1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-29 21:55:36 +03:00
Commit Graph

59852 Commits

Author SHA1 Message Date
Lennart Poettering
4889e809be man: be more careful regarding TPM vs. TPM2
We support PCR measurements for both classic TPM1.2 and TPM2, hence just
say "TPM" generically in that context. But the signed policies are
exclusive to TPM2, hence always say TPM2 there.

We mostly got that right, except at one place. Fix that.
2022-09-09 11:53:05 +02:00
Lennart Poettering
2deca517f6 man: document the new .pcrsig/.pcrpkey sections for unified kernel images 2022-09-09 11:53:05 +02:00
Lennart Poettering
f51b49c675 tmpfiles: copy PCR sig/pkey from initrd /.extra/ into /run/
Now that sd-stub will place the PCR signature and its public key in
the initrd's /.extra/ directory, let's copy it from there into /run/
from userspace. This is done because /.extra/ is on the initrd's tmpfs
which will be emptied during the initrd → host transition. Since we want
these two files to survive we'll copy them – if they exist – into /run/
where they will survive the transition.

Thus, with this last change the files will have safely propagated from
their PE sections into files in /run/ where userspace can find them

The paths in /run/ happen to be the exact ones that
systemd-cryptenroll/systemd-cryptsetup/systemd-creds look for them.
2022-09-09 11:31:04 +02:00
Lennart Poettering
23002b45b1 stub: pass .pcrsig and .pcrpkey PE sections as cpio into invoked kernel
Pick up the two new sections in sd-stub and pass them as initrds into
the booted kernels, where they'll show up as
/.extra/tpm2-pcr-signature.json and /.extra/tpm2-pcr-public-key.pem in
the initrd file system.

The initrd is then supposed to pick these files up from there and save
them at a place that will survive into the host OS.
2022-09-09 11:30:04 +02:00
Lennart Poettering
df7ee6f8b0 stub: add new special PE sections ".pcrsig" and ".pcrpkey" in unified kernels
These aren't wired up yet to do anything useful. For now we just define
them.

This sections are supposed to carry a signature for expected
measurements on PCR 11 if this kernel is booted, in the JSON format
"systemd-measure sign" generates, and the public key used for the
signature.

The idea is to embedd the signature and the public key in unified
kernels and making them available to userspace, so that userspace can
easily access them and enroll (for which the public key is needed) or
unlock (for which the PCR signature is needed) LUKS2 volumes and
credentials that are bound to the currently used kernel version stream.

Why put these files in PE sections rather than just into simple files in
the initrd or into the host fs?

The signature cannot be in the initrd, since it is after all covering
the initrd, and thus the initrd as input for the calculation cannot
carry the result of the calculation. Putting the signature onto the root
fs sucks too, since we typically want to unlock the root fs with it,
hence it would be inaccessible for it's primary purpose then.

The public key could be in the initrd or in the root fs, there's no
technical restriction for that. However, I still think it's a good idea
to put it in a PE section as well, because this means the piece of code
that attaches the signature can also attach the public key easily in one
step, which is nice since it allows separating the roles of the
kernel/initrd/root fs builder, and the role of the signer, and the
former doesn't have to have knowledge about what the latter is going to
add to the image.

Note that the signature section is excluded from the TPM measurements
sd-stub does about its resource sections, since – as mentioned – it's
the expected output of the signing operation whose input are the
measurements, hence it cannot also be input to them. The public key
section is included in the measurements however.
2022-09-09 11:28:38 +02:00
Lennart Poettering
e139565b01 cpio: add helper for packing cpios of literally specified data blobs
Let's add simple helpers for passing data blobs from the stub into the
booted kernel as initrds that are generated on-the-fly.

(Note used yet, a later commit will make use of this)
2022-09-09 11:27:08 +02:00
Suraj Krishnan
cb456374e0 Implement DNS notifications from resolved via varlink
* The new varlink interface exposes a method to subscribe to DNS
resolutions on the system. The socket permissions are open for owner and
group only.
* Notifications are sent to subscriber(s), if any, after successful
resolution of A and AAAA records.

