No changes in wording, let's just make a very long man page a bit more
digestible by adding sections, and then reordering settings to fit into
them.
|
Fixes #35176
|
Continuation of 4ebbb5bfe88ac3d793c395472648660c33251546.
Closes #35307.
|
This reverts commit 7a9d0abe4df81a020e2e457405f8509b2afb7c04.
|
This reverts commit 6046cc3660810efcc6fe50b1c850ea642218245b.
|
This page contains many short example codes. I do not think we should
add SPDX-License-Identifier for all codes.
Closes #35356.
|
Follow-up for #34909 and later PRs.
|
Closes #35307.
|
We have the same sections in the --help text, hence we even more so
should have them in the man page.
|
Follow-up for 85a1360ecffd8929151e09279ea62dedea364dfa.
|
Some ambiguity (e.g., same-named man pages in multiple volumes)
makes it impossible to fully automate this, but the following
Python snippet (run inside the man/ directory of the systemd repo)
helped to generate the sed command lines (which were subsequently
manually reviewed, run and the false positives reverted):

    from pathlib import Path

    import lxml
    from lxml import etree as ET

    # Map each systemd man page title to its volume number, and collect
    # the <citerefentry> elements found in each page.
    man2vol: dict[str, str] = {}
    man2citerefs: dict[str, list] = {}

    for file in Path(".").glob("*.xml"):
        tree = ET.parse(file, lxml.etree.XMLParser(recover=True))
        meta = tree.find("refmeta")
        if meta is not None:
            title = meta.findtext("refentrytitle")
            if title is not None:
                vol = meta.findtext("manvolnum")
                if vol is not None:
                    man2vol[title] = vol
                citerefs = list(tree.iter("citerefentry"))
                if citerefs:
                    man2citerefs[title] = citerefs

    # Emit a sed command for every reference whose volume number differs
    # from the one the referenced page declares.
    for man, refs in man2citerefs.items():
        for ref in refs:
            title = ref.findtext("refentrytitle")
            if title is not None:
                has = ref.findtext("manvolnum")
                try:
                    should_have = man2vol[title]
                except KeyError:  # Non-systemd man page reference? Ignore.
                    continue
                if has != should_have:
                    print(
                        f"sed -i '\\|<citerefentry><refentrytitle>{title}"
                        f"</refentrytitle><manvolnum>{has}</manvolnum>"
                        f"</citerefentry>|s|<manvolnum>{has}</manvolnum>|"
                        f"<manvolnum>{should_have}</manvolnum>|' {man}.xml"
                    )
|
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special purpose
tools.
Fixes #35087
|
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special
purpose tools.
Fixes #35087
|
In the troff output, this doesn't seem to make any difference. But in the
html output, the whitespace is sometimes preserved, creating an additional
gap before the following content. Drop it everywhere to avoid this.
|
This translates to --certificate-source=provider:<provider> for
signing tools invoked by ukify.
|
This verb writes a public key to stdout extracted from either a public key
path, from a certificate (path or provider) or from a private key (path,
engine, provider). We'll use this in ukify to get rid of the use of the
python cryptography module to convert a private key or certificate to a
public key.
|
This allows loading the X.509 certificate from an OpenSSL provider
instead of a file system path. This allows loading certificates directly
from hardware tokens instead of having to export them to a file on
disk first.
|
Follow-up for 5f163921e9ff6d735798db259c47543822f81b5c
|
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
  broken with the latest gnu-efi when built without -fshort-wchar and
  upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
  API.
- sbsigntools doesn't allow us to cache hardware token pins in the
  kernel keyring like we do nowadays when we sign stuff ourselves in
  systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
|
This verb checks that we can load the specified private key.
|
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
  broken with the latest gnu-efi when built without -fshort-wchar and
  upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
  API.
- sbsigntools doesn't allow us to cache hardware token pins in the
  kernel keyring like we do nowadays when we sign stuff ourselves in
  systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
|
We used both, in fact "Devicetree" was more common. But we have a general rule
that we capitalize all words in names and also we have a DeviceTree=
configuration setting, which we cannot change. If we use two different
spellings, this will make it harder for people to use the correct one in
config files. So use the "DeviceTree" spelling everywhere.
|
The text added for .dtbauto/.hwids was very hard to grok. This rewords it to be
proper English. No semantic changes are intended.
When updating this, I noticed that the interaction of multi-profile UKIs and
dtb autoselection is very unclear, a FIXME is added.
|
Follow-up for 4f5fabe7a39f046e0456eba07472df061e85c94e.
|
Follow-up for df8f9b88bd41320653fe1c51ea515a2d03a349df.
|
Both syntaxes work, but let's use one syntax for consistency.
Fixup for 0641ce809a27cc1bc358924c26770f19d1213ec1.
|
It's been a while, but systemd-measure doesn't need root, and
ukify has a more modern syntax.
|
Split out from #34158
|
These were forgotten during the initial conversion, probably because
most of them consisted only of a single entry.
Fix that.
|
Let's systematically make sure that we link up the D-Bus interfaces from
the daemon man pages once in prose and once in short form at the bottom
("See Also"), for all daemons.
Also, add reverse links at the bottom of the D-Bus API docs.
Fixes: #34996
|