1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

749 Commits

Author SHA1 Message Date
Michal Sekletar
88e4bfa62b core: add possibility to not track certain unit types 2022-11-24 09:28:22 +09:00
Jason A. Donenfeld
47b3e96647 boot: remove random-seed-mode
Now that the random seed is used on virtualized systems, there's no
point in having a random-seed-mode toggle switch. Let's just always
require it now, with the existing logic already being there to allow not
having it if EFI itself has an RNG. In other words, the logic for this
can now be automatic.
2022-11-22 01:30:03 +01:00
Luca Boccassi
a0c544ee09
Merge pull request #25379 from keszybz/update-doc-links
Update doc links
2022-11-22 01:07:13 +01:00
Jason A. Donenfeld
a4eea6038c bootctl: install system token on virtualized systems
Removing the virtualization check might not be the worst thing in the
world, and would potentially get many, many more systems properly seeded
rather than not seeded. There are a few reasons to consider this:

- In most QEMU setups and most guides on how to setup QEMU, a separate
  pflash file is used for nvram variables, and this generally isn't
  copied around.

- We're now hashing in a timestamp, which should provide some level of
  differentiation, given that EFI_TIME has a nanoseconds field.

- The kernel itself will additionally hash in: a high resolution time
  stamp, a cycle counter, RDRAND output, the VMGENID uniquely
  identifying the virtual machine, any other seeds from the hypervisor
  (like from FDT or setup_data).

- During early boot, the RNG is reseeded quite frequently to account for
  the importance of early differentiation.

So maybe the mitigating factors make the actual feared problem
significantly less likely and therefore the pros of having file-based
seeding might outweigh the cons of weird misconfigured setups having a
hypothetical problem on first boot.
2022-11-21 15:13:26 +01:00
Zbigniew Jędrzejewski-Szmek
2bd051a06d docs/BOOT_LOADER_INTERFACE: reword sentence to apply to both entry types 2022-11-21 12:26:35 +01:00
Zbigniew Jędrzejewski-Szmek
db81144428 tree-wide: BLS and DPS are now on uapi-group website 2022-11-21 12:26:35 +01:00
Lennart Poettering
6337be0a4e pcrphase: add $SYSTEMD_PCRPHASE_STUB_VERIFY env var for overriding stub check 2022-11-17 07:44:11 +09:00
Jason A. Donenfeld
0be72218f1 boot: implement kernel EFI RNG seed protocol with proper hashing
Rather than passing seeds up to userspace via EFI variables, pass seeds
directly to the kernel's EFI stub loader, via LINUX_EFI_RANDOM_SEED_TABLE_GUID.
EFI variables can potentially leak and suffer from forward secrecy
issues, and processing these with userspace means that they are
initialized much too late in boot to be useful. In contrast,
LINUX_EFI_RANDOM_SEED_TABLE_GUID uses EFI configuration tables, and so
is hidden from userspace entirely, and is parsed extremely early on by
the kernel, so that every single call to get_random_bytes() by the
kernel is seeded.

In order to do this properly, we use a bit more robust hashing scheme,
and make sure that each input is properly memzeroed out after use. The
scheme is:

    key = HASH(LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN)
    new_disk_seed = HASH(key || 0)
    seed_for_linux = HASH(key || 1)

The various inputs are:
- LINUX_EFI_RANDOM_SEED_TABLE_GUID from prior bootloaders
- 256 bits of seed from EFI's RNG
- The (immutable) system token, from its EFI variable
- The prior on-disk seed
- The UEFI monotonic counter
- A timestamp

This also adjusts the secure boot semantics, so that the operation is
only aborted if it's not possible to get random bytes from EFI's RNG or
a prior boot stage. With the proper hashing scheme, this should make
boot seeds safe even on secure boot.

There is currently a bug in Linux's EFI stub in which if the EFI stub
manages to generate random bytes on its own using EFI's RNG, it will
ignore what the bootloader passes. That's annoying, but it means that
either way, via systemd-boot or via EFI stub's mechanism, the RNG *does*
get initialized in a good safe way. And this bug is now fixed in the
efi.git tree, and will hopefully be backported to older kernels.

As the kernel recommends, the resultant seeds are 256 bits and are
allocated using pool memory of type EfiACPIReclaimMemory, so that it
gets freed at the right moment in boot.
2022-11-14 15:21:58 +01:00
Lennart Poettering
71ea84369e locale: honour new env var $SYSTEMD_UTF8=
This is useful to force off fancy unicode glyph use (i.e. use "->"
instead of "→"), which is useful in tests where locales might be
missing, and thus control via $LC_CTYPE is not reliable.

