Compare commits
20 Commits
1f8da0f460
...
0d1487596f
Author | SHA1 | Date |
---|---|---|
Daan De Meyer | 0d1487596f | |
Anselm Schueler | 73f4882ef3 | |
Zbigniew Jędrzejewski-Szmek | 9a10d7eae5 | |
Daan De Meyer | 5f05ba1d24 | |
Daan De Meyer | 3fcb78a819 | |
Luca Boccassi | bb5936f7f3 | |
Yu Watanabe | 869fe6c9e4 | |
Luca Boccassi | 9a032ec55a | |
Oğuz Ersen | 100ceecc6c | |
Luna Jernberg | af76e987e8 | |
Sergey A | d73735fbe1 | |
Piotr Drąg | 01aafdf637 | |
Andika Triwidada | 67c1f6bf04 | |
Léane GRASSER | b0cb4c70a9 | |
Temuri Doghonadze | e75d25ac1e | |
김인수 | d9b96bf093 | |
Antonio Alvarez Feijoo | 215292d09e | |
Daan De Meyer | c59ed3b80d | |
Daan De Meyer | 44f354aa9b | |
Daan De Meyer | 583c305d15 |
|
@ -18,7 +18,7 @@ body:
|
|||
If a distro build is used, please just paste the package version, e.g. `systemd-254.7-1.fc39.x86_64`.
|
||||
See https://github.com/systemd/systemd-stable/tags for the list of most recent releases.
|
||||
For older version please use distribution trackers (see https://systemd.io/CONTRIBUTING#filing-issues).
|
||||
placeholder: '255'
|
||||
placeholder: '256.x'
|
||||
validations:
|
||||
required: true
|
||||
|
||||
|
|
|
@ -121,6 +121,6 @@ body:
|
|||
attributes:
|
||||
label: The systemd version you checked that didn't have the feature you are asking for
|
||||
description: If this is not the most recently released upstream version, then please check first if it has that feature already.
|
||||
placeholder: '255'
|
||||
placeholder: '256.x'
|
||||
validations:
|
||||
required: false
|
||||
|
|
|
@ -529,8 +529,9 @@
|
|||
<varlistentry>
|
||||
<term><option>--secure-boot-auto-enroll=yes|no</option></term>
|
||||
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
|
||||
<term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
|
||||
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
||||
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
|
||||
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
||||
|
||||
<listitem><para>Configure the ESP for secure boot auto-enrollment when invoking the
|
||||
<command>install</command> command. Takes a boolean argument. Disabled by default. Enabling this
|
||||
|
@ -542,9 +543,12 @@
|
|||
|
||||
<para>When specifying this option, a certificate and private key have to be provided as well using
|
||||
the <option>--certificate=</option> and <option>--private-key=</option> options. The
|
||||
<option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate. The
|
||||
<option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
|
||||
engine or provider, as specified by <option>--private-key-source=</option> as a
|
||||
<option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate or a URI
|
||||
that's passed to the OpenSSL provider configured with <option>--certificate-source</option> which
|
||||
takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
|
||||
by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
|
||||
The <option>--private-key=</option> option can take a path or a URI that will be passed to the
|
||||
OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
|
||||
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
|
||||
signing engine or provider will be used to sign the EFI signature lists.</para>
|
||||
|
||||
|
|
|
@ -191,7 +191,7 @@
|
|||
<literal>+drivers:</literal> followed by its driver subsystem and sysfs name separated with a colon.
|
||||
Example: <literal>+drivers:pci:iwlwifi</literal> for a driver device record whose driver subsystem is
|
||||
<literal>pci</literal> and sysfs name is <literal>iwlwifi</literal>,
|
||||
When an other type of device is specified, this function returns <literal>+</literal> followed by its
|
||||
When another type of device is specified, this function returns <literal>+</literal> followed by its
|
||||
subsystem and sysfs name separated with a colon. Example: <literal>+acpi:ACPI0003:00</literal>,
|
||||
<literal>+input:input16</literal>, or <literal>+pci:0000:00:1f.6</literal>.</para>
|
||||
</refsect1>
|
||||
|
|
|
@ -241,7 +241,7 @@
|
|||
|
||||
<listitem><para>Controls whether to query the system-wide or the per-user password agents. By default
|
||||
if invoked privileged the system-wide agents are queried, otherwise the per-user ones. These options
|
||||
allow to override this automatic behaviour.</para>
|
||||
allow one to override this automatic behaviour.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||
</varlistentry>
|
||||
|
|
|
@ -104,6 +104,16 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>pcrpkey</command></term>
|
||||
|
||||
<listitem><para>This commands writes the public key to stdout extracted from either the public key
|
||||
given with <option>--public-key=</option>, the certificate given with <option>--certificate=</option>
|
||||
or the private key given with <option>--private-key=</option>.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
@ -188,8 +198,9 @@
|
|||
|
||||
<varlistentry>
|
||||
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
|
||||
<term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
|
||||
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
|
||||
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
||||
<term><option>--certificate=<replaceable>PATH/URI</replaceable></option></term>
|
||||
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
||||
|
||||
<listitem><para>As an alternative to <option>--public-key=</option> for the
|
||||
<command>sign</command> command, these switches can be used to sign with an hardware token. The
|
||||
|
@ -197,6 +208,11 @@
|
|||
provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as
|
||||
engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para>
|
||||
|
||||
<para>The <option>--certificate=</option> option also takes a path or a URI that will be passed to
|
||||
the OpenSSL provider, as specified by <option>--certificate-source=</option> as a
|
||||
<literal>type:name</literal> tuple, such as <literal>provider:pkcs11</literal>. Note that unlike
|
||||
<option>--private-key-source=</option> this option only supports providers and not engines.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
|
|
@ -348,9 +348,9 @@
|
|||
<varlistentry>
|
||||
<term><option>--private-key=</option></term>
|
||||
|
||||
<listitem><para>Takes a file system path. Configures the signing key to use when creating verity
|
||||
signature partitions with the <varname>Verity=signature</varname> setting in partition files.
|
||||
</para>
|
||||
<listitem><para>Takes a file system path or an engine or provider specific designation. Configures
|
||||
the signing key to use when creating verity signature partitions with the
|
||||
<varname>Verity=signature</varname> setting in partition files.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
||||
</varlistentry>
|
||||
|
@ -361,7 +361,7 @@
|
|||
<listitem><para>Takes one of <literal>file</literal>, <literal>engine</literal> or
|
||||
<literal>provider</literal>. In the latter two cases, it is followed by the name of a provider or
|
||||
engine, separated by colon, that will be passed to OpenSSL's "engine" or "provider" logic.
