systemd - systemd

	Commit message (Collapse)	Author	Age	Files	Lines
*	units: retitle systemd-pcrextend.{service,socket}, change TPM2→TPM	Zbigniew Jędrzejewski-Szmek	2024-03-14	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	I was looking at the logs in some bug and saw this: Mar 13 15:55:12 fedora systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki). Mar 13 15:55:12 fedora systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems... Mar 13 15:55:12 fedora systemd[1]: systemd-tpm2-setup-early.service - TPM2 SRK Setup (Early) was skipped because of an unmet condition check (ConditionSecurity=measured-uki). This is overly technical, for most units we don't provide this level of detail about the implementation. So retitle the units to be more accessible. Also, the fact that it's a v. 2 of the TPM is not that important. We don't support TPM 1.2, but computers without TPM v2 are getting rare. For other units we don't advertise the version of hardware, and let's not do this here, to reduce some complexity.
*	units: enable MaxConnectionsPerSocket= for all our Accept=yes units	Lennart Poettering	2024-02-12	1	-0/+1
\| \| \| \| \| \| \| \| \| \| \|	Let's make sure that user's cannot DoS services for other users so easily, and enable MaxConnectionsPerSocket= by default for all of them. Note that this is mostly paranoia for systemd-pcrextend.socket and systemd-sysext.socket: the socket is only accessible to root anyway, hence the accounting shouldn#t change anything. But this is just a safety net, in preparation that we open up some functionality of these services sooner or later.
*	units: add a tpm2.target synchronization point and small generator that pulls in	Lennart Poettering	2024-01-03	1	-0/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Distributions apparently only compile a subset of TPM2 drivers into the kernel. For those not compiled it but provided as kmod we need a synchronization point: we must wait before the first TPM2 interaction until the driver is available and accessible. This adds a tpm2.target unit as such a synchronization point. It's ordered after /dev/tpmrm0, and is pulled in by a generator whenever we detect that the kernel reported a TPM2 to exist but we have no device for it yet. This should solve the issue, but might create problems: if there are TPM devices supported by firmware that we don't have Linux drivers for we'll hang for a bit. Hence let's add a kernel cmdline switch to disable (or alternatively force) this logic. Fixes: #30164
*	pcrextend: make pcrextend tool acccessible via varlink	Lennart Poettering	2023-10-06	1	-0/+24
	This is primarily supposed to be a 1st step with varlinkifying our various command line tools, and excercise in how this might look like across our codebase one day. However, at AllSystemsGo! 2023 it was requested that we provide an API to do a PCR measurement along with a matching event log record, and this provides that.