| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
Rework serialization of command lines in pid1 and make run not expand variables
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
__builtin_popcount() is a bit of a mouthful, so let's provide a helper.
Using _Generic has the advantage that if a type other then the ones on
the list is given, compilation will fail. This is nice, because if by any
change we pass a wider type, it is rejected immediately instead of being
truncated.
log.h is also needed. It is included transitively, but let's include it
directly.
macro.h is *not* needed.
|
|/
|
|
| |
Addresses https://github.com/systemd/systemd/pull/27254#discussion_r1165267046.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds back sd-boot builds by using meson compile targets directly.
We can do this now, because userspace binaries use the special
dependency that allows us to easily separate flags, so that we don't
pass anything to EFI builds that shouldn't be passed.
Additionally, we pass a bunch of flags to hopefully disable/override any
distro provided flags that should not be used for EFI binaries.
Fixes: #12275
|
|
|
|
|
|
|
| |
This drops all mentions of gnu-efi and its manual build machinery. A
future commit will bring bootloader builds back. A new bootloader meson
option is now used to control whether to build sd-boot and its userspace
tooling.
|
|
|
|
|
|
|
|
| |
These are provided by libc instead of the compiler and are not supposed
to be used in freestanding environments.
When cross-compiling with clang and the corresponding gcc
cross-toolchain is not around, clang may pick up the wrong header from
the host system.
|
|
|
|
| |
With gnu-efi headers gone, we don't need these guards anymore.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We want to get away from gnu-efi and the only really usable source of
EFI headers would be EDK2, which is somewhat impractical to use and
quite large to require to be around just for some headers.
As a bonus point, the new headers are safe to be included in userspace
code.
This should not have any behavior changes as it is mostly changing
header includes. There are some renames to conform to standard names
and a few minor device path fixups as the struct is defined slightly
different.
Of note is that this removes usage of uchar.h and wchar.h as they are
not guaranteed to be available in a freestanding environment. Instead
efi.h will provide the needed types.
|
|
|
|
|
|
| |
I tried to use DECLARE_FLEX_ARRAY like the kernel does, but it does not work
for anonymous structs (they cannot be declared inline), so an open-coded
version is used.
|
|
|
|
|
|
| |
The sha256 header uses size_t which is within stddef, so add it.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
| |
|
|
|
|
|
|
| |
clang puts the whole function signature in __PRETTY_FUNCTION__, which is
a bit excessive for something that can already be figured out by using
the line number.
|
|
|
|
|
|
|
|
|
| |
These options allow measuring the volume key used for unlocking the
volume to a TPM2 PCR. This is ideally used for the volume key of the
root file system and can then be used to bind other resources to the
root file system volume in a secure way.
See: #24503
|
| |
|
|
|
|
|
|
|
| |
We converted to not using #ifdef for most of our defines because the syntax is
nicer and we are protected against typos and can set -Werror=undef. Let's do
the same for SD_BOOT. The define is nicely hidden in build.h for normal builds,
and for EFI builds we were already setting SD_BOOT on the commandline.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Our HAVE_* variables are defined to 0 or 1, so '#if defined(HAVE_*)' is always true.
The variable is not defined when compiling for EFI though, so we need the
additional guard.
Fixup for 3f92dc2fd4070b213e6bc85263a9bef06ec9a486.
(I don't want to do something like add -DHAVE_EXPLICIT_BZERO=0 to the commandline
in src/efi/boot/meson.build, because this quite verbose. Our compilation commandlines
are very long already. Let's instead keep this localized in this one spot in the
source file.)x
|
|
|
|
|
|
|
|
| |
This erase_obj() machinery looks like voodoo and creates an awful lot of
noise as soon as we get back to building with -O0. We can do this in a
more simple way by introducing a struct that holds the information we
need on cleanup. When building with optimization enabled, all this gets
inlined and the eraser vanishes.
|
|
|
|
| |
It says remove in 2023; happy to oblige.
|
|
|
|
|
| |
Explicitly set __attribute__ ((noinline)) so that the compiler does not
attempt to inline expand_to_usable, even with LTO.
|
|
|
|
|
| |
We use this pattern all the time in order to thward extension attacks,
add a helper to make it shorter.
|
|
|
|
|
|
|
| |
If less than three parameters are passed a simple comparison is the
better choice.
Lo and behold this found two pretty bad typos.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
This drops the special casing for s390 and other archs, which was
cargo-culted from glibc. Given it's not obvious why it exists, and is at
best an optimization let's simply avoid it, in particular as the archs
are relatively non-mainstream.
Inspired by: #25636
|
|
|
|
|
| |
Let's generalize (and invert) the UNALIGNED32_P() macro from the sha256
code, and let's add a test for it.
|
| |
|
|
|
|
|
|
|
|
|
| |
unaligned-fundamental.h
Let's allow using this in code shared between userspace and EFI mode.
Also, don't implement these functions via endianness conversions given
we don't actually want to convert endianess here.
|
| |
|
|
|
|
|
|
|
|
|
| |
sd-stub has an opportunity to handle the seed the same way sd-boot does,
which would have benefits for UKIs when sd-boot is not in use. This
commit wires that up.
It refactors the XBOOTLDR partition discovery to also find the ESP
partition, so that it access the random seed there.
|
| |
|
|
|
|
|
|
|
|
|
| |
The CASE param would normally provide the operation for the compiler to
do in this macro magic. But in this case CASE_F_1 was hardcoding the
operation, making the parameter moot.
