Zbigniew Jędrzejewski-Szmek
616b8101b7
github: update version in bug templates
2022-12-20 15:12:41 +01:00
Frantisek Sumsal
a32831ae1d
mkosi: work around a file conflict between systemd and systemd-boot
2022-12-15 16:04:28 +01:00
Daan De Meyer
52c602d4c6
ci: Labeler improvements
...
- Mention "/please-review" in the contributing guide
- Remove "needs-rebase" on push
- Don't add "please-review" if a green label is set
- Don't add please-review label to draft PRs
- Add please-review when a PR moves out of draft
2022-12-09 15:37:43 +01:00
Daan De Meyer
8fc78e6845
ci: Add/Drop labels on pull request activity and comment
...
When a pull request is opened/updated, add "please-review" and
remove a few other labels.
When a comment is made with /please-review on a PR. Add the
"please-review" label to the PR.
2022-12-09 04:50:13 +09:00
Lennart Poettering
a579990277
Merge pull request #25180 from keszybz/ukify
...
ukify: add helper to create UKIs
2022-12-08 15:11:18 +01:00
Zbigniew Jędrzejewski-Szmek
1f6da5d902
ci: install pefile
2022-12-07 15:53:47 +01:00
dependabot[bot]
054f47defc
build(deps): bump ninja from 1.10.2.4 to 1.11.1 in /.github/workflows
...
Bumps [ninja](https://github.com/ninja-build/ninja ) from 1.10.2.4 to 1.11.1.
- [Release notes](https://github.com/ninja-build/ninja/releases )
- [Commits](https://github.com/ninja-build/ninja/commits/v1.11.1 )
---
updated-dependencies:
- dependency-name: ninja
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-12-01 11:59:45 +00:00
dependabot[bot]
80dd9e2de7
build(deps): bump meson from 0.63.3 to 0.64.1 in /.github/workflows
...
Bumps [meson](https://github.com/mesonbuild/meson ) from 0.63.3 to 0.64.1.
- [Release notes](https://github.com/mesonbuild/meson/releases )
- [Commits](https://github.com/mesonbuild/meson/compare/0.63.3...0.64.1 )
---
updated-dependencies:
- dependency-name: meson
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-12-01 10:28:47 +00:00
dependabot[bot]
58a1485fa9
build(deps): bump redhat-plumbers-in-action/differential-shellcheck
...
Bumps [redhat-plumbers-in-action/differential-shellcheck](https://github.com/redhat-plumbers-in-action/differential-shellcheck ) from 3.1.1 to 3.2.1.
- [Release notes](https://github.com/redhat-plumbers-in-action/differential-shellcheck/releases )
- [Changelog](https://github.com/redhat-plumbers-in-action/differential-shellcheck/blob/main/CHANGELOG.md )
- [Commits](1b1b75e42f...f3cd08fcf1
2022-12-01 10:03:09 +00:00
dependabot[bot]
690e7bfe8f
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v3.1.0...83fd05a356d7e2593de66fc9913b3002723633cb )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-12-01 10:02:00 +00:00
dependabot[bot]
073747028b
build(deps): bump redhat-plumbers-in-action/advanced-issue-labeler
...
Bumps [redhat-plumbers-in-action/advanced-issue-labeler](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler ) from 2.0.0 to 2.0.1.
- [Release notes](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases )
- [Commits](fe9c43b7d7...88209aef58
2022-12-01 10:01:10 +00:00
Luca Boccassi
c1fb3319ce
GA: do not run codeql on systemd-security
...
Scanning is not available on private repositories
2022-11-30 10:59:03 +00:00
Luca Boccassi
77e6166679
GA: run development_freeze only on main repository
...
No point in running this checker on other forks
2022-11-30 10:59:03 +00:00
Luca Boccassi
39a306ba34
Merge pull request #25319 from zx2c4-forks/krngseed
...
boot: implement kernel EFI RNG seed protocol with proper hashing
2022-11-16 15:07:54 +01:00
Jason A. Donenfeld
0be72218f1
boot: implement kernel EFI RNG seed protocol with proper hashing
...
