don't
diverge.
2022-04-19 23:18:19 +02:00
Zbigniew Jędrzejewski-Szmek
30193fe817 manager: prohibit clone3() in seccomp filters
RestrictNamespaces should block clone3() like flatpak:
a10f52a756

clone3() passes arguments in a structure referenced by a pointer, so we can't
filter on the flags as with clone(). Let's disallow the whole function call.
2022-04-19 22:04:31 +02:00
Luca Boccassi
3603f15171 nspawn: fix --ephemeral with --machine
Follow-up for 2362fdde1b

When --machine is specified with --ephemeral, no random suffix is added, so
the recently added assert would fail.

Add a top-level variable with the expected file name for nspawn files, and
compute it when the rest of the names are computed.
2022-04-20 02:33:01 +09:00
w30023233
01d9fbccdd virt: detect OpenStack Nova instance 2022-04-20 02:32:33 +09:00
Yu Watanabe
5a560d4cc3 firewall-util: emphasize that nfnl_netlink_sendv() takes at least one message
Addresses https://github.com/systemd/systemd/pull/23090#discussion_r853002631.
2022-04-20 02:28:54 +09:00
Yu Watanabe
2a86ed67ed efi-api: use string_replace_char() 2022-04-20 02:23:11 +09:00
Yu Watanabe
9dbfcaf229 sd-device: use string_replace_char() and strspn_from_end() 2022-04-20 02:19:44 +09:00
Yu Watanabe
146f4482b2 string-util: introduce strspn_from_end() 2022-04-20 02:15:01 +09:00
Yu Watanabe
072f5f9b18 string-util: introduce string_replace_char() 2022-04-20 02:14:35 +09:00
Yu Watanabe
e4e1353c25 sd-device: refuse O_DIRECTORY returned from path_extract_filename()
In both cases, it is expected that the symlink targets do not end with '/'.

Addresses https://github.com/systemd/systemd/pull/23089#discussion_r853007218.
2022-04-20 01:43:27 +09:00
Yu Watanabe
bb60956b39 path-util: make readlink_value() refuse O_DIRECTORY returned from path_extract_filename()
The function is now only used by sd-device.c and pam_systemd.c, and they
expect the result not to be a directory. Hence, it is safe to change the
behavior.

Addresses https://github.com/systemd/systemd/pull/23089#discussion_r853006017.
2022-04-20 01:40:39 +09:00
Sonali Srivastava
c52950c292 hostnamed: display firmware version 2022-04-19 13:54:16 +02:00
Lennart Poettering
e4b5226d63 update TODO 2022-04-19 12:44:45 +02:00
Zbigniew Jędrzejewski-Szmek
c5503601e2 shared/seccomp: add note about clone2() being unimportant
In case anyone else starts wondering whether it should be listed
as I did…
2022-04-19 11:56:23 +02:00
Yu Watanabe
056a18e465 test: add several tests for track item 2022-04-19 18:02:10 +09:00
Yu Watanabe
63ec7a8490 test: shorten code a bit 2022-04-19 18:02:10 +09:00
Yu Watanabe
c399ed923d sd-bus: use hashmap_contains() and drop unnecessary cast 2022-04-19 18:02:10 +09:00
Yu Watanabe
55bfacc6c3 sd-bus: do not return negative errno when unknown name is specified
When 'recursive' is false, then sd_bus_track_remove_name() does not
return negative errno when unknown name is specified. Let's follow the
same pattern for the case that 'recursive' is true.
2022-04-19 18:02:10 +09:00
Yu Watanabe
6a7ca27740 sd-bus: do not read unused value 2022-04-19 18:02:10 +09:00
Yu Watanabe
c2d7dd35d2 sd-bus: introduce ref/unref function for track_item 2022-04-19 18:01:46 +09:00
Yu Watanabe
b21f237d99 sd-bus: fix reference counter to be incremented
Fixes #23097.
2022-04-19 17:58:08 +09:00
Yu Watanabe
c8431e9e35 macro: check overflow in reference counter 2022-04-19 17:58:02 +09:00
Yu Watanabe
6dd18b34cf json: use unsigned for reference counter
For other places, we use unsigned for reference counter.
2022-04-19 17:56:40 +09:00
Hans de Goede
5e3b8aeef3 hwdb: 60-keyboard: Add Acer Aspire One AO532h keymappings
Add keymappings for the Acer Aspire One AO532h netbook.

Unmap the brightness keys because they send duplicate key events with
the ACPI video bus key events and add a mapping for the bluetooth
on/off hotkey.
2022-04-19 06:17:35 +09:00
Luca Boccassi
2362fdde1b nspawn: fix locating config files with --ephemeral
When --ephemeral is used, a random 16-character suffix is added to the image
name, so matching on .nspawn files based on the image name no longer works.

Fixes https://github.com/systemd/systemd/issues/13297
2022-04-19 06:17:16 +09:00
davijosw
39cd62c30c
hwdb: Update 60-keyboard.hwdb (#23074)
Fix Fn+F1 (toggle touchpad) that wasn't working.

Closes #23058
2022-04-18 20:51:45 +09:00
Yu Watanabe
b0c3d2b76b
Merge pull request #23107 from yuwata/man-network-numeric-prefix
man: recommend that .network or friends should have a numeric prefix
2022-04-18 07:02:10 +09:00
Yu Watanabe
915774ecb8
Merge pull request #23101 from yuwata/sd-device-cleanups
sd-device: several cleanups
2022-04-18 07:01:42 +09:00
Yu Watanabe
98e5a6c93c resolve: fix typo in dns_class_is_pseudo() 2022-04-18 07:01:17 +09:00
Luca Boccassi
cd3c6322db compression: add build-time option to select default
Compression and decompression are controlled by the same build flag,
so if one wants to use, say, LZ4 to compress, ZSTD has to be disabled,
which means one loses the ability to read zstd-compressed journals.

Add a default-compression meson option that allows selecting any of
the available compression algorithms as the default.
2022-04-18 05:43:59 +09:00
Yu Watanabe
23d20adc05 sd-device: rename arguments and variables 2022-04-18 04:34:14 +09:00
Yu Watanabe
9c5d7151c1 sd-device: fix possible use-of-uninitialized-value 2022-04-18 04:34:14 +09:00
Yu Watanabe
17761fb3bf sd-device: use ERRNO_IS_DEVICE_ABSENT() at one more place 2022-04-18 04:34:14 +09:00