| Commit message (Collapse) | Author | Age | Files | Lines |
Let's grab another so far unused PCR, and measure all sysext images into
it that we load from the ESP. Note that this is possibly partly redundant,
since sysext images should have dm-verity enabled, and that is hooked up
to IMA. However, measuring this explicitly has the benefit that we can
measure filenames too, easily, and that all without need for IMA or
anything like that.
This means: when booting a unified sd-stub kernel through sd-boot we'll
now have:
1. PCR 11: unified kernel image payload (i.e. kernel, initrd, boot
splash, dtb, osrelease)
2. PCR 12: kernel command line (i.e. the one embedded in the image, plus
optionally an overridden one) + any credential files picked up by
sd-stub
3. PCR 13: sysext images picked up by sd-stub
And each of these three PCRs should carry just the above, and start from
zero, thus be pre-calculatable.
Thus, all components and parameters of the OS boot process (i.e.
everything after the boot loader) are now nicely pre-calculable.
NOTE: this actually replaces previous measuring of the sysext images into
PCR 4. I added this back in 845707aae23b3129db635604edb95c4048a5922a,
following the train of thought, that sysext images for the initrd should
be measured like the initrd itself they are for, and according to my
thinking that would be a unified kernel which is measured by firmware
into PCR 4 like any other UEFI executables.
However, I think we should depart from that idea. First and foremost,
that makes it harder to pre-calculate PCR 4 (since we actually measured
quite incompatible records to the TPM event log), but also I think
there's great value in being able to write policies that bind to the
used sysexts independently of the earlier boot chain (i.e. shim, boot
loader, unified kernel), hence a separate PCR makes more sense.
Strictly speaking, this is a compatibility break, but I think one we can
get away with, simply because the initrd sysext images are currently not
picked up by systemd-sysext yet in the initrd, and because of that we
can be reasonably sure no one uses this yet, and hence relies on the PCR
register used. Hence, let's clean this up before people actually do
start relying on this.
PCR 11
Here we grab a new – on Linux so far unused (by my Googling skills, that
is) – PCR and measure all static components of the PE kernel image into it.
This is useful since for the first time we'll have a PCR that contains
only a PCR of the booted kernel, nothing else. That allows putting
together TPM policies that bind to a specific kernel (+ builtin initrd),
without having to have booted that kernel first. PCRs can be
pre-calculated. Yay!
You might wonder, why we measure just the discovered PE sections we are
about to use, instead of the whole PE image. That's because of the next
step I have in mind: PE images should also be able to carry an
additional section that contains a signature for its own expected,
pre-calculated PCR values. This signature data should then be passed
into the booted kernel and can be used there in TPM policies. Benefit:
TPM policies can now be bound to *signatures* of PCRs, instead of the
raw hash values themselves. This makes update management a *lot* easier,
as policies don't need to be updated whenever a kernel is updated, as
long as the signature is available. Now, if the PCR signature is
embedded in the kernel PE image it cannot be of a PCR hash of the kernel
PE image itself, because that would be a chicken-and-egg problem. Hence,
by only measuring the relevant payload sections (and that means
excluding the future section that will contain the PCR hash signature)
we avoid this problem, naturally.
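The pre-calculation that both the PCR 11/12/13 commit message above and this PCR 11 message rely on, as an added example that is not systemd's code. It models the TPM 2.0 PCR extend operation in Python and replays constructed records from a zeroed PCR, which is exactly what makes the values computable without booting. The section names, the measurement order, the record layout (file name, then content) and the `.pcrsig` section name are assumptions for illustration, not what sd-stub actually hashes; the sample image bytes are constructed. The last helper demonstrates the chicken-and-egg point: adding a signature section changes a whole-image digest but not a payload-sections-only PCR 11.

```python
import hashlib

PCR_SIZE = 32                      # SHA-256 bank
PCR_INITIAL = b"\x00" * PCR_SIZE   # PCRs 11-13 start from zero at boot

# Assumed: payload sections measured into PCR 11, in this order.  The
# hypothetical ".pcrsig" section (a signature over the expected PCR values)
# is deliberately not in this list, so its content cannot influence PCR 11.
PAYLOAD_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".splash", ".dtb")


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: PCR_new = H(PCR_old || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("extend expects SHA-256 sized inputs")
    return hashlib.sha256(pcr + digest).digest()


def precalculate_pcr(records: list[bytes]) -> bytes:
    """Replay measured records from a zeroed PCR, as an event-log replay does.

    Each record is hashed and the PCR extended with that hash.  Order matters:
    the same records in a different order give a different final value.
    """
    pcr = PCR_INITIAL
    for rec in records:
        pcr = pcr_extend(pcr, hashlib.sha256(rec).digest())
    return pcr


def expected_pcr11(sections: dict[str, bytes]) -> bytes:
    """PCR 11: only the payload sections the stub will use, nothing else."""
    return precalculate_pcr([sections[n] for n in PAYLOAD_SECTIONS if n in sections])


def expected_pcr12(cmdline: bytes, credentials: list[tuple[str, bytes]]) -> bytes:
    """PCR 12: the effective command line, then each credential file."""
    records = [cmdline]
    for name, content in credentials:
        records.append(name.encode())   # assumed: name measured as its own record
        records.append(content)
    return precalculate_pcr(records)


def expected_pcr13(sysexts: list[tuple[str, bytes]]) -> bytes:
    """PCR 13: every sysext image picked up from the ESP, file name included."""
    records = []
    for name, content in sysexts:
        records.append(name.encode())   # assumed record layout: name, then image
        records.append(content)
    return precalculate_pcr(records)


# Constructed sample image; real sections are megabytes of kernel and initrd.
SAMPLE_UKI = {
    ".linux": b"vmlinuz-bytes",
    ".osrel": b"ID=example\nVERSION_ID=1\n",
    ".cmdline": b"root=LABEL=root ro",
    ".initrd": b"initrd-cpio-bytes",
}


def signature_section_is_not_circular(sections: dict[str, bytes]) -> tuple[bool, bool]:
    """Why only payload sections are measured.

    Returns (payload_only_stable, whole_image_stable): whether embedding a
    signature section leaves the pre-calculated value unchanged when measuring
    payload sections only, and when measuring every section of the image.
    """
    before = expected_pcr11(sections)
    signed = {**sections, ".pcrsig": b"signature over " + before.hex().encode()}
    after = expected_pcr11(signed)

    whole_before = precalculate_pcr(list(sections.values()))
    whole_after = precalculate_pcr(list(signed.values()))
    return before == after, whole_before == whole_after


def policy_matches(expected: dict[int, bytes], quoted: dict[int, bytes]) -> bool:
    """A policy bound to pre-calculated PCRs: every expected PCR must match."""
    return all(quoted.get(idx) == val for idx, val in expected.items())


if __name__ == "__main__":
    pcr11 = expected_pcr11(SAMPLE_UKI)
    pcr12 = expected_pcr12(SAMPLE_UKI[".cmdline"], [("tpm2-key", b"credential-bytes")])
    pcr13 = expected_pcr13([("extra.raw", b"ext4-image-bytes")])
    print("PCR11", pcr11.hex())
    print("PCR12", pcr12.hex())
    print("PCR13", pcr13.hex())
    print("payload-only stable, whole-image stable:",
          signature_section_is_not_circular(SAMPLE_UKI))
```

A policy for PCR 11 would be bound to `expected_pcr11(...)` computed at build time rather than to a value read back after booting. The replay has to mirror the stub's measurement order and record format exactly, since any deviation yields a different value; the TPM event log is where to check which records were actually extended.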
line/credentials into
This is useful for userspace to know, so that policies can be put
together safely, matching what the stub actually measured.
The measurement calls can succeed either when they actually measured
something, or when they skipped measurement because the local system
didn't support TPMs.
Let's optionally return a boolean saying which case it is. This is later
useful to tell userspace how and if we measured something.
Fixes the IPv6LL issue in #23197.
Fixes IPv4LL issue reported in #23197.
And move it from networkd-link.[ch] to relevant files.
This should make gcc bpf compilation more reliable.
Current docs claim this must be done before gcry_check_version.
Passing a file as a command argument in string form assumes that
run_command has the current subdir as its cwd, but Meson's documentation
*explicitly* calls this out as undefined and wrong to use.
Indeed, muon has a different implementation that uses a different cwd,
and this argument cannot be found. Instead, passing a files() object
means that it's the job of meson itself to verify the file exists, then
pass it to the run_command in some format that guarantees it is a valid
path reference.
By default, gcrypt uses a userspace RNG; this is
the wrong thing (tm) to do on Linux.
Switch to the SYSTEM rng instead.
KubeVirt is currently technically based on KVM (but not Xen yet[1]).
The systemd-detect-virt command, used to differentiate the current
virtualization environment, works fine on x86 relying on CPUID, while it
fails to get the correct value (none instead of kvm) on aarch64.
Let's fix this by adding a new 'vendor[KubeVirt] = kvm' classification
considering the sys_vendor is always KubeVirt.
[1] https://groups.google.com/g/kubevirt-dev/c/C6cUgzTOsVg
Signed-off-by: Fei Li <lifei.shirley@bytedance.com>
Add --force flag to machinectl copy-[to|from]
machine: Add APIs CopyTo[Machine]WithFlags + CopyFrom[Machine]WithFlags
- Same API to those without `WithFlags` (except this can take flags)
- Initially, only a flag to allow replacing a file if it already exists
- Add a test that asserts that copy_tree on an existing file will fail without COPY_REPLACE
- Add a test that asserts that copy_tree with COPY_MERGE and COPY_REPLACE on an existing directory will overwrite files that already exist.
- Refactor: Move HardlinkContext to header file
- Refactor: Create `fd_copy_tree_generic` which isolates the functionality to check stat type and appropriately copy.
- Refactor: Create `fd_copy_leaf` which handles copying leaf nodes of a file tree.
resolve: mdns: fix use-after-free
Otherwise, if we have many cached entries or pending transactions with
TYPE_ANY, then dns_transaction_make_packet_mdns() fails with -EMSGSIZE.
This also fixes use-after-free.
Fixes #23894.
Fixes the following assertion:
---
Assertion 'r > 0' failed at src/resolve/resolved-mdns.c:180, function mdns_do_tiebreak(). Aborting.
---
This also fixes timeout in dns_transaction_make_packet_mdns(), which was
incremented multiple times.
Also, this makes regular mDNS queries be sent without delay (except for
one caused by the default accuracy of sd-event).
Note that RFC 6762 Section 5.2 is about continuous mDNS queries, which are
not implemented yet.
This reverts commit 127b26f3d8b589907ed75a34d34ab330995778f9.
The commit made mDNS queries quite unstable.
Note that RFC 6762 does not explicitly prohibit sending a request
multiple times.
Fixes #23843 and #23873.
The other variables are owned by the boot menu (i.e. sd-boot), we only
fill those in if it didn't do so for us (to support cases where our stub
kernel is directly invoked by UEFI). But StubInfo is genuinely about the
stub, hence let's simplify things and unconditionally set it from the
stub.
This will be useful in a later commit, when we add more stuff to the
common exit path. But even without that, it's a nice simplification,
removing redundant lines.
When running on images you don't want to modify the /tmp
directory even if it's writable, and often it will just
be read-only. Set PrivateTmp=yes.
Fixes https://github.com/systemd/systemd/issues/23592
core/mount: ignore -EACCES from mkdir_p_label() on NFS
This reverts commit e4de58c8231e47509ffeb3aa47620ca42f22d7f6.
If mkdir() fails and the path does exist, then the later mount
command fails anyway. Hence, it is not necessary to fail here.
Fixes #24120.
Fixes #24117.
Fixes #24114.
igo95862/fix-object-manager-interface-in-wrong-places
Fix ObjectManager interfaces for `GetManagedObjects`, `InterfacesAdded` and `InterfacesRemoved`
`org.freedesktop.DBus.ObjectManager` should only be emitted if the
object in question has an ObjectManager attached.
Objects without an ObjectManager should not have the
`org.freedesktop.DBus.ObjectManager` interface.
Objects with an ObjectManager should.
Also added ASSERT_SE_NONNEG and ASSERT_NONNEG macros.
Add `systemctl list-automounts`
Fixes: #6056