Rather than passing seeds up to userspace via EFI variables, pass seeds
directly to the kernel's EFI stub loader, via LINUX_EFI_RANDOM_SEED_TABLE_GUID.
EFI variables can potentially leak and suffer from forward secrecy
issues, and processing these with userspace means that they are
initialized much too late in boot to be useful. In contrast,
LINUX_EFI_RANDOM_SEED_TABLE_GUID uses EFI configuration tables, and so
is hidden from userspace entirely, and is parsed extremely early on by
the kernel, so that every single call to get_random_bytes() by the
kernel is seeded.
In order to do this properly, we use a bit more robust hashing scheme,
and make sure that each input is properly memzeroed out after use. The
scheme is:
key = HASH(LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN)
new_disk_seed = HASH(key || 0)
seed_for_linux = HASH(key || 1)
The various inputs are:
- LINUX_EFI_RANDOM_SEED_TABLE_GUID from prior bootloaders
- 256 bits of seed from EFI's RNG
- The (immutable) system token, from its EFI variable
- The prior on-disk seed
- The UEFI monotonic counter
- A timestamp
This also adjusts the secure boot semantics, so that the operation is
only aborted if it's not possible to get random bytes from EFI's RNG or
a prior boot stage. With the proper hashing scheme, this should make
boot seeds safe even on secure boot.
There is currently a bug in Linux's EFI stub in which if the EFI stub
manages to generate random bytes on its own using EFI's RNG, it will
ignore what the bootloader passes. That's annoying, but it means that
either way, via systemd-boot or via EFI stub's mechanism, the RNG *does*
get initialized in a good safe way. And this bug is now fixed in the
efi.git tree, and will hopefully be backported to older kernels.
As the kernel recommends, the resultant seeds are 256 bits and are
allocated using pool memory of type EfiACPIReclaimMemory, so that it
gets freed at the right moment in boot.
2022-11-14 15:21:58 +01:00
Zbigniew Jędrzejewski-Szmek
e642816b65
ci: use mkosi executable directly
2022-11-14 11:59:30 +01:00
Zbigniew Jędrzejewski-Szmek
976ceafe1b
ci: skip running on docs-only changes
...
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-including-and-excluding-paths
> If you define a path with the ! character, you must also define at least one
> path without the ! character. If you only want to exclude paths, use
> paths-ignore instead.
>
> The order that you define patterns matters:
> A matching negative pattern (prefixed with !) after a positive match will
> exclude the path.
> A matching positive pattern after a negative match will include the path
> again.
Even if some of the exluded paths *could* impact the build, generally it's a
waste of time to do mkosi builds on them. Let's skip to releave the builders a
bit.
2022-11-11 11:27:35 +01:00
Jan Macku
b6a23ad642
ci(dev-freeze): Use GitHub Action for PR comments
...
GitHub Action `devel-freezer` helps with development freeze notifications
during the RC phase. It will create comments using predefined messages on
newly created and updated PRs when the RC tag has been released.
Also, it will update comments once a new major version has been released.
Documentation available at: https://github.com/redhat-plumbers-in-action/devel-freezer
2022-11-05 14:10:01 +01:00
Samuel Thibault
ede5a78f50
shutdown: Add Xen kexec support
...
In the Xen case, it's the hypervisor which manages kexec. We thus
have to ask it whether a kernel is loaded, instead of relying on
/sys/kernel/kexec_loaded.
2022-11-02 20:47:41 +01:00
dependabot[bot]
cd00185881
build(deps): bump github/codeql-action from 2.1.17 to 2.1.29
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.17 to 2.1.29.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/v2.1.17...ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-01 11:20:30 +00:00
dependabot[bot]
65444c9cba
build(deps): bump meson from 0.63.2 to 0.63.3 in /.github/workflows
...
Bumps [meson](https://github.com/mesonbuild/meson ) from 0.63.2 to 0.63.3.