|
||||
Configures the signing mechanism to use when creating verity signature partitions with the
|
||||
Configures how to load the private key to use when creating verity signature partitions with the
|
||||
<varname>Verity=signature</varname> setting in partition files.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||
|
@ -370,13 +370,24 @@
|
|||
<varlistentry>
|
||||
<term><option>--certificate=</option></term>
|
||||
|
||||
<listitem><para>Takes a file system path. Configures the PEM encoded X.509 certificate to use when
|
||||
creating verity signature partitions with the <varname>Verity=signature</varname> setting in
|
||||
partition files.</para>
|
||||
<listitem><para>Takes a file system path or a provider specific designation. Configures the PEM
|
||||
encoded X.509 certificate to use when creating verity signature partitions with the
|
||||
<varname>Verity=signature</varname> setting in partition files.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--certificate-source=</option></term>
|
||||
|
||||
<listitem><para>Takes one of <literal>file</literal>, or <literal>provider</literal>. In the latter
|
||||
case, it is followed by the name of a provider, separated by colon, that will be passed to OpenSSL's
|
||||
"provider" logic. Configures how to load the X.509 certificate to use when creating verity signature
|
||||
partitions with the <varname>Verity=signature</varname> setting in partition files.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--tpm2-device=</option></term>
|
||||
<term><option>--tpm2-pcrs=</option></term>
|
||||
|
|
|
@ -85,11 +85,16 @@
|
|||
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
|
||||
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
||||
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
|
||||
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
||||
|
||||
<listitem><para>Set the Secure Boot private key and certificate for use with the
|
||||
<command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded
|
||||
X.509 certificate. The <option>--private-key=</option> option can take a path or a URI that will be
|
||||
passed to the OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
|
||||
X.509 certificate or a URI that's passed to the OpenSSL provider configured with
|
||||
<option>--certificate-source</option>. The <option>--certificate-source</option> takes one of
|
||||
<literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific
|
||||
provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The
|
||||
<option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
|
||||
engine or provider, as specified by <option>--private-key-source=</option> as a
|
||||
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
|
||||
signing engine or provider will be used to sign the PE binary.</para>
|
||||
|
||||
|
|
|
@ -527,6 +527,17 @@
|
|||
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>CertificateProvider=<replaceable>PROVIDER</replaceable></varname></term>
|
||||
<term><option>--certificate-provider=<replaceable>PROVIDER</replaceable></option></term>
|
||||
|
||||
<listitem><para>An OpenSSL provider to be used for loading the certificate used to sign the
|
||||
resulting binary and PCR measurements. This option can only be used when using
|
||||
<command>systemd-sbsign</command> as the signing tool.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>SignKernel=<replaceable>BOOL</replaceable></varname></term>
|
||||
<term><option>--sign-kernel</option></term>
|
||||
|
|
9
po/de.po
9
po/de.po
|
@ -10,13 +10,13 @@
|
|||
# Christian Kirbach <christian.kirbach@gmail.com>, 2023.
|
||||
# Jarne Förster <fedora@mymailclient.de>, 2024.
|
||||
# Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>, 2024.
|
||||
# Anselm Schueler <mail@anselmschueler.com>, 2024.
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-11-05 13:46+0000\n"
|
||||
"Last-Translator: Weblate Translation Memory <noreply-mt-weblate-translation-"
|
||||
"memory@weblate.org>\n"
|
||||
"PO-Revision-Date: 2024-11-07 13:26+0000\n"
|
||||
"Last-Translator: Anselm Schueler <mail@anselmschueler.com>\n"
|
||||
"Language-Team: German <https://translate.fedoraproject.org/projects/systemd/"
|
||||
"main/de/>\n"
|
||||
"Language: de\n"
|
||||
|
@ -131,9 +131,8 @@ msgstr ""
|
|||
"Benutzers notwendig."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "Einen persönlichen Bereich aktualisieren"
|
||||
msgstr "Deinen persönlichen Bereich aktualisieren"
|
||||
|
||||
# https://www.freedesktop.org/software/systemd/man/sd-login.html
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
|
|
15
po/fr.po
15
po/fr.po
|
@ -12,7 +12,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-11-06 12:46+0000\n"
|
||||
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
|
||||
"Last-Translator: Léane GRASSER <leane.grasser@proton.me>\n"
|
||||
"Language-Team: French <https://translate.fedoraproject.org/projects/systemd/"
|
||||
"main/fr/>\n"
|
||||
|
@ -128,16 +128,13 @@ msgstr ""
|
|||
"utilisateur."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "Mettre à jour un espace personnel"
|
||||
msgstr "Mettre à jour votre espace personnel"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr ""
|
||||
"Une authentification est requise pour mettre à jour l'espace personnel d'un "
|
||||
"utilisateur."
|
||||
"Une authentification est requise pour mettre à jour votre espace personnel."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:63
|
||||
msgid "Resize a home area"
|
||||
|
@ -1261,14 +1258,12 @@ msgstr ""
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "Gérer les fonctionnalités en option"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr ""
|
||||
"Une authentification est requise pour gérer les sessions actives, les "
|
||||
"utilisateurs et les postes (seats)."
|
||||
"Une authentification est requise pour gérer les fonctionnalités en option."
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
15
po/id.po
15
po/id.po
|
@ -6,7 +6,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-10-27 05:38+0000\n"
|
||||
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
|
||||
"Last-Translator: Andika Triwidada <andika@gmail.com>\n"
|
||||
"Language-Team: Indonesian <https://translate.fedoraproject.org/projects/"
|
||||
"systemd/main/id/>\n"
|
||||
|
@ -15,7 +15,7 @@ msgstr ""
|
|||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=1; plural=0;\n"
|
||||
"X-Generator: Weblate 5.7.2\n"
|
||||
"X-Generator: Weblate 5.8.2\n"
|
||||
|
||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||
msgid "Send passphrase back to system"
|
||||
|
@ -112,14 +112,12 @@ msgid "Authentication is required to update a user's home area."
|
|||
msgstr "Otentikasi diperlukan untuk memperbarui suatu area rumah pengguna."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "Memperbarui suatu area rumah"
|
||||
msgstr "Memperbarui area rumah Anda"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr "Otentikasi diperlukan untuk memperbarui suatu area rumah pengguna."
|
||||
msgstr "Otentikasi diperlukan untuk memperbarui area rumah Anda."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:63
|
||||
msgid "Resize a home area"
|
||||
|
@ -1166,12 +1164,11 @@ msgstr "Otentikasi diperlukan untuk membersihkan pembaruan sistem lama."
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "Kelola fitur opsional"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr "Otentikasi diperlukan untuk mengelola seat, pengguna, dan sesi aktif."
|
||||
msgstr "Otentikasi diperlukan untuk mengelola fitur opsional"
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
17
po/ka.po
17
po/ka.po
|
@ -5,7 +5,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-08-24 10:36+0000\n"
|
||||
"PO-Revision-Date: 2024-11-07 02:35+0000\n"
|
||||
"Last-Translator: Temuri Doghonadze <temuri.doghonadze@gmail.com>\n"
|
||||
"Language-Team: Georgian <https://translate.fedoraproject.org/projects/"
|
||||
"systemd/main/ka/>\n"
|
||||
|
@ -14,7 +14,7 @@ msgstr ""
|
|||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=2; plural=n != 1;\n"
|
||||
"X-Generator: Weblate 5.7\n"
|
||||
"X-Generator: Weblate 5.8.2\n"
|
||||
|
||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||
msgid "Send passphrase back to system"
|
||||
|
@ -108,14 +108,12 @@ msgid "Authentication is required to update a user's home area."
|
|||
msgstr "სახლის ტერიტორიის განახლებისთვის საჭიროა ავთენტიკაცია."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "სახლის ტერიტორიის განახლება"
|
||||
msgstr "თქვენი სახლის ტერიტორიის განახლება"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr "სახლის ტერიტორიის განახლებისთვის საჭიროა ავთენტიკაცია."
|
||||
msgstr "თქვენი სახლის ტერიტორიის განახლებისთვის საჭიროა ავთენტიკაცია."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:63
|
||||
msgid "Resize a home area"
|
||||
|
@ -1164,14 +1162,11 @@ msgstr "ძველი სისტემური განახლებე
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "არასავალდებულო ფუნქციების მართვა"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr ""
|
||||
"აქტიური სესიების, მომხმარებლებისა და სამუშაო მაგიდების მართვას ავთენტიკაცია "
|
||||
"სჭირდება."
|
||||
msgstr "არასავალდებულო ფუნქციების მართვას ავთენტიკაცია სჭირდება"
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
13
po/ko.po
13
po/ko.po
|
@ -9,7 +9,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-08-24 10:36+0000\n"
|
||||
"PO-Revision-Date: 2024-11-07 02:35+0000\n"
|
||||
"Last-Translator: 김인수 <simmon@nplob.com>\n"
|
||||
"Language-Team: Korean <https://translate.fedoraproject.org/projects/systemd/"
|
||||
"main/ko/>\n"
|
||||
|
@ -18,7 +18,7 @@ msgstr ""
|
|||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=1; plural=0;\n"
|
||||
"X-Generator: Weblate 5.7\n"
|
||||
"X-Generator: Weblate 5.8.2\n"
|
||||
"X-Poedit-SourceCharset: UTF-8\n"
|
||||
|
||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||
|
@ -109,12 +109,10 @@ msgid "Authentication is required to update a user's home area."