This just removes the somewhat pointless parameter instead of fixing
the one case. These macros are used for IN_SET case labels only and
not named generically anyways.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will now catch mistakes like this:
struct s {
int i:2;
} s = { 1 };
assert_se(IN_SET(s.i, ULLONG_MAX));
> warning: implicit conversion from 'unsigned long long' to
> 'typeof (+s.i)' (aka 'int') changes value from 18446744073709551615
> to -1 [-Wconstant-conversion]
|
|
|
|
|
|
|
|
|
| |
E.g.,
int job_frobnicate(Job *j) {
Unit *u = ASSERT_PTR(ASSERT_PTR(j)->unit);
...
}
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These aren't wired up yet to do anything useful. For now we just define
them.
This sections are supposed to carry a signature for expected
measurements on PCR 11 if this kernel is booted, in the JSON format
"systemd-measure sign" generates, and the public key used for the
signature.
The idea is to embedd the signature and the public key in unified
kernels and making them available to userspace, so that userspace can
easily access them and enroll (for which the public key is needed) or
unlock (for which the PCR signature is needed) LUKS2 volumes and
credentials that are bound to the currently used kernel version stream.
Why put these files in PE sections rather than just into simple files in
the initrd or into the host fs?
The signature cannot be in the initrd, since it is after all covering
the initrd, and thus the initrd as input for the calculation cannot
carry the result of the calculation. Putting the signature onto the root
fs sucks too, since we typically want to unlock the root fs with it,
hence it would be inaccessible for it's primary purpose then.
The public key could be in the initrd or in the root fs, there's no
technical restriction for that. However, I still think it's a good idea
to put it in a PE section as well, because this means the piece of code
that attaches the signature can also attach the public key easily in one
step, which is nice since it allows separating the roles of the
kernel/initrd/root fs builder, and the role of the signer, and the
former doesn't have to have knowledge about what the latter is going to
add to the image.
Note that the signature section is excluded from the TPM measurements
sd-stub does about its resource sections, since – as mentioned – it's
the expected output of the signing operation whose input are the
measurements, hence it cannot also be input to them. The public key
section is included in the measurements however.
|
| |
|
|
|
|
|
| |
This way we can specify a size with "static". All users use uint8_t
already, hence this comes at no price.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Report whether the devicetree + sort-key boot loader spec type #1
fields are supported, and whether the "@saved" pseudo-entry is
supported.
Strictly speaking, thes features have been added in versions that are
already released (250+), so by adding this those version even though
they support the features will be considered not supporting them, but
that should be OK (the opposite would be a problem though, i.e. if we'd
assume a boot loader had a feature it actually does not).
These three features are features relevant to userspace, as it allows
userspace to tweak/genereate BLS entries or set EFI vars correctly.
Other features (i.e. that have no impliciations to userspace) are not
reported.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
systemd-boot reports its features via the LoaderFeatures EFI variable.
Let's add something similar for stub features, given they have been
growing.
For starters only define four feature flags. One is a baseline feature
we pretty much always supported (see comment in code), two are features
added in one of the most recently released systemd version, and the
final one, is a feature we added a few commits ago.
This is useful for userspace to figure out what is supported and what
not.
|
|
|
|
|
| |
Le's share this code between userspace and uefispace. This is useful
later when pre-measuring expected PCRs from userspace.
|
|
|
|
| |
userspace and kernel space
|
|
|
|
|
|
|
|
|
| |
Objects without ObjectManager should not have
`org.freedesktop.DBus.ObjectManager` interface.
Object with ObjectManager should do.
Also added ASSERT_SE_NONNEG and ASSERT_NONNEG macros.
|
|
|
|
|
| |
For this one, we can actually just use __atomic_exchange_n since we
don't need the "compare" part of __atomic_compare_exchange_n.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NetworkManager takes systemd sources. It gets compiler warnings
related to _fallthrough_. They probably can also affect systemd
itself.
A) on RHEL-7, gcc 4.8.5-44.el7 we get:
../src/libnm-systemd-shared/src/fundamental/macro-fundamental.h:45:22: error: "__clang__" is not defined [-Werror=undef]
#if __GNUC__ >= 7 || __clang__
^
Presumably gcc older than 7 is supported, so fix this.
B) on Ubuntu 18.04, clang 1:6.0-41~exp5~ubuntu1 we get:
../src/libnm-systemd-core/src/libsystemd-network/sd-dhcp6-client.c:746:17: error: declaration does not declare anything [-Werror,-Wmissing-declarations]
_fallthrough_;
^
../src/libnm-systemd-shared/src/fundamental/macro-fundamental.h:46:25: note: expanded from macro '_fallthrough_'
# define _fallthrough_ __attribute__((__fallthrough__))
^
Granted, README comments that clang >= 10 is required. However,
parts of systemd build just fine with older clang. It seems unnecessary
to break this and the fix helps NetworkManager.
Fixes: c0f5d58c9ab7 ('meson: Document why -Wimplicit-fallthrough is not used with clang')
|
|
|
|
|
|
|
|
| |
We now have a local implementation in string-util-fundamental.c, but
it's useful at a lot of other places, hence let's give it a more
expressive name and share it across the tree.
Follow-up for: 8d9156660d6958c8d63b1d44692968f1b5d33920
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes the fundamental typedefs in favor of just using standard C
types. These are all used internally anyway and also do not do anything
special to warrant any redefinition to EFI types.
Even for BOOLEAN we can safely use stdbool. The defition from the EFI
specification is fully compatible, including making any other values
than 0/1 as undefined.
The exception is sd_char as those need to be char16_t. The typedef is
moved to string-util-fundamental.h instead.
|
|
|
|
|
|
| |
This also syncs the copyright blurb with current glibc sources. The
written by line does not appear in upstream, so it should be okay to
remove.
|