Use this in TEST-58, to ensure the output checks we do aren't confused
by missing these glyphs being unicode or not.
2022-11-10 17:20:36 +01:00
Zbigniew Jędrzejewski-Szmek
b1fd5cd4ed Revert "initrd: extend SYSTEMD_IN_INITRD to accept non-ramfs rootfs"
This reverts commit 1f22621ba3.

As described in the reverted commit, we don't want to get rid of the check
completely. But the check requires opting-in by setting SYSTEMD_IN_INITRD=lenient,
which is cumbersome and doesn't seem to actually happen.
https://bugzilla.redhat.com/show_bug.cgi?id=2137631 is caused by systemd refusing
to treat the system as an initrd because overlayfs is used. Let's revert this
approach and do something that doesn't require opt-in instead.

I don't think it makes sense to keep support for "SYSTEMD_IN_INITRD=lenient" or
"SYSTEMD_IN_INITRD=auto". To get "auto" behaviour, just unset the option. And
"lenient" will be reimplemented as a better check. Thus the changes to the
option interface are completely reverted.
2022-11-09 09:20:33 +01:00
Luca Boccassi
729a492881 docs: DPS and BLS have moved to uapi-group.org 2022-11-02 07:31:18 +09:00
William Roberts
026d249969 docs/HACKING.md: clarify some portions
Clarify portions of HACKING.md so folks don't spend as much time as I
did on it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2022-10-31 20:56:37 +01:00
Frantisek Sumsal
de85e1a2f4 docs: update translation strings before new release 2022-10-20 10:39:03 +02:00
Zbigniew Jędrzejewski-Szmek
0923b4253c tree-wide: replace "plural(s)" by "plurals"
(s) is just ugly with a vibe of DOS. In most cases just using the normal plural
form is more natural and gramatically correct.

There are some log_debug() statements left, and texts in foreign licenses or
headers. Those are not touched on purpose.
2022-10-17 15:10:53 +02:00
Daan De Meyer
beead603c5
Merge pull request #24629 from DaanDeMeyer/mkosi-kernel
mkosi: Optionally build a kernel image from mkosi.kernel/
2022-10-11 14:37:19 +02:00
Aidan Dang
fd83c98e8a Implement --luks-sector-size for homed 2022-10-07 16:36:04 +02:00
Daan De Meyer
e81710d3d0 journal: Store offsets to tail entry array objects in chain
Previously, we'd iterate an entry array from start to end every time
we added an entry offset to it. To speed up this operation, we cache
the last entry array in the chain and how many items it contains.
This allows the addition of an entry to the chain to be done in
constant time instead of linear time as we don't have to iterate
the entire chain anymore every time we add an entry.
2022-10-07 12:28:09 +02:00
Daan De Meyer
a9089a6604 journal: Use 32-bit entry item object offsets in compact mode
To do this, we move EntryItem out of journal-def.h and turn it into
a host only struct in native endian mode so we can still use it to
ship the necessary info around.

Aside from that, the changes are pretty simple, we introduce some
extra functions to access the right field depending on the mode and
convert all the other code to use those functions instead of
accessing the raw fields.

We also drop the unused entry item hash field in compact mode. We
already stopped doing anything with this field a while ago, now we
actually drop it from the format in compact mode.
2022-10-07 12:20:57 +02:00
Daan De Meyer
99daf3ce03 journal: Use 32-bit entry array offsets in compact mode
Before:

OBJECT TYPE      ENTRIES SIZE
Unused           0       0B
Data             3610336 595.7M
Field            5310    285.2K
Entry            3498326 1.2G
Data Hash Table  29	 103.1M
Field Hash Table 29      151.3K
Entry Array      605991  1011.6M
Tag              0	 0B
Total            7720021 2.9G

After:

OBJECT TYPE      ENTRIES SIZE
Unused           0	 0B
Data             3562667 591.0M
Field            3971    213.6K
Entry            3498566 1.2G
Data Hash Table  20	 71.1M
Field Hash Table 20	 104.3K
Entry Array	 582647  505.0M
Tag              0	 0B
Total            7647891 2.4G
2022-10-07 12:20:08 +02:00
Daan De Meyer
61297656c7 journal: Enable compact mode
We also add an environment variable $SYSTEMD_JOURNAL_COMPACT that
can be used to disable compact mode if needed (similar to
$SYSTEMD_JOURNAL_KEYED_HASH).
2022-10-07 11:28:12 +02:00
Daan De Meyer
87413812c9 journal: Add compact mode
This adds a new flag in preparation for incompatible journal changes
which will be gated behind this flag. The max file size of journal
files in compact mode is limited to 4 GiB.
2022-10-07 11:26:28 +02:00
Zbigniew Jędrzejewski-Szmek
868e6ce65c docs/CONTRIBUTING: strenghten language about ABI stability, fix links, other tweaks
The text made it sound like breaking ABI in libsystemd is allowed with good reasons.
In fact, we plan never to do this, so make the language stronger.

