test: add coverage for kernel keyring in TEST-50-DISSECT

Use the kernel keyring to verify images in the dissect test.
The userspace keyring is still covered by the DDI and mountfsd tests.

man/importctl.xml

@@ -340,7 +340,7 @@
         <term><option>--machine=</option></term>
 
         <listitem><para>Connect to
-        <citerefentry><refentrytitle>systemd-import.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        <citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
         running in a local container, to perform the specified operation within the container.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>

man/kernel-command-line.xml

@@ -768,7 +768,7 @@
         <term><varname>systemd.tpm2_allow_clear=</varname></term>
 
         <listitem><para>Controls whether to allow clearing of the TPM chip, implemented by
-        <citerefentry><refentrytitle>systemd-tpm2-clear</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+        <citerefentry><refentrytitle>systemd-tpm2-clear.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
 
         <xi:include href="version-info.xml" xpointer="v258"/></listitem>
       </varlistentry>

man/libsystemd.xml

@@ -62,7 +62,8 @@
     <citerefentry><refentrytitle>sd-id128</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
     <citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
     <citerefentry><refentrytitle>sd-json</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-    <citerefentry><refentrytitle>sd-login</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>sd-login</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+    <citerefentry><refentrytitle>sd-path</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
     and
     <citerefentry><refentrytitle>sd-varlink</refentrytitle><manvolnum>3</manvolnum></citerefentry>
     for information about different parts of the library interface.</para>

man/logind.conf.xml

@@ -419,8 +419,8 @@
                configuration knobs. -->
           <para>
             Controls whether
-            <citerefentry><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry> messages
-            should be sent to the terminals of all currently logged in users upon shutdown or
+            <citerefentry project='die-net'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+            messages should be sent to the terminals of all currently logged in users upon shutdown or
             reboot. Defaults to <literal>yes</literal>, and can be changed at runtime via the DBus
             <literal>EnableWallMessages</literal> and <literal>WallMessagePrefix</literal> properties.
           </para>

man/org.freedesktop.timedate1.xml

@@ -196,8 +196,8 @@ $ gdbus introspect --system \
     <title>See Also</title>
     <para><simplelist type="inline">
       <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
-      <member><citerefentry><refentrytitle>systemd-timedate.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
-      <member><citerefentry><refentrytitle>timedatectl.service</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-timedated.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
       <member><ulink url="https://lists.freedesktop.org/archives/systemd-devel/2011-May/002526.html">More information on how the system clock and RTC interact</ulink></member>
     </simplelist></para>
   </refsect1>

man/org.freedesktop.timesync1.xml

@@ -157,7 +157,7 @@ $ gdbus introspect --system \
     <title>See Also</title>
     <para><simplelist type="inline">
       <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
-      <member><citerefentry><refentrytitle>systemd-timesync.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-timesyncd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
     </simplelist></para>
   </refsect1>
 </refentry>

man/rules/meson.build

@@ -154,6 +154,7 @@ manpages = [
  ['sd-journal', '3', [], ''],
  ['sd-json', '3', [], ''],
  ['sd-login', '3', [], 'HAVE_PAM'],
+ ['sd-path', '3', [], ''],
  ['sd-varlink', '3', [], ''],
  ['sd_booted', '3', [], ''],
  ['sd_bus_add_match',

man/sd-path.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="sd-path"
+  xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>sd-path</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>sd-path</refentrytitle>
+    <manvolnum>3</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sd-path</refname>
+    <refpurpose>APIs to query file system paths</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;systemd/sd-path.h&gt;</funcsynopsisinfo>
+    </funcsynopsis>
+
+    <cmdsynopsis>
+      <command>pkg-config --cflags --libs libsystemd</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><filename>sd-path.h</filename> is part of
+    <citerefentry><refentrytitle>libsystemd</refentrytitle><manvolnum>3</manvolnum></citerefentry> and
+    provides APIs to query file system paths. This functionality is similar to the command-line
+    functionality provided by
+    <citerefentry><refentrytitle>systemd-path</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+    </para>
+
+    <para>See
+    <citerefentry><refentrytitle>sd_path_lookup</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+    for information about the functions available.</para>
+  </refsect1>
+
+  <xi:include href="libsystemd-pkgconfig.xml" />
+
+  <refsect1>
+    <title>See Also</title>
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-path</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+    </simplelist></para>
+  </refsect1>
+</refentry>

