mirror of https://github.com/systemd/systemd.git synced 2024-10-30 06:25:37 +03:00
Commit Graph

59865 Commits

Author SHA1 Message Date
Lennart Poettering
7c46b19718 TEST-70-TPM2: add test for new signed TPM2 PCR policies 2022-09-08 16:34:27 +02:00
Lennart Poettering
75a9681ec0 cryptsetup: hook up TPM2 token code with policies based on PCR signatures, too 2022-09-08 16:34:27 +02:00
Lennart Poettering
4d5cc0d453 tpm2-util: add helper for formatting PCR masks as string 2022-09-08 16:34:27 +02:00
Lennart Poettering
fdf6c27cba tpm2-util: add common parser for the LUKS2 TPM2 JSON structure
This splits out the JSON parser used by the systemd-cryptsetup code.

This is preparation for later work to reuse it in the tpm2 cryptsetup
token module, which currently uses a separate but very similar parser
for the same data.

No change in behaviour.
2022-09-08 16:34:27 +02:00
Lennart Poettering
dc63b2c909 cryptsetup: hook up signed PCR policies 2022-09-08 16:34:27 +02:00
Lennart Poettering
02ef97cde0 repart: hook up new TPM2 signed policies with repart 2022-09-08 16:34:27 +02:00
Lennart Poettering
f0f4fcaeb7 cryptenroll: hook up new TPM2 signed policies with cryptenroll 2022-09-08 16:34:27 +02:00
Lennart Poettering
75ddec9301 creds-tool: expose new signed PCR policies in creds tool, too 2022-09-08 16:34:27 +02:00
Lennart Poettering
6a0779cbf9 creds-util: hook up new signed PCR policies 2022-09-08 16:34:27 +02:00
Lennart Poettering
d9b5841d40 tpm2-util: extend TPM2 policies to optionally check PCR values against signed values
Traditionally, TPM2 PCR policies are bound against literal PCR values,
which makes them hard to work with when updating software that is
measured into PCRs: each update will change the PCR values, and thus
break TPM2 policies of existing objects.

Let's improve the situation: let's allow signed PCR policies. Secrets
and other TPM2 objects can be associated with a public key that signs a
PCR policy. Thus, if the signed policy and the public key are presented,
access to the TPM2 object can be granted. This allows a less brittle
handling of updates: for example, whenever a kernel image is updated a
new signed PCR policy can be shipped along with it, signed by a private
key owned by the kernel vendor (ideally: same private key that is used
to sign the kernel image itself). TPM2 objects can then be bound to the
associated public key, thus allowing objects that can only be unlocked
by kernels of the same vendor. This makes it very easy to update kernels
without affecting locked secrets.

This does not hook up any of the consuming code (just passes NULL/0
everywhere). This is for later commits.
2022-09-08 16:34:27 +02:00
Lennart Poettering
cdaaa62ca1 measure: add 'sign' verb 2022-09-08 16:27:07 +02:00
Lennart Poettering
e8ccb5c7e1 openssl-util: add helper for calculating fingerprint of a DER public key 2022-09-08 16:27:07 +02:00
Lennart Poettering
bad4c73c37 tpm2-util: allow external code to create tpm2 contexts 2022-09-08 16:27:07 +02:00
Lennart Poettering
0d75641388 tpm2-util: pick up 4 more symbols of tpm2-tss 2022-09-08 16:27:07 +02:00
Lennart Poettering
bbb71e5c98 CODING_STYLE: fix header level 2022-09-08 16:13:07 +02:00
Lennart Poettering
8c87f2473f bootctl: don't start "bootctl list" output with a title line
Let's not output a title line given that we don't output multiple
different things here anyway, and the "bootctl list" command is about
listing boot entries anyway and it's documented that way.