|
|||
msgstr "사용자 홈 영역을 최신화 하려면 인증이 필요합니다."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "홈 영역을 최신화"
|
||||
msgstr "자신의 홈 영역 최신화"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr "사용자 홈 영역을 최신화 하려면 인증이 필요합니다."
|
||||
|
||||
|
@ -1117,12 +1115,11 @@ msgstr "오래된 시스템 최신화를 정리하려면 인증이 필요합니
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "추가 사양을 관리합니다"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr "활성 세션, 사용자 시트를 관리하려면 인증이 필요합니다."
|
||||
msgstr "추가 사양을 관리하려면 인증이 필요합니다"
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
17
po/pl.po
17
po/pl.po
|
@ -7,7 +7,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-08-24 10:36+0000\n"
|
||||
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
|
||||
"Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
|
||||
"Language-Team: Polish <https://translate.fedoraproject.org/projects/systemd/"
|
||||
"main/pl/>\n"
|
||||
|
@ -17,7 +17,7 @@ msgstr ""
|
|||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
|
||||
"|| n%100>=20) ? 1 : 2;\n"
|
||||
"X-Generator: Weblate 5.7\n"
|
||||
"X-Generator: Weblate 5.8.2\n"
|
||||
|
||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||
msgid "Send passphrase back to system"
|
||||
|
@ -122,15 +122,13 @@ msgstr ""
|
|||
"użytkownika."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "Aktualizacja przestrzeni domowej"
|
||||
msgstr "Aktualizacja przestrzeni domowej tego użytkownika"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr ""
|
||||
"Wymagane jest uwierzytelnienie, aby zaktualizować przestrzeń domową "
|
||||
"Wymagane jest uwierzytelnienie, aby zaktualizować przestrzeń domową tego "
|
||||
"użytkownika."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:63
|
||||
|
@ -1212,14 +1210,11 @@ msgstr ""
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "Zarządzanie funkcjami opcjonalnymi"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr ""
|
||||
"Wymagane jest uwierzytelnienie, aby zarządzać aktywnymi sesjami, "
|
||||
"użytkownikami i stanowiskami."
|
||||
msgstr "Wymagane jest uwierzytelnienie, aby zarządzać funkcjami opcjonalnymi."
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
15
po/ru.po
15
po/ru.po
|
@ -14,7 +14,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-08-25 11:38+0000\n"
|
||||
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
|
||||
"Last-Translator: \"Sergey A.\" <Ser82-png@yandex.ru>\n"
|
||||
"Language-Team: Russian <https://translate.fedoraproject.org/projects/systemd/"
|
||||
"main/ru/>\n"
|
||||
|
@ -24,7 +24,7 @@ msgstr ""
|
|||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
|
||||
"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
|
||||
"X-Generator: Weblate 5.7\n"
|
||||
"X-Generator: Weblate 5.8.2\n"
|
||||
|
||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||
msgid "Send passphrase back to system"
|
||||
|
@ -130,16 +130,13 @@ msgstr ""
|
|||
"аутентификацию."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "Обновить домашнее пространство"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr ""
|
||||
"Чтобы обновить домашнее пространство пользователя, необходимо пройти "
|
||||
"аутентификацию."
|
||||
"Чтобы обновить ваше домашнее пространство, необходимо пройти аутентификацию."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:63
|
||||
msgid "Resize a home area"
|
||||
|
@ -1278,14 +1275,12 @@ msgstr ""
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "Управление дополнительными функциями"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr ""
|
||||
"Для управления текущими сеансами, пользователями и рабочими местами, "
|
||||
"необходимо пройти аутентификацию."
|
||||
"Для управления дополнительными функциями необходимо пройти аутентификацию."
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
18
po/sv.po
18
po/sv.po
|
@ -12,8 +12,8 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-10-24 00:56+0000\n"
|
||||
"Last-Translator: Anders Jonsson <anders.jonsson@norsjovallen.se>\n"
|
||||
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
|
||||
"Last-Translator: Luna Jernberg <bittin@reimu.nl>\n"
|
||||
"Language-Team: Swedish <https://translate.fedoraproject.org/projects/systemd/"
|
||||
"main/sv/>\n"
|
||||
"Language: sv\n"
|
||||
|
@ -21,7 +21,7 @@ msgstr ""
|
|||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=2; plural=n != 1;\n"
|
||||
"X-Generator: Weblate 5.7.2\n"
|
||||
"X-Generator: Weblate 5.8.2\n"
|
||||
|
||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||
msgid "Send passphrase back to system"
|
||||
|
@ -117,14 +117,12 @@ msgid "Authentication is required to update a user's home area."
|
|||
msgstr "Autentisering krävs för att uppdatera en användares hemarea."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "Uppdatera en hemarea"
|
||||
msgstr "Uppdatera din hemarea"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr "Autentisering krävs för att uppdatera en användares hemarea."
|
||||
msgstr "Autentisering krävs för att uppdatera din hemarea."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:63
|
||||
msgid "Resize a home area"
|
||||
|
@ -1172,13 +1170,11 @@ msgstr "Autentisering krävs för att rensa gamla systemuppdateringar."
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "Hantera valfria funktioner"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr ""
|
||||
"Autentisering krävs för att hantera aktiva sessioner, användare och platser."
|
||||
msgstr "Autentisering krävs för att hantera valfria funktioner"
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
17
po/tr.po
17
po/tr.po
|
@ -10,7 +10,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
|
||||
"PO-Revision-Date: 2024-08-25 11:38+0000\n"
|
||||
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
|
||||
"Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
|
||||
"Language-Team: Turkish <https://translate.fedoraproject.org/projects/systemd/"
|
||||
"main/tr/>\n"
|
||||
|
@ -19,7 +19,7 @@ msgstr ""
|
|||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=1; plural=0;\n"
|
||||
"X-Generator: Weblate 5.7\n"
|
||||
"X-Generator: Weblate 5.8.2\n"
|
||||
|
||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||
msgid "Send passphrase back to system"
|
||||
|
@ -117,14 +117,12 @@ msgid "Authentication is required to update a user's home area."
|
|||
msgstr "Bir kullanıcının ev alanını güncellemek kimlik doğrulaması gerektirir."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:53
|
||||
#, fuzzy
|
||||
msgid "Update your home area"
|
||||
msgstr "Ev alanını güncelle"
|
||||
msgstr "Ev alanınızı güncelleyin"
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:54
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to update your home area."
|
||||
msgstr "Bir kullanıcının ev alanını güncellemek kimlik doğrulaması gerektirir."
|
||||
msgstr "Ev alanınızı güncellemek kimlik doğrulaması gerektirir."
|
||||
|
||||
#: src/home/org.freedesktop.home1.policy:63
|
||||
msgid "Resize a home area"
|
||||
|
@ -1221,14 +1219,11 @@ msgstr ""
|
|||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
|
||||
msgid "Manage optional features"
|
||||
msgstr ""
|
||||
msgstr "İsteğe bağlı özellikleri yönet"
|
||||
|
||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
|
||||
#, fuzzy
|
||||
msgid "Authentication is required to manage optional features"
|
||||
msgstr ""
|
||||
"Aktif oturumları, kullanıcıları ve yuvaları yönetmek için kimlik doğrulaması "
|
||||
"gereklidir."