man/systemd-dissect.xml

@@ -321,8 +321,8 @@
         specified output archive file name, e.g. any path suffixed with <literal>.tar.xz</literal> will
         result in an xz compressed UNIX tarball (if the path is omitted an uncompressed UNIX tarball is
         created). See
-        <citerefentry><refentrytitle>libarchive</refentrytitle><manvolnum>3</manvolnum></citerefentry> for a
-        list of supported archive formats and compression schemes.</para>
+        <citerefentry project='die-net'><refentrytitle>libarchive</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+        for a list of supported archive formats and compression schemes.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>

man/systemd-vmspawn.xml

@@ -413,7 +413,7 @@
 
           <listitem><para>Controls user namespacing under <option>--directory=</option>.
           If enabled,
-          <citerefentry><refentrytitle>virtiofsd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+          <citerefentry project='url'><refentrytitle url='https://manpages.debian.org/unstable/qemu-system-common/virtiofsd.1.en.html'>virtiofsd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
           is instructed to map user and group ids (UIDs and GIDs).
           This involves mapping the private UIDs/GIDs used in the virtual machine (starting with the virtual machine's
           root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other purposes (usually in the

man/systemd.image-policy.xml

@@ -185,7 +185,6 @@
       <member><citerefentry><refentrytitle>systemd-gpt-auto-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
-      <member><citerefentry><refentrytitle>systemd.filter</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
     </simplelist></para>
   </refsect1>
 

man/systemd.system-credentials.xml

@@ -500,7 +500,7 @@
           <filename>/etc/userdb/foobar.group</filename>. Symlinks for the uid/gid will also be created in
           <filename>/etc/userdb/</filename>, as well as the corresponding<filename>.membership</filename>
           files. See
-          <citerefentry><refentrytitle>systemd-userdb</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+          <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
           <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, and
           <citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
           for details.</para>

mkosi/mkosi.finalize

@@ -13,3 +13,6 @@ if [ -n "$EFI_ARCHITECTURE" ]; then
         --secureboot-certificate "$SRCDIR/mkosi/mkosi.crt" \
         --secureboot-private-key "$SRCDIR/mkosi/mkosi.key"
 fi
+
+# Used to sign artifacts verified by kernel platform keyring
+cp "$SRCDIR/mkosi/mkosi.crt" "$SRCDIR/mkosi/mkosi.key" "$BUILDROOT/usr/share/"

src/boot/chid.c

@@ -105,7 +105,8 @@ EFI_STATUS chid_match(const void *hwid_buffer, size_t hwid_length, uint32_t matc
         const Device *devices = ASSERT_PTR(hwid_buffer);
 
         EFI_GUID chids[CHID_TYPES_MAX] = {};
-        static const size_t priority[] = { 17, 16, 15, 3, 6, 8, 10, 4, 5, 7, 9, 11 }; /* From most to least specific. */
+        static const size_t priority[] = { EXTRA_CHID_BASE + 2, EXTRA_CHID_BASE + 1, EXTRA_CHID_BASE + 0,
+                                           3, 6, 8, 10, 4, 5, 7, 9, 11 }; /* From most to least specific. */
 
         status = populate_board_chids(chids);
         if (EFI_STATUS_IS_ERROR(status))

test/integration-tests/TEST-50-DISSECT/meson.build

@@ -4,5 +4,6 @@ integration_tests += [
         integration_test_template + {
                 'name' : fs.name(meson.current_source_dir()),
                 'vm' : true,
+                'firmware' : 'auto',
         },
 ]