Having titles for sections if we have multiple sections of output
definitely makes sense, but if there's only one kind of information we
list it's redundant clutter.
2022-09-08 13:14:05 +02:00
Lennart Poettering
f2c513048c bootspec: don't follow symlinks when opening type1/type2 files
Let's not follow symlinks when going from enumeration dir to enumerated
file either.
2022-09-08 13:14:05 +02:00
Lennart Poettering
2683ae2d73 bootspec: use chase_symlinks() where appropriate
Let's better be safe than sorry, and follow symlinks in ESP + XBOOTLDR
via chase_symlinks() relative to the root of these file systems. This is
not a big issue given that ESP/XBOOTLDR are supposed to be VFAT where
symlinks don't exist, but the specs don't strictly require this, and by
loading efifs drivers in uefi it would be possible to support symlinks,
but we'd rather not have that here.

No real change in behaviour, just stricter rules to make me sleep better
at night.
2022-09-08 13:14:05 +02:00
Lennart Poettering
be429c8ff6 update TODO 2022-09-08 13:14:04 +02:00
Lennart Poettering
3d83c3eacf
Merge pull request #24572 from DaanDeMeyer/repart-verity
repart: Add support for formatting verity partitions
2022-09-08 12:02:27 +02:00
Lennart Poettering
e586cc4cc5
Merge pull request #24434 from medhefgo/boot-fixes
boot: Small fixes
2022-09-08 11:17:12 +02:00
William Roberts
0e15c14f63 tpm2: add bind key
Currently, the tpm2 support will use encrypted sessions by creating a
primary key that is used to encrypt traffic. This creates a problem as
the key created for encrypting the traffic could be faked by an active
interposer on the bus. In cases when a pin is used, we can introduce the
bind key. The pin is used as the auth value for the seal key, aka the
disk encryption key, and that auth value can be used in the session
establishment. An attacker would need the pin value to create the secure
session and thus an active interposer without the pin could not
interpose on TPM traffic.

Related-to: #22637

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2022-09-08 11:16:28 +02:00
Yu Watanabe
2d9c58d786 test: add test for sd_device_enumerator_add_match_parent() 2022-09-08 18:10:50 +09:00
Yu Watanabe
6c876f0c20 sd-device-enumerator: rewrite child enumeration without recursion 2022-09-08 18:10:50 +09:00
Yu Watanabe
bae477676a sd-device-enumerator: do not fail when a directory vanishes on enumerate 2022-09-08 18:10:50 +09:00
Yu Watanabe
cdffb95cce sd-device-enumerator: use test_matches() more 2022-09-08 18:10:50 +09:00
Daan De Meyer
0fc40a0ef6 update TODO 2022-09-08 08:43:50 +02:00
Daan De Meyer
b5b7879a5d repart: Add support for formatting verity partitions
This commit adds a new Verity= setting to repart definition files
with two possible values: "data" and "hash".

If Verity= is set to "data", repart works as before, and populates
the partition with the content from CopyBlocks= or CopyFiles=.

If Verity= is set to "hash", repart will try to find a matching
data partition with Verity=data and equal values for CopyBlocks=
or CopyFiles=, Format= and MakeDirectories=. If a matching data
partition is found, repart will generate verity hashes for that
data partition in the verity partition. The UUID of the data
partition is set to the first 128 bits of the verity root hash. The
UUID of the hashes partition is set to the final 128 bits of the
verity root hash.

