mirror of https://github.com/systemd/systemd.git synced 2024-10-29 21:55:36 +03:00
The systemd System and Service Manager
Lennart Poettering df7ee6f8b0 stub: add new special PE sections ".pcrsig" and ".pcrpkey" in unified kernels
These aren't wired up yet to do anything useful. For now we just define
them.

These sections are supposed to carry a signature for expected
measurements on PCR 11 if this kernel is booted, in the JSON format
"systemd-measure sign" generates, and the public key used for the
signature.

The idea is to embed the signature and the public key in unified
kernels and make them available to userspace, so that userspace can
easily access them and enroll (for which the public key is needed) or
unlock (for which the PCR signature is needed) LUKS2 volumes and
credentials that are bound to the currently used kernel version stream.

Why put these files in PE sections rather than just into simple files in
the initrd or into the host fs?

The signature cannot be in the initrd, since it is after all covering
the initrd, and thus the initrd as input for the calculation cannot
carry the result of the calculation. Putting the signature onto the root
fs sucks too, since we typically want to unlock the root fs with it,
hence it would be inaccessible for its primary purpose then.

The public key could be in the initrd or in the root fs, there's no
technical restriction for that. However, I still think it's a good idea
to put it in a PE section as well, because this means the piece of code
that attaches the signature can also attach the public key easily in one
step, which is nice since it allows separating the roles of the
kernel/initrd/root fs builder, and the role of the signer, and the
former doesn't have to have knowledge about what the latter is going to
add to the image.

Note that the signature section is excluded from the TPM measurements
sd-stub does of its resource sections, since – as mentioned – it's
the expected output of the signing operation whose inputs are the
measurements, hence it cannot also be an input to them. The public key
section is included in the measurements however.
2022-09-09 11:28:38 +02:00
.clusterfuzzlite ci: unpin CFLite 2022-04-26 09:13:57 +00:00
.github ci(issue-labeler): Add missing policy for coredump label 2022-09-06 14:59:00 +00:00
.lgtm/cpp-queries lgtm: dirname() is now icky 2022-08-23 15:10:15 +02:00
.semaphore semaphore: run autopkgtest with sudo 2022-08-11 13:36:15 +02:00
catalog Move message repeat 2022-06-01 00:20:30 +09:00
coccinelle basic/list: drop LIST_IS_EMPTY 2022-07-02 12:46:16 +02:00
docs docs: mention tmpfiles.d in CREDENTIALS.md and add example 2022-09-08 16:33:24 +01:00
factory meson: also allow setting GIT_VERSION via templates 2022-04-05 22:18:31 +02:00
hwdb.d hwdb: Add accel orientation quirk for the Aya Neo Air 2022-09-05 21:48:25 +02:00
LICENSES network: license all config files as CC0 2022-01-12 16:05:59 +01:00
man Implement DNS notifications from resolved via varlink 2022-09-09 09:22:57 +01:00
mkosi.default.d mkosi: add back packages removed from OpenSUSE build 2022-08-26 00:12:55 +01:00
modprobe.d meson: install the right README file in modprobe.d 2021-07-07 14:52:05 +02:00
network network: add example file that enables DHCP on ethernet links 2022-01-12 16:05:59 +01:00
po po: Translated using Weblate (Hungarian) 2022-08-10 06:04:56 +09:00
presets units: enable systemd-network-generator by default 2021-12-16 09:49:39 +01:00
rules.d udev/rules,hwdb: filter out mostly meaningless default strings 2022-09-06 03:38:09 +09:00
shell-completion shell-completion: drop unused $mode 2022-08-28 08:11:26 +00:00
src stub: add new special PE sections ".pcrsig" and ".pcrpkey" in unified kernels 2022-09-09 11:28:38 +02:00
sysctl.d tree-wide: link to docs.kernel.org for kernel documentation 2022-07-04 19:56:53 +02:00
sysusers.d Use descriptive name for nobody 2022-05-27 22:09:24 +01:00
test Implement DNS notifications from resolved via varlink 2022-09-09 09:22:57 +01:00
tmpfiles.d tree-wide: fix typo 2022-08-02 02:43:38 +09:00
tools ci: simplify the Coverity script a bit 2022-08-11 10:57:25 +02:00
units units: prolong the stop timeout for homed 2022-09-05 15:22:53 +02:00
xorg xorg/50-systemd-user: add a full license header 2021-10-01 14:45:00 +02:00
.clang-format clang-format: Adjust style of pointers 2022-05-30 04:00:54 +09:00
.ctags editors: Prevent ctags from following symlinks 2019-02-15 11:01:20 -08:00
.dir-locals.el scripts: use 4 space indentation 2019-04-12 08:30:31 +02:00
.editorconfig docs: configure editorconfig for css and html 2022-05-17 21:13:17 +02:00
.gitattributes gitattributes: introduce and use "generated" attribute 2021-10-18 09:42:55 +02:00
.gitignore core/cgroup: CPUWeight/CPUShares support idle input 2022-08-11 14:25:58 +02:00
.lgtm.yml Revert "lgtm: disable cpp/missing-return (again)" 2022-04-16 10:59:29 +00:00
.mailmap mailmap: two more names 2021-03-30 13:17:58 +02:00
.packit.yml Packit: build SRPMs in Copr 2022-03-09 09:52:41 +00:00
.vimrc scripts: use 4 space indentation 2019-04-12 08:30:31 +02:00
.ycm_extra_conf.py ycm: add doc string for all the functions in configuration file 2017-11-29 13:21:49 -07:00
configure tools: shellcheck-ify tool scripts 2021-09-30 12:27:06 +02:00
LICENSE.GPL2
LICENSE.LGPL2.1 licence: remove references to old FSF address 2012-12-17 11:41:31 +01:00
Makefile tree-wide: add spdx header on all scripts and helpers 2021-01-28 09:55:35 +01:00
meson_options.txt core: allow disabling system time correction if rtc returns time far in the future 2022-08-24 21:39:46 +01:00
meson.build meson: Compile with -Werror=format-signedness 2022-08-30 12:03:33 +02:00
mkosi.build mkosi: Print logs of failing tests 2022-08-25 21:42:57 +01:00
mkosi.postinst mkosi: Ensure we build all features/components in mkosi 2022-08-23 15:19:26 +02:00
NEWS mention ConditionKernelVersion= compat break in NEWS 2022-09-01 23:20:11 +02:00
README README: we don't use crypto API in kernel anymore 2022-09-07 11:04:34 +01:00
README.md README: rawhide -> Rawhide 2022-04-06 23:14:21 +09:00
TODO update TODO 2022-09-08 13:14:04 +02:00

Systemd

System and Service Manager


Details

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list or join our IRC channel.

Stable branches with backported patches are available in the stable repo.