test/units/TEST-50-DISSECT.dissect.sh

@@ -9,6 +9,18 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
+# Requires kernel built with certain kconfigs, as listed in README:
+# https://oracle.github.io/kconfigs/?config=UTS_RELEASE&config=DM_VERITY_VERIFY_ROOTHASH_SIG&config=DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING&config=DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING&config=IMA_ARCH_POLICY&config=INTEGRITY_MACHINE_KEYRING
+if grep -q "$(openssl x509 -noout -subject -in /usr/share/mkosi.crt | sed 's/^.*CN=//')" /proc/keys && \
+        ( . /etc/os-release; [ "$ID" != "centos" ] || systemd-analyze compare-versions "$VERSION_ID" ge 10 ) && \
+        ( . /etc/os-release; [ "$ID" != "debian" ] || systemd-analyze compare-versions "$VERSION_ID" ge 13 ) && \
+        ( . /etc/os-release; [ "$ID" != "ubuntu" ] || systemd-analyze compare-versions "$VERSION_ID" ge 24.04 ) && \
+        systemd-analyze compare-versions "$(cryptsetup --version | sed 's/^cryptsetup \([0-9]*\.[0-9]*\.[0-9]*\) .*/\1/')" ge 2.3.0; then
+    verity_sig_supported=1
+else
+    verity_sig_supported=0
+fi
+
 systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \
     grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"'
 systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1"
@@ -71,6 +83,10 @@ if [[ "$verity_count" -lt 1 ]]; then
     echo "Verity device $MINIMAL_IMAGE.raw not found in /dev/mapper/"
     exit 1
 fi
+# Ensure the kernel is verifying the signature if the mkosi key is in the keyring
+if [ "$verity_sig_supported" -eq 1 ]; then
+    veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
+fi
 systemd-dissect --umount "$IMAGE_DIR/mount"
 systemd-dissect --umount "$IMAGE_DIR/mount2"
 
@@ -729,6 +745,10 @@ ExecStart=bash -x -c ' \
 EOF
 systemctl start testservice-50k.service
 systemctl is-active testservice-50k.service
+# Ensure the kernel is verifying the signature if the mkosi key is in the keyring
+if [ "$verity_sig_supported" -eq 1 ]; then
+    veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
+fi
 # First reload should pick up the v1 marker
 mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
 systemctl reload testservice-50k.service

test/units/TEST-50-DISSECT.sh

@@ -110,17 +110,9 @@ install_extension_images
 
 OS_RELEASE="$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)"
 
-if systemctl --version | grep -q -- +OPENSSL ; then
-    # The openssl binary is installed conditionally. If we have OpenSSL support enabled and openssl is
-    # missing, fail early with a proper error message.
-    if ! command -v openssl &>/dev/null; then
-        echo "openssl binary is missing" >/failed
-        exit 1
-    fi
-
-    OPENSSL_CONFIG="$(mktemp)"
-    # Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
-    cat >"${OPENSSL_CONFIG:?}" <<EOF
+OPENSSL_CONFIG="$(mktemp)"
+# Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
+cat >"${OPENSSL_CONFIG:?}" <<EOF
 [ req ]
 prompt = no
 distinguished_name = req_distinguished_name
@@ -134,7 +126,6 @@ OU = Org Unit Name
 CN = Common Name
 emailAddress = test@email.com
 EOF
-fi
 
 # Make a GPT disk on the fly, with the squashfs as partition 1 and the verity hash tree as partition 2
 #
@@ -154,25 +145,17 @@ fi
 verity_size="$((verity_size * 2))KiB"
 signature_size="$((signature_size * 2))KiB"
 