Also remind people about distro forums for reporting bugs. Those are probably a
better place than systemd-devel for new users.

Also, add some missing articles and apostrophes, fix URLs, remove repeated phrases,
etc.
2022-10-01 11:29:24 +02:00
Daan De Meyer
d12e9bdc76 mkosi: Optionally build a kernel image from mkosi.kernel/
If mkosi.kernel/ exists, the mkosi script will try to build a kernel
image from it. We use the architecture defconfig as a base and add
our own extra configuration on top.

We also add some extra tooling to the build image required to build
the kernel and include some documentation in HACKING.md on how to
use this new feature.

To avoid the kernel sources from being copied into the build or
final image (which we don't want because it takes a while), we put
the mkosi.kernel/ directory in .gitignore and use
"SourceFileTransfer=mount" so that the sources are still accessible
in the build image.
2022-09-29 20:15:57 +02:00
Zbigniew Jędrzejewski-Szmek
3efadceb9e docs/CONTRIBUTING: explain various labels and add link to "reviewable" PRs
The linked filter gives an up-to-date list of pull requests that need review.
(Yes, there's too many.) We used to set 'needs-review' label, but that is
not available to non-members, and also every pull requests which is not labeled
'reviewed/needs-rework'/'ci-fails/needs-rework'/'needs-rebase' can and should
be reviewed.

If this is merged, I'll drop the 'needs-review' label.
2022-09-30 01:23:30 +09:00
Sarah Brofeldt
f8151a707c docs/NETWORK_ONLINE: systemd.network hyperlink fix 2022-09-28 15:48:39 +09:00
Luca Boccassi
542e6eb38d
Merge pull request #24799 from poettering/initrd-ftw
use "initrd" rather than "initial RAM disk" or "initramfs" to refernce the concept
2022-09-23 20:43:15 +01:00
Daan De Meyer
354dc913c5
Merge pull request #24635 from DaanDeMeyer/repart-verity-sig
repart: Add support for generating verity sig partitions
2022-09-23 18:53:04 +02:00
Lennart Poettering
55c041b4e4 tree-wide: also settle on "initrd" instead of "initial RAM disk"
With this the concept is now called the same way everywhere except where
historical info is relevant or where the other names are API.
2022-09-23 15:12:18 +02:00
Daan De Meyer
35e596f83f docs: Mention that "certificateFingerprint" source should be in DER 2022-09-23 14:10:11 +02:00
Yu Watanabe
0b0cdb1652 doc: drop remaining references to LGTM.com 2022-09-23 18:29:22 +09:00
Lennart Poettering
4d0d34b4e7
Merge pull request #24709 from keszybz/partition-table-constants
Expose various GPT UUIDs as public contants and link them up in docs
2022-09-21 20:07:21 +02:00
Zbigniew Jędrzejewski-Szmek
da7dfd8ef5 docs/DPS: use the SD_GPT_* constants here too 2022-09-21 15:30:31 +02:00
Lennart Poettering
0b81e47e80 boot-loader-spec: undo redefinition of $BOOT
In 53c26db4da the meaning of $BOOT was
redefined. I think that's quite problematic, since the concept is
implemented in code and interface of bootctl. Thus, I think we should
stick to the original definition, which is: "where to *place* boot menu
entries" (as opposed to "where to *read* boot menu entries from").

The aforementioned change was done to address two things afaiu:

1. it focussed on a $BOOT as the single place to put boot entries in,
   instead of mentioning that both ESP and $BOOT are expected to be
   the source

2. it mentioned the /loader/ dir (as location for boot loader resources)
   itself as part of the spec, which however only really makes sense in
   the ESP. /loader/entries/ otoh makes sense in either the ESP or
   $BOOT.

With this rework I try to address these two issues differently:

1. I intend to make clear the $BOOT is the "primary" place to put stuff
   in, and is what should be mounted to /boot/.

2. The ESP (if different from $BOOT) is listed as "secondary" source to
   read from, and is what should be mounted to /efi/. NB we now make the
   distinction between "where to put" (which is single partition) and
   "where to read from".

3. This drops any reference of the /loader/ dir witout the /entries/
   suffix. Only the full /loader/entries/ dir (and its companion file
   /loader/entries.srel) are now mentioned. Thus isolated /loader/
   directory hence becomes irrelevant in the spec, and the fact that
   sd-boot maintains some files there (and only in the ESP) is kept out
   of the spec, because it is irrelevant to other boot loaders.