- [Release notes](https://github.com/mesonbuild/meson/releases )
- [Commits](https://github.com/mesonbuild/meson/compare/0.63.2...0.63.3 )
---
updated-dependencies:
- dependency-name: meson
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-11-01 11:19:52 +00:00
dependabot[bot]
a61119e299
build(deps): bump systemd/mkosi
...
Bumps [systemd/mkosi](https://github.com/systemd/mkosi ) from 792cbc60eb2dc4a58d66bb3c212bf92f8d50f6ea to 14. This release includes the previously tagged commit.
- [Release notes](https://github.com/systemd/mkosi/releases )
- [Changelog](https://github.com/systemd/mkosi/blob/main/NEWS.md )
- [Commits](792cbc60eb...c9772ec920
2022-11-01 10:26:17 +00:00
dependabot[bot]
ed770fc10a
build(deps): bump ossf/scorecard-action from 2.0.4 to 2.0.6
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.0.4 to 2.0.6.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](e363bfca00...99c53751e0
2022-11-01 10:25:31 +00:00
Luca Boccassi
6f96359dfc
Disable code freeze banner
2022-10-31 18:57:13 +00:00
Luca Boccassi
035dc08bea
gh actions: run a unit test iteration without machine-id
2022-10-25 16:00:26 +01:00
Frantisek Sumsal
b3ea9cf13b
ci: run the Scorecards action in PRs only on config update
...
Also, unify the string quotation a bit and drop one unnecessary
expression syntax (as everything in `if` statements is automatically
evaluated as an expression).
2022-10-20 17:10:50 +02:00
Frantisek Sumsal
3e35a3302c
ci: add a missing SPDX line
2022-10-20 17:03:37 +02:00
Joyce
b7a279f9ef
ci: Enable Scorecard Github Action and Badge ( #25054 )
...
* chore: enable scorecard action
* chore: add badge to the README file
* chore: enable on config file update
* chore: update scorecard to 2.0.4
* chore: run scorecard on PR at main branch
* chore: add condition to publish_result key
* chore: skip upload to code scanning if PR
* chore: only runs scorecard in the main repo
Resolves : #25042
2022-10-19 09:05:39 +00:00
Daan De Meyer
0aa1d40649
mkosi: Switch to Fedora 37
...
Official release date is close so let's switch mkosi CI to it already.
2022-10-17 16:02:16 +02:00
Daan De Meyer
71205f972b
mkosi: Add Centos Stream 8 back to CI
...
We can build all of systemd's features again on CentOS Stream 8, so
let's add it back to CI.
2022-10-17 08:45:57 +02:00
Luca Boccassi
da60182759
Merge pull request #24933 from keszybz/erradicate-strerror
...
Erradicate strerror
2022-10-11 21:47:38 +02:00
Zbigniew Jędrzejewski-Szmek
0cf1a4b3a7
Get rid of strerror_safe()
2022-10-11 16:59:00 +02:00
Luca Boccassi
dcf1bf3b6d
mkosi: update to latest commit
...
Require dto fix Debian testing/unstable builds, as the initrd is
versioned
2022-10-10 13:19:41 +02:00
Luca Boccassi
47819da972
Enable PR template for RC phase
2022-10-07 16:37:36 +02:00
dependabot[bot]
8ef866ace4
build(deps): bump ninja from 1.10.2.3 to 1.10.2.4 in /.github/workflows
...
Bumps [ninja](https://github.com/ninja-build/ninja ) from 1.10.2.3 to 1.10.2.4.
- [Release notes](https://github.com/ninja-build/ninja/releases )
- [Commits](https://github.com/ninja-build/ninja/commits )
---
updated-dependencies:
- dependency-name: ninja
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-01 14:36:48 +02:00
Frantisek Sumsal
f00fe51b9c
ci: pin stefanbuck/github-issue-parser to a tagged release
...