|
||||
msgstr "İsteğe bağlı özellikleri yönetmek için kimlik doğrulaması gereklidir"
|
||||
|
||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||
msgid "Set system time"
|
||||
|
|
|
@ -956,10 +956,26 @@ int verb_install(int argc, char *argv[], void *userdata) {
|
|||
graceful = !install && arg_graceful; /* support graceful mode for updates */
|
||||
|
||||
if (arg_secure_boot_auto_enroll) {
|
||||
r = openssl_load_x509_certificate(arg_certificate, &certificate);
|
||||
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
r = openssl_load_x509_certificate(
|
||||
arg_certificate_source_type,
|
||||
arg_certificate_source,
|
||||
arg_certificate,
|
||||
&certificate);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
|
||||
|
||||
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &arg_private_key);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse private key path %s: %m", arg_private_key);
|
||||
}
|
||||
|
||||
r = openssl_load_private_key(
|
||||
arg_private_key_source_type,
|
||||
arg_private_key_source,
|
||||
|
|
|
@ -64,6 +64,8 @@ ImagePolicy *arg_image_policy = NULL;
|
|||
bool arg_varlink = false;
|
||||
bool arg_secure_boot_auto_enroll = false;
|
||||
char *arg_certificate = NULL;
|
||||
CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
|
||||
char *arg_certificate_source = NULL;
|
||||
char *arg_private_key = NULL;
|
||||
KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
|
||||
char *arg_private_key_source = NULL;
|
||||
|
@ -77,6 +79,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
|
|||
STATIC_DESTRUCTOR_REGISTER(arg_efi_boot_option_description, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
|
||||
|
||||
|
@ -295,9 +298,14 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
" Specify how to use KEY for --private-key=. Allows\n"
|
||||
" an OpenSSL engine/provider to be used when setting\n"
|
||||
" up secure boot auto-enrollment\n"
|
||||
" --certificate=PATH\n"
|
||||
" PEM certificate to use when setting up secure boot\n"
|
||||
" auto-enrollment\n"
|
||||
" --certificate=PATH|URI\n"
|
||||
" PEM certificate to use when setting up Secure Boot\n"
|
||||
" auto-enrollment, or a provider specific designation\n"
|
||||
" if --certificate-source= is used\n"
|
||||
" --certificate-source=file|provider:PROVIDER\n"
|
||||
" Specify how to interpret the certificate from\n"
|
||||
" --certificate=. Allows the certificate to be loaded\n"
|
||||
" from an OpenSSL provider\n"
|
||||
"\nSee the %2$s for details.\n",
|
||||
program_invocation_short_name,
|
||||
link,
|
||||
|
@ -332,6 +340,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
ARG_PRINT_STUB_PATH,
|
||||
ARG_SECURE_BOOT_AUTO_ENROLL,
|
||||
ARG_CERTIFICATE,
|
||||
ARG_CERTIFICATE_SOURCE,
|
||||
ARG_PRIVATE_KEY,
|
||||
ARG_PRIVATE_KEY_SOURCE,
|
||||
};
|
||||
|
@ -366,6 +375,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
{ "dry-run", no_argument, NULL, ARG_DRY_RUN },
|
||||
{ "secure-boot-auto-enroll", required_argument, NULL, ARG_SECURE_BOOT_AUTO_ENROLL },
|
||||
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
|
||||
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
|
||||
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
|
||||
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
|
||||
{}
|
||||
|
@ -526,12 +536,20 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
return r;
|
||||
break;
|
||||
|
||||
case ARG_CERTIFICATE: {
|
||||
r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_certificate);
|
||||
case ARG_CERTIFICATE:
|
||||
r = free_and_strdup_warn(&arg_certificate, optarg);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
|
||||
case ARG_CERTIFICATE_SOURCE:
|
||||
r = parse_openssl_certificate_source_argument(
|
||||
optarg,
|
||||
&arg_certificate_source,
|
||||
&arg_certificate_source_type);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
}
|
||||
|
||||
case ARG_PRIVATE_KEY: {
|
||||
r = free_and_strdup_warn(&arg_private_key, optarg);
|
||||
|
|
|
@ -41,6 +41,8 @@ extern ImagePolicy *arg_image_policy;
|
|||
extern bool arg_varlink;
|
||||
extern bool arg_secure_boot_auto_enroll;
|
||||
extern char *arg_certificate;
|
||||
extern CertificateSourceType arg_certificate_source_type;
|
||||
extern char *arg_certificate_source;
|
||||
extern char *arg_private_key;
|
||||
extern KeySourceType arg_private_key_source_type;
|
||||
extern char *arg_private_key_source;
|
||||
|
|
|
@ -38,6 +38,8 @@ static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
|
|||
static char *arg_private_key_source = NULL;
|
||||
static char *arg_public_key = NULL;
|
||||
static char *arg_certificate = NULL;
|
||||
static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
|
||||
static char *arg_certificate_source = NULL;
|
||||
static sd_json_format_flags_t arg_json_format_flags = SD_JSON_FORMAT_PRETTY_AUTO|SD_JSON_FORMAT_COLOR_AUTO|SD_JSON_FORMAT_OFF;
|
||||
static PagerFlags arg_pager_flags = 0;
|
||||
static bool arg_current = false;
|
||||
|
@ -50,6 +52,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
|
|||
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_public_key, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_phase, strv_freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_append, freep);
|
||||
|
||||
|
@ -74,6 +77,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
" status Show current PCR values\n"
|
||||
" calculate Calculate expected PCR values\n"
|
||||
" sign Calculate and sign expected PCR values\n"
|
||||
" pcrpkey Calculate the PCR public key\n"
|
||||
"\n%3$sOptions:%4$s\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Print version\n"
|
||||
|
@ -87,7 +91,13 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
" Specify how to use KEY for --private-key=. Allows\n"
|
||||
" an OpenSSL engine/provider to be used for signing\n"
|
||||
" --public-key=KEY Public key (PEM) to validate against\n"
|
||||
" --certificate=PATH PEM certificate to use when signing with a URI\n"
|
||||
" --certificate=PATH|URI\n"
|
||||
" PEM certificate to use for signing, or a provider\n"
|
||||
" specific designation if --certificate-source= is used\n"
|
||||
" --certificate-source=file|provider:PROVIDER\n"
|
||||
" Specify how to interpret the certificate from\n"
|
||||
" --certificate=. Allows the certificate to be loaded\n"
|
||||
" from an OpenSSL provider\n"
|
||||
" --json=MODE Output as JSON\n"
|
||||
" -j Same as --json=pretty on tty, --json=short otherwise\n"
|
||||
" --append=PATH Load specified JSON signature, and append new signature to it\n"
|
||||
|
@ -156,6 +166,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
ARG_PRIVATE_KEY_SOURCE,
|
||||
ARG_PUBLIC_KEY,
|
||||
ARG_CERTIFICATE,
|
||||
ARG_CERTIFICATE_SOURCE,
|
||||
ARG_TPM2_DEVICE,
|
||||
ARG_JSON,
|
||||
ARG_PHASE,
|
||||
|
@ -186,6 +197,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
|
||||
{ "public-key", required_argument, NULL, ARG_PUBLIC_KEY },
|
||||
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
|
||||
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
|
||||
{ "json", required_argument, NULL, ARG_JSON },
|
||||
{ "phase", required_argument, NULL, ARG_PHASE },
|
||||
{ "append", required_argument, NULL, ARG_APPEND },
|
||||
|
@ -265,10 +277,18 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
break;
|
||||
|
||||
case ARG_CERTIFICATE:
|
||||
r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_certificate);
