1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 06:25:37 +03:00
Commit Graph

7005 Commits

Author SHA1 Message Date
David Jaša
ce0a056abc check-os-release.py compatible with Python < 3.8
The ":=" operator was only added in Python 3.8 so splitting the line with it into two makes check-os-release.py actually fulfill its claim of working with any python version.
2022-08-24 12:08:17 +09:00
Daan De Meyer
cae8edd93c journal: Add new _INITRD field
The _INITRD field is a boolean field (0 or 1) that specifies whether
a message was processed by systemd-journald in the initrd or not.
2022-08-23 19:35:04 +01:00
Luca Boccassi
0f74ca8668
Merge pull request #24412 from keszybz/man-similarly
man: grammar cleanups
2022-08-23 13:17:13 +01:00
Zbigniew Jędrzejewski-Szmek
6163dac48f man/crypttab: rework formatting in "key acquisition section"
<example> without <title> was rendered as "Example 1.", which did not
look good. While at it, the text is rewored to be, I hope, a bit easier to
read.
2022-08-23 12:32:17 +02:00
Zbigniew Jędrzejewski-Szmek
15102ced42 man: similar → similarly
Something *is* similar
Something *works* similarly
Something does something, similarly to how something else does something

See https://sites.ulethbridge.ca/roussel/2017/11/29/similar-and-similarly-are-they-similar/
for a clear explanation.
2022-08-23 12:14:58 +02:00
eggfly
6b5e82408d fix typos 2022-08-23 10:53:47 +02:00
Lennart Poettering
127b72da2b measure: add --current switch for "systemd-measure calculate"
This allows allows shortcutting measurements of the specified files and
use the information from /sys/ instead.

This is not too useful on its own given that "systemd-measure status"
already exists which displays the current, relevant PCR values. The main
difference is how "complete" the information is. "status" will detect if
the measurements make any sense, and show more than PCR 11. "calculate
--current" otoh only reads PCR 11 and uses that, and that's really it.

This is mainly preparation for later work to add PCR signing to the
tool, where usually it makes most sense to sign prepared kernel images,
but for testing it's really useful to shortcut signing to the current
PCR values instead
2022-08-22 19:17:18 +01:00
Antonio Alvarez Feijoo
782e41ab88 sysext: add missing COMMAND to the help output and man synopsis 2022-08-22 15:41:12 +01:00
Lennart Poettering
c06b6d46fd measure: add json output 2022-08-19 23:26:09 +02:00
Rene Hollander
d9bdb29bf5 Add --efi-boot-option-description argument to bootctl to control the name of the boot
entry.

By default an entry named "Linux Boot Manager" is created (which is the
previous behavior). With the flag the name of the entry can be
controlled, which is useful when installing systemd-boot to multiple ESP
partitions and having uniquely named entries.

Fixes #17044.
2022-08-19 14:55:31 +02:00
Frantisek Sumsal
cd7ad0cbde
Merge pull request #24054 from keszybz/initrd-no-reload
Don't do daemon-reload in the initrd
2022-08-18 13:15:14 +00:00
Luca Boccassi
e4e6cfaad0
Merge pull request #24301 from yuwata/network-tuntap
network/tuntap: introduce KeepFileDescriptor= setting
2022-08-16 23:06:16 +01:00
Kai Lueke
1abe15fe9d man: Correct information on sysext masking
While I had tested that a symlink to /dev/null works to "mask" a sysext
I must have gotten something wrong and thus the instructions in
519c2f0d6b don't work. What works,
at least at the moment, is to instead have an empty directory with the
extension name under /etc/extensions/.
Correct the info in the man page and add a test for it.
2022-08-16 20:43:51 +01:00
Yu Watanabe
f8b7c17764 network/tuntap: introduce KeepCarrier= setting
Closes #24267.
2022-08-16 21:57:31 +09:00
Yu Watanabe
be6c89b8f1
Merge pull request #24294 from rphibel/add-support-for-list-of-definitions-directories
repart: add support for list of definitions directories
2022-08-16 08:58:25 +09:00
Sean Anderson
b23b11719d Fix typo in net-naming-scheme man page
I noticed a typo in the man page. Fix it.

Fixes: 65c2ad985a ("udev: net_id: Use devicetree aliases when available")
2022-08-16 07:45:44 +09:00
Lennart Poettering
e228d48b9e
Merge pull request #24263 from pothos/sysext-for-static-binaries
sysext: Support distribution-independent extensions with static binaries
2022-08-15 13:34:54 +02:00
Kai Lueke
16c1ca0db4 sysext: introduce ARCHITECTURE field to match host architecture
When an extension image has binaries they should match the host
architecture. Currently there is no way to specify this requirement.
Introduce an ARCHITECTURE field in the extension's release file that
may be set to prevent loading on the wrong host architecture.
Since this new field is introduced late, we don't want to make
specifying it mandatory as it would break existing sysext images.

