mirror of https://github.com/systemd/systemd.git synced 2024-10-30 06:25:37 +03:00
Commit Graph

56724 Commits

Author SHA1 Message Date
Frantisek Sumsal
43b9b2053c core: add %d specifier for the $CREDENTIALS_DIRECTORY
Resolves: #22549
2022-03-17 17:45:01 +01:00
Frantisek Sumsal
598a1d7633 core: drop an unnecessary initialization 2022-03-17 14:39:51 +01:00
Grigori Goronzy
da29de23ef tpm2: enable parameter encryption
Use a salted, unbound HMAC session with the primary key used as tpmKey,
which means that the random salt will be encrypted with the primary
key while in transit. Decrypt/encrypt flags are set on the new session
with AES in CFB mode. There is no fallback to XOR mode.

This provides confidentiality and replay protection, both when sealing
and unsealing. There is no protection against man in the middle
attacks since we have no way to authenticate the TPM at the moment.
The exception is unsealing with PIN, as an attacker will be unable
to generate the proper HMAC digest.
2022-03-16 22:52:42 +01:00
Anita Zhang
c68ac12a0e
Merge pull request #22768 from poettering/cgls-delegate-xattr
make "delegate" xattr also available for unpriv programs
2022-03-16 14:49:00 -07:00
Lennart Poettering
e127ac90ef
Merge pull request #22761 from poettering/pcr-fix
sd-boot: change kernel cmdline PCR from 8 to 12
2022-03-16 22:32:43 +01:00
Yu Watanabe
06fb09cf40
Merge pull request #22765 from medhefgo/test
test: Use TEST macros in more places
2022-03-17 03:07:36 +09:00
Lennart Poettering
deb5c820ca sd-boot: disable bitlocker reboot feature for now
Conceptually the feature is great and should exist, but in its current
form should be worked to be generic (i.e. not specific to
Windows/Bitlocker, but applicable to any boot entry), not be global (but
be a per-entry thing), not require a BootXXXX entry to exist, and not
check for the BitLocker signature (as TPMs are not just used for
BitLocker).

Since we want to get 251 released, mark it in the documentation, in NEWS
and in code as experimental and make clear it will be reworked in a
future release. Also, make it opt-in to make it less likely people come
to rely on it without reading up on it, and understanding that it will
likely change sooner or later.

Follow-up for: #22043
See: #22390
2022-03-16 18:39:57 +01:00
Lennart Poettering
c2c7eea1e9
Merge pull request #22563 from grigorig/cryptenroll-tpm2-pin
sd-cryptenroll TPM2 PIN protected unlock
2022-03-16 18:04:28 +01:00
Lennart Poettering
bbfabc4498 NEWS: add entry announcing PCR change 2022-03-16 17:44:46 +01:00
Lennart Poettering
27818e2ece man: only document new PCR 12 2022-03-16 17:44:46 +01:00
Lennart Poettering
4d32507f51 sd-boot: measure kernel cmdline into PCR 12 rather than 8
Apparently Grub is measuring all kinds of garbage into PCR 8. Since people
apparently chainload sd-boot from grub, let's thus stay away from PCR 8,
and use PCR 12 instead for the kernel command line.

As discussed here: #22635

Fixes: #22635
2022-03-16 17:44:32 +01:00
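The PCR arithmetic behind the commit above, as an added example that is not part of systemd or of this commit: it simulates a SHA-256 PCR bank in Python and shows why a PCR that another loader also extends (as GRUB does with PCR 8) cannot be predicted from the kernel command line alone, whereas a PCR only sd-boot touches can. The event encoding is a simplification (real firmware and boot-loader measurements follow the TCG event-log conventions, which are not modelled), and the command line and the GRUB events are constructed sample inputs.

```python
# Added example, not systemd code: simulate a SHA-256 PCR bank to show why the
# kernel command line cannot be predicted in a PCR that another loader also extends.
import hashlib


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """One TPM2_PCR_Extend on a SHA-256 bank: new = H(old || H(event)).
    Pre-hashing the event bytes mirrors the event-log convention; the exact
    byte encoding of a real sd-boot measurement is not modelled here."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay(events) -> bytes:
    """Replay events, in order, into a fresh PCR (a PCR is all-zero after reset)."""
    pcr = bytes(32)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


# Constructed sample inputs (not taken from a real boot).
CMDLINE = b"root=/dev/mapper/root rw quiet"
GRUB_EVENTS = [b"grub_cmd: set default=0", b"grub_cmd: linux /vmlinuz"]


def expected_pcr_when_alone() -> bytes:
    """Value a policy author predicts for a PCR that only the command line touches."""
    return replay([CMDLINE])


def expected_pcr_when_shared() -> bytes:
    """Same command line, but another loader extended the PCR first (PCR 8 + GRUB)."""
    return replay(GRUB_EVENTS + [CMDLINE])


if __name__ == "__main__":
    alone, shared = expected_pcr_when_alone(), expected_pcr_when_shared()
    print("cmdline only      :", alone.hex())
    print("after GRUB events :", shared.hex())
    print("cmdline-only policy still matches:", alone == shared)
```

Because extension is a hash chain, every earlier event changes the final value, and the order of events matters too; a sealing policy computed for the command line alone therefore never matches once GRUB has written anything into the same PCR, which is the situation the commit avoids by moving to PCR 12.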
Lennart Poettering
34604d6af7 boot: use UINT32 as type for PCR indexes
This is what the TPM2/UEFI headers use, and most of our EFI codebase.
Let's also use the same type here in cpio.[ch]
2022-03-16 17:33:28 +01:00
Lennart Poettering
c5a408ee35 boot: drop const from EFI_PHYSICAL_ADDRESS parameter
It's not a pointer after all, but a numeric value. As such the const
applies to the value and not the target, but we generally don't do that
for value parameters. Hence drop the const.
2022-03-16 17:33:28 +01:00
Lennart Poettering
1fa3b6c247 cgroup: also set user.invocation_id in addition to trusted.invocation_id
Similar thinking as the preceding commit.

(While we are at it, let's unify some code we use over and over again in
two helper functions)
2022-03-16 16:47:07 +01:00
Lennart Poettering
200aa3583f docs: document the user.delegate xattr 2022-03-16 16:32:47 +01:00
Lennart Poettering
d9bc1c3614 cgroup: also indicate cgroup delegation state in user-accessible xattr
So far we set the "trusted.delegate" xattr on cgroups where delegation
is on. This duplicates this behaviour with the "user.delegate" xattr.
This has two benefits:

1. unprivileged clients can *read* the xattr. "systemd-cgls" can thus
   show delegated cgroups as such properly, even when invoked without
   privs

2. unprivileged systemd instances can set the xattr, i.e. when systemd
   --user delegates a cgroup to further payloads.

This weakens security a tiny bit, given that code that got a cgroup
delegated can manipulate the xattr, but I think that's OK, given they
have a higher trust level regarding cgroups anyway, if they got a
subtree delegated, and access controls on the cgroup itself are still
enforced. Moreover PID 1 as the cgroup manager only sets these xattrs,
never reads them — the xattr is primarily a way to tell payloads about
the delegation, and it's strictly this one way.
2022-03-16 16:32:44 +01:00
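How an unprivileged tool would consume the two xattrs described in the commit above, as an added example that is not systemd code: it probes `user.delegate` first (readable without privileges), falls back to the root-only `trusted.delegate`, and distinguishes "not delegated" from "could not tell", which is the mistake an unprivileged reader makes if it treats a permission error on `trusted.delegate` as "no". Assumptions: systemd writes the value `1` to the xattr when delegation is on and removes it otherwise (so ENODATA means not delegated); the `scripted_getxattr` helper and the scenarios in `demo_scenarios` are constructed for offline demonstration and involve no real cgroups.

```python
# Added example, not systemd code: read cgroup delegation state the way an
# unprivileged viewer would, preferring user.delegate over trusted.delegate.
import errno
import os
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")
DELEGATED, NOT_DELEGATED, UNKNOWN = "delegated", "not-delegated", "unknown"


def delegation_state(cgroup_dir, getxattr=None) -> str:
    """Assumption: the xattr holds b"1" when delegation is on and is absent
    otherwise. A permission error on trusted.delegate (the normal unprivileged
    outcome) yields UNKNOWN, never NOT_DELEGATED."""
    if getxattr is None:
        getxattr = os.getxattr  # Linux only
    permission_denied = False
    for name in ("user.delegate", "trusted.delegate"):
        try:
            value = getxattr(str(cgroup_dir), name)
        except OSError as e:
            if e.errno == errno.ENODATA:        # attribute not set
                continue
            if e.errno in (errno.EACCES, errno.EPERM):  # can't read trusted.*
                permission_denied = True
                continue
            if e.errno == errno.ENOTSUP:        # filesystem without xattrs
                return UNKNOWN
            raise
        return DELEGATED if value.strip() == b"1" else NOT_DELEGATED
    return UNKNOWN if permission_denied else NOT_DELEGATED


def find_delegated(root=CGROUP_ROOT, getxattr=None, walk=os.walk):
    """Walk a cgroup tree and return the directories reported as delegated."""
    return [d for d, _, _ in walk(str(root))
            if delegation_state(d, getxattr) == DELEGATED]


def scripted_getxattr(responses):
    """getxattr stand-in replaying scripted answers (bytes) or errno codes (int),
    so the decision logic can be exercised without a cgroup tree or privileges."""
    def getxattr(path, name):
        answer = responses[name]
        if isinstance(answer, int):
            raise OSError(answer, os.strerror(answer))
        return answer
    return getxattr


def demo_scenarios() -> dict:
    """Constructed scenarios covering every outcome; paths are placeholders."""
    path = "/sys/fs/cgroup/user.slice/example.service"
    return {
        "unpriv, user.delegate=1": delegation_state(path, scripted_getxattr(
            {"user.delegate": b"1", "trusted.delegate": errno.EACCES})),
        "unpriv, only trusted.delegate set": delegation_state(path, scripted_getxattr(
            {"user.delegate": errno.ENODATA, "trusted.delegate": errno.EACCES})),
        "root, nothing set": delegation_state(path, scripted_getxattr(
            {"user.delegate": errno.ENODATA, "trusted.delegate": errno.ENODATA})),
        "root, only trusted.delegate set": delegation_state(path, scripted_getxattr(
            {"user.delegate": errno.ENODATA, "trusted.delegate": b"1"})),
    }


if __name__ == "__main__":
    for scenario, result in demo_scenarios().items():
        print(f"{scenario:36s} -> {result}")
    if CGROUP_ROOT.is_dir():
        print("delegated cgroups on this host:", *find_delegated(), sep="\n  ")
```

The second scenario is the one the commit fixes: a system that only sets `trusted.delegate` leaves an unprivileged viewer unable to tell, so it must report "unknown" rather than "not delegated". As the commit also notes, a payload that got the subtree delegated can rewrite `user.delegate` itself, so the value is display information for that payload and its tools, not an access-control input.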
Jan Janssen
b405e3aae1 test-journal-syslog: Add some valid priority cases 2022-03-16 14:50:12 +01:00
Jan Janssen
3df208468f test: Use C11 UTF-16 string literal 2022-03-16 14:50:12 +01:00
Jan Janssen
68da8adf54 test: Use TEST macros in more places 2022-03-16 14:50:12 +01:00
Lennart Poettering
bde2607563 cgroup-show: split out delegation xattr check into its own function
Just some refactoring.
2022-03-16 14:30:01 +01:00
Lennart Poettering
45cab6e3c1 update TODO 2022-03-16 11:33:27 +01:00
Lennart Poettering
4bb37359f6 docs: s/straight-forward/straightforward/
Inspired by https://github.com/systemd/systemd/pull/20156#discussion_r810878846
2022-03-15 22:46:09 +00:00
Luca Boccassi
3b1276c28b
Merge pull request #22746 from yuwata/home-cleanups
home: two cleanups
2022-03-15 22:44:58 +00:00
Lennart Poettering
69811f4763 import: improve error message
As suggested: https://github.com/systemd/systemd/pull/20156#discussion_r810941489
2022-03-15 22:43:48 +00:00
Luca Boccassi
2979c852a4
Merge pull request #22757 from DaanDeMeyer/bpf-error
BPF error logging improvements
2022-03-15 22:42:48 +00:00
Grigori Goronzy
fd8b924820 cryptenroll: add tests for TPM2 unlocking
Add tests for enrolling and unlocking. Various cases are tested:

- Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR)
- PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN)
- Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0)

v2: rename test, fix tss2 library installation, fix CI failures
v3: fix ppc64, load module
2022-03-15 21:17:00 +01:00
Grigori Goronzy
4005d41ef0 cryptsetup: add manual TPM2 PIN configuration
Handle the case where TPM2 metadata is not available and explicitly
provided in crypttab. This adds a new "tpm2-pin" option to crypttab
options for this purpose.
2022-03-15 21:17:00 +01:00
Grigori Goronzy
caeb5604f9 cryptenroll: add TPM2 PIN documentation 2022-03-15 21:17:00 +01:00
Grigori Goronzy
1f895adac2 cryptsetup: add libcryptsetup TPM2 PIN support
This is unfinished: we don't have any way to actually query for PINs
interactively this way. It is similar to FIDO2 and PKCS#11 in this
regard.

Nonetheless, this code is capable of validating and dumping tokens, so
it is already useful as-is.
2022-03-15 21:17:00 +01:00
Grigori Goronzy
bea344a1a4 cryptsetup: add support for TPM2 pin
Extend cryptsetup for TPM2 pin entry, similar to FIDO2.
2022-03-15 21:17:00 +01:00
Grigori Goronzy
6c7a168105 cryptenroll: add support for TPM2 pin
Add support for PIN enrollment with TPM2. A new "tpm2-pin" field is
introduced into metadata to signal that the policy needs to include a
PIN.

v2: fix tpm2_make_luks2_json in sd-repart
2022-03-15 21:17:00 +01:00
Grigori Goronzy
2f5a892aa0 tpm2: support policies with PIN
Modify TPM2 authentication policy to optionally include an authValue, i.e.
a password/PIN. We use the "PIN" terminology since it's used by other
systems such as Windows, even though the PIN is not necessarily numeric.

The pin is hashed via SHA256 to allow for arbitrary length PINs.

v2: fix tpm2_seal in sd-repart
v3: applied review feedback
2022-03-15 21:17:00 +01:00
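The policy digest that a PCR + PIN enrollment binds a sealed object to, as an added example (not code from systemd or from this series): it applies the PolicyPCR and PolicyAuthValue digest-update formulas from the TPM 2.0 Library Specification, Part 3, to a constructed SHA-256 PCR bank, and derives the authValue from the PIN with SHA-256 as the commit describes. Assumptions: one SHA-256 bank with 24 PCRs (3-byte selection bitmap), the PCR step applied before the PIN step (the order changes the digest), and fake PCR values labelled as constructed.

```python
# Added example, not systemd code: compute TPM 2.0 policy digests for a PCR-bound
# seal with and without a PIN, using the Part 3 formulas for PolicyPCR and
# PolicyAuthValue. Command codes and algorithm ID are from Part 2 of the spec.
import hashlib
import struct

TPM2_ALG_SHA256 = 0x000B
TPM2_CC_POLICY_PCR = 0x0000017F
TPM2_CC_POLICY_AUTH_VALUE = 0x0000016B
DIGEST_SIZE = 32


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def marshal_pcr_selection(pcr_indexes) -> bytes:
    """TPML_PCR_SELECTION: count=1, one SHA-256 bank, sizeofSelect=3, bitmap."""
    select = bytearray(3)
    for i in pcr_indexes:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM2_ALG_SHA256, 3) + bytes(select)


def policy_pcr(policy: bytes, pcr_indexes, bank: dict) -> bytes:
    """PolicyPCR: H(policy || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    pcr_digest = sha256(*(bank[i] for i in sorted(pcr_indexes)))
    return sha256(policy, struct.pack(">I", TPM2_CC_POLICY_PCR),
                  marshal_pcr_selection(pcr_indexes), pcr_digest)


def policy_auth_value(policy: bytes) -> bytes:
    """PolicyAuthValue: H(policy || TPM_CC_PolicyAuthValue). The PIN itself is
    not part of the digest; the step only records that the object's authValue
    must be proven when the policy is used."""
    return sha256(policy, struct.pack(">I", TPM2_CC_POLICY_AUTH_VALUE))


def pin_to_auth_value(pin: str) -> bytes:
    """Arbitrary-length PIN -> fixed 32-byte authValue, as the commit describes."""
    return sha256(pin.encode("utf-8"))


def build_policy(bank: dict, pcr_indexes=(7,), with_pin=False) -> bytes:
    """Trial-policy digest as computed at sealing time. Assumption: PCR step
    first, PIN step last; a fresh policy session starts from an all-zero digest."""
    policy = bytes(DIGEST_SIZE)
    policy = policy_pcr(policy, pcr_indexes, bank)
    if with_pin:
        policy = policy_auth_value(policy)
    return policy


def sample_bank(overrides=None) -> dict:
    """Constructed SHA-256 bank with deterministic fake PCR values."""
    bank = {i: sha256(b"constructed-pcr-%d" % i) for i in range(24)}
    bank.update(overrides or {})
    return bank


if __name__ == "__main__":
    bank = sample_bank()
    print("PCR 7, no PIN    :", build_policy(bank).hex())
    print("PCR 7 + PIN      :", build_policy(bank, with_pin=True).hex())
    print("PCR 0+7, no PIN  :", build_policy(bank, (0, 7)).hex())
    print("authValue('1234'):", pin_to_auth_value("1234").hex())
```

Two points worth checking against the cases the test commit enumerates: a change in any selected PCR (or in the selection itself) changes the digest, while a PCR outside the selection does not bind at all; and the PIN never enters the policy digest, so a wrong PIN is rejected by the TPM's authValue check for the sealed object, not by the policy comparison, which is why the enrollment records a separate "tpm2-pin" flag rather than a different policy hash.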
Grigori Goronzy
e560cf4f71 hmac/sha256: move size define to sha256.h 2022-03-15 21:17:00 +01:00
Daan De Meyer
cc20479f42 bpf: Fix error handling
The __open() functions actually set errno on failure so let's
update the error handling to account for that.
2022-03-15 17:14:19 +00:00
Daan De Meyer
8f048bb76a bpf: Log at debug when checking if restricting ifaces is supported
Same change as 1a9e33aee3 did for
socket-bind.
2022-03-15 17:12:06 +00:00
Yu Watanabe
172e3817b0 home: use open_image_file() helper at one more place 2022-03-15 22:07:11 +09:00
Frantisek Sumsal
c8a4306e63
Merge pull request #22745 from yuwata/test-repart-fixes
test: fixes for TEST-58-REPART
2022-03-15 11:52:50 +00:00
Yu Watanabe
3b591ebbd1
Merge pull request #22739 from mrc0mmand/list-boot-followup
A couple of follow-ups for #22721
2022-03-15 15:59:45 +09:00
Yu Watanabe
e60c3c72f7 home: shorten code a bit and add missing assertions
This drops redundant call of fstat(), and reduces indentation.
2022-03-15 12:38:08 +09:00
Yu Watanabe
6626ea08f6 test: wait for loopback device being actually created
It seems there exists a short time period in which we cannot see the
loopback device after `losetup` has finished:
```
testsuite-58.sh[367]: ++ losetup -b 1024 -P --show -f /tmp/testsuite-58-sector-1024.img
kernel: loop1: detected capacity change from 0 to 204800
testsuite-58.sh[285]: + LOOP=/dev/loop1
testsuite-58.sh[285]: + systemd-repart --pretty=yes --definitions=/tmp/testsuite-58-sector/ --seed=750b6cd5c4ae4012a15e7be3c29e6a47 --empty=require --dry-run=no /dev/loop1
testsuite-58.sh[368]: Device '/dev/loop1' has no dm-crypt/dm-verity device, no need to look for underlying block device.
testsuite-58.sh[368]: Failed to determine canonical path for '/dev/loop1': No such file or directory
testsuite-58.sh[368]: Failed to open file or determine backing device of /dev/loop1: No such file or directory
```
2022-03-15 12:35:50 +09:00
Yu Watanabe
8c166c962d test: format disk image through loopback device
It seems that the change on the image file is sometimes not propagated to
the loopback device immediately.
2022-03-15 12:35:50 +09:00
Yu Watanabe
cc75e1f7c9 test: use /var/tmp for storing disk images
The Ubuntu CI on ppc64el seems to have an issue on tmpfs, and files
may not be fsynced. See c10caebb98.
For safety, let's use /var/tmp to store disk images.
2022-03-15 12:35:50 +09:00
Luca Boccassi
629c1cdf03
Merge pull request #22730 from GeorgesStavracas/gbsneto/multimedia-stream-deck
Add AV production devices to hwdb
2022-03-14 23:40:51 +00:00
Vivien Didelot
7080df5c2e units: fix factory-reset.target description
The current description for the factory reset target does not add any
value and doesn't respect the definition of the related property as
described in systemd.unit(5).

Starting the target currently results in the following log:

    [   11.139174] systemd[1]: Reached target Target that triggers factory reset. Does nothing by default..
    [  OK  ] Reached target Target that…set. Does nothing by default..

Simply update the target description to "Factory Reset".

Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
2022-03-14 22:39:32 +00:00
Frantisek Sumsal
f01aafd283 journal: make --reverse affect --list-boots
Fixes: #16274
2022-03-14 23:33:59 +01:00
Frantisek Sumsal
8e4b9a252b journal: use table_set_json_field_name() to override a column name
Pointed out in: https://github.com/systemd/systemd/pull/22721#discussion_r826014227
Follow-up for: 5a1355d848
2022-03-14 23:33:22 +01:00
Lennart Poettering
715193d1a6
Merge pull request #22734 from poettering/decimal-str-width-test
DECIMAL_STR_WIDTH() + DECIMAL_STR_MAX() tweaks
2022-03-14 23:07:59 +01:00
Luca Boccassi
e9c3312da1
Merge pull request #22727 from fbuihuu/journald-preserve-acl-when-rotating
Journald preserve acl when rotating
2022-03-14 20:39:14 +00:00
Jason A. Donenfeld
ffa047a03e random-util: remove RDRAND usage
/dev/urandom is seeded with RDRAND. Calling genuine_random_bytes(...,
..., 0) will use /dev/urandom as a last resort. Hence, we gain nothing
here by having our own RDRAND wrapper, because /dev/urandom already is
based on RDRAND output, even before /dev/urandom has fully initialized.

Furthermore, RDRAND is not actually fast! And on each successive
generation of new x86 CPUs, from both AMD and Intel, it just gets
slower.

This commit simplifies things by just using /dev/urandom in cases where
we before might use RDRAND, since /dev/urandom will always have RDRAND
mixed in as part of it.

And above where I say "/dev/urandom", what I actually mean is
GRND_INSECURE, which is the same thing but won't generate warnings in
dmesg.
2022-03-14 19:47:13 +00:00
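What the GRND_INSECURE path described in the last paragraph looks like from user space, as an added example that is not systemd code: it requests bytes that carry no unpredictability guarantee via getrandom(2) with GRND_INSECURE, which never blocks and never warns in dmesg, and falls back where that flag is unavailable. Assumptions: GRND_INSECURE is defined by its value from the Linux uapi header because Python's os module does not export it, kernels before 5.6 reject it with EINVAL, and `os.getrandom` is absent on non-Linux platforms.

```python
# Added example, not systemd code: non-cryptographic random bytes via
# getrandom(GRND_INSECURE), with the fallbacks a portable program needs.
import errno
import os

GRND_INSECURE = 0x0004  # assumed from the Linux uapi header; Linux >= 5.6


def insecure_random_bytes(n: int) -> bytes:
    """Bytes for salts, jitter, hash seeds and similar uses that need no
    unpredictability guarantee. Never use this for keys or tokens; use
    os.urandom() or the secrets module for those."""
    getrandom = getattr(os, "getrandom", None)  # missing on non-Linux Pythons
    if getrandom is not None:
        try:
            out = bytearray()
            while len(out) < n:                  # large requests may return short
                out += getrandom(n - len(out), GRND_INSECURE)
            return bytes(out)
        except OSError as e:
            if e.errno != errno.EINVAL:          # EINVAL: kernel lacks GRND_INSECURE
                raise
    # Fallback: the blocking pool interface. Unlike GRND_INSECURE this may stall
    # early at boot until the kernel's CRNG is initialized.
    return os.urandom(n)


def kernel_has_grnd_insecure() -> bool:
    """Probe once whether this kernel accepts GRND_INSECURE."""
    getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        return False
    try:
        getrandom(1, GRND_INSECURE)
        return True
    except OSError as e:
        if e.errno == errno.EINVAL:
            return False
        raise


if __name__ == "__main__":
    print("GRND_INSECURE supported:", kernel_has_grnd_insecure())
    print("sample:", insecure_random_bytes(16).hex())
```

The trade-off the commit relies on is visible in the two branches: GRND_INSECURE is safe to call at any point during boot because it never waits for the pool, while the blocking fallback is the right choice for anything that must be unpredictable, which is why the insecure path is restricted to callers that explicitly asked for "any bytes will do".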
Lennart Poettering
e28770e367 docs: document how we usually define enums 2022-03-14 19:10:11 +00:00