| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
parse_boolean_argument() returns the same information via both the output
argument and normal return.
|
| |
|
|
| |
character buffers to NUL terminated C strings
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-1 was used everywhere, but -EBADF or -EBADFD started being used in various
places. Let's make things consistent in the new style.
Note that there are two candidates:
EBADF 9 Bad file descriptor
EBADFD 77 File descriptor in bad state
Since we're initializating the fd, we're just assigning a value that means
"no fd yet", so it's just a bad file descriptor, and the first errno fits
better. If instead we had a valid file descriptor that became invalid because
of some operation or state change, the other errno would fit better.
In some places, initialization is dropped if unnecessary.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Instead of succeeding when either the firmware reports a TPM device
or we find a TPM device, let's check that the firmware reports a TPM
device and the TPM subsystem is enabled in the kernel.
To check whether the subsystem enabled, we check if the relevant
subdirectory in /sys exists at all.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Add a new tpm2_parse_pcr_argument() helper that unifies how we merge PCR
masks in a single function, we can use all over the place. Previously we
had basically the same code for this at 4 places.
|
| |
|
|
|
|
| |
The lifetime of variables decalred in the main switch/case body is just
weird. Let's not rely on it, but just open a new {} block, like
everywhere else in similar cases.
|
| |
|
|
|
|
| |
As per:
https://github.com/systemd/systemd/pull/23170#pullrequestreview-959233817
|
| |
|
|
|
| |
Also, properly hook up things with the new fixed paths for system
credentials.
|
| | |
|
| |\
| |
| | |
tpm2: beef up tpm2 support checks
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Sometimes it's useful from shell scripts to check if we have a working
TPM2 chip around. For example, when putting together encrypted
credentials for the initrd (after all: it might be wise to place the
root pw in a credential for the initrd to consume, but do so only if we
can lock it to the TPM2, and not otherwise, so that we risk nothing).
Hence, let's add a new "systemd-creds has-tpm2" verb: it returns zero if we
have a working TPM2 (which means: supported by kernel + firmware + us),
or non-zero otherwise. Also show which parts are available.
Use-case: in future the 'kernel-install' script should use this when
deciding whether to augment kernels with security sensitive credentials.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
fallback for systems lacking TPM2
This is supposed to be useful when generating credentials for immutable
initrd environments, where it is is relevant to support credentials even
on systems lacking a TPM2 chip.
With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a
credential will be encrypted/signed with the TPM2 if it is available and
recognized by the firmware. Otherwise it will be encrypted/signed with
the fixed empty key, thus providing no confidentiality or authenticity.
The idea is that distributions use this mode to generically create
credentials that are as locked down as possible on the specific
platform.
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
determination
Previously, when encrypting creds you could pick which key to use for
this via a 128bit ID identifying the key type, and use an all zero ID
for rquesting automatic mode.
Let's change this to use an explicitly picked 128bit ID for automatic
mode, i.e. something other than all zeros. This is in preparation for
adding one further automatic mode with slightly different semantics.
no change in behaviour.
Note that the new 128bit id is never written to disk but only used
internally to indicate a specific case.
|
| |
|
|
|
| |
The env var is called $CREDENTIALS_DIRECTORY, not $CREDENTIALS_PATH. Fix
message about it accordingly.
|
| |
|
|
| |
This also avoids multiple evaluations in STRV_FOREACH_BACKWARDS()
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In general we almost never hit those asserts in production code, so users see
them very rarely, if ever. But either way, we just need something that users
can pass to the developers.
We have quite a few of those asserts, and some have fairly nice messages, but
many are like "WTF?" or "???" or "unexpected something". The error that is
printed includes the file location, and function name. In almost all functions
there's at most one assert, so the function name alone is enough to identify
the failure for a developer. So we don't get much extra from the message, and
we might just as well drop them.
Dropping them makes our code a tiny bit smaller, and most importantly, improves
development experience by making it easy to insert such an assert in the code
without thinking how to phrase the argument.
|
| |\
| |
| | |
Coverity fixes
|
| | |
| |
| |
| |
| |
| | |
IIUC, "auto" is the same as NULL. There is no need to strdup() anything.
Coverity CID#1458113.
|
| | |
| |
| |
| |
| | |
Coverity also thinks a leak happens here, CID #1458112.
This seems wrong, but let's add an assert, maybe that'll help.
|
| |/
|
|
| |
Yet another batch of Coccinelle fixes.
|
| |
|