This feature could be used by applications for auditing/logging services
downstream of the resolver. It could also be used to asynchronously
update the firewall. For example, a system that has a tightly configured
firewall could open up connections selectively to known good hosts based
on a known allow-list of hostnames. Of course, updating the firewall
asynchronously will require other design considerations (such as
queueing packets in the user space while a verdict is made).

See also:
https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html
https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html
2022-09-09 09:22:57 +01:00
Yu Watanabe
761787fc88
Merge pull request #24557 from yuwata/repart
repart: fix partition size calculation
2022-09-09 09:32:07 +09:00
Yu Watanabe
3b19e16056 test-58-repart: add test case for issue #24553 2022-09-09 05:53:01 +09:00
Yu Watanabe
9ccceb9d2b repart: make existing partition can be also 'dropped'
Previously, when an existing partition cannot grow, then entire process
fails. This makes such an existing partion handled as an foreign
partition, i.e. it is not managed by us.
2022-09-09 05:52:57 +09:00
Yu Watanabe
cdbcc33952 repart: check if existing partitions can grow
Fixes #24553.
2022-09-09 05:49:00 +09:00
Yu Watanabe
58b06ac1ab repart: split out free_area_{current,min}_end() from free_area_available_for_new_partitions()
No actual code changes, just preparation for later commits.
2022-09-09 05:49:00 +09:00
Yu Watanabe
f39cf264a6 repart: reset assignments by previous context_allocate_partitions()
The function context_allocate_partitions() may be called multiple times.
If this is called multiple times, then dropped partitions may still
assigned to free area.
2022-09-09 05:48:56 +09:00
Yu Watanabe
d7c46b5e1e repart: do not assign new size larger than acquired or the specified maximum
The acquired size may be larger than the requested maximum. So, let's
cap the value.

Note, at the final phase, the acquired size should be larger than the
requested minimum. Hence, the assertion about that is added.
2022-09-09 05:35:41 +09:00
Yu Watanabe
bf99aed6e8 repart: set new size for foreign partitions at first
Otherwise, the new size may be larger than the acquired one.
2022-09-09 05:35:41 +09:00
Yu Watanabe
2a503ad2a9 repart: anyway run loop at the end even if the loop will be restarted later
The order of the partitions processed in each phase does not change
result for the first two phase (PHASE_OVERCHARGE and PHASE_UNDERCHARGE).
2022-09-09 05:35:41 +09:00
Yu Watanabe
0245e15afe repart: make scale_by_weight() always succeed 2022-09-09 05:35:40 +09:00
Yu Watanabe
19903a4335 repart: split out context_grow_partition_one()
No actual code changes, just refactoring.
2022-09-09 05:35:40 +09:00
Yu Watanabe
a801bb0157 repart: introduce partition_{min,max}_padding()
No actual code changes, just refactoring.
2022-09-09 05:35:40 +09:00
Yu Watanabe
b0fbf90b5a repart: ensure partition_max_size() >= partition_min_size() 2022-09-09 05:35:40 +09:00
Yu Watanabe
822d9b9adc repart: make partition_max_size() return UINT64_MAX if not specified
Previously, it did not return UINT64_MAX, but a huge value, as
`UINT64_MAX / grain_size * grain_size != UINT64_MAX`.

This also drops unnecessary conditions.
2022-09-09 05:35:40 +09:00
Yu Watanabe
a80701e68f repart: constify partition_min_size() 2022-09-09 05:35:40 +09:00
Yu Watanabe
f126038f83 repart: rename variables in config_parse_weight()
This is for Weight= or PaddingWeight=, not for Priority=.