See https://github.com/systemd/systemd/issues/24061
2022-08-15 10:54:32 +02:00
Kai Lueke
ab4d43c54e sysext: support distribution-independent extensions using ID=_any
A sysext image that merely contains static binaries has no dependency
on the host distribution and should be able to be used anywhere.
Support the special '_any' value for the ID field in the extension to
opt-out of ID and VERSION_ID/SYSEXT_LEVEL matching.

See https://github.com/systemd/systemd/issues/24061
2022-08-15 10:51:01 +02:00
Yu Watanabe
38db7a4ed3
Merge pull request #24138 from Keksgesicht/rfe/cryptenroll-keyfile
adding the option to use a keyfile to unlock the device
2022-08-13 03:35:03 +09:00
Richard Phibel
ddf259311f man: document support for drop-in files in systemd-repart 2022-08-12 19:09:07 +02:00
Richard Phibel
ea2aaff80e man: document support for list of definitions directories in systemd-repart 2022-08-12 18:13:30 +02:00
Sean Anderson
65c2ad985a udev: net_id: Use devicetree aliases when available
Devicetree firmware contains an "aliases" node, containing various
aliases for devices described by the firmware. For ethernet devices,
these are named "ethernet0", "ethernet1", etc. They provide a convenient
means of numbering ethernet devices, especially on systems with no other
stable number other than the address. In particular, U-Boot already uses
these aliases to name its ethernet devices.

Previously, there have been attempts (such as [1]) to add support for
these aliases to Linux. However, these patches have been rejected
because it is the maintainers' view that naming policy be left to
userspace. Well, systemd is userspace, so here we are.

In terms of implementation, apparently there can be multiple device
trees at once. I have decided to dodge this problem for now, and just
use /proc/device-tree. If it is desired to support multiple device trees
later, then the scheme can be modified to include the device tree's
index. For example, /sys/firmware/devicetree/base2/aliases/ethernet3
might be named enb2d3.

For the moment we only support "ethernetX" aliases. Future patches might
want to also handle "canX" and "wifiX".

It is common on boards with only one ethernet device to use an alias of
just "ethernet". In this case, the index is an implicit 0. In case the
author of the firmware made a mistake, we check to ensure that aliases
of "ethernet" and "ethernet0" do not both exist.

[1] https://patchwork.kernel.org/project/linux-arm-kernel/patch/1399390594-1409-1-git-send-email-boris.brezillon@free-electrons.com/

Closes: #17625
2022-08-12 11:15:16 +02:00
wineway
c8340822cf core/cgroup: CPUWeight/CPUShares support idle input
Signed-off-by: wineway <wangyuweihx@gmail.com>
2022-08-11 14:25:58 +02:00
Jan B
1f4190244b docs: adding "--unlock-key-file" to systemd-cryptenroll 2022-08-11 12:32:47 +02:00
Oleg Solovyov
d784a8d474 oomd: notify via dbus what have been killed 2022-08-11 09:53:55 +02:00
Chih-Hsuan Yen
7aa0b0121e cryptsetup: support keyfile-timeout for using a device as the key file
Closes https://github.com/systemd/systemd/issues/21993
2022-08-08 17:03:28 +01:00
Lennart Poettering
d096265708
Merge pull request #24044 from dtardon/default-device-timeout
Add a configuration option for setting default device timeout
2022-08-08 15:32:55 +02:00
Lennart Poettering
7496235134 man,journalctl: introduce man/--help sections
So far the --help text and the man page of journactl were mostly a large
pile of options shown next to each other. Let's add some basic
structure, and group switches by sections such as "Filtering Options",
"Output Options" and so on.

Do this the same way in the --help text and in the man page.

Since this moves everything around anyway, I also opted to rebreak all
paragraphs in the man page. This makes the patch larger than necessary,
but given that this whole patch doesn't really change contents besides
section titles I figured this would be OK.
2022-08-05 16:13:07 +01:00
David Tardon
141332ab55 man: update dbus docs 2022-08-05 15:56:23 +02:00
David Tardon
9e69bd4801 man: document DefaultDeviceTimeoutSec= 2022-08-05 15:55:44 +02:00
Lennart Poettering
f17061ef95
Merge pull request #24189 from medhefgo/boot-secure
boot: Follow-up fixes for #20255
2022-08-04 17:27:20 +02:00
Jan Janssen
adb9485acb man: Add instructions for Microsoft secure boot keys
Adding Microsoft keys by default is recommended because firmware drivers
might be signed by it.