Fixes #24559
2022-09-08 08:43:07 +02:00
Yu Watanabe
e21253d3d7
Merge pull request #24587 from yuwata/sd-device-monitor-running-user-ns
sd-device-monitor: relax sender uid check when running in user namespace
2022-09-08 14:27:21 +09:00
Yu Watanabe
c0aa23cf1e sd-device-monitor: relax sender uid check when running in user namespace
If sd-device-monitor is running in a user namespace, the sender uid is
not zero. Let's relax the verification in that case.
2022-09-08 11:08:43 +09:00
Yu Watanabe
a30d3c0134 uid-range: move to src/basic/
To make the functions defined in the files usable by the libsystemd library.
2022-09-08 11:08:43 +09:00
Lennart Poettering
cdba12b34f uid-range: error code tweak for uid_range_load_userns()
Let's return ENOSYS if /proc/ is not mounted (as that's what we usually
return in that case in various helpers that operate on /proc/). Return
EOPNOTSUPP if the kernel simply doesn't support userns.
2022-09-08 06:27:29 +09:00
Yu Watanabe
30633dbd32
Merge pull request #24571 from yuwata/dissect-loop-image-use-backing-file
dissect: save image path to LoopDevice and use it when dissect loop device
2022-09-07 23:45:29 +09:00
Daan De Meyer
3ab44dbdac repart: Invert no_dropin_files boolean 2022-09-07 14:46:21 +02:00
Daan De Meyer
a26d463d08 repart: Extract context dump into a separate function 2022-09-07 14:46:17 +02:00
Yu Watanabe
0fb5036f4d dissect-image: drop unnecessary duplication of partition device node 2022-09-07 20:45:24 +09:00
Yu Watanabe
0b214aa0d0 dissect-image: reuse LoopDevice.node in dissect_image()
Currently, dissect_image() is only called through dissect_loop_device(),
and the LoopDevice object has the device name. Hence, it is not necessary to
get device name in dissect_image().
2022-09-07 20:45:24 +09:00
Yu Watanabe
bec0c37c9e dissect-image: drop currently unused arguments 2022-09-07 20:45:24 +09:00
Yu Watanabe
7726bd4b03 dissect-image: drop currently unused code
Currently, dissect_image() is called only through dissect_loop_device(),
and image_path is always specified. Let's drop it.
2022-09-07 20:45:24 +09:00
Yu Watanabe
64dd3a245f dissect-image: use loop backing file or device node as name of the image
Note, currently, for each call of dissect_loop_device_and_warn(), the
specified name is equivalent to the path passed to loop_device_make_by_path().
Hence, this should not change the current behavior.
2022-09-07 20:45:24 +09:00
Yu Watanabe
55a065cd30 gpt-auto: use LoopDevice object to manage whole block disk 2022-09-07 20:45:24 +09:00
Yu Watanabe
369de26fdf dissect-image: use backing_file stored in LoopDevice object to generate image name
Follow-up for e374439f4b (#24322).

This also simplifies the logic of generating the image name from the image path.
2022-09-07 20:45:24 +09:00
Yu Watanabe
e77cab8248 loop-util: save backing file of loopback block device
It will be used in later commits.
2022-09-07 20:45:24 +09:00
Yu Watanabe
aa0295f1d9 loop-util: move device_has_block_children() to blockdev-util.c
As the function is not only for loopback block devices.

No actual code changes, just refactoring.
2022-09-07 20:45:24 +09:00
Yu Watanabe
af15ee0368 blockdev-util: check if provided sd_device is for a whole block device
And split out partition_generator_new(), to make it usable in other
functions.
2022-09-07 20:45:24 +09:00
Yu Watanabe
46c3a28845 blockdev-util: make block_device_remove_all_partitions() take sd_device object
Then, it is not necessary to recreate the sd_device object when we already
have one.
2022-09-07 20:45:20 +09:00
Jan Janssen
97f077df05 boot: Avoid magic values in timeout EFI vars 2022-09-07 12:55:55 +02:00
Jan Janssen
28fda21c85 boot: Use proper scan codes
This arg expects scan codes and it can be very confusing to find a key
conflict when trying to add a F3 button when there are no F3 keycodes
seemingly in use. CHAR_CARRIAGE_RETURN and SCAN_F3 use the same value,
so no changes in behavior.
2022-09-07 12:55:55 +02:00
Jan Janssen
230f78206a boot: Accept Ctrl+Del for deleting words 2022-09-07 12:55:55 +02:00
Jan Janssen
d17d0e6770 boot: Correctly handle shift keys 2022-09-07 12:55:55 +02:00