|
||||
r = free_and_strdup_warn(&arg_certificate, optarg);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
|
||||
case ARG_CERTIFICATE_SOURCE:
|
||||
r = parse_openssl_certificate_source_argument(
|
||||
optarg,
|
||||
&arg_certificate_source,
|
||||
&arg_certificate_source_type);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
|
||||
case ARG_TPM2_DEVICE: {
|
||||
|
@ -841,7 +861,17 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
|
|||
|
||||
/* This must be done before openssl_load_private_key() otherwise it will get stuck */
|
||||
if (arg_certificate) {
|
||||
r = openssl_load_x509_certificate(arg_certificate, &certificate);
|
||||
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
r = openssl_load_x509_certificate(
|
||||
arg_certificate_source_type,
|
||||
arg_certificate_source,
|
||||
arg_certificate,
|
||||
&certificate);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
|
||||
}
|
||||
|
@ -1144,12 +1174,100 @@ static int verb_status(int argc, char *argv[], void *userdata) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int verb_pcrpkey(int argc, char *argv[], void *userdata) {
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *public_key = NULL;
|
||||
int r;
|
||||
|
||||
if (arg_public_key) {
|
||||
_cleanup_fclose_ FILE *public_keyf = NULL;
|
||||
|
||||
public_keyf = fopen(arg_public_key, "re");
|
||||
if (!public_keyf)
|
||||
return log_error_errno(errno, "Failed to open public key file '%s': %m", arg_public_key);
|
||||
|
||||
public_key = PEM_read_PUBKEY(public_keyf, NULL, NULL, NULL);
|
||||
if (!public_key)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to parse public key '%s'.", arg_public_key);
|
||||
|
||||
} else if (arg_certificate) {
|
||||
_cleanup_(X509_freep) X509 *certificate = NULL;
|
||||
|
||||
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
r = openssl_load_x509_certificate(
|
||||
arg_certificate_source_type,
|
||||
arg_certificate_source,
|
||||
arg_certificate,
|
||||
&certificate);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
|
||||
|
||||
public_key = X509_get_pubkey(certificate);
|
||||
if (!public_key)
|
||||
return log_error_errno(
|
||||
SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to extract public key from certificate %s.",
|
||||
arg_certificate);
|
||||
|
||||
} else if (arg_private_key) {
|
||||
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
|
||||
|
||||
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &arg_private_key);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse private key path %s: %m", arg_private_key);
|
||||
}
|
||||
|
||||
r = openssl_load_private_key(
|
||||
arg_private_key_source_type,
|
||||
arg_private_key_source,
|
||||
arg_private_key,
|
||||
&(AskPasswordRequest) {
|
||||
.id = "measure-private-key-pin",
|
||||
.keyring = arg_private_key,
|
||||
.credential = "measure.private-key-pin",
|
||||
},
|
||||
&private_key,
|
||||
&ui);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
|
||||
|
||||
_cleanup_(memstream_done) MemStream m = {};
|
||||
FILE *tf = memstream_init(&m);
|
||||
if (!tf)
|
||||
return log_oom();
|
||||
|
||||
if (i2d_PUBKEY_fp(tf, private_key) != 1)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to extract public key from private key file '%s'.", arg_private_key);
|
||||
|
||||
fflush(tf);
|
||||
rewind(tf);
|
||||
|
||||
if (!d2i_PUBKEY_fp(tf, &public_key))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to parse extracted public key of private key file '%s'.", arg_private_key);
|
||||
} else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "One of --public-key=, --certificate= or --private-key= must be specified");
|
||||
|
||||
if (PEM_write_PUBKEY(stdout, public_key) == 0)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write public key to stdout");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int measure_main(int argc, char *argv[]) {
|
||||
static const Verb verbs[] = {
|
||||
{ "help", VERB_ANY, VERB_ANY, 0, help },
|
||||
{ "status", VERB_ANY, 1, VERB_DEFAULT, verb_status },
|
||||
{ "calculate", VERB_ANY, 1, 0, verb_calculate },
|
||||
{ "sign", VERB_ANY, 1, 0, verb_sign },
|
||||
{ "pcrpkey", VERB_ANY, 1, 0, verb_pcrpkey },
|
||||
{}
|
||||
};
|
||||
|
||||
|
|
|
@ -21,12 +21,15 @@
|
|||
static PagerFlags arg_pager_flags = 0;
|
||||
static char *arg_output = NULL;
|
||||
static char *arg_certificate = NULL;
|
||||
static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
|
||||
static char *arg_certificate_source = NULL;
|
||||
static char *arg_private_key = NULL;
|
||||
static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
|
||||
static char *arg_private_key_source = NULL;
|
||||
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_output, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
|
||||
|
||||
|
@ -42,13 +45,19 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
"\n%5$sSign binaries for EFI Secure Boot%6$s\n"
|
||||
"\n%3$sCommands:%4$s\n"
|
||||
" sign EXEFILE Sign the given binary for EFI Secure Boot\n"
|
||||
" validate-key Load and validate the given private key\n"
|
||||
" validate-key Load and validate the given certificate and private key\n"
|
||||
"\n%3$sOptions:%4$s\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Print version\n"
|
||||
" --no-pager Do not pipe output into a pager\n"
|
||||
" --output Where to write the signed PE binary\n"
|
||||
" --certificate=PATH PEM certificate to use when signing with a URI\n"
|
||||
" --certificate=PATH|URI\n"
|
||||
" PEM certificate to use for signing, or a provider\n"
|
||||
" specific designation if --certificate-source= is used\n"
|
||||
" --certificate-source=file|provider:PROVIDER\n"
|
||||
" Specify how to interpret the certificate from\n"
|
||||
" --certificate=. Allows the certificate to be loaded\n"
|
||||
" from an OpenSSL provider\n"
|
||||
" --private-key=KEY Private key (PEM) to sign with\n"
|
||||
" --private-key-source=file|provider:PROVIDER|engine:ENGINE\n"
|
||||
" Specify how to use KEY for --private-key=. Allows\n"
|
||||
|
@ -70,6 +79,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
ARG_NO_PAGER,
|
||||
ARG_OUTPUT,
|
||||
ARG_CERTIFICATE,
|
||||
ARG_CERTIFICATE_SOURCE,
|
||||
ARG_PRIVATE_KEY,
|
||||
ARG_PRIVATE_KEY_SOURCE,
|
||||
};
|
||||
|
@ -80,6 +90,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
{ "version", no_argument, NULL, ARG_VERSION },
|
||||
{ "output", required_argument, NULL, ARG_OUTPUT },
|
||||
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
|
||||
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
|
||||
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
|
||||
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
|
||||
{}
|
||||
|
@ -90,7 +101,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
assert(argc >= 0);
|
||||
assert(argv);
|
||||
|
||||
while ((c = getopt_long(argc, argv, "hjc", options, NULL)) >= 0)
|
||||
while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
|
||||
switch (c) {
|
||||
|
||||
case 'h':
|
||||
|
@ -112,10 +123,18 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
break;
|
||||
|
||||
case ARG_CERTIFICATE:
|
||||
r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_certificate);
|
||||
r = free_and_strdup_warn(&arg_certificate, optarg);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
|
||||
case ARG_CERTIFICATE_SOURCE:
|
||||
r = parse_openssl_certificate_source_argument(
