path: root/src
Commit message | Author | Age | Files | Lines
* sd-stub: measure sysext images picked up by sd-stub into PCR 13 | Lennart Poettering | 2022-08-02 | 2 files | -15/+18

    Let's grab another so far unused PCR, and measure all sysext images into it that we load from the ESP.

    Note that this is possibly partly redundant, since sysext images should have dm-verity enabled, and that is hooked up to IMA. However, measuring this explicitly has the benefit that we can measure filenames too, easily, and that all without need for IMA or anything like that.

    This means: when booting a unified sd-stub kernel through sd-boot we'll now have:

    1. PCR 11: unified kernel image payload (i.e. kernel, initrd, boot splash, dtb, osrelease)
    2. PCR 12: kernel command line (i.e. the one embedded in the image, plus optionally an overridden one) + any credential files picked up by sd-stub
    3. PCR 13: sysext images picked up by sd-stub

    And each of these three PCRs should carry just the above, and start from zero, thus be pre-calculatable. Thus, all components and parameters of the OS boot process (i.e. everything after the boot loader) are now nicely pre-calculable.

    NOTE: this actually replaces previous measuring of the sysext images into PCR 4. I added this back in 845707aae23b3129db635604edb95c4048a5922a, following the train of thought, that sysext images for the initrd should be measured like the initrd itself they are for, and according to my thinking that would be a unified kernel which is measured by firmware into PCR 4 like any other UEFI executables. However, I think we should depart from that idea. First and foremost that makes it harder to pre-calculate PCR 4 (since we actually measured quite incompatible records to the TPM event log), but also I think there's great value in being able to write policies that bind to the used sysexts independently of the earlier boot chain (i.e. shim, boot loader, unified kernel), hence a separate PCR makes more sense.

    Strictly speaking, this is a compatibility break, but I think one we can get away with, simply because the initrd sysext images are currently not picked up by systemd-sysext yet in the initrd, and because of that we can be reasonably sure no one uses this yet, and hence relies on the PCR register used. Hence, let's clean this up before people actually do start relying on this.
* stub: measure PE sections in a defined order, and include all sections | Lennart Poettering | 2022-08-02 | 1 file | -2/+5
* efi: from the stub measure the ELF kernel + built-in initrd and so on into PCR 11 | Lennart Poettering | 2022-08-02 | 2 files | -2/+43

    Here we grab a new – on Linux so far unused (by my Googling skills, that is) – and measure all static components of the PE kernel image into. This is useful since for the first time we'll have a PCR that contains only a PCR of the booted kernel, nothing else. That allows putting together TPM policies that bind to a specific kernel (+ builtin initrd), without having to have booted that kernel first. PCRs can be pre-calculated. Yay!

    You might wonder, why we measure just the discovered PE sections we are about to use, instead of the whole PE image. That's because of the next step I have in mind: PE images should also be able to carry an additional section that contains a signature for its own expected, pre-calculated PCR values. This signature data should then be passed into the booted kernel and can be used there in TPM policies. Benefit: TPM policies can now be bound to *signatures* of PCRs, instead of the raw hash values themselves. This makes update management a *lot* easier, as policies don't need to be updated whenever a kernel is updated, as long as the signature is available.

    Now, if the PCR signature is embedded in the kernel PE image it cannot be of a PCR hash of the kernel PE image itself, because that would be a chicken-and-egg problem. Hence, by only measuring the relevant payload sections (and that means excluding the future section that will contain the PCR hash signature) we avoid this problem, naturally.
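The two commit messages above (PCR 13 for sysexts, PCR 11 for the PE payload sections, with PCR 12 for command line and credentials) rest on one property: a PCR that starts at zero and receives a known, ordered list of measurements can be computed ahead of time, so a TPM policy can be bound to a kernel before it has ever booted. The example below is added here to make that concrete; it is not systemd code and does not reproduce sd-stub's event format. It assumes a SHA-256 PCR bank, that each measured item enters the PCR as the SHA-256 of the whole blob, that the command line is measured before the credential files, and that the PE section order shown is merely illustrative (the "defined order" commit above fixes a real order, which this page does not state). All sample inputs are constructed.

```python
"""Pre-calculate the sd-stub PCRs described above and replay an event log.

Added example, not systemd code.  Assumptions (not stated on the page):
  * SHA-256 bank; every PCR starts at 32 zero bytes;
  * each measured item is hashed as one blob and that digest is extended;
  * PCR 12 receives the command line first, then each credential file;
  * the PE section order in the sample is illustrative only.
"""
import hashlib
from typing import Dict, Iterable, List, Sequence, Tuple

PCR_KERNEL = 11          # unified kernel payload sections
PCR_CMDLINE_CREDS = 12   # kernel command line + credential files
PCR_SYSEXT = 13          # sysext images loaded from the ESP
ZERO_PCR = bytes(32)


def event_digest(blob: bytes) -> bytes:
    """Digest of one measured item (assumption: the whole blob is hashed)."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR_Extend on a SHA-256 bank: new = SHA256(old || digest)."""
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 bank expects a 32-byte PCR and digest")
    return hashlib.sha256(pcr + digest).digest()


def precalc_pcr(items: Iterable[bytes]) -> bytes:
    """Replay an ordered list of measured blobs into a PCR that starts at zero.

    Extend is order-dependent, so the list must follow the order the stub
    measures in; swapping two items yields a different PCR value.
    """
    pcr = ZERO_PCR
    for blob in items:
        pcr = pcr_extend(pcr, event_digest(blob))
    return pcr


def predict_stub_pcrs(sections: Sequence[Tuple[str, bytes]],
                      cmdline: bytes,
                      credentials: Sequence[bytes],
                      sysexts: Sequence[bytes]) -> Dict[int, bytes]:
    """Expected PCR 11/12/13 values for one unified kernel image.

    `sections` is the ordered (name, data) list the stub would measure;
    the name is informational here (assumption: only data enters the digest).
    """
    return {
        PCR_KERNEL: precalc_pcr(data for _name, data in sections),
        PCR_CMDLINE_CREDS: precalc_pcr([cmdline, *credentials]),
        PCR_SYSEXT: precalc_pcr(sysexts),
    }


def replay_event_log(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute PCRs from (pcr_index, event_digest) records.

    This is what a TPM event-log replay does; comparing the result with the
    live PCR bank shows whether the log is consistent with the TPM.
    """
    pcrs: Dict[int, bytes] = {}
    for index, digest in events:
        pcrs[index] = pcr_extend(pcrs.get(index, ZERO_PCR), digest)
    return pcrs


def mismatched_pcrs(expected: Dict[int, bytes],
                    actual: Dict[int, bytes]) -> List[int]:
    """PCR indices at which a policy bound to `expected` would not be met."""
    return sorted(i for i, v in expected.items() if actual.get(i) != v)


# Constructed sample input standing in for real UKI sections, cmdline, etc.
SAMPLE_SECTIONS = [(".linux", b"vmlinuz bytes"),
                   (".initrd", b"initrd cpio bytes"),
                   (".osrel", b"ID=example\n")]
SAMPLE_CMDLINE = b"root=/dev/vda2 ro"
SAMPLE_CREDS = [b"credential file bytes"]
SAMPLE_SYSEXTS = [b"tools.raw bytes"]

if __name__ == "__main__":
    expected = predict_stub_pcrs(SAMPLE_SECTIONS, SAMPLE_CMDLINE,
                                 SAMPLE_CREDS, SAMPLE_SYSEXTS)
    for idx in (PCR_KERNEL, PCR_CMDLINE_CREDS, PCR_SYSEXT):
        print(f"PCR {idx}: {expected[idx].hex()}")
    # An overridden command line moves PCR 12 only; 11 and 13 stay bound.
    tampered = predict_stub_pcrs(SAMPLE_SECTIONS,
                                 b"root=/dev/vda2 ro init=/bin/sh",
                                 SAMPLE_CREDS, SAMPLE_SYSEXTS)
    print("mismatched PCRs:", mismatched_pcrs(expected, tampered))
```

The practical point is the separation the commits argue for: because each of the three PCRs starts at zero and holds only its own class of input, a policy on PCR 11 keeps matching when the sysext set or the command line changes, and a changed command line shows up as a mismatch on PCR 12 alone. To bind to a real image, feed the actual section contents and measurement order that the stub uses instead of the constructed samples.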
* efi: tell userspace where the stub measured the kernel command line/credentials into | Lennart Poettering | 2022-08-02 | 3 files | -29/+61

    This is useful for userspace to know, so that policies can be put together safely, matching what the stub actually measured.

* efi: optionally report when measuring to TPM whether we actually did | Lennart Poettering | 2022-08-02 | 5 files | -21/+69

    The measurement calls can succeed either when they actually measured something, or when they skipped measurement because the local system didn't support TPMs. Let's optionally return a boolean saying which case it is. This is later useful to tell userspace how and if we measured something.
* network: make link_may_have_ipv6ll() optionally check Multicast= setting | Yu Watanabe | 2022-08-02 | 6 files | -7/+9

    Fixes the IPv6LL issue in #23197.

* network: fix possible NULL-pointer dereference | Yu Watanabe | 2022-08-02 | 1 file | -2/+5

* network: do not try to start ipv4acd on non-supported interfaces | Yu Watanabe | 2022-08-02 | 1 file | -1/+1

    Fixes IPv4LL issue reported in #23197.

* network: split link_ipv4ll_enabled() into two | Yu Watanabe | 2022-08-02 | 6 files | -39/+49

    And move it from networkd-link.[ch] to relevant files.

* network: drop doubled semicolon | Yu Watanabe | 2022-08-02 | 1 file | -2/+2

* tree-wide: fix typo | Yu Watanabe | 2022-08-02 | 4 files | -4/+4
* bpf: set gcc std and compile flags | James Hilliard | 2022-08-01 | 1 file | -0/+3

    This should make gcc bpf compilation more reliable.

* gcrypt: switch to system rng before gcry_check_version (#24162) | Cristian Rodríguez | 2022-08-01 | 1 file | -1/+1

    Current docs claim this must be done before gcry_check_version.

* meson: use files in run_command with relativized path | Eli Schwartz | 2022-07-30 | 1 file | -1/+1

    Passing a file as a command argument in string form assumes that run_command has the current subdir as its cwd, but Meson's documentation *explicitly* calls this out as undefined and wrong to use. Indeed, muon has a different implementation that uses a different cwd, and this argument cannot be found.

    Instead, passing a files() object means that it's the job of meson itself to verify the file exists, then pass it to the run_command in some format that guarantees it is a valid path reference.

* gcrypt: prefer the OS RNG | Cristian Rodríguez | 2022-07-29 | 1 file | -0/+2

    By default, gcrypt defaults to a userspace RNG, this is the wrong thing (tm) to do on linux. Switch to the SYSTEM rng instead.

* virt: detect KubeVirt instance | Fei Li | 2022-07-29 | 1 file | -0/+1

    Kubevirt is currently technically based on KVM (but not xen yet[1]). The systemd-detect-virt command, used to differentiate the current virtualization environment, works fine on x86 relying on CPUID, while it fails to get the correct value (none instead of kvm) on aarch64. Let's fix this by adding a new 'vendor[KubeVirt] = kvm' classification considering the sys_vendor is always KubeVirt.

    [1] https://groups.google.com/g/kubevirt-dev/c/C6cUgzTOsVg

    Signed-off-by: Fei Li <lifei.shirley@bytedance.com>
* Merge pull request #24080 from rdtscp/feature/machinectl/copy-force-flag | Daan De Meyer | 2022-07-28 | 6 files | -24/+206

    Add --force flag to machinectl copy-[to|from]

  * machinectl: Add plumbing for a `--force` flag for file copy | Alexander Wilson | 2022-07-27 | 4 files | -1/+54

    machine: Add APIs CopyTo[Machine]WithFlags + CopyFrom[Machine]WithFlags
    - Same API to those without `WithFlags` (except this can take flags)
    - Initially, only a flag to allow replacing a file if it already exists

  * copy: Respect COPY_REPLACE flag for copy_tree | Alexander Wilson | 2022-07-27 | 2 files | -2/+79

    - Add a test that asserts that copy_tree on an existing file will fail without COPY_REPLACE
    - Add a test that asserts that copy_tree with COPY_MERGE and COPY_REPLACE on an existing directory will overwrite files that already exist.

  * copy.[ch]: Refactor | Alexander Wilson | 2022-07-27 | 1 file | -23/+75

    - Refactor: Move HardlinkContext to header file
    - Refactor: Create `fd_copy_tree_generic` which isolates the functionality to check stat type and appropriately copy.
    - Refactor: Create `fd_copy_leaf` which handles copying leaf nodes of a file tree.
* Merge pull request #23875 from yuwata/resolve-mdns-fix-use-after-free | Luca Boccassi | 2022-07-27 | 6 files | -158/+214

    resolve: mdns: fix use-after-free

  * resolve: mdns: calculate required packet size to store questions and authorities | Yu Watanabe | 2022-07-09 | 3 files | -61/+131

    Otherwise, if we have many cached entries or pending transactions with TYPE_ANY, then dns_transaction_make_packet_mdns() fails with -EMSGSIZE.

    This also fixes use-after-free.

    Fixes #23894.

  * resolve: do not trigger assertions on invalid query | Yu Watanabe | 2022-07-09 | 2 files | -2/+5

  * resolve: mdns_packet_extract_matching_rrs() may return 0 | Yu Watanabe | 2022-07-09 | 1 file | -2/+0

    Fixes the following assertion:
    ---
    Assertion 'r > 0' failed at src/resolve/resolved-mdns.c:180, function mdns_do_tiebreak(). Aborting.
    ---

  * resolve: shorten code a bit | Yu Watanabe | 2022-07-09 | 1 file | -2/+2

  * resolve: introduce dns_transaction_setup_timeout() | Yu Watanabe | 2022-07-09 | 1 file | -40/+33

    This also fixes timeout in dns_transaction_make_packet_mdns(), which was incremented multiple times.

  * resolve: fix misuse of accuracy parameter in sd_event_add_time() | Yu Watanabe | 2022-07-09 | 3 files | -18/+13

    Also, this makes mDNS regular queries sent without delay (except for one caused by the default accuracy of sd-event).

    Note, RFC 6762 Section 5.2 is about continuous mDNS query, which is not implemented yet.

  * resolve: drop unnecessary else, and add short comment | Yu Watanabe | 2022-07-09 | 1 file | -3/+4

  * Revert "resolve: mDNS transaction max attempts fix" | Yu Watanabe | 2022-07-09 | 2 files | -29/+9

    This reverts commit 127b26f3d8b589907ed75a34d34ab330995778f9.

    The commit made mDNS queries quite unstable.

    Note that, RFC 6762 does not explicitly prohibit to send a request multiple times.

  * resolve: mdns: fix use-after-free | Yu Watanabe | 2022-07-09 | 1 file | -5/+21

    Fixes #23843 and #23873.
* Use correct option name in error message | Janis Goldschmidt | 2022-07-27 | 1 file | -1/+1

* stub: override StubInfo EFI variable unconditionally, since *we* own it | Lennart Poettering | 2022-07-27 | 1 file | -3/+3

    The other variables are owned by the boot menu (i.e. sd-boot), we only fill those in if it didn't do so for us (to support cases where our stub kernel is directly invoked by UEFI). But StubInfo is genuinely about the stub, hence let's simplify things and unconditionally set it from the stub.

* boot: introduce common shortcut exit path in pack_cpio() | Lennart Poettering | 2022-07-27 | 1 file | -20/+14

    This will be useful in a later commit, when we add more stuff to the common exit path. But even without that, it's a nice simplification, removing redundant lines.

* portable: set PrivateTmp=yes in trusted profile too | Luca Boccassi | 2022-07-26 | 1 file | -1/+2

    When running on images you don't want to modify the /tmp directory even if it's writable, and often it will just be read-only. Set PrivateTmp=yes.

    Fixes https://github.com/systemd/systemd/issues/23592
* Merge pull request #24122 from yuwata/core-mount-bind-mount-on-nfs | Luca Boccassi | 2022-07-26 | 1 file | -5/+7

    core/mount: ignore -EACCES from mkdir_p_label() on NFS

  * core/mount: downgrade log level about several mkdir failures | Yu Watanabe | 2022-07-27 | 1 file | -2/+6

  * Revert "core/mount: fail early if directory cannot be created" | Yu Watanabe | 2022-07-27 | 1 file | -3/+1

    This reverts commit e4de58c8231e47509ffeb3aa47620ca42f22d7f6.

    If mkdir() fails and the path does exist, then the later mount command fails anyway. Hence, it is not necessary to fail here.

    Fixes #24120.

* efi: update measure.h comments a bit | Lennart Poettering | 2022-07-26 | 1 file | -2/+2

* home: drop conflicted headers | Yu Watanabe | 2022-07-26 | 5 files | -2/+14

    Fixes #24117.

* homed: fix dbus node enumerator | Yu Watanabe | 2022-07-26 | 1 file | -0/+2

    Fixes #24114.
* Merge pull request #23702 from igo95862/fix-object-manager-interface-in-wrong-places | Lennart Poettering | 2022-07-26 | 3 files | -20/+159

    Fix ObjectManager interfaces for `GetManagedObjects`, `InterfacesAdded` and `InterfacesRemoved`

  * Fix ObjectManager interface emitted for non-manager objects | igo95862 | 2022-07-25 | 1 file | -15/+29

  * test-bus-objects: Test interfaces added/removed signal interfaces | igo95862 | 2022-07-25 | 1 file | -0/+67

    `org.freedesktop.DBus.ObjectManager` should only be emitted if object in question has ObjectManager attached.

  * Fix GetManagedObjects returning ObjectManager interface for non-manager objects | igo95862 | 2022-07-25 | 1 file | -5/+14

  * test-bus-objects: Test GetManagedObjects interfaces are correct | igo95862 | 2022-07-25 | 2 files | -0/+49

    Objects without ObjectManager should not have `org.freedesktop.DBus.ObjectManager` interface. Object with ObjectManager should do.

    Also added ASSERT_SE_NONNEG and ASSERT_NONNEG macros.

* Merge pull request #24033 from dtardon/list-automounts | Luca Boccassi | 2022-07-25 | 3 files | -62/+238

    Add `systemctl list-automounts`

  * systemctl: add list-automounts verb | David Tardon | 2022-07-25 | 3 files | -0/+188

    Fixes: #6056

  * systemctl: simplify var. definition a bit | David Tardon | 2022-07-25 | 1 file | -5/+3

  * systemctl: extract output of legend to a function | David Tardon | 2022-07-25 | 1 file | -20/+17

  * systemctl: drop unneeded condition | David Tardon | 2022-07-25 | 1 file | -32/+32