-if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
-    # Create key pair
-    openssl req -config "$OPENSSL_CONFIG" -new -x509 -newkey rsa:1024 \
-                -keyout "$MINIMAL_IMAGE.key" -out "$MINIMAL_IMAGE.crt" -days 365 -nodes
-    # Sign Verity root hash with it
-    openssl smime -sign -nocerts -noattr -binary \
+# Sign Verity root hash with mkosi key
+openssl smime -sign -nocerts -noattr -binary \
                 -in "$MINIMAL_IMAGE.roothash" \
-                  -inkey "$MINIMAL_IMAGE.key" \
-                  -signer "$MINIMAL_IMAGE.crt" \
+                -inkey /usr/share/mkosi.key \
+                -signer /usr/share/mkosi.crt \
                 -outform der \
                 -out "$MINIMAL_IMAGE.roothash.p7s"
-    # Generate signature partition JSON data
-    echo '{"rootHash":"'"$MINIMAL_IMAGE_ROOTHASH"'","signature":"'"$(base64 -w 0 <"$MINIMAL_IMAGE.roothash.p7s")"'"}' >"$MINIMAL_IMAGE.verity-sig"
-    # Pad it
-    truncate -s "$signature_size" "$MINIMAL_IMAGE.verity-sig"
-    # Register certificate in the (userspace) verity key ring
-    mkdir -p /run/verity.d
-    ln -s "$MINIMAL_IMAGE.crt" /run/verity.d/ok.crt
-fi
+# Generate signature partition JSON data
+echo '{"rootHash":"'"$MINIMAL_IMAGE_ROOTHASH"'","signature":"'"$(base64 -w 0 <"$MINIMAL_IMAGE.roothash.p7s")"'"}' >"$MINIMAL_IMAGE.verity-sig"
+# Pad it
+truncate -s "$signature_size" "$MINIMAL_IMAGE.verity-sig"
 
 # Construct a UUID from hash
 # input:  11111111222233334444555566667777
@@ -181,30 +164,23 @@ uuid="$(head -c 32 "$MINIMAL_IMAGE.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4}
 echo -e "label: gpt\nsize=$root_size, type=$ROOT_GUID, uuid=$uuid" | sfdisk "$MINIMAL_IMAGE.gpt"
 uuid="$(tail -c 32 "$MINIMAL_IMAGE.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/')"
 echo -e "size=$verity_size, type=$VERITY_GUID, uuid=$uuid" | sfdisk "$MINIMAL_IMAGE.gpt" --append
-if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
-    echo -e "size=$signature_size, type=$SIGNATURE_GUID" | sfdisk "$MINIMAL_IMAGE.gpt" --append
-fi
+echo -e "size=$signature_size, type=$SIGNATURE_GUID" | sfdisk "$MINIMAL_IMAGE.gpt" --append
+
 sfdisk --part-label "$MINIMAL_IMAGE.gpt" 1 "Root Partition"
 sfdisk --part-label "$MINIMAL_IMAGE.gpt" 2 "Verity Partition"
-if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
-    sfdisk --part-label "$MINIMAL_IMAGE.gpt" 3 "Signature Partition"
-fi
+sfdisk --part-label "$MINIMAL_IMAGE.gpt" 3 "Signature Partition"
 loop="$(losetup --show -P -f "$MINIMAL_IMAGE.gpt")"
 partitions=(
     "${loop:?}p1"
     "${loop:?}p2"
+    "${loop:?}p3"
 )
-if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
-    partitions+=("${loop:?}p3")
-fi
 # The kernel sometimes(?) does not emit "add" uevent for loop block partition devices.
 # Let's not expect the devices to be initialized.
 udevadm wait --timeout=60 --settle --initialized=no "${partitions[@]}"
 udevadm lock --timeout=60 --device="${loop}p1" dd if="$MINIMAL_IMAGE.raw" of="${loop}p1"
 udevadm lock --timeout=60 --device="${loop}p2" dd if="$MINIMAL_IMAGE.verity" of="${loop}p2"
-if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
-    udevadm lock --timeout=60 --device="${loop}p3" dd if="$MINIMAL_IMAGE.verity-sig" of="${loop}p3"
-fi
+udevadm lock --timeout=60 --device="${loop}p3" dd if="$MINIMAL_IMAGE.verity-sig" of="${loop}p3"
 losetup -d "$loop"
 udevadm settle --timeout=60