|
||||
optarg,
|
||||
&arg_certificate_source,
|
||||
&arg_certificate_source_type);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
|
||||
case ARG_PRIVATE_KEY:
|
||||
|
@ -168,7 +187,17 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
|
|||
if (!arg_output)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No output specified, use --output=");
|
||||
|
||||
r = openssl_load_x509_certificate(arg_certificate, &certificate);
|
||||
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
r = openssl_load_x509_certificate(
|
||||
arg_certificate_source_type,
|
||||
arg_certificate_source,
|
||||
arg_certificate,
|
||||
&certificate);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
|
||||
|
||||
|
@ -470,14 +499,33 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
|
|||
}
|
||||
|
||||
static int verb_validate_key(int argc, char *argv[], void *userdata) {
|
||||
_cleanup_(X509_freep) X509 *certificate = NULL;
|
||||
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
|
||||
int r;
|
||||
|
||||
if (!arg_certificate)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"No certificate specified, use --certificate=");
|
||||
|
||||
if (!arg_private_key)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"No private key specified, use --private-key=.");
|
||||
|
||||
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
r = openssl_load_x509_certificate(
|
||||
arg_certificate_source_type,
|
||||
arg_certificate_source,
|
||||
arg_certificate,
|
||||
&certificate);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
|
||||
|
||||
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &arg_private_key);
|
||||
if (r < 0)
|
||||
|
|
|
@ -154,6 +154,8 @@ static char *arg_private_key = NULL;
|
|||
static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
|
||||
static char *arg_private_key_source = NULL;
|
||||
static char *arg_certificate = NULL;
|
||||
static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
|
||||
static char *arg_certificate_source = NULL;
|
||||
static char *arg_tpm2_device = NULL;
|
||||
static uint32_t arg_tpm2_seal_key_handle = 0;
|
||||
static char *arg_tpm2_device_key = NULL;
|
||||
|
@ -186,6 +188,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_key, erase_and_freep);
|
|||
STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device_key, freep);
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
|
||||
|
@ -7808,8 +7811,14 @@ static int help(void) {
|
|||
" Specify how to use KEY for --private-key=. Allows\n"
|
||||
" an OpenSSL engine/provider to be used when generating\n"
|
||||
" verity roothash signatures\n"
|
||||
" --certificate=PATH PEM certificate to use when generating verity\n"
|
||||
" roothash signatures\n"
|
||||
" --certificate=PATH|URI\n"
|
||||
" PEM certificate to use when generating verity roothash\n"
|
||||
" signatures, or a provider specific designation if\n"
|
||||
" --certificate-source= is used\n"
|
||||
" --certificate-source=file|provider:PROVIDER\n"
|
||||
" Specify how to interpret the certificate from\n"
|
||||
" --certificate=. Allows the certificate to be loaded\n"
|
||||
" from an OpenSSL provider\n"
|
||||
"\n%3$sEncryption:%4$s\n"
|
||||
" --key-file=PATH Key to use when encrypting partitions\n"
|
||||
" --tpm2-device=PATH Path to TPM2 device node to use\n"
|
||||
|
@ -7878,6 +7887,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
|
|||
ARG_PRIVATE_KEY,
|
||||
ARG_PRIVATE_KEY_SOURCE,
|
||||
ARG_CERTIFICATE,
|
||||
ARG_CERTIFICATE_SOURCE,
|
||||
ARG_TPM2_DEVICE,
|
||||
ARG_TPM2_DEVICE_KEY,
|
||||
ARG_TPM2_SEAL_KEY_HANDLE,
|
||||
|
@ -7922,6 +7932,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
|
|||
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
|
||||
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
|
||||
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
|
||||
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
|
||||
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
||||
{ "tpm2-device-key", required_argument, NULL, ARG_TPM2_DEVICE_KEY },
|
||||
{ "tpm2-seal-key-handle", required_argument, NULL, ARG_TPM2_SEAL_KEY_HANDLE },
|
||||
|
@ -8130,12 +8141,20 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
|
|||
return r;
|
||||
break;
|
||||
|
||||
case ARG_CERTIFICATE: {
|
||||
r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_certificate);
|
||||
case ARG_CERTIFICATE:
|
||||
r = free_and_strdup_warn(&arg_certificate, optarg);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
|
||||
case ARG_CERTIFICATE_SOURCE:
|
||||
r = parse_openssl_certificate_source_argument(
|
||||
optarg,
|
||||
&arg_certificate_source,
|
||||
&arg_certificate_source_type);
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
}
|
||||
|
||||
case ARG_TPM2_DEVICE: {
|
||||
_cleanup_free_ char *device = NULL;
|
||||
|
@ -8468,7 +8487,17 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
|
|||
}
|
||||
|
||||
if (arg_certificate) {
|
||||
r = openssl_load_x509_certificate(arg_certificate, &certificate);
|
||||
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
|
||||
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
r = openssl_load_x509_certificate(
|
||||
arg_certificate_source_type,
|
||||
arg_certificate_source,
|
||||
arg_certificate,
|
||||
&certificate);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
|
||||
}
|
||||
|
|
|
@ -1340,6 +1340,9 @@ static int load_key_from_provider(
|
|||
if (!store)
|
||||
return log_openssl_errors("Failed to open OpenSSL store via '%s'", private_key_uri);
|
||||
|
||||
if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PKEY) == 0)
|
||||
return log_openssl_errors("Failed to filter store by private keys");
|
||||
|
||||
_cleanup_(OSSL_STORE_INFO_freep) OSSL_STORE_INFO *info = OSSL_STORE_load(store);
|
||||
if (!info)
|
||||
return log_openssl_errors("Failed to load OpenSSL store via '%s'", private_key_uri);
|
||||
|
@ -1479,6 +1482,80 @@ static int openssl_ask_password_ui_new(const AskPasswordRequest *request, OpenSS
|
|||
*ret = TAKE_PTR(ui);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int load_x509_certificate_from_file(const char *path, X509 **ret) {
|
||||
_cleanup_free_ char *rawcert = NULL;
|
||||
_cleanup_(X509_freep) X509 *cert = NULL;
|
||||
_cleanup_(BIO_freep) BIO *cb = NULL;
|
||||
size_t rawcertsz;
|
||||
int r;
|
||||
|
||||
assert(path);
|
||||
assert(ret);
|
||||
|
||||
r = read_full_file_full(
|
||||
AT_FDCWD, path, UINT64_MAX, SIZE_MAX,
|
||||
READ_FULL_FILE_CONNECT_SOCKET,
|
||||
NULL,
|
||||
&rawcert, &rawcertsz);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to read certificate file '%s': %m", path);
|
||||
|
||||
cb = BIO_new_mem_buf(rawcert, rawcertsz);
|
||||
if (!cb)
|
||||
return log_oom_debug();
|
||||
|
||||
cert = PEM_read_bio_X509(cb, NULL, NULL, NULL);
|
||||
if (!cert)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse X.509 certificate: %s",
|
||||
ERR_error_string(ERR_get_error(), NULL));
|
||||
|
||||
if (ret)
|
||||
*ret = TAKE_PTR(cert);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int load_x509_certificate_from_provider(const char *provider, const char *certificate_uri, X509 **ret) {
|
||||
assert(provider);
|
||||
assert(certificate_uri);
|
||||
assert(ret);
|
||||
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
/* Load the provider so that this can work without any custom written configuration in /etc/.
