TPM2 knows two types of policy sessions: "real" ones and "trial" ones. The
latter allow you to calculate a policy hash without this enforcing any
policy, which the former do. Typically you want to use the "trial" ones
when enrolling, and you have to use the "real" ones for unlocking. So
far we used "real" ones for both cases. Which works fine – as long as
the policy put together matches the current reality (e.g. the PCR values
included in the policy are the ones currently in place in the TPM).
Let's switch to using trial sessions for enrolling. First of all this is
preparation for later work to implement further policy extensions (for
example, policies binding to literally specified PCR values, instead of
the once currently measured). But from my perspective more importantly
it actually is cleaner, as it communicates more clearly what we are
actually doing here.
No user-visible change in behaviour.
The lifetime of variables decalred in the main switch/case body is just
weird. Let's not rely on it, but just open a new {} block, like
everywhere else in similar cases.
When an extension image has binaries they should match the host
architecture. Currently there is no way to specify this requirement.
Introduce an ARCHITECTURE field in the extension's release file that
may be set to prevent loading on the wrong host architecture.
Since this new field is introduced late, we don't want to make
specifying it mandatory as it would break existing sysext images.
See https://github.com/systemd/systemd/issues/24061
A sysext image that merely contains static binaries has no dependency
on the host distribution and should be able to be used anywhere.
Support the special '_any' value for the ID field in the extension to
opt-out of ID and VERSION_ID/SYSEXT_LEVEL matching.
See https://github.com/systemd/systemd/issues/24061
When we receive NoBinding status code, the requesting binding (address or
any other information) does not exist anymore in the server. Hence,
resending the request is meaningless. Let's restart the transaction from
the beginning in that case.
The cros-ec-accel and cros-ec-accel-legacy kernel modules internally
correct for the board-specific accelerometer mounting orientations.
Their sensor outputs are in a standard reference frame consistent across
different boards, so the orientation matrix already added for a number
of devices should apply to every device using cros-ec accelerometers.
The different matrix for the 'Nocturne' board seems to be an error.
Replace the existing hwdb rules for select Chromebooks with generic
rules that apply to all Chromebooks.
For example, /proc/device-tree is a symlink to /sys/firmware/devicetree/base,
and the kernel documentation says the symlink should be used by userspace app.
See, https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-firmware-ofw.
Hence, it is useful to make `sd_device_new_from_path()` support such symlink.
Devicetree firmware contains an "aliases" node, containing various
aliases for devices described by the firmware. For ethernet devices,
these are named "ethernet0", "ethernet1", etc. They provide a convenient
means of numbering ethernet devices, especially on systems with no other
stable number other than the address. In particular, U-Boot already uses
these aliases to name its ethernet devices.
Previously, there have been attempts (such as [1]) to add support for
these aliases to Linux. However, these patches have been rejected
because it is the maintainers' view that naming policy be left to
userspace. Well, systemd is userspace, so here we are.
In terms of implementation, apparently there can be multiple device
trees at once. I have decided to dodge this problem for now, and just
use /proc/device-tree. If it is desired to support multiple device trees
later, then the scheme can be modified to include the device tree's
index. For example, /sys/firmware/devicetree/base2/aliases/ethernet3
might be named enb2d3.
For the moment we only support "ethernetX" aliases. Future patches might
want to also handle "canX" and "wifiX".
It is common on boards with only one ethernet device to use an alias of
just "ethernet". In this case, the index is an implicit 0. In case the
author of the firmware made a mistake, we check to ensure that aliases
of "ethernet" and "ethernet0" do not both exist.
[1] https://patchwork.kernel.org/project/linux-arm-kernel/patch/1399390594-1409-1-git-send-email-boris.brezillon@free-electrons.com/Closes: #17625