No actual code changes, just refactoring.
2022-09-09 05:35:40 +09:00
Yu Watanabe
833106b876 loop-util: do not try to enumerate partitions twice 2022-09-09 05:16:41 +09:00
Yu Watanabe
53274fdb59 loop-util: always check if backing file is not attached yet
An image file without partition table may be attached.
2022-09-09 05:16:01 +09:00
Yu Watanabe
da4fd28871 loop-util: open loopback block device in loop_configure()
And make it return LoopDevice object on success.
No functional changes, just refactoring.
2022-09-09 04:31:10 +09:00
Yu Watanabe
bb273a5145 loop-util: save the flag about if LOOP_CONFIGURE ioctl works or not in loop_configure()
When LOOP_CONFIGURE fail, then it is not necessary to call it on any
later call of loop_configure(). Let's save the flag in a static variable
in the function.
2022-09-09 04:31:10 +09:00
Yu Watanabe
54ba7daf23 loop-util: split out several functions fron loop_configure() and loop_device_make_internal()
The two functions were quite long, and hard to understand its logic.
No functional change, just refactoring.
2022-09-09 04:31:10 +09:00
Yu Watanabe
539b6597b2
Merge pull request #24601 from yuwata/sd-device-enumerator-drop-recursion
sd-device-enumerator: do not recursively find child devices
2022-09-09 04:30:42 +09:00
Frantisek Sumsal
8432b0cd20
Merge pull request #24351 from poettering/pcr-sign
support for signed TPM2 PCR policies in cryptsetup/cryptenrolls/credentials
2022-09-08 19:07:04 +00:00
Lennart Poettering
d56f77e17f measure: print a helpful message if TPM2 PCR sysfs attributes are missing
Prompted by:

https://github.com/systemd/systemd/pull/24351#pullrequestreview-1100418585
2022-09-08 19:46:54 +02:00
Guillaume W. Bres
b3fe33ff52 basic/missing_loop.h: fix missing lo_flags LO_FLAGS_DIRECT_IO 2022-09-08 18:46:19 +01:00
Luca Boccassi
90235a3df2
Merge pull request #24608 from bluca/example
docs: mention tmpfiles.d in CREDENTIALS.md and add example for ssh provisioning (to manpage too)
2022-09-08 17:42:07 +01:00
Lennart Poettering
b2629096e2
Merge pull request #24600 from poettering/bootspec-chase-symlinks
bootspec: more chase_symlinks()
2022-09-08 18:40:10 +02:00
Luca Boccassi
b60d3016eb docs: mention tmpfiles.d in CREDENTIALS.md and add example 2022-09-08 16:33:24 +01:00
Luca Boccassi
87d1886346 man: add example with one-liner for ssh provisioning via tmpfiles.d + Creds 2022-09-08 16:27:52 +01:00
Frantisek Sumsal
f53d56f1a3 test: check the numa-test.service status directly
In a couple of recent CI runs I noticed TEST-36 failing due to a missed
service exit notification and a subsequent fail of the `grep` command:

```
[  257.112153] H systemd[1]: Started numa-test.service.
[  257.114343] H systemd[899]: numa-test.service: Failed to set NUMA memory policy: Invalid argument
[  257.118270] H systemd[899]: numa-test.service: Failed at step NUMA_POLICY spawning /bin/sleep: Invalid argument
[  257.126170] H systemd[1]: Bus private-bus-connection: changing state RUNNING → CLOSING
[  257.130290] H systemd[1]: numa-test.service: Failed to send unit change signal for numa-test.service: Connection reset by peer
[  257.131567] H systemd[1]: Received SIGCHLD from PID 899 ((sleep)).
[  257.132870] H systemd[1]: Got disconnect on private connection.
[  257.134299] H systemd[1]: systemd-journald.service: Got notification message from PID 498 (FDSTORE=1)
[  257.135611] H systemd[1]: systemd-journald.service: Added fd 38 (n/a) to fd store.
[  257.136999] H systemd[1]: systemd-journald.service: Received EPOLLHUP on stored fd 38 (stored), closing.
[  257.366996] H testsuite-36.sh[536]: + stopJournalctl
[  257.366996] H testsuite-36.sh[536]: + local unit=init.scope
[  257.366996] H testsuite-36.sh[536]: + echo 'Force journald to write all queued messages'
[  257.366996] H testsuite-36.sh[536]: Force journald to write all queued messages
[  257.366996] H testsuite-36.sh[536]: + journalctl --sync
[  257.488642] H systemd-journald[498]: Received client request to rotate journal.
[  257.520821] H testsuite-36.sh[536]: + journalctl -u init.scope --cursor-file=jounalCursorFile
[  257.981399] H testsuite-36.sh[536]: + pid1StopUnit numa-test.service
[  257.984533] H testsuite-36.sh[536]: + systemctl stop numa-test.service
[  258.173656] H systemd[1]: Bus private-bus-connection: changing state AUTHENTICATING → RUNNING
[  258.180710] H systemd[1]: numa-test.service: Trying to enqueue job numa-test.service/stop/replace
[  258.182424] H systemd[1]: Added job numa-test.service/stop to transaction.
[  258.185234] H systemd[1]: numa-test.service: Installed new job numa-test.service/stop as 738
[  258.187017] H systemd[1]: numa-test.service: Enqueued job numa-test.service/stop as 738
[  258.239930] H testsuite-36.sh[536]: + grep 'numa-test.service: Main process exited, code=exited, status=242/NUMA' journal.log
```

