2026-04-26 00:45:09 +02:00
8 changed files with 79 additions and 98 deletions
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -49,7 +49,7 @@ jobs:
    steps:
    - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
-    - uses: systemd/mkosi@93098e2406e12ea7f06f962d4808952b8a06d345
+    - uses: systemd/mkosi@0dd39c20a4b3a2fab6efdc54da92bffad7c7b7ca
    - name: Install
      run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -441,10 +441,3 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
  use for LUKS home directories, overriding the built-in default mount
  options. There's one variable for each of the supported file systems for the
  LUKS home directory backend.
 `kernel-install`:
 * `$KERNEL_INSTALL_BYPASS` – If set to "1", execution of kernel-install is skipped
  when kernel-install is invoked. This can be useful if kernel-install is invoked
  unconditionally as a child process by another tool, such as package managers
  running kernel-install in a postinstall script.
--- a/hwdb.d/60-evdev.hwdb
+++ b/hwdb.d/60-evdev.hwdb
@ -624,17 +624,6 @@ evdev:input:b0003v258Ap001E*
 EVDEV_ABS_35=::15
 EVDEV_ABS_36=::15
 #########################################
 # Positivo-Vaio
 #########################################
 # Vaio FE14
 evdev:name:SYNA3602:00 0911:5288 Touchpad:dmi:*svnPositivoBahia-VAIO:pnVJFE41F11*
 EVDEV_ABS_00=::28
 EVDEV_ABS_01=::27
 EVDEV_ABS_35=::28
 EVDEV_ABS_36=::27
 #########################################
 # Razer
 #########################################
--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
@ -90,7 +90,7 @@
        <term><command>encrypt</command> <replaceable>input|-</replaceable> <replaceable>output|-</replaceable></term>
        <listitem