The verb s not really specific to credential management, it was always a
bit misplaced. Hence move it to systemd-analyze, where we already have
some general TPM related verbs such as "srk" and "pcrs"
* 2c9954fa51 mkosi-initrd: correct `--debug-shell` help output
* 671708a10b Merge pull request #2990 from behrmann/allthemanuals
|\
| * 2671849125 initrd: add --show-documentation option
| * e2238f5dc7 Move show_docs to its own module
| * e366093b1c doc: make documentation command take an argument
* | 9fcff08b34 Update documentation links
* | 113f7f67dd Only write to /etc/machine-id if /etc exists
|/
* 62a610c0e5 Merge pull request #3005 from DaanDeMeyer/mypy
|\
| * 9b569c93bb Don't delete reader in _tempfile() backport
| * 16f4c94930 Mark all class variables as Final
| * ca7021e9a7 Annotate two more variables that need it
| * fec368dd4d Move KeySource.Type out of KeySource
| * ff5f7b06b8 user: Drop lru_cache() for home() and name()
| * 8f7c7b366f Move code backported from cpython upstream to backport.py
| * f66212e9c2 Drop listify()
| * 4293866df2 mypy: Disable allow_redefinition
| * 2700337f11 Fix mypyc warnings in sandbox.py
|/
* 025483af04 sandbox: Use separate variable name when we change types
* b04800cd30 Merge pull request #3003 from DaanDeMeyer/initrd
|\
| * fd64be9b60 mkosi-initrd: Ignore gnupg subdirectory
| * 7a8a21f8f6 mkosi-initrd: Only set --cacheonly=metadata when running as root
| * 156880c398 mkosi-initrd: Add --debug-shell argument
|/
* a32c8f393a Merge pull request #3002 from DaanDeMeyer/cherry-pick
|\
| * 1d8bfabc97 news: add note to change where the manual pages are
| * 8917d65db1 initrd: flatten module into a single file
| * 76085b788a sandbox: flatten module into a single file
| * 9f48afa4a7 cli: add missing completion stubs to pyproject.toml
| * 6e21cceb03 doc: move man pages to resources/man
| * 25d1c6b579 cli: use ellipsis ligature instead of writing out ...
|/
* 013d9b5595 Move various functions to bootloader.py
* 508ad85475 Update NEWS.md
* f25b8dee6f Simplify package cache dir mirror key
* dce4c8af51 Merge pull request #2998 from DaanDeMeyer/ci
|\
| * f4934828f7 tests: Show debug messages on console
| * fa3ae22598 ci: Drop machine-id commit timeout drop-in
* dba01269de base64 encode mirror if we put it in package cache dir key
* 364b65f7bb Add 'login' to Debian/Ubuntu/Kali package list
* ee07b5b6d2 Bump github/codeql-action from 3.25.15 to 3.26.6
This is very similar to tools/fetch-distro.py. The idea is that we extend the
commit to update the mkosi hash with a git log --pretty=oneline output, so that
the reader can know what changes were actually included.
The motivation is that I'm always wondering what changed in mkosi when I see a
commit updating the hash, and it's nicer to have this information shown
directly in the commit.
The script does _not_ pull changes from upstream, on the assumption that the
person doing the commit always has a fresh checkout and that they tested with
that checkout.
This splits out the core part into a new function
pe_section_table_find().
pe_header_find_section() takes a PeHeader as input, while
pe_section_table_find() just takes the section table and its size.
This renames pe_read_section_data() to pe_read_section_data_by_name()
and makes pe_read_section_data() a bit more low-level: it takes a header
table entry directly, instead of searching it first by name.
systemd-stub provides the signing key for TPM2 signed PCR policies in a
file tpm2-pcr-public-key.pem to userspace. Hence, to clarify that this
is the same key as used when signing via "systemd-measure", let's rename
it in the docs like that.
Also rename the private key to tpm2-pcr-private-key.pem, to keep the
symmetry.
With this we should universally stick to this nomenclature:
1. tpm2-pcr-public-key.pem ← public part of signing key
2. tpm2-pcr-private-key.pem ← private part of signing key
3. tpm2-pcr-signature.json ← signature file made with key pair
Inspired by: #34069
Monitor the sysctl set by networkd for writes, if a sysctl is
overwritten with a different value than the one we set, emit a warning.
Writes are detected with an eBPF program attached as BPF_CGROUP_SYSCTL
which reports the sysctl writes only in net/.
The eBPF program only reports sysctl writes from a different cgroup than networkd.
To do this, it uses the `bpf_current_task_under_cgroup_proto()` helper,
which will be available allowed in BPF_CGROUP_SYSCTL from kernel 6.12[1].
Loading a BPF_CGROUP_SYSCTL program requires the CAP_SYS_ADMIN capability,
so drop it just after the program load, whether it loads successfully or not.
Writes are logged but permitted, in future the functionality can be
extended to also deny writes to managed sysctls.
[1] https://lore.kernel.org/bpf/20240819162805.78235-3-technoboy85@gmail.com/
This is a rework of e7a93e7521: instead of
handling components with n_variants being zero at every step of the way, we instead
remove it from our list after loading all components, given that such a
component simply makes not sense for the rest of our logic.
If we operate in "offline" mode, i.e. know the device key, then we will
not have a TPM2 connection, hence don't try to read the PCR bank to use form
it.
We don't need it anyway because we are not going to test unseal things.
Fixes: #33855
The /dev/zramN devices can be used as regular block devices. They are
typically used for swap areas, but it would be beneficial to have
LABEL and UUID in the udev database to make it more user-friendly for
tools such as lsblk or mount (if used with other filesystems).