IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The verb s not really specific to credential management, it was always a
bit misplaced. Hence move it to systemd-analyze, where we already have
some general TPM related verbs such as "srk" and "pcrs"
* 2c9954fa51 mkosi-initrd: correct `--debug-shell` help output
* 671708a10b Merge pull request #2990 from behrmann/allthemanuals
|\
| * 2671849125 initrd: add --show-documentation option
| * e2238f5dc7 Move show_docs to its own module
| * e366093b1c doc: make documentation command take an argument
* | 9fcff08b34 Update documentation links
* | 113f7f67dd Only write to /etc/machine-id if /etc exists
|/
* 62a610c0e5 Merge pull request #3005 from DaanDeMeyer/mypy
|\
| * 9b569c93bb Don't delete reader in _tempfile() backport
| * 16f4c94930 Mark all class variables as Final
| * ca7021e9a7 Annotate two more variables that need it
| * fec368dd4d Move KeySource.Type out of KeySource
| * ff5f7b06b8 user: Drop lru_cache() for home() and name()
| * 8f7c7b366f Move code backported from cpython upstream to backport.py
| * f66212e9c2 Drop listify()
| * 4293866df2 mypy: Disable allow_redefinition
| * 2700337f11 Fix mypyc warnings in sandbox.py
|/
* 025483af04 sandbox: Use separate variable name when we change types
* b04800cd30 Merge pull request #3003 from DaanDeMeyer/initrd
|\
| * fd64be9b60 mkosi-initrd: Ignore gnupg subdirectory
| * 7a8a21f8f6 mkosi-initrd: Only set --cacheonly=metadata when running as root
| * 156880c398 mkosi-initrd: Add --debug-shell argument
|/
* a32c8f393a Merge pull request #3002 from DaanDeMeyer/cherry-pick
|\
| * 1d8bfabc97 news: add note to change where the manual pages are
| * 8917d65db1 initrd: flatten module into a single file
| * 76085b788a sandbox: flatten module into a single file
| * 9f48afa4a7 cli: add missing completion stubs to pyproject.toml
| * 6e21cceb03 doc: move man pages to resources/man
| * 25d1c6b579 cli: use ellipsis ligature instead of writing out ...
|/
* 013d9b5595 Move various functions to bootloader.py
* 508ad85475 Update NEWS.md
* f25b8dee6f Simplify package cache dir mirror key
* dce4c8af51 Merge pull request #2998 from DaanDeMeyer/ci
|\
| * f4934828f7 tests: Show debug messages on console
| * fa3ae22598 ci: Drop machine-id commit timeout drop-in
* dba01269de base64 encode mirror if we put it in package cache dir key
* 364b65f7bb Add 'login' to Debian/Ubuntu/Kali package list
* ee07b5b6d2 Bump github/codeql-action from 3.25.15 to 3.26.6
This is very similar to tools/fetch-distro.py. The idea is that we extend the
commit to update the mkosi hash with a git log --pretty=oneline output, so that
the reader can know what changes were actually included.
The motivation is that I'm always wondering what changed in mkosi when I see a
commit updating the hash, and it's nicer to have this information shown
directly in the commit.
The script does _not_ pull changes from upstream, on the assumption that the
person doing the commit always has a fresh checkout and that they tested with
that checkout.
systemd-stub provides the signing key for TPM2 signed PCR policies in a
file tpm2-pcr-public-key.pem to userspace. Hence, to clarify that this
is the same key as used when signing via "systemd-measure", let's rename
it in the docs like that.
Also rename the private key to tpm2-pcr-private-key.pem, to keep the
symmetry.
With this we should universally stick to this nomenclature:
1. tpm2-pcr-public-key.pem ← public part of signing key
2. tpm2-pcr-private-key.pem ← private part of signing key
3. tpm2-pcr-signature.json ← signature file made with key pair
Inspired by: #34069
This is a rework of e7a93e7521: instead of
handling components with n_variants being zero at every step of the way, we instead
remove it from our list after loading all components, given that such a
component simply makes not sense for the rest of our logic.
If we operate in "offline" mode, i.e. know the device key, then we will
not have a TPM2 connection, hence don't try to read the PCR bank to use form
it.
We don't need it anyway because we are not going to test unseal things.
Fixes: #33855
The /dev/zramN devices can be used as regular block devices. They are
typically used for swap areas, but it would be beneficial to have
LABEL and UUID in the udev database to make it more user-friendly for
tools such as lsblk or mount (if used with other filesystems).
Such a policy won't provide any protection, but it's still entirely fine
to have it like this in various contexts, for example at OS install
time, to allocate the nvindex and reference it in enrollments. However,
it does deserve mention, hence log about it at LOG_NOTICE level.
This is based on a similar patch by Arnaud Patard
<arnaud.patard@collabora.com> proposed at #33663.
It is not true that "no string" is written to journal; the binary
name is used when run via `systemd-cat command`, or `cat` is used
when run via `command | systemd-cat`.
TEST-64-UDEV-STORAGE is invoked with the subtest appended, so TEST_SKIP=TEST-64-UDEV-STORAGE
does not work. Fix it by using TEST_SKIP as a partial match.
Follow-up for ddc91af4ea
These variables closely mirror the existing
LoaderDevicePartUUID/LoaderImageIdentifier variables. But the Stub…
variables indicate the location of the stub/UKI (i.e. of systemd-stub),
while the Loader… variables indicate the location of the boot loader
(i.e. of systemd-boot). (Except of course, there is no boot loader used,
in which case both sets point to the stub/UKI, as a special case).
This actually matters, as we support that sd-boot runs off the ESP,
while a UKI then runs off XBOOTLDR, i.e. two distinct partitions.
Let's always check if we have data to set *first*, and only then check
if an EFI var is already set.
Checking for the EFI var is more expensive after all.
First of all, these were always set, i.e. since sd-boot was merged into
our tree, i.e. v220. Let's say so explicitly.
Also, let's be more accurate, regarding which partition this referes to:
it's usually "the" ESP, but given that you can make firmware boot from
arbitrary disks, it could be any other partition too. Hence, be
explicit on this.
Also, clarify tha sd-stub will set this too, if sd-boot never set it.
If this is not done, and there are two images, image_1.raw and image_2.raw under
an image.raw.v folder, then the log will say "Using extensions image" instead of
using "Using extensions image_2.raw" which is the desired behavior for v-picked extensions.
Let's move copying out the PCR signature/key into its own tmpfiles
snippet.
And then let's add support for copying out the profile + os-release
information systemd-stub now places in the invoked initrd.
That way these four pieces of information are available even after the
initrd→host transition.