This also changes the file ending from .esl to .auth as that is used by
sign-efi-sig-list manpage and other sources.
2022-08-04 10:03:48 +02:00
Luca Boccassi
33b7d7b284
Merge pull request #24141 from DaanDeMeyer/dissect-umount
dissect: Add systemd-dissect --umount
2022-08-04 01:02:55 +01:00
Daan De Meyer
29e804dffd man: Clarify that tools should prefer mount units over editing fstab 2022-08-03 23:17:25 +01:00
Daan De Meyer
ac1f1adfc6 dissect: Add systemd-dissect --umount
This command takes a mountpoint, unmounts it and makes sure the
underlying partition devices and block device are removed before
exiting.

To mirror the --mount operation, we also add a --rmdir option which
does the opposite of --mkdir, and a -U option which is a shortcut
for --umount --rmdir.
2022-08-03 20:55:32 +02:00
Lennart Poettering
1374f5a03a man: fix docbook 2022-08-03 18:51:45 +02:00
Jan Janssen
f234a56db5 boot: Follow-up fixes for #20255 2022-08-03 11:05:12 +02:00
Vincent Dagonneau
e6b0cfad51 This patch adds support for enrolling secure boot boot keys from sd-boot.
***DANGER*** NOTE ***DANGER***

This feature might result in your device becoming soft-brick as outlined
below, please use this feature carefully.

***DANGER*** NOTE ***DANGER***

If secure-boot-enrollment is set to no, then no action whatsoever is performed,
no matter the files on the ESP.

If secure boot keys are found under $ESP/loader/keys and secure-boot-enrollment
is set to either manual or force then sd-boot will generate enrollment entries
named after the directories they are in. The entries are shown at the very bottom
of the list and can be selected by the user from the menu. If the user selects it,
the user is shown a screen allowing for cancellation before a timeout. The enrollment
proceeds if the action is not cancelled after the timeout.

Additionally, if the secure-boot-enroll option is set to 'force' then the keys
located in the directory named 'auto' are going to be enrolled automatically. The user
is still going to be shown a screen allowing them to cancel the action if they want to,
however the enrollment will proceed automatically after a timeout without
user cancellation.

After keys are enrolled, the system reboots with secure boot enabled therefore, it is
***critical*** to ensure that everything needed for the system to boot is signed
properly (sd-boot itself, kernel, initramfs, PCI option ROMs).

This feature currently only allows loading the most simple set of variables: PK, KEK
and db.

The files need to be prepared with cert-to-efi-sig-list and then signed with
sign-efi-sig-list.

Here is a short example to generate your own keys and the right files for
auto-enrollement.

`
keys="PK KEK DB"
uuid="{$(systemd-id128 new -u)}"
for key in ${keys}; do
	openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
	openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
	cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl.nosign"
done

sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl.nosign PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl.nosign KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl.nosign db.esl
`

Once these keys are enrolled, all the files needed for boot ***NEED*** to be signed in
order to run. You can sign the binaries with the sbsign tool, for example:

`
sbsign --key db.key --cert db.crt bzImage --output $ESP/bzImage
`

Example:

Assuming the system has been put in Setup Mode:

`
$ESP/loader/keys/auto/db.esl
$ESP/loader/keys/auto/KEK.esl
$ESP/loader/keys/auto/PK.esl
$ESP/loader/keys/Linux Only/db.esl
$ESP/loader/keys/Linux Only/KEK.esl
$ESP/loader/keys/Linux Only/PK.esl
$ESP/loader/keys/Linux and Windows/db.esl
$ESP/loader/keys/Linux and Windows/KEK.esl
$ESP/loader/keys/Linux and Windows/PK.esl
`

If auto-enroll is set, then the db, KEK and then PK are enrolled from the 'auto'
directory.

If not, three new boot entries are available to the user in order to enroll either the
'Linux Only', 'Linux And Windows' or 'auto' set of keys.
2022-08-03 10:11:08 +02:00
Lennart Poettering
157cb4337b systemctl: clarify that "status" is about the most recent invocation of a service
And point people to "journalctl --unit=" for information of prior runs.

Inspired by: #24159
2022-08-03 09:10:07 +02:00
Lennart Poettering
ca1092dc15 measure: add new tool to precalculate PCR values for a kernel image
For now, this simply outputs the PCR hash values expected for a kernel
image, if it's measured like sd-stub would do it.

(Later on, we can extend the tool, to optionally sign these
pre-calculated measurements, in order to implement signed PCR policies
for disk encryption.)
2022-08-02 10:28:49 +02:00
Lennart Poettering
de7ad6d4f4 sd-stub: measure sysext images picked up by sd-stub into PCR 13
Let's grab another so far unused PCR, and measure all sysext images into
it that we load from the ESP. Note that this is possibly partly redundant,
since sysext images should have dm-verity enabled, and that is hooked up
to IMA. However, measuring this explicitly has the benefit that we can
measure filenames too, easily, and that all without need for IMA or
anything like that.