Since [0] got resolved ([1]) we can finally pin the action to a tagged
release (v2.0.4 ATTOW) and let Dependabot to do its job by updating it
to the latest tagged release when it becomes available.
Replaces: #24886
[0] https://github.com/stefanbuck/github-issue-parser/issues/23
[1] https://github.com/stefanbuck/github-issue-parser/pull/39
2022-10-01 14:35:41 +02:00
dependabot[bot]
e316ab5747
build(deps): bump actions/labeler from 4.0.0 to 4.0.1
...
Bumps [actions/labeler](https://github.com/actions/labeler ) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/labeler/releases )
- [Commits](9fd24f1f9d...e54e5b338f
2022-10-01 13:04:34 +02:00
dependabot[bot]
254c049ccb
build(deps): bump redhat-plumbers-in-action/differential-shellcheck
...
Bumps [redhat-plumbers-in-action/differential-shellcheck](https://github.com/redhat-plumbers-in-action/differential-shellcheck ) from 3.0.1 to 3.1.1.
- [Release notes](https://github.com/redhat-plumbers-in-action/differential-shellcheck/releases )
- [Changelog](https://github.com/redhat-plumbers-in-action/differential-shellcheck/blob/main/CHANGELOG.md )
- [Commits](a14889568f...1b1b75e42f
2022-10-01 13:04:15 +02:00
dependabot[bot]
5d4ba4e534
build(deps): bump meson from 0.63.1 to 0.63.2 in /.github/workflows
...
Bumps [meson](https://github.com/mesonbuild/meson ) from 0.63.1 to 0.63.2.
- [Release notes](https://github.com/mesonbuild/meson/releases )
- [Commits](https://github.com/mesonbuild/meson/compare/0.63.1...0.63.2 )
---
updated-dependencies:
- dependency-name: meson
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-10-01 13:00:45 +02:00
Frantisek Sumsal
9fe61660ba
ci: fix a couple of typos
2022-09-14 22:09:19 +02:00
Frantisek Sumsal
5e781e07db
ci: enable a couple more possibly useful CodeQL queries
2022-09-14 22:09:19 +02:00
Frantisek Sumsal
d97733908b
ci: rename codeql-analysis.yml to codeql.yml
...
Just to be consistent with other repos under the systemd umbrella.
2022-09-14 19:13:49 +02:00
Frantisek Sumsal
736a1df747
ci: limit scope for the CodeQL scan
...
Don't run the workflow unnecessarily for non-{cpp,python} related changes.
2022-09-13 21:32:15 +02:00
Frantisek Sumsal
774cf0d8fd
ci: drop LGTM stuff and move remaining bits into a new location
2022-09-13 21:32:15 +02:00
Frantisek Sumsal
27d6281158
ci: run CodeQL on push to main/stable branches as well
...
Since we need results for the base branches as well in order to have
something to compare against.
Follow-up to cbe25d0dcc
2022-09-13 21:18:44 +02:00
Frantisek Sumsal
cbe25d0dcc
ci: run CodeQL on every PR
...
Since LGTM is no longer enabled for the systemd repo (as it's going to
be discontinued by the EOY), let's run CodeQL on every PR instead to
replace it.
2022-09-14 03:55:16 +09:00
Jan Macku
500ca79f22
issue-templates: Add note about updating labeling policy
2022-09-07 10:51:48 +02:00
Jan Macku
a4965366ec
ci(issue-labeler): Update to advanced-issue-labeler@v2
...
The new version of `advanced-issue-labeler` GitHub Action introduces new
structure of policy that requires adjustments to systemd issue labeling
policy.
Changes introduced in v2.0.0 - https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases/tag/v2.0.0
2022-09-07 10:43:48 +02:00
Jan Macku
3a8352cbf3
ci(issue-labeler): Add missing policy for coredump label
2022-09-06 14:59:00 +00:00
Luca Boccassi
31ed4b9147
mkosi: update to latest commit
...
Required to fix Debian testing/unstable builds, as resolved is
now in its own package
2022-09-02 19:46:54 +01:00
