Merge pull request #27849 from DaanDeMeyer/sign-pcr

mkosi: Sign expected PCRs

.github/workflows/mkosi.yml

@@ -76,7 +76,7 @@ jobs:
 
     steps:
     - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
-    - uses: systemd/mkosi@c3103868cccc722ef45838fdd37fb462c21948f2
+    - uses: systemd/mkosi@e59f763872e4d5f96acb11b4a77995b986bb31cc
 
     - name: Configure
       run: |
@@ -87,7 +87,6 @@ jobs:
 
         [Content]
         Environment=CI_BUILD=1
-                    DEFAULT_TIMEOUT_SEC=180
                     SLOW_TESTS=true
 
         [Output]
@@ -95,6 +94,8 @@ jobs:
                                systemd.journald.max_level_console=debug
                                # udev's debug log output is very verbose, so up it to info in CI.
                                udev.log_level=info
+                               # Root device can take a long time to appear, so let's bump the timeout.
+                               systemd.default_device_timeout_sec=180
 
         [Host]
         ExtraSearchPaths=!*

man/kernel-command-line.xml

@@ -423,6 +423,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>systemd.default_device_timeout_sec=</varname></term>
+
+        <listitem>
+          <para>Overrides the default device timeout <varname>DefaultDeviceTimeoutSec=</varname> at boot. For
+          details, see
+          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>systemd.watchdog_device=</varname></term>
 

meson.build

@@ -1527,7 +1527,7 @@ conf.set10('HAVE_LIBFIDO2', have)
 
 want_tpm2 = get_option('tpm2')
 if want_tpm2 != 'false' and not skip_deps
-        tpm2 = dependency('tss2-esys tss2-rc tss2-mu',
+        tpm2 = dependency('tss2-esys tss2-rc tss2-mu tss2-tcti-device',
                           required : want_tpm2 == 'true')
         have = tpm2.found()
         have_esys3 = tpm2.version().version_compare('>= 3.0.0')

mkosi.conf.d/10-systemd.conf

@@ -11,11 +11,6 @@ OutputDirectory=mkosi.output
 BuildDirectory=mkosi.builddir
 CacheDirectory=mkosi.cache
 
-[Validation]
-SecureBoot=yes
-# Disabled until systemd-measure can operate without a TPM device.
-SignExpectedPcr=no
-
 [Host]
 QemuMem=2G
 ExtraSearchPaths=build/
@@ -41,3 +36,6 @@ KernelCommandLineExtra=systemd.crash_shell
                        systemd.wants=network-online.target
                        # Make sure we don't load vmw_vmci which messes with virtio vsock.
                        module_blacklist=vmw_vmci
+                       # Lower the default device timeout so we get a shell earlier if the root device does
+                       # not appear for some reason.
+                       systemd.default_device_timeout_sec=10

mkosi.presets/00-base/mkosi.build

@@ -51,8 +51,6 @@ if [ ! -f "$BUILDDIR"/build.ninja ]; then
     CONFIGURE_OPTS=(
         -D sysvinit-path="$sysvinit_path"
         -D rootprefix="$rootprefix"
-        -D default-timeout-sec="${DEFAULT_TIMEOUT_SEC:-10}"
-        -D default-user-timeout-sec="${DEFAULT_TIMEOUT_SEC:-10}"
         -D man=false
         -D translations=false
         -D version-tag="${VERSION_TAG}"

mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf

@@ -61,6 +61,7 @@ BuildPackages=
         pkgconfig(tss2-esys)
         pkgconfig(tss2-mu)
         pkgconfig(tss2-rc)
+        pkgconfig(tss2-tcti-device)
         pkgconfig(valgrind)
         pkgconfig(xkbcommon)
         rpm

mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf

@@ -28,8 +28,11 @@ Packages=
         libxkbcommon0
         libzstd1
         pam
-        python3-pytest-flakes
         shadow
+        libtss2-esys0
+        libtss2-mu0
+        libtss2-rc0
+        libtss2-tcti-device0
         tpm2-0-tss
         xz
 
@@ -76,6 +79,7 @@ BuildPackages=
         python3-pefile
         python3-pyelftools
         python3-pytest
+        python3-pytest-flakes
         qrencode-devel
         shadow
         systemd-sysvinit

mkosi.presets/10-initrd/mkosi.postinst

@@ -0,0 +1,7 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf

mkosi.presets/20-final/mkosi.conf

@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Content]
+Autologin=yes
 BaseTrees=../../mkosi.output/base
 ExtraTrees=../../src:/root/src
 Initrds=../../mkosi.output/initrd
@@ -35,4 +36,5 @@ Packages=
         zsh
 
 [Validation]
-Autologin=yes
+SecureBoot=yes
+SignExpectedPcr=yes

mkosi.presets/20-final/mkosi.postinst

@@ -1,5 +1,6 @@
 #!/bin/sh
 # SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
 
 if [ "$1" = "build" ]; then
     exit 0

src/core/main.c

@@ -400,6 +400,18 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
                 if (arg_default_timeout_start_usec <= 0)
                         arg_default_timeout_start_usec = USEC_INFINITY;
 
+        } else if (proc_cmdline_key_streq(key, "systemd.default_device_timeout_sec")) {
+
+                if (proc_cmdline_value_missing(key, value))
+                        return 0;
+
+                r = parse_sec(value, &arg_default_device_timeout_usec);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to parse default device timeout '%s', ignoring: %m", value);
+
+                if (arg_default_device_timeout_usec <= 0)
+                        arg_default_device_timeout_usec = USEC_INFINITY;
+
         } else if (proc_cmdline_key_streq(key, "systemd.cpu_affinity")) {
 
                 if (proc_cmdline_value_missing(key, value))