This means: when booting a unified sd-stub kernel through sd-boot we'll
now have:

1. PCR 11: unified kernel image payload (i.e. kernel, initrd, boot
   splash, dtb, osrelease)

2. PCR 12: kernel command line (i.e. the one embedded in the image, plus
   optionally an overriden one) + any credential files picked up by
   sd-stub

3. PCR 13: sysext images picked up by sd-stub

And each of these three PCRs should carry just the above, and start from
zero, thus be pre-calculatable.

Thus, all components and parameters of the OS boot process (i.e.
everything after the boot loader) is now nicely pre-calculable.

NOTE: this actually replaces previous measuring of the syext images into
PCR 4. I added this back in 845707aae2,
following the train of thought, that sysext images for the initrd should
be measured like the initrd itself they are for, and according to my
thinking that would be a unified kernel which is measured by firmware
into PCR 4 like any other UEFI executables.

However, I think we should depart from that idea. First and foremost
that makes it harder to pre-calculate PCR 4 (since we actually measured
quite incompatible records to the TPM event log), but also I think
there's great value in being able to write policies that bind to the
used sysexts independently of the earlier boot chain (i.e. shim, boot
loader, unified kernel), hence a separate PCR makes more sense.

Strictly speaking, this is a compatibility break, but I think one we can
get away with, simply because the initrd sysext images are currently not
picked up by systemd-sysext yet in the initrd, and because of that we
can be reasonably sure noone uses this yet, and hence relies on the PCR
register used. Hence, let's clean this up before people actually do
start relying on this.
2022-08-02 10:28:49 +02:00
Lennart Poettering
72c97c19c3 efi: from the stub measure the ELF kernel + built-in initrd and so on into PCR 11
Here we grab a new – on Linux so far unused (by my Googling skills, that
is) – and measure all static components of the PE kernel image into.
This is useful since for the first time we'll have a PCR that contains
only a PCR of the booted kernel, nothing else. That allows putting
together TPM policies that bind to a specific kernel (+ builtin initrd),
without having to have booted that kernel first. PCRs can be
pre-calculated. Yay!

You might wonder, why we measure just the discovered PE sections we are
about to use, instead of the whole PE image. That's because of the next
step I have in mind: PE images should also be able to carry an
additional section that contains a signature for its own expected,
pre-calculated PCR values. This signature data should then be passed
into the booted kernel and can be used there in TPM policies. Benefit:
TPM policies can now be bound to *signatures* of PCRs, instead of the
raw hash values themselves. This makes update management a *lot* easier,
as policies don't need to be updated whenever a kernel is updated, as
long as the signature is available. Now, if the PCR signature is
embedded in the kernel PE image it cannot be of a PCR hash of the kernel
PE image itself, because that would be a chicken-and-egg problem. Hence,
by only measuring the relavent payload sections (and that means
excluding the future section that will contain the PCR hash signature)
we avoid this problem, naturally.
2022-08-02 10:28:49 +02:00
Lennart Poettering
599fe002a1 efi: tell userspace where the stub measured the kernel command line/credentials into
This is useful for userspace to know, so that policies can be put
together safely, matching what the stub actually measured.
2022-08-02 10:28:49 +02:00
Yu Watanabe
5162b2a1c4 tree-wide: fix typo 2022-08-02 02:43:38 +09:00
Max Gautier
e0a12b9634 docs: Correct StandartOutput documentation
fix #2114
2022-07-30 13:48:36 +01:00
Daan De Meyer
71ec216e86
Merge pull request #24080 from rdtscp/feature/machinectl/copy-force-flag
Add --force flag to machinectl copy-[to|from]
2022-07-28 14:15:33 +02:00
Alexander Wilson
ae03e1a972 machinectl: Add plumbing for a --force flag for file copy
machine: Add APIs CopyTo[Machine]WithFlags + CopyFrom[Machine]WithFlags
- Same API to those without `WithFlags` (except this can take flags)
- Initially, only a flag to allow replacing a file if it already exists
2022-07-27 08:41:03 -07:00
David Tardon
2d5cdc6224 man: document systemctl list-automounts 2022-07-25 13:37:20 +02:00
Quentin Deslandes
e88748c17e sysctl: add --strict option to fail if sysctl does not exists
systemd-sysctl currently fails silently under any of these conditions:
- Missing permission to write a sysctl.
- Invalid sysctl (path doesn't exists).
- Ignore failure flag ('-' in front of the sysctl name).

Because of this behaviour, configuration issues can go unnoticed as
there is no way to detect those unless going through the logs.

--strict option forces systemd-sysctl to fail if a sysctl is invalid or
if permission are insufficient. Errors on sysctl marked as "ignore
failure" will still be ignored.
2022-07-25 10:15:43 +02:00