|
||||
* Also load the 'default' as that seems to be the recommendation. */
|
||||
if (!OSSL_PROVIDER_try_load(/* ctx= */ NULL, provider, /* retain_fallbacks= */ true))
|
||||
return log_openssl_errors("Failed to load OpenSSL provider '%s'", provider);
|
||||
if (!OSSL_PROVIDER_try_load(/* ctx= */ NULL, "default", /* retain_fallbacks= */ true))
|
||||
return log_openssl_errors("Failed to load OpenSSL provider 'default'");
|
||||
|
||||
_cleanup_(OSSL_STORE_closep) OSSL_STORE_CTX *store = OSSL_STORE_open(
|
||||
certificate_uri,
|
||||
/*ui_method=*/ NULL,
|
||||
/*ui_method=*/ NULL,
|
||||
/* post_process= */ NULL,
|
||||
/* post_process_data= */ NULL);
|
||||
if (!store)
|
||||
return log_openssl_errors("Failed to open OpenSSL store via '%s'", certificate_uri);
|
||||
|
||||
if (OSSL_STORE_expect(store, OSSL_STORE_INFO_CERT) == 0)
|
||||
return log_openssl_errors("Failed to filter store by X.509 certificates");
|
||||
|
||||
_cleanup_(OSSL_STORE_INFO_freep) OSSL_STORE_INFO *info = OSSL_STORE_load(store);
|
||||
if (!info)
|
||||
return log_openssl_errors("Failed to load OpenSSL store via '%s'", certificate_uri);
|
||||
|
||||
_cleanup_(X509_freep) X509 *cert = OSSL_STORE_INFO_get1_CERT(info);
|
||||
if (!cert)
|
||||
return log_openssl_errors("Failed to load certificate via '%s'", certificate_uri);
|
||||
|
||||
*ret = TAKE_PTR(cert);
|
||||
|
||||
return 0;
|
||||
#else
|
||||
return -EOPNOTSUPP;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
|
||||
|
@ -1514,36 +1591,33 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
|
|||
#endif
|
||||
}
|
||||
|
||||
int openssl_load_x509_certificate(const char *path, X509 **ret) {
|
||||
int openssl_load_x509_certificate(
|
||||
CertificateSourceType certificate_source_type,
|
||||
const char *certificate_source,
|
||||
const char *certificate,
|
||||
X509 **ret) {
|
||||
#if HAVE_OPENSSL
|
||||
_cleanup_free_ char *rawcert = NULL;
|
||||
_cleanup_(X509_freep) X509 *cert = NULL;
|
||||
_cleanup_(BIO_freep) BIO *cb = NULL;
|
||||
size_t rawcertsz;
|
||||
int r;
|
||||
|
||||
assert(path);
|
||||
assert(ret);
|
||||
assert(certificate);
|
||||
|
||||
r = read_full_file_full(
|
||||
AT_FDCWD, path, UINT64_MAX, SIZE_MAX,
|
||||
READ_FULL_FILE_CONNECT_SOCKET,
|
||||
NULL,
|
||||
&rawcert, &rawcertsz);
|
||||
switch (certificate_source_type) {
|
||||
|
||||
case OPENSSL_CERTIFICATE_SOURCE_FILE:
|
||||
r = load_x509_certificate_from_file(certificate, ret);
|
||||
break;
|
||||
case OPENSSL_CERTIFICATE_SOURCE_PROVIDER:
|
||||
r = load_x509_certificate_from_provider(certificate_source, certificate, ret);
|
||||
break;
|
||||
default:
|
||||
assert_not_reached();
|
||||
}
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to read certificate file '%s': %m", path);
|
||||
|
||||
cb = BIO_new_mem_buf(rawcert, rawcertsz);
|
||||
if (!cb)
|
||||
return log_oom_debug();
|
||||
|
||||
cert = PEM_read_bio_X509(cb, NULL, NULL, NULL);
|
||||
if (!cert)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse X.509 certificate: %s",
|
||||
ERR_error_string(ERR_get_error(), NULL));
|
||||
|
||||
if (ret)
|
||||
*ret = TAKE_PTR(cert);
|
||||
return log_debug_errno(
|
||||
r,
|
||||
"Failed to load certificate '%s' from OpenSSL certificate source %s: %m",
|
||||
certificate,
|
||||
certificate_source);
|
||||
|
||||
return 0;
|
||||
#else
|
||||
|
@ -1603,6 +1677,35 @@ int openssl_load_private_key(
|
|||
#endif
|
||||
}
|
||||
|
||||
int parse_openssl_certificate_source_argument(
|
||||
const char *argument,
|
||||
char **certificate_source,
|
||||
CertificateSourceType *certificate_source_type) {
|
||||
|
||||
CertificateSourceType type;
|
||||
const char *e = NULL;
|
||||
int r;
|
||||
|
||||
assert(argument);
|
||||
assert(certificate_source);
|
||||
assert(certificate_source_type);
|
||||
|
||||
if (streq(argument, "file"))
|
||||
type = OPENSSL_CERTIFICATE_SOURCE_FILE;
|
||||
else if ((e = startswith(argument, "provider:")))
|
||||
type = OPENSSL_CERTIFICATE_SOURCE_PROVIDER;
|
||||
else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid certificate source '%s'", argument);
|
||||
|
||||
r = free_and_strdup_warn(certificate_source, e);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
*certificate_source_type = type;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int parse_openssl_key_source_argument(
|
||||
const char *argument,
|
||||
char **private_key_source,
|
||||
|
|
|
@ -6,6 +6,13 @@
|
|||
#include "macro.h"
|
||||
#include "sha256.h"
|
||||
|
||||
typedef enum CertificateSourceType {
|
||||
OPENSSL_CERTIFICATE_SOURCE_FILE,
|
||||
OPENSSL_CERTIFICATE_SOURCE_PROVIDER,
|
||||
_OPENSSL_CERTIFICATE_SOURCE_MAX,
|
||||
_OPENSSL_CERTIFICATE_SOURCE_INVALID = -EINVAL,
|
||||
} CertificateSourceType;
|
||||
|
||||
typedef enum KeySourceType {
|
||||
OPENSSL_KEY_SOURCE_FILE,
|
||||
OPENSSL_KEY_SOURCE_ENGINE,
|
||||
|
@ -16,6 +23,8 @@ typedef enum KeySourceType {
|
|||
|
||||
typedef struct OpenSSLAskPasswordUI OpenSSLAskPasswordUI;
|
||||
|
||||
int parse_openssl_certificate_source_argument(const char *argument, char **certificate_source, CertificateSourceType *certificate_source_type);
|
||||
|
||||
int parse_openssl_key_source_argument(const char *argument, char **private_key_source, KeySourceType *private_key_source_type);
|
||||
|
||||
#define X509_FINGERPRINT_SIZE SHA256_DIGEST_SIZE
|
||||
|
@ -182,7 +191,11 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_
|
|||
|
||||
int x509_fingerprint(X509 *cert, uint8_t buffer[static X509_FINGERPRINT_SIZE]);
|
||||
|
||||
int openssl_load_x509_certificate(const char *path, X509 **ret);
|
||||
int openssl_load_x509_certificate(
|
||||
CertificateSourceType certificate_source_type,
|
||||
const char *certificate_source,
|
||||
const char *certificate,
|
||||
X509 **ret);
|
||||
|
||||
int openssl_load_private_key(
|
||||
KeySourceType private_key_source_type,
|
||||
|
|
|
@ -538,7 +538,6 @@ TEST(bind_mount_submounts) {
|
|||
}
|
||||
|
||||
TEST(path_is_network_fs_harder) {
|
||||
ASSERT_OK(path_is_network_fs_harder("/"));
|
||||
ASSERT_OK_ZERO(path_is_network_fs_harder("/dev"));
|
||||
ASSERT_OK_ZERO(path_is_network_fs_harder("/sys"));
|
||||
ASSERT_OK_ZERO(path_is_network_fs_harder("/run"));
|
||||
|
|
|
@ -207,11 +207,11 @@ def test_parse_args_many_deprecated():
|
|||
assert opts.uname == '1.2.3'
|
||||
assert opts.stub == pathlib.Path('STUBPATH')
|
||||
assert opts.pcr_private_keys == ['PKEY1']
|
||||
assert opts.pcr_public_keys == [pathlib.Path('PKEY2')]
|
||||
assert opts.pcr_public_keys == ['PKEY2']
|
||||
assert opts.pcr_banks == ['SHA1', 'SHA256']
|
||||
assert opts.signing_engine == 'ENGINE'
|
||||
assert opts.sb_key == 'SBKEY'
|
||||
assert opts.sb_cert == 'SBCERT'
|
||||
assert opts.sb_cert == Path('SBCERT')
|
||||
assert opts.sign_kernel is False
|
||||
assert opts.tools == [pathlib.Path('TOOLZ/')]
|
||||
assert opts.output == pathlib.Path('OUTPUT')
|
||||
|
@ -253,7 +253,7 @@ def test_parse_args_many():
|
|||
assert opts.uname == '1.2.3'
|
||||
assert opts.stub == pathlib.Path('STUBPATH')
|
||||
assert opts.pcr_private_keys == ['PKEY1']
|
||||
assert opts.pcr_public_keys == [pathlib.Path('PKEY2')]
|
||||
assert opts.pcr_public_keys == ['PKEY2']