Let's mitigate this by checking the test service exit status directly
instead of relying on the notification.
2022-09-08 15:00:26 +00:00
Lennart Poettering
7c46b19718 TEST-70-TPM2: add test for new signed TPM2 PCR policies 2022-09-08 16:34:27 +02:00
Lennart Poettering
75a9681ec0 cryptsetup: hook up TPM2 token code with policies based on PCR signatures, too 2022-09-08 16:34:27 +02:00
Lennart Poettering
4d5cc0d453 tpm2-util: add helper for formatting PCR masks as string 2022-09-08 16:34:27 +02:00
Lennart Poettering
fdf6c27cba tpm2-util: add common parser for the LUKS2 TPM2 JSON structure
This splits out the JSON parser used by the systemd-cryptsetup code.

This is preparation for later work to reuse it in the tpm2 cryptsetup
token module, which currently uses a separate but very similar parser
for the same data.

No change in behaviour.
2022-09-08 16:34:27 +02:00
Lennart Poettering
dc63b2c909 cryptsetup: hook up signed PCR policies 2022-09-08 16:34:27 +02:00
Lennart Poettering
02ef97cde0 repart: hook up new TPM2 signed policies with repart 2022-09-08 16:34:27 +02:00
Lennart Poettering
f0f4fcaeb7 cryptenroll: hook up new TPM2 signed policies with cryptenroll 2022-09-08 16:34:27 +02:00
Lennart Poettering
75ddec9301 creds-tool: expose new signed PCR policies in creds tool, too 2022-09-08 16:34:27 +02:00
Lennart Poettering
6a0779cbf9 creds-util: hook up new signed PCR policies 2022-09-08 16:34:27 +02:00
Lennart Poettering
d9b5841d40 tpm2-util: extend TPM2 policies to optionally check PCR values against signed values
Traditionally, TPM2 PCR policies are bound against literal PCR values,
which makes them hard to work with when updating software that is
measured into PCRs: each update will change the PCR values, and thus
break TPM2 policies of existing objects.

Let's improve the situation: let's allow signed PCR policies. Secrets
and other TPM2 objects can be associated with a public key that signs a
PCR policy. Thus, if the signed policy and the public key is presented,
access to the TPM2 object can be granted. This allows a less brittle
handling of updates: for example, whenever a kernel image is updated a
new signed PCR policy can be shipped along with it, signed by a private
key owned by the kernel vendor (ideally: same private key that is used
to sign the kernel image itself). TPM2 objects can then be bound to the
associated public key, thus allowing objects that can only be unlocked
by kernels of the same vendor. This makes it very easy to update kernels
without affecting locked secrets.

This does not hook up any of the consuming code (just passes NULL/0
everywhere). This is for later commits.
2022-09-08 16:34:27 +02:00
Lennart Poettering
cdaaa62ca1 measure: add 'sign' verb 2022-09-08 16:27:07 +02:00
Lennart Poettering
e8ccb5c7e1 openssl-util: add helper for calculating fingerprint of a DER public key 2022-09-08 16:27:07 +02:00
Lennart Poettering
bad4c73c37 tpm2-util: allow external code to create tpm2 contexts 2022-09-08 16:27:07 +02:00