| Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
|
|
|
|
Fixes the issue reported at https://github.com/systemd/systemd-centos-ci/pull/585#issuecomment-1385537641.
|
|
Takes a kernel image as argument. Prints details about the kernel.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
The command takes a kernel as argument and checks what kind of kernel
the image is. Returns one of uki, pe or unknown.
|
|
A pid can be recycled, but a pidfd is pinned. Add a new method that is safer
as it takes a pidfd as input.
Return not only the D-Bus object path, but also the unit id and the last
recorded invocation id, as they are both useful (especially the id, as
converting from a path object to a unit id from a script requires another
round-trip via D-Bus).
Note that the manager still tracks processes by pid, so theorethically this
is not fully error-proof, but on the other hand the method response is
synchronous and the manager is single-threaded, so once a call is being
processed the unit database will not change anyway. Once the manager
switches to use pidfds everywhere, this can be further hardened.
|
|
add Dell G16 series to use the mic mute hotkey.
|
|
|
|
|
|
|
|
Let's not leave the sector size unspecified: either set a user supplied
value, or auto-detect the right size by probing the disk image
accordingly.
|
|
GPT disk image
When we operate with DDIs with sector sizes != 512 we need to configure
the loopback device to match it, otherwise the image and the kernel
block device will disagree what things are.
Let's add a prober that tries to determine the sector size of a GPT DDI.
It does this by looking for the GPT partition table header at the
various byte offsets they must be located on, given a specific sector
size. It will try sector size 512, 1024, 2048 and 4096. Of these only
the 512 and 4096 really make sense IRL I guess, but let's be thorough.
|
|
If we attach a disk image to a loopback device the sector size of the
image must match the one of the loopback device, hence be more careful
here.
|
|
Just adds some typesafety and generates an error if the field is not
initialized in the block device yet.
|
|
The default (25s) doesn't seem to be enough in some cases (especially
in VMs without acceleration), causing spurious timeouts:
[ 174.297658] dbus-daemon[647]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.0' (uid=0 pid=645 comm="hostnamectl " label="kernel")
[ 184.202313] systemd[1]: systemd-update-utmp-runlevel.service: Consumed 1.253s CPU time.
[ 197.335422] systemd[1]: Started dbus.service.
[ 199.211468] testsuite-71.sh[639]: + assert_in 'Static hostname: H' ''
[ 199.347192] dbus-daemon[647]: [system] Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)
[ 199.394879] testsuite-71.sh[657]: + set +ex
[ 199.438918] testsuite-71.sh[657]: FAIL: 'Static hostname: H' not found in:
[ 200.966006] systemd-logind[631]: Watching system buttons on /dev/input/event0 (Power Button)
[ 201.008178] systemd-logind[631]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
[ 201.034106] systemd-logind[631]: New seat seat0.
[ 201.238267] sh[658]: + systemctl poweroff --no-block
[ 201.329890] systemd[1]: Starting systemd-hostnamed.service...
[ 202.156622] systemd[1]: systemd-update-utmp-runlevel.service: Deactivated successfully.
[ 204.818913] hostnamectl[645]: Failed to query system properties: Connection timed out
[ 205.195583] systemd[1]: testsuite-71.service: Main process exited, code=exited, status=1/FAILURE
[ 205.227237] systemd[1]: testsuite-71.service: Failed with result 'exit-code'.
[ 205.712780] systemd[1]: Failed to start testsuite-71.service.
|
|
Given that we already have the file descriptor opened for writing, it
would make sense to call fstatvfs with that file descriptor rather than
statvfs with the directory path that was used to open that descriptor.
|
|
|
|
Let's allow users to configure the (logical) sector size of their
image. This is required when building images for a 4k sector size
disk on a 512b sector size host or vice-versa.
|
|
|
|
This fixes 3e87a057a796b57bf9540b948823fbefef6693d7, which passed the
path to the wrong Print() call. Miraculously, this was printing the
correct path during testing and was therefore missed.
|
|
since we don't have systemd-pcrphase built anyway, which breaks the tests:
...
I: Attempting to install /usr/lib/systemd/systemd-networkd-wait-online (based on unit file reference)
I: Attempting to install /usr/lib/systemd/systemd-network-generator (based on unit file reference)
I: Attempting to install /usr/lib/systemd/systemd-oomd (based on unit file reference)
I: Attempting to install /usr/lib/systemd/systemd-pcrphase (based on unit file reference)
W: Failed to install '/usr/lib/systemd/systemd-pcrphase'
make: *** [Makefile:4: setup] Error 1
make: Leaving directory '/root/systemd/test/TEST-01-BASIC'
Follow-up to 04959faa632272a8fc9cdac3121b2e4af721c1b6.
|
|
|
|
|
|
|
|
|
|
|
|
measurements
Let's introduce a common implementation of a function that checks
whether we are booted on a kernel with systemd-stub that has TPM PCR
measurements enabled. Do our own userspace measurements only if we
detect that.
