| Commit message | Author | Age | Files | Lines |
|
| |
We currently have a convoluted and complex selection of which random
numbers to use. We can simplify this down to two functions that cover
all of our use cases:
1) Randomness for crypto: this one needs to wait until the RNG is
initialized. So it uses getrandom(0). If that's not available, it
polls on /dev/random, and then reads from /dev/urandom. This function
returns whether or not it was successful, as before.
2) Randomness for other things: this one uses getrandom(GRND_INSECURE).
If it's not available it uses getrandom(GRND_NONBLOCK). And if that
would block, then it falls back to /dev/urandom. And if /dev/urandom
isn't available, it uses the fallback code. It never fails and
doesn't return a value.
These two cases match all the uses of randomness inside of systemd.
I would prefer to make both of these return void, and get rid of the
fallback code, and simply assert in the incredibly unlikely case that
/dev/urandom doesn't exist. But Luca disagrees, so this commit attempts
to instead keep case (1) returning a return value, which all the callers
already check, and fix the fallback code in (2) to be less bad than
before.
For the less bad fallback code for (2), we now use auxval and some
timestamps, together with various counters representing the invocation,
hash it all together and provide the output. Provided that AT_RANDOM is
secure, this construction is probably okay too, though notably it
doesn't have any forward secrecy. Fortunately, it's only used by
random_bytes() and not by crypto_random_bytes().
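The two-function split described in this commit message, as an added example written for this page (not systemd's own code, which lives in src/basic/random-util.c): crypto_random_bytes() follows chain (1), getrandom(0), then polling /dev/random and reading /dev/urandom, and reports failure; random_bytes() follows chain (2), GRND_INSECURE, GRND_NONBLOCK, /dev/urandom, then a last-resort mix of AT_RANDOM, clocks and a counter, and never fails. The mixing function in the fallback is a splitmix64 stand-in, not the hash systemd uses, and the flag/errno handling is this example's own reading of the message.

```c
/* Added example, not systemd's own code: the two-function split described
 * above. crypto_random_bytes() may fail; random_bytes() never does. The mixer
 * in the last-resort path is a splitmix64 stand-in, not systemd's own hash. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdint.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/random.h>
#include <time.h>
#include <unistd.h>
#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004  /* Linux 5.6+; older kernels answer EINVAL */
#endif

/* Read exactly n bytes from a device node. Returns 0 or a negative errno. */
static int read_full(const char *path, uint8_t *p, size_t n) {
        int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOCTTY);
        if (fd < 0) return -errno;
        while (n > 0) {
                ssize_t l = read(fd, p, n);
                if (l < 0 && errno == EINTR) continue;
                if (l <= 0) { int r = l < 0 ? -errno : -EIO; close(fd); return r; }
                p += l, n -= (size_t) l;
        }
        close(fd);
        return 0;
}

/* Case (1): getrandom(0) blocks until the pool is initialized. Without the
 * syscall, wait until /dev/random is readable, then read /dev/urandom. */
int crypto_random_bytes(void *buf, size_t n) {
        uint8_t *p = buf;
        while (n > 0) {
                ssize_t l = getrandom(p, n, 0);
                if (l < 0) { if (errno == EINTR) continue; if (errno == ENOSYS) break; return -errno; }
                p += l, n -= (size_t) l;
        }
        if (n == 0) return 0;
        int fd = open("/dev/random", O_RDONLY | O_CLOEXEC | O_NOCTTY);
        if (fd < 0) return -errno;
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int r; do r = poll(&pfd, 1, -1); while (r < 0 && errno == EINTR);
        r = r < 0 ? -errno : 0;
        close(fd);
        return r < 0 ? r : read_full("/dev/urandom", p, n);
}

/* Last resort for case (2): mix AT_RANDOM, two clocks, the pid and a counter.
 * No forward secrecy: whoever learns these inputs can recompute every output. */
static uint64_t mix64(uint64_t x) {  /* splitmix64 finalizer, a bijection */
        x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
        x ^= x >> 27; x *= 0x94d049bb133111ebULL;
        return x ^ (x >> 31);
}

static void fallback_random_bytes(uint8_t *p, size_t n) {
        static uint64_t counter;
        const uint8_t *ar = (const uint8_t *) getauxval(AT_RANDOM);  /* 16 bytes or NULL */
        uint64_t a = 0, b = 0, s; struct timespec ts;
        if (ar) memcpy(&a, ar, 8), memcpy(&b, ar + 8, 8);
        clock_gettime(CLOCK_REALTIME, &ts);
        s = mix64(a ^ (uint64_t) ts.tv_sec ^ ((uint64_t) ts.tv_nsec << 32));
        clock_gettime(CLOCK_MONOTONIC, &ts);
        s = mix64(s ^ b ^ (uint64_t) ts.tv_nsec ^ ((uint64_t) getpid() << 40));
        s = mix64(s ^ ++counter);  /* keeps back-to-back calls from repeating */
        for (size_t i = 0; i < n; i += 8) {
                s = mix64(s + 0x9e3779b97f4a7c15ULL);
                memcpy(p + i, &s, n - i < 8 ? n - i : 8);
        }
}

/* Case (2): GRND_INSECURE; GRND_NONBLOCK on kernels that reject the flag;
 * /dev/urandom if that would block (EAGAIN); the fallback if even that fails. */
void random_bytes(void *buf, size_t n) {
        uint8_t *p = buf;
        unsigned flags = GRND_INSECURE;
        while (n > 0) {
                ssize_t l = getrandom(p, n, flags);
                if (l < 0 && errno == EINTR) continue;
                if (l < 0 && errno == EINVAL && flags == GRND_INSECURE) { flags = GRND_NONBLOCK; continue; }
                if (l < 0) break;  /* EAGAIN, ENOSYS, ...: fall through */
                p += l, n -= (size_t) l;
        }
        if (n > 0 && read_full("/dev/urandom", p, n) < 0)
                fallback_random_bytes(p, n);
}

/* Self-check: both paths fill their buffers and two fallback calls differ. */
int random_selftest(void) {
        uint8_t a[32] = {0}, b[32] = {0}, c[32], d[32];
        if (crypto_random_bytes(a, sizeof a) != 0) return 0;
        random_bytes(b, sizeof b);
        fallback_random_bytes(c, sizeof c);
        fallback_random_bytes(d, sizeof d);
        return memcmp(a, b, 32) != 0 && memcmp(c, d, 32) != 0;
}
```

The point worth checking in any such implementation is which errno moves you down the chain: EINTR retries, EINVAL means the kernel predates GRND_INSECURE, EAGAIN means GRND_NONBLOCK would have blocked, and only ENOSYS means there is no getrandom() at all. Anything that ends up in the last-resort mixer is fine for hash seeds and retry jitter, and not for keys.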
|
| |
No actual code changes, just splitting out of some dev_t handling
related calls from stat-util.[ch], they are quite a number already, and
deserve their own module now I think.
Also, try to settle on the name "devnum" as the name for the concept,
instead of "devno" or "dev" or "devid". "devnum" is the name exported in
udev APIs, hence probably best to stick to that. (this just renames a
few symbols to "devnum", local variables are left untouched, to make the
patch not too invasive)
No actual code changes.
|
| |
Then, we can safely open devices even if symlinks are not yet created by udevd.
|
| |
Follow-up for 31cf58864d3f437c7e3f0497df0fef85130f159d.
|
|\
| |
| |
| |
| | |
keszybz/fix-detection-of-libsystemd-shared-with-suffix
Fix detection of libsystemd-shared with suffix
|
| |
| | |
This is a high-level function, and it belongs in libsystemd-shared. This way we
don't end up linking a separate copy into various binaries. It would even end
up in libsystemd, where it is not needed. (Maybe it'd be removed in some
optimization phase, but it's better to not rely on that.)
$ grep -l -r -a 'path is not absolute%s' build/
build/libnss_systemd.so.2
build/pam_systemd_home.so
build/test-dlopen
build/src/basic/libbasic.a.p/path-util.c.o
build/src/basic/libbasic.a
build/src/shared/libsystemd-shared-249.so
build/test-bus-error
build/libnss_mymachines.so.2
build/pam_systemd.so
build/libnss_resolve.so.2
build/libnss_myhostname.so.2
build/libsystemd.so.0.32.0
build/libudev.so.1.7.2
$ grep -l -r -a 'path is not absolute%s' build/
build/src/shared/libsystemd-shared-251.a.p/parse-helpers.c.o
build/src/shared/libsystemd-shared-251.a
build/src/shared/libsystemd-shared-251.so
No functional change.
|
|/ |
|
| |
|
| |
|
| |
Same idea as 03677889f0ef42cdc534bf3b31265a054b20a354.
No functional change intended. The type of the iterator is generally changed to
be 'const char*' instead of 'char*'. Despite the type commonly used, modifying
the string was not allowed.
I adjusted the naming of some short variables for clarity and reduced the scope
of some variable declarations in code that was being touched anyway.
|
| |
This also avoids multiple evaluations in STRV_FOREACH_BACKWARDS()
|
| |
|
| |
|
| |
Follow-up for 6626ea08f6db3c050b5e05fa760cf0e371862173.
|
| |
|
| |
Add support for PIN enrollment with TPM2. A new "tpm2-pin" field is
introduced into metadata to signal that the policy needs to include a
PIN.
v2: fix tpm2_make_luks2_json in sd-repart
|
| |
Modify TPM2 authentication policy to optionally include an authValue, i.e.
a password/PIN. We use the "PIN" terminology since it's used by other
systems such as Windows, even though the PIN is not necessarily numeric.
The pin is hashed via SHA256 to allow for arbitrary length PINs.
v2: fix tpm2_seal in sd-repart
v3: applied review feedback
|
| |
The approach to use '''…'''.split() instead of a list of strings was initially
used when converting from automake because it allowed identical blocks of lines
to be used for both, making the conversion easier.
But over the years we have been using normal lists more and more, especially
when there were just a few filenames listed. This converts the rest.
No functional change.
|
| |
|
| |
We expose various other forms of UUID helpers already, i.e.
SD_ID128_UUID_FORMAT_STR and SD_ID128_MAKE_UUID_STR(), and we parse
UUIDs, hence add a high-level helper for formatting UUIDs too.
This doesn't add any new code, it just moves some helpers
id128-util.[ch] → sd-id128.[ch], to make them public.
|
| |
This queries the sector size from libfdisk instead of assuming 512, and
uses that when converting from bytes to the offset/size values libfdisk
expects.
This is an alternative to Tom Yan's #21823, but prefers using libfdisk's
own ideas of the sector size instead of going directly to the backing
device via ioctls. (libfdisk can after all also operate on regular
files, where the sector size concept doesn't necessarily apply the same
way.)
This also makes the "grain" variable, i.e. how we'll align the
partitions. Previously this was hardcoded to 4K, and that still will be
the minimum grain we use, but should the sector size be larger than that
we'll use the next multiple of the sector size instead.
|
| |
Fixes #21972.
|
| |
|
| |
Partitions are not always within our aligned scope. Bar printing
involves foreign partitions as well.
Fixes #21817.
|
| |
This reduces dependencies. The speed of the code here is unimportant, because we
hash only a tiny amount of input data.
Debian and Ubuntu currently build without repart, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976959
> repart requires openssl and so far I tried to avoid linking against
> both gnutls and openssl.
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
|
| |
|
| |
|
|\
| |
| | |
Makefs quiet output
|
| |
| | |
$ for i in ext2 ext3 ext4 btrfs xfs vfat swap minix; do
echo $i && wipefs -q -a /var/tmp/test2_img && build/systemd-makefs $i /var/tmp/test2_img
done
ext2
/var/tmp/test2_img successfully formatted as ext2 (label "test2_img", uuid ad584a5b-037b-497a-825d-eaf2ba90da2d)
ext3
/var/tmp/test2_img successfully formatted as ext3 (label "test2_img", uuid 95239fff-55f4-44d5-bae0-11ef75d13166)
ext4
/var/tmp/test2_img successfully formatted as ext4 (label "test2_img", uuid 8c7ea699-05ab-4ce6-8df6-bc20d53dfd29)
btrfs
/var/tmp/test2_img successfully formatted as btrfs (label "test2_img", uuid 860bb061-4d92-4607-8821-a9d00216490e)
xfs
/var/tmp/test2_img successfully formatted as xfs (label "test2_img", uuid f32499ea-7311-47bb-be57-da62e51d33ae)
vfat
mkfs.fat 4.2 (2021-01-31)
/var/tmp/test2_img successfully formatted as vfat (label "TEST2_IMG", uuid d1e4ae63)
swap
mkswap: /var/tmp/test2_img: insecure permissions 0644, fix with: chmod 0600 /var/tmp/test2_img
mkswap: /var/tmp/test2_img contains holes or other unsupported extents.
This swap file can be rejected by kernel on swap activation!
Use --verbose for more details.
Setting up swapspace version 1, size = 256 MiB (268431360 bytes)
LABEL=test2_img, UUID=16bc3d8c-98d4-462b-8ff8-338467cde871
/var/tmp/test2_img successfully formatted as swap (no label or uuid specified)
minix
21856 inodes
65535 blocks
Firstdatazone=696 (696)
Zonesize=1024
Maxsize=268966912
/var/tmp/test2_img successfully formatted as minix (no label or uuid specified)
|
| |
| | |
To properly detect how much space we have to distribute we need to take
into account that both the partition offset and the partition size
aren't aligned.
|
| |
| | |
If we operate on a disk that has a pre-existing unaligned partition
(i.e. one that doesn't start on a multiple of 4K, or doesn't have a size
that is a multiple of 4K), then the amount of space after it to distribute among
partitions isn't a multiple of 4K either. So far we might end up
passing the remaining fraction to any partition that wanted it, which
was usually the first one after it that is newly defined. This then
confused the later placement algorithm, since it assumed all partitions
we newly allocate were properly aligned but by being extended by the
fractional space they wouldn't be anymore.
Let's hence fix that by ensuring we never pass space to later partitions
so that things wouldn't be aligned anymore.
Anything that is left-over then at the very end (i.e. typically exactly
the remaining fraction) is added as padding to the existing, unaligned
partition, so that it can't confuse anyone.
Fixes: #20622
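The rules laid out in the sector-size commit above (grain derived from the sector size, 4K minimum) and in the two alignment commits (free space after an unaligned existing partition is trimmed to grain boundaries, the fraction becomes padding on that partition, new partitions are never extended by fractional space), as an added example written for this page and not systemd's repart code. The partition struct, the function names and the worked 16 MiB layout are constructed for the example; it assumes power-of-two sector sizes, which is what real devices report.

```c
/* Added example, not systemd's own code: the sector-size-derived "grain" and
 * the alignment rule the repart commits above describe. Assumes power-of-two
 * sector sizes; the struct and the worked layout are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

static uint64_t round_up(uint64_t v, uint64_t m) { return (v + m - 1) / m * m; }
static uint64_t round_down(uint64_t v, uint64_t m) { return v / m * m; }

/* Grain: 4K at minimum, otherwise the next multiple of the sector size. */
uint64_t grain_size(uint64_t sector_size) { return round_up(4096, sector_size); }

/* Byte offsets/sizes must be whole sectors before they are handed to the
 * partition library; reject anything that is not. */
bool bytes_to_sectors(uint64_t bytes, uint64_t sector_size, uint64_t *out) {
        if (bytes % sector_size != 0)
                return false;
        *out = bytes / sector_size;
        return true;
}

struct partition {
        uint64_t offset;   /* bytes */
        uint64_t size;     /* bytes */
        uint64_t padding;  /* bytes after the partition that nobody else may use */
        bool existing;
};

/* Free space after a pre-existing (possibly unaligned) partition, trimmed to
 * grain boundaries. The fraction between its real end and the next grain
 * boundary becomes its padding instead of leaking into whichever new
 * partition happens to be defined next. */
uint64_t aligned_free_space(struct partition *prev, uint64_t region_end, uint64_t grain) {
        uint64_t raw_end = prev->offset + prev->size;
        uint64_t start = round_up(raw_end, grain);
        uint64_t end = round_down(region_end, grain);
        prev->padding = start - raw_end;
        return end > start ? end - start : 0;
}

/* Hand aligned free space to n new partitions. Every offset and size stays a
 * grain multiple; spare whole grains go to the first partition. */
void distribute(uint64_t start, uint64_t avail, uint64_t grain,
                struct partition *np, size_t n) {
        uint64_t share = round_down(avail / n, grain);
        uint64_t spare = avail - share * n;  /* itself a grain multiple */
        for (size_t i = 0; i < n; i++) {
                np[i].offset = start;
                np[i].size = share + (i == 0 ? spare : 0);
                np[i].padding = 0;
                np[i].existing = false;
                start += np[i].size;
        }
}

/* The invariant the later placement code relies on for new partitions. */
bool all_aligned(const struct partition *p, size_t n, uint64_t grain) {
        for (size_t i = 0; i < n; i++)
                if (!p[i].existing && (p[i].offset % grain != 0 || p[i].size % grain != 0))
                        return false;
        return true;
}

/* Worked case (constructed): 16 MiB region, 512-byte sectors, one existing
 * partition at 1 MiB with an odd 1,000,000-byte size, two new partitions. */
int layout_selftest(void) {
        uint64_t grain = grain_size(512), sectors;
        struct partition p[3] = { { .offset = 1048576, .size = 1000000, .existing = true } };
        uint64_t avail = aligned_free_space(&p[0], 16 * 1024 * 1024, grain);
        distribute(p[0].offset + p[0].size + p[0].padding, avail, grain, &p[1], 2);
        return p[0].padding == 3520 && avail == 14725120 &&
               p[1].size == 7364608 && p[2].size == 7360512 &&
               p[2].offset + p[2].size == 16 * 1024 * 1024 &&
               all_aligned(p, 3, grain) &&
               bytes_to_sectors(p[1].offset, 512, &sectors) && sectors == 4008;
}
```

In the worked case the existing partition ends at byte 2048576, which is 576 bytes past a 4K boundary; the 3520 bytes up to the next boundary become its padding, and the remaining 14725120 bytes are split into two grain-aligned partitions. Before the fix described above, those 3520 bytes would have been handed to the first new partition and broken the alignment of everything placed after it.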
|
| | |
|
|/ |
|
| |
Otherwise we'll miss the log message from allocation of the context. We
already made this change in most of our tools that interface with
libcryptsetup, but we forgot two.
As suggested:
https://github.com/systemd/systemd/pull/21135#discussion_r738287504
|
|\
| |
| | |
split up a few files in src/basic/
|
| | |
|
| |
| | |
glyph-util.[ch]
These functions are used pretty much independently of locale, i.e. the
only info relevant is whether the locale is UTF-8 or not. Hence let's
give this its own pair of .c/.h files.
|
| |
| | |
No changes in code, just some splitting out.
|
|/ |
|
|\
| |
| | |
ci: build with clang-13
|
| |
| | |
otherwise compilation with -Db_ndebug=true complains about a
set-but-not-used variable:
```
../src/partition/repart.c:907:33: error: variable 'left' set but not used [-Werror,-Wunused-but-set-variable]
uint64_t start, left;
^
1 error generated.
```
|
|/ |
|
| |
Previously, we hardcoded use of ECC as primary keys, since they are much
faster (i.e. saving multiple seconds) to do TPM2 operations with. Alas,
not all TPM2 chips appear to support ECC. Bummer.
Let's hence add a fallback logic: if we can't create an ECC primary key,
use an RSA key, and store that fact away.
AFAIU the security guarantees should be roughly the same, it's just that
RSA primary keys are so much slower to work with than ECC.
The primary key algorithm used is stored in the JSON header of LUKS
disks, in a new field. If the field is absent we assume to use ECC, to
provide full compatibility with old systemd versions.
The primary key algorithm is stored in a new field in the credentials
file format (in fact, a previously unused zero space is used), too.
Hopefully, this should ensure that TPM2 support will "just work" on more
systems.
Fixes: #20361
|
| |
The automatic logic can't always find the original root partition (ex:
if the rootfs is copied to an ext4 fs backed by zram in the initramfs),
so we want to support "/run/systemd/volatile-root" which is a symlink to
the original root partition.
Fix #20610
|
| |
|
| |
|
| |
When the flag COPY_ALL_XATTRS is set, it causes the complete set of xattrs
to be copied. If the flag is unset, only xattrs from the "user" namespace
are copied.
Fixes #17178.
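The namespace filter behind a flag like COPY_ALL_XATTRS, as an added example written for this page rather than systemd's copy_xattr() code: without the flag only "user." attributes pass, with it everything listed is copied. The flag value, the function names and the sample attribute list are this example's own; the list format (names back to back, each NUL-terminated) is what llistxattr(2) returns.

```c
/* Added example, not systemd's own code: the namespace filter behind a
 * COPY_ALL_XATTRS-style flag, applied to the NUL-separated list llistxattr(2)
 * returns, and a copy routine built on it. The flag value, function names and
 * the sample attribute list below are this example's own. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>

#define COPY_ALL_XATTRS (1u << 0)  /* illustrative flag, not systemd's value */

/* Without the flag only "user." attributes pass. security.*, trusted.* and
 * system.* stay behind, which matters when the destination has a different
 * security context or the caller should not be able to set them at all. */
bool xattr_wanted(const char *name, unsigned flags) {
        return (flags & COPY_ALL_XATTRS) || strncmp(name, "user.", 5) == 0;
}

/* Apply the filter to an llistxattr()-style buffer (names back to back, each
 * NUL-terminated). Stores up to max pointers in out[]; returns how many. */
size_t filter_xattr_list(const char *list, size_t len, unsigned flags,
                         const char **out, size_t max) {
        size_t kept = 0;
        for (size_t i = 0; i < len && kept < max; ) {
                const char *name = list + i;
                size_t l = strnlen(name, len - i);
                if (l == len - i)  /* unterminated tail: malformed list, stop */
                        break;
                if (xattr_wanted(name, flags))
                        out[kept++] = name;
                i += l + 1;
        }
        return kept;
}

/* Copy the selected xattrs from one path to another without following
 * symlinks. Returns 0 or a negative errno; a source without xattr support
 * or without attributes counts as success. */
int copy_xattrs(const char *from, const char *to, unsigned flags) {
        ssize_t len = llistxattr(from, NULL, 0);
        if (len <= 0)
                return len == 0 || errno == ENOTSUP || errno == ENODATA ? 0 : -errno;
        char *list = malloc((size_t) len);
        if (!list)
                return -ENOMEM;
        len = llistxattr(from, list, (size_t) len);
        if (len < 0) {
                int e = -errno;
                free(list);
                return e;
        }
        int r = 0;
        for (ssize_t i = 0; r == 0 && i < len; ) {
                const char *name = list + i;
                i += (ssize_t) strlen(name) + 1;
                if (!xattr_wanted(name, flags))
                        continue;
                ssize_t vlen = lgetxattr(from, name, NULL, 0);
                if (vlen < 0) {
                        r = errno == ENODATA ? 0 : -errno;  /* removed meanwhile: skip */
                        continue;
                }
                char *value = malloc((size_t) vlen + 1);
                if (!value) {
                        r = -ENOMEM;
                        continue;
                }
                /* Read with one spare byte so a value that grew under us fails
                 * with ERANGE instead of being truncated silently. */
                vlen = lgetxattr(from, name, value, (size_t) vlen + 1);
                if (vlen < 0 || lsetxattr(to, name, value, (size_t) vlen, 0) < 0)
                        r = -errno;
                free(value);
        }
        free(list);
        return r;
}

/* Self-check on a constructed list: two user.* names out of four. */
int filter_selftest(void) {
        static const char list[] =
                "user.mime_type\0security.selinux\0trusted.overlay.opaque\0user.comment\0";
        const char *kept[8];
        size_t user_only = filter_xattr_list(list, sizeof list - 1, 0, kept, 8);
        size_t everything = filter_xattr_list(list, sizeof list - 1, COPY_ALL_XATTRS, kept, 8);
        return user_only == 2 && everything == 4 && strcmp(kept[1], "security.selinux") == 0;
}
```

Two things are easy to get wrong in this routine: the attribute list and values can change between the size query and the read (hence the spare byte and the ENODATA skip), and setting security.* or trusted.* on the destination needs CAP_SYS_ADMIN or an LSM policy that allows it, so the all-xattrs mode should only be requested by callers that actually hold those privileges.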
|
| |
In general we almost never hit those asserts in production code, so users see
them very rarely, if ever. But either way, we just need something that users
can pass to the developers.
We have quite a few of those asserts, and some have fairly nice messages, but
many are like "WTF?" or "???" or "unexpected something". The error that is
printed includes the file location, and function name. In almost all functions
there's at most one assert, so the function name alone is enough to identify
the failure for a developer. So we don't get much extra from the message, and
we might just as well drop them.
Dropping them makes our code a tiny bit smaller, and most importantly, improves
development experience by making it easy to insert such an assert in the code
without thinking how to phrase the argument.
|
| |
Previously, we'd encode PCR policies strictly with the SHA256 PCR bank
set. However, as it appears not all hw implement those. Sad.
Let's add some minimal logic to auto-detect supported PCR banks: if
SHA256 is supported, use that. But if not, automatically fall back to
SHA1.
This then changes both the LUKS code, and the credentials code to
serialize the selected bank, along with the rest of the data in order to
make this robust.
This extends the LUKS2 JSON metadata in a compatible way. The credentials
encryption format is modified in an incompatible way however, but given
that this is not part of any official release should be OK.
Fixes: #20134
|
| |
|