Exclude all `.in` files because they may contain unsupported syntax, and
they have to be preprocessed first. For example:
```sh
Error: SHELLCHECK_WARNING:
./src/rpm/systemd-update-helper.in:130:37: warning[SC1083]: This { is literal. Check expression (missing ;/\n?) or quote it.
```
Related to: https://github.com/systemd/systemd/pull/28521
Let's check for verity signature partitions as well. Let's also
check the configured verity mode, which is another way to indicate
verity partitions aside from the type UUID.
Like the cmdline file we look for a devicetree file in
$KERNEL_INSTALL_CONF_ROOT, /etc/kernel and /usr/lib/kernel. If it is
present we look for the specified device tree that comes with the kernel
we're adding and install it into $ENTRY_DIR_ABS and add a devicetree
stanza to the loader entry.
Unfortunately it seems there is no common consensus on where to install
device tree blobs, so we have to look in a few different places for it.
This macros wraps the call to daemon-reexec in all user managers. It would be
called for example from systemd %post right after the call to systemctl
daemon-reexec.
This will be used in the Fedora systemd package to fix a long-standing FIXME.
Tested via building and reinstalling the systemd package with the patches.
bus_unit_queue_job_one has two callers:
- bus_unit_queue_job which would do the appropriate transormations
to turn JOB_TRY_RESTART into JOB_TRY_RELOAD,
- and method_enqueue_marked_jobs which did not.
In effect, method_enqueue_marked_jobs() would queue restart jobs for
units which has Markers= needs-reload or needs-restart.
When the chunk of code which does the transformations is moved from
bus_unit_queue_job to bus_unit_queue_job_one, there is no change for
bus_unit_queue_job, and method_enqueue_marked_jobs is fixed.
The additional checks that are done seem reasonable to do from
method_enqueue_marked_jobs: we shouldn't be restarting units which are
configured to not allow that, or force unwanted start of dbus-broker.
60-ukify.install would only work with initrd provided by command line
arguements. Fixed to look for both microcode and initrd is found in
$KERNEL_INSTALL_STAGING_AREA which is placed by initrd generator like
mkinitcpio
This makes sure we use the actual size after mkfs which seems to be
important for btrfs as it refuses to mount the partition otherwise.
Follow-up for 2843df3e57
Follow-up for 99299d0d5a
is_device_node() calls lstat(), causing device node
symlinks under /dev/disk/ not being compared correctly
using devnode_same().
Fixes#28585
Handle the case when all the arguments are passed in through a
configuration file:
$ cat ukify.conf
[UKI]
Linux = /boot/vmlinuz-linux
Initrd = /boot/initramfs-linux.img
Before:
$ src/ukify/ukify.py --config ukify.conf build
Traceback (most recent call last):
File "/root/systemd/src/ukify/ukify.py", line 1604, in <module>
main()
File "/root/systemd/src/ukify/ukify.py", line 1590, in main
opts = parse_args()
^^^^^^^^^^^^
File "/root/systemd/src/ukify/ukify.py", line 1584, in parse_args
apply_config(opts)
File "/root/systemd/src/ukify/ukify.py", line 1431, in apply_config
item.apply_config(namespace, section_name, group, key, value)
File "/root/systemd/src/ukify/ukify.py", line 1123, in apply_config
self.config_push(namespace, group, dest, value)
File "/root/systemd/src/ukify/ukify.py", line 1019, in config_list_prepend
setattr(namespace, dest, value + old)
~~~~~~^~~~~
TypeError: can only concatenate list (not "NoneType") to list
After:
$ src/ukify/ukify.py --config ukify.conf build
Kernel version not specified, starting autodetection 😖.
Found uname version: 6.4.7-arch1-3
Wrote unsigned vmlinuz-linux.unsigned.efi
Resolves: #28688
Same scenario as with libsystemd - ldd might use unprefixed RPATH, and
we install our own stuff into the image unconditionally anyway.
Also, bail out early if we hit a missing DSO with a possibly helpful
message.
The count field indicates the number of elements in the pcrSelections field,
and the size of each elements is greater than 1 byte, so using sizeof() is
incorrect when verifying the count field is valid; instead ELEMENTSOF() should
be used.
Caught by coverity check: https://github.com/systemd/systemd/pull/26331#pullrequestreview-1556629586
Without this change, there are no ordering between udevd and tmpfiles,
and if tmpfiles is invoked later it may discard the permission set by
udevd.
Fixes an issue introduced by b42482af90.
Fixes#28588 and #28653.
c18f4eb9e9 made it possible to use --force with various verbs, by
going through the newer D-Bus methods. Except it didn't, as it regressed
during PR review refactorings, and nobody noticed because there were no
tests for it. Fix it, and add tests.
Follow-up for c18f4eb9e9
The previous commit extended the accepted format of --tpm2-pcrs to allow
specifying the hash algorithm (i.e. PCR bank) and hash digest value, this
updates the man page with those changes.
Move the calculation of the sealed object policy hash out of the tpm2_seal()
function. Instead, callers of tpm2_seal() can directly call
tpm2_calculate_sealing_policy() and then provide the policy hash to
tpm2_seal().
Add functions to convert a PEM or pkey to TPM2B_PUBLIC, and functions to
convert TPM2B_PUBLIC to pkey or fingerprint.
Supports both RSA and ECC keys.
Add ECC support to some test-tpm2 tests, and tests to cover the newly added functions.
Add function to create openssl pkey from ECC curve and point, and function to
get curve id and x/y point from existing ECC pkey. Also add function to create
new ECC key for specified curve.
Also add DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_MACRO() to handle case when func() is
a macro, not a function symbol; specifically in this case it is used for
OPENSSL_free() which is a macro.
Add function to generate an EVP_PKEY for a specific 'n' and 'e', and function
to get 'n' and 'e' values from existing RSA public key. Also add a function to
generate a new RSA key with a specified number of bits.
In order to allow users to specify expected PCR values, change the
tpm2_parse_pcr_argument() to parse the text argument into an array of
Tpm2PCRValue objects, which provide not only the selected PCR indexes, but also
(optionally) the hash algorithm and hash value for each PCR index.