|
||||
assert opts.pcr_banks == ['SHA1', 'SHA256']
|
||||
assert opts.signing_engine == 'ENGINE'
|
||||
assert opts.sb_key == 'SBKEY'
|
||||
|
@ -360,8 +360,7 @@ def test_config_priority(tmp_path):
|
|||
assert opts.uname == '1.2.3'
|
||||
assert opts.stub == pathlib.Path('STUBPATH')
|
||||
assert opts.pcr_private_keys == ['PKEY1', 'some/path7']
|
||||
assert opts.pcr_public_keys == [pathlib.Path('PKEY2'),
|
||||
pathlib.Path('some/path8')]
|
||||
assert opts.pcr_public_keys == ['PKEY2', 'some/path8']
|
||||
assert opts.pcr_banks == ['SHA1', 'SHA256']
|
||||
assert opts.signing_engine == 'ENGINE'
|
||||
assert opts.signtool == ukify.SbSign # from args
|
||||
|
|
|
@ -249,7 +249,7 @@ class UkifyConfig:
|
|||
output: Optional[str]
|
||||
pcr_banks: list[str]
|
||||
pcr_private_keys: list[str]
|
||||
pcr_public_keys: list[Path]
|
||||
pcr_public_keys: list[str]
|
||||
pcrpkey: Optional[Path]
|
||||
phase_path_groups: Optional[list[str]]
|
||||
profile: Union[str, Path, None]
|
||||
|
@ -264,6 +264,7 @@ class UkifyConfig:
|
|||
sign_kernel: bool
|
||||
signing_engine: Optional[str]
|
||||
signing_provider: Optional[str]
|
||||
certificate_provider: Optional[str]
|
||||
signtool: Optional[type['SignTool']]
|
||||
splash: Optional[Path]
|
||||
stub: Path
|
||||
|
@ -554,6 +555,11 @@ class SystemdSbSign(SignTool):
|
|||
if opts.signing_provider is not None
|
||||
else []
|
||||
),
|
||||
*(
|
||||
['--certificate-source', f'provider:{opts.certificate_provider}']
|
||||
if opts.certificate_provider is not None
|
||||
else []
|
||||
),
|
||||
input_f,
|
||||
'--output', output_f,
|
||||
] # fmt: skip
|
||||
|
@ -666,7 +672,7 @@ def combine_signatures(pcrsigs: list[dict[str, str]]) -> str:
|
|||
return json.dumps(combined)
|
||||
|
||||
|
||||
def key_path_groups(opts: UkifyConfig) -> Iterator[tuple[str, Optional[Path], Optional[str]]]:
|
||||
def key_path_groups(opts: UkifyConfig) -> Iterator[tuple[str, Optional[str], Optional[str]]]:
|
||||
if not opts.pcr_private_keys:
|
||||
return
|
||||
|
||||
|
@ -757,6 +763,10 @@ def call_systemd_measure(uki: UKI, opts: UkifyConfig, profile_start: int = 0) ->
|
|||
extra += [f'--certificate={pub_key}']
|
||||
elif pub_key:
|
||||
extra += [f'--public-key={pub_key}']
|
||||
|
||||
if opts.certificate_provider is not None:
|
||||
extra += [f'--certificate-source=provider:{opts.certificate_provider}']
|
||||
|
||||
extra += [f'--phase={phase_path}' for phase_path in group or ()]
|
||||
|
||||
print('+', shell_join(cmd + extra)) # type: ignore
|
||||
|
@ -1007,34 +1017,30 @@ def make_uki(opts: UkifyConfig) -> None:
|
|||
|
||||
pcrpkey: Union[bytes, Path, None] = opts.pcrpkey
|
||||
if pcrpkey is None:
|
||||
measure_tool = find_tool('systemd-measure', '/usr/lib/systemd/systemd-measure')
|
||||
cmd = [measure_tool, "pcrpkey"]
|
||||
|
||||
if opts.pcr_public_keys and len(opts.pcr_public_keys) == 1:
|
||||
pcrpkey = opts.pcr_public_keys[0]
|
||||
# If we are getting a certificate when using an engine or provider, we need to convert it to
|
||||
# public key format.
|
||||
if (opts.signing_engine or opts.signing_provider) and Path(pcrpkey).exists():
|
||||
from cryptography.hazmat.primitives import serialization
|
||||
from cryptography.x509 import load_pem_x509_certificate
|
||||
|
||||
try:
|
||||
cert = load_pem_x509_certificate(Path(pcrpkey).read_bytes())
|
||||
except ValueError:
|
||||
raise ValueError(f'{pcrpkey} must be an X.509 certificate when signing with an engine')
|
||||
# If we're using an engine or provider, the public key will be an X.509 certificate.
|
||||
if (opts.signing_engine or opts.signing_provider):
|
||||
cmd += ["--certificate", opts.pcr_public_keys[0]]
|
||||
if opts.certificate_provider:
|
||||
cmd += ["--certificate-source", f"provider:{opts.certificate_provider}"]
|
||||
else:
|
||||
pcrpkey = cert.public_key().public_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PublicFormat.SubjectPublicKeyInfo,
|
||||
)
|
||||
elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
|
||||
from cryptography.hazmat.primitives import serialization
|
||||
cmd += ["--public-key", opts.pcr_public_keys[0]]
|
||||
|
||||
privkey = serialization.load_pem_private_key(
|
||||
Path(opts.pcr_private_keys[0]).read_bytes(),
|
||||
password=None,
|
||||
)
|
||||
pcrpkey = privkey.public_key().public_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PublicFormat.SubjectPublicKeyInfo,
|
||||
)
|
||||
print('+', shell_join(cmd))
|
||||
pcrpkey = subprocess.check_output(cmd)
|
||||
elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
|
||||
cmd += ["--private-key", Path(opts.pcr_private_keys[0])]
|
||||
|
||||
if opts.signing_engine:
|
||||
cmd += ["--private-key-source", f"engine:{opts.signing_engine}"]
|
||||
if opts.signing_provider:
|
||||
cmd += ["--private-key-source", f"provider:{opts.signing_provider}"]
|
||||
|
||||
print('+', shell_join(cmd))
|
||||
pcrpkey = subprocess.check_output(cmd)
|
||||
|
||||
sections = [
|
||||
# name, content, measure?
|
||||
|
@ -1674,6 +1680,12 @@ CONFIG_ITEMS = [
|
|||
help='OpenSSL provider to use for signing',
|
||||
config_key='UKI/SigningProvider',
|
||||
),
|
||||
ConfigItem(
|
||||
'--certificate-provider',
|
||||
metavar='PROVIDER',
|
||||
help='OpenSSL provider to load certificate from',
|
||||
config_key='UKI/CertificateProvider',
|
||||
),
|
||||
ConfigItem(
|
||||
'--signtool',
|
||||
choices=('sbsign', 'pesign', 'systemd-sbsign'),
|
||||
|
@ -1746,7 +1758,6 @@ CONFIG_ITEMS = [
|
|||
'--pcr-public-key',
|
||||
dest='pcr_public_keys',
|
||||
metavar='PATH',
|
||||
type=Path,
|
||||
action='append',
|
||||
help='public part of the keypair or engine/provider designation for signing PCR signatures',
|
||||
config_key='PCRSignature:/PCRPublicKey',
|
||||
|
@ -1982,10 +1993,10 @@ def finalize_options(opts: argparse.Namespace) -> None:
|
|||
if opts.signing_engine and opts.signing_provider:
|
||||
raise ValueError('Only one of --signing-engine= and --signing-provider= may be specified')
|
||||
|
||||
if opts.signing_engine is None and opts.signing_provider is None:
|
||||
if opts.sb_key:
|
||||
if opts.signing_engine is None and opts.signing_provider is None and opts.sb_key:
|
||||
opts.sb_key = Path(opts.sb_key)
|
||||
if opts.sb_cert:
|
||||
|
||||
if opts.certificate_provider is None and opts.sb_cert:
|
||||
opts.sb_cert = Path(opts.sb_cert)
|
||||
|
||||
if bool(opts.sb_key) ^ bool(opts.sb_cert):
|
||||
|
@ -2012,6 +2023,9 @@ def finalize_options(opts: argparse.Namespace) -> None:
|
|||
if opts.signing_provider and opts.signtool != SystemdSbSign:
|
||||
raise ValueError('--signing-provider= can only be used with--signtool=systemd-sbsign')
|
||||
|
||||
if opts.certificate_provider and opts.signtool != SystemdSbSign:
|
||||
raise ValueError('--certificate-provider= can only be used with--signtool=systemd-sbsign')
|
||||
|
||||
if opts.sign_kernel and not opts.sb_key and not opts.sb_cert_name:
|
||||
raise ValueError(
|
||||
'--sign-kernel requires either --secureboot-private-key= and --secureboot-certificate= (for sbsign) or --secureboot-certificate-name= (for pesign) to be specified' # noqa: E501
|
||||
|
|
Loading…
Reference in New Issue