PCRs are scarce and most likely there are projects which already make
use of them in other ways. Hence, instead of blindly stepping into their
territory let's conditionalize things so that people have to explicitly
buy into our PCR assignments before we start measuring things into them.
Specifically bind everything to an UKI that reported measurements.
This was previously already implemented in systemd-pcrphase, but with
this change we expand this to all tools that process PCR measurement
settings.
The env var to override the check is renamed to SYSTEMD_FORCE_MEASURE,
to make it more generic (since we'll use it at multiple places now).
This is not a compat break, since the original env var for that was not
included in any stable release yet.
|
|
If we use gpt-auto-generator, automatically measure root fs and /var.
Otherwise, add x-systemd.measure option to request this.
|
|
The systemd-growfs@.service units are currently written in full for each
file system to grow. Which is kinda pointless given that (besides an
optional ordering dep) they contain always the same definition. Let's
fix that and add a static template for this logic, that the generator
simply instantiates (and adds an ordering dep for).
This mimics how systemd-fsck@.service is handled. Similar to the wait
that for root fs there's a special instance systemd-fsck-root.service
we also add a special instance systemd-growfs-root.service for the root
fs, since it has slightly different deps.
Fixes: #20788
See: #10014
|
|
if we want generators to instantiate a template service, we need to
teach generator_add_symlink() the concept.
Just some preparation for a later commit.
While we are at it, modernize the function around
path_extract_filename() + path_extract_directory()
|
|
We want PCR 15 to be useful for binding per-system policy to. Let's
measure the machine ID into it, to ensure that every OS we can
distinguish will get a different PCR (even if the root disk encryption
key is already measured into it).
|
|
See: #24503
|
|
let's enable PCR 15 measurements automatically if gpt-auto discovery is
used and systemd-stub is also used.
|
|
|
|
These options allow measuring the volume key used for unlocking the
volume to a TPM2 PCR. This is ideally used for the volume key of the
root file system and can then be used to bind other resources to the
root file system volume in a secure way.
See: #24503
|
|
sensitive data
When measuring data into a PCR we are supposed to hash the data on the
CPU and then pass the hash value over the wire to the TPM2. That's all
good as long as the data we intend to measure is not sensitive.
Let's be extra careful though if we want to measure sensitive data, for
example the root file system volume key. Instead of just hashing that
and passing it over the wire to the TPM2, let's do a HMAC signature
instead. It's also a hash operation, but should protect our secret
reasonably well and not leak direct information about it to wiretappers.
|
|
This way we can reuse it later outside of pcrphase
|
|
pcrphase and generalize it in tpm2-util.c
That way we can reuse it later from different places.
|
|
|
|
For some (corner) cases, it might be desirable to disable the generation of
some persistent storage symlinks that 60-persistent-storage.rules creates.
For example on big setups with a high number of partitions which uses the same
label name, this can result in a noticeable slow-down in the (re)start of the
udevd as there are many contenders for the symlink /dev/disk/by-partlabel.
However it's currently pretty hard to overwrite just some specific part of the
rule file. Indeed one need to copy and modify the whole rule file in /etc but
will lost any upcoming updates/fixes that the distro might release in the
future.
With this simple patch, one can now disable the generation of the
"by-partlabel" symlinks (for example) with the following single rule:
$ cat /etc/udev/rules.d/99-no-by-partlabel.rules
ENV{ID_PART_ENTRY_NAME}=="?*", SYMLINK-="disk/by-partlabel/$env{ID_PART_ENTRY_NAME}"
Closes #24607.
|
|
Currently, sd-dhcp-server accepts spurious client IDs, then the leases
exposed by networkd may be invalid. Let's make networkctl gracefully
show such leases.
Fixes #25984.
|
|
let's peek the type before we enter the variant, not after, so that we
can reuse it as-is, instead having to recombine it later.
Follow-up for: #26049
|
|
Fixes #25988.
|
|
Fixes a bug introduced by af2aea8bb64b0dc42ecbe5549216eb567681a803.
Fixes #25883 and #25891.
|
|
This part of the warning is annoying to look at not really true when
running inside of a VM.
|
|
This allows skipping secure boot enrollment wait time on other arches.
|
|
|
|
Let's use this new macro wherever it makes sense, as it allows us to
shorten or clean-up paths, and makes it less likely to miss a return
path.
|