4. It puts back the suggestion to mount $BOOT to /boot/ and the ESP to
   /efi/ (and suggests adding a symlink or bind mount if both are the
   same partition). Why? Because the dirs are semantically unrelated:
   it's OK and common to have and ESP but no $BOOT, hence putting ESP
   inside of a useless, non-existing "ghost" dir /boot/ makes little
   sense. More importantly though, because these partitions are
   typically backed by VFAT we want to maintain them as an autofs, with
   a short idle delay, so that the file systems are unmounted (and thus
   fully clean) at almost all times. This doesn't work if they are
   nested within each other, as the establishment of the inner autofs
   would pin the outer one, making the excercise useless. Now I don't
   think the spec should mention autofs (since that is an implementation
   detail), but it should arrange things so that this specific, very
   efficient, safe and robust implementation can be implemented.

The net result should be easy from an OS perspective:

1. *Put* boot loader entries in /boot/, always.

2. *Read* boot loader entries from both /boot/ and /efi/ -- if these are distinct.

3. The only things we define in the spec are /loader/entries/*.conf and
   /EFI/Linux/*.efi in these two partitions (well, and the companion
   file /loader/entries.srel

4. /efi/ and /boot/ because not nested can be autofs.

5. bootctl code and interface (in particular --esp-path= and
   --boot-path=) match the spec again. `bootctl -x` and `bootctl -p`
   will now print the path to $BOOT and ESP again, matching the concepts
   in the spec again.

From the sd-boot perspective things are equally easy:

1. Read boot enrties from ESP and XBOOTLDR.

2. Maintain boot loader config/other resources in ESP only.

And that's it.

Fixes: #24247
2022-09-20 21:49:58 +02:00
Lennart Poettering
e04ef18e48 boot-loader-spec: fix typo 2022-09-20 21:35:58 +02:00
Lennart Poettering
cae6a289db boot-loader-spec: add comment about case sensitivity of file names 2022-09-20 21:35:58 +02:00
Zbigniew Jędrzejewski-Szmek
7bb99e23e5
Delete CNAME 2022-09-20 17:46:40 +02:00
Zbigniew Jędrzejewski-Szmek
9a941ffefe sd-gpt, docs: define s390 before s390x
In all other cases we have the older variant before the newer. And since we
generate some documentation tables from the header, this order is also visible
for users. Let's restore the order. This commit does
4565246911 in a slightly different fashion.
2022-09-20 16:48:50 +02:00
Luca BRUNO
72ceee435d docs: add a note about selectively overriding default dependencies
This documents that explicit `Before=`/`After=` dependencies can be
used to selectively override implicit ordering coming from default
dependencies. That allows for more granular control compared to the
already documented `DefaultDependencies=no` option.

The alternative approach came up in a discussion around the ordering
of `boot-complete.target`, so this also adds an explicit suggestion
in that direction to the "Automatic Boot Assessment" documentation.

Ref: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048330.html
2022-09-20 13:57:26 +02:00
Luca Boccassi
b60d3016eb docs: mention tmpfiles.d in CREDENTIALS.md and add example 2022-09-08 16:33:24 +01:00
Lennart Poettering
bbb71e5c98 CODING_STYLE: fix header level 2022-09-08 16:13:07 +02:00
Jan Janssen
97f077df05 boot: Avoid magic values in timeout EFI vars 2022-09-07 12:55:55 +02:00
Lennart Poettering
e8a587dca2 docs: Some CODING_STYLE additions 2022-09-07 10:05:46 +02:00
Johannes Schauer Marin Rodrigues
3fa8a1148a sysusers: make sp_lstchg shadow field reproducible
If the environment variable SOURCE_DATE_EPOCH is set, use its value
instead of the current time.
2022-09-02 07:17:25 +02:00
Yu Watanabe
2b6605102d dissect-image: add environment variable to control timeout for waiting devlink to be configured 2022-08-31 23:20:09 +09:00
Lennart Poettering
79127368d8 docs: use Title Case for section titles
as per:

https://titlecase.com/
2022-08-29 14:48:26 +02:00
Uriel Corfa
c0a18932dc docs: fix incorrect env var name for credentials directory
CREDENTIAL_PATH appears nowhere in the systemd source code.
$CREDENTIALS_DIRECTORY is what is used instead.
2022-08-28 17:35:58 +09:00
Jacek Migacz
d896260958 resolve: control system hostname synthesis via environment variable 2022-08-26 11:19:17 +09:00
Lennart Poettering
e109541fe6 docs: suggests people use path_extract_filename() + path_extract_directory() 2022-08-23 15:10:15 +02:00
Daan De Meyer
2d92c35b35 docs: Add guide to debug binaries in vscode that need to run as root 2022-08-18 14:46:01 +02:00
Daan De Meyer
d1e9a4244b docs: Recommend pkexec over using an askpass program with sudo
Less configuration required than downloading and configuring an
askpass program.
2022-08-18 14:17:07 +02:00