network: introduce IPv6StableSecretAddress= setting

Previously, IPv6LinkLocalAddressGenerationMode= is not set, then we
define the address generation mode based on the result of reading
stable_secret sysctl value. This makes the mode is determined by whether
a secret address is specified in the new setting.

Closes #19622.

5 files changed, 59 insertions, 12 deletions

diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf
index c1ee05a043..8601012123 100644
--- a/src/network/networkd-network-gperf.gperf
+++ b/src/network/networkd-network-gperf.gperf
@@ -97,6 +97,7 @@ Network.DHCP,                                config_parse_dhcp,
 Network.DHCPServer,                          config_parse_bool,                                        0,                             offsetof(Network, dhcp_server)
 Network.LinkLocalAddressing,                 config_parse_link_local_address_family,                   0,                             offsetof(Network, link_local)
 Network.IPv6LinkLocalAddressGenerationMode,  config_parse_ipv6_link_local_address_gen_mode,            0,                             offsetof(Network, ipv6ll_address_gen_mode)
+Network.IPv6StableSecretAddress,             config_parse_in_addr_non_null,                            AF_INET6,                      offsetof(Network, ipv6ll_stable_secret)
 Network.IPv4LLRoute,                         config_parse_bool,                                        0,                             offsetof(Network, ipv4ll_route)
 Network.DefaultRouteOnDevice,                config_parse_bool,                                        0,                             offsetof(Network, default_route_on_device)
 Network.IPv6Token,                           config_parse_address_generation_type,                     0,                             0
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index 4e4ae7b76b..011cb94462 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -175,6 +175,10 @@ int network_verify(Network *network) {
         if (network->ipv6ll_address_gen_mode == IPV6_LINK_LOCAL_ADDRESSS_GEN_MODE_NONE)
                 SET_FLAG(network->link_local, ADDRESS_FAMILY_IPV6, false);
 
+        if (in6_addr_is_set(&network->ipv6ll_stable_secret) &&
+            network->ipv6ll_address_gen_mode < 0)
+                network->ipv6ll_address_gen_mode = IPV6_LINK_LOCAL_ADDRESSS_GEN_MODE_STABLE_PRIVACY;
+
         /* IPMasquerade implies IPForward */
         network->ip_forward |= network->ip_masquerade;
 
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
index ce030d2661..341cf477ce 100644
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -209,6 +209,7 @@ struct Network {
         /* link local addressing support */
         AddressFamily link_local;
         IPv6LinkLocalAddressGenMode ipv6ll_address_gen_mode;
+        struct in6_addr ipv6ll_stable_secret;
         bool ipv4ll_route;
 
         /* IPv6 RA support */
diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
index e9269d36ef..1a16871b75 100644
--- a/src/network/networkd-setlink.c
+++ b/src/network/networkd-setlink.c
@@ -545,18 +545,10 @@ int link_request_to_set_addrgen_mode(Link *link) {
                 mode = IN6_ADDR_GEN_MODE_NONE;
         else if (link->network->ipv6ll_address_gen_mode >= 0)
                 mode = link->network->ipv6ll_address_gen_mode;
-        else {
-                r = sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL);
-                if (r < 0) {
-                        /* The file may not exist. And even if it exists, when stable_secret is unset,
-                         * reading the file fails with ENOMEM when read_full_virtual_file(), which uses
-                         * read() as the backend, and EIO when read_one_line_file() which uses fgetc(). */
-                        log_link_debug_errno(link, r, "Failed to read sysctl property stable_secret, ignoring: %m");
-
-                        mode = IN6_ADDR_GEN_MODE_EUI64;
-                } else
-                        mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
-        }
+        else if (in6_addr_is_set(&link->network->ipv6ll_stable_secret))
+                mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+        else
+                mode = IN6_ADDR_GEN_MODE_EUI64;
 
         r = link_request_set_link(link, SET_LINK_ADDRESS_GENERATION_MODE, link_set_addrgen_mode_handler, &req);
         if (r < 0)
diff --git a/src/network/networkd-sysctl.c b/src/network/networkd-sysctl.c
index ee5fe5f93d..e3e2c0c7a1 100644
--- a/src/network/networkd-sysctl.c
+++ b/src/network/networkd-sysctl.c
@@ -11,6 +11,9 @@
 #include "string-table.h"
 #include "sysctl-util.h"
 
+#define STABLE_SECRET_APP_ID_1 SD_ID128_MAKE(aa,05,1d,94,43,68,45,07,b9,73,f1,e8,e4,b7,34,52)
+#define STABLE_SECRET_APP_ID_2 SD_ID128_MAKE(52,c4,40,a0,9f,2f,48,58,a9,3a,f6,29,25,ba,7a,7d)
+
 static int link_update_ipv6_sysctl(Link *link) {
         assert(link);
 
@@ -202,6 +205,48 @@ int link_set_ipv6_mtu(Link *link) {
         return sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "mtu", link->network->ipv6_mtu);
 }
 
+static int link_set_ipv6ll_stable_secret(Link *link) {
+        _cleanup_free_ char *str = NULL;
+        struct in6_addr a;
+        int r;
+
+        assert(link);
+        assert(link->network);
+
+        if (link->network->ipv6ll_address_gen_mode != IPV6_LINK_LOCAL_ADDRESSS_GEN_MODE_STABLE_PRIVACY)
+                return 0;
+
+        if (in6_addr_is_set(&link->network->ipv6ll_stable_secret))
+                a = link->network->ipv6ll_stable_secret;
+        else {
+                sd_id128_t key;
+                le64_t v;
+
+                /* Generate a stable secret address from machine-ID and the interface name. */
+
+                r = sd_id128_get_machine_app_specific(STABLE_SECRET_APP_ID_1, &key);
+                if (r < 0)
+                        return log_link_debug_errno(link, r, "Failed to generate key: %m");
+
+                v = htole64(siphash24_string(link->ifname, key.bytes));
+                memcpy(a.s6_addr, &v, sizeof(v));
+
+                r = sd_id128_get_machine_app_specific(STABLE_SECRET_APP_ID_2, &key);
+                if (r < 0)
+                        return log_link_debug_errno(link, r, "Failed to generate key: %m");
+
+                v = htole64(siphash24_string(link->ifname, key.bytes));
+                assert_cc(sizeof(v) * 2 == sizeof(a.s6_addr));
+                memcpy(a.s6_addr + sizeof(v), &v, sizeof(v));
+        }
+
+        r = in6_addr_to_string(&a, &str);
+        if (r < 0)
+                return r;
+
+        return sysctl_write_ip_property(AF_INET6, link->ifname, "stable_secret", str);
+}
+
 static int link_set_ipv4_accept_local(Link *link) {
         assert(link);
 
@@ -273,6 +318,10 @@ int link_set_sysctl(Link *link) {
         if (r < 0)
                 log_link_warning_errno(link, r, "Cannot set IPv6 MTU, ignoring: %m");
 
+        r = link_set_ipv6ll_stable_secret(link);
+        if (r < 0)
+                log_link_warning_errno(link, r, "Cannot set stable secret address for IPv6 link local address: %m");
+
         r = link_set_ipv4_accept_local(link);
         if (r < 0)
                 log_link_warning_errno(link, r, "Cannot set IPv4 accept_local flag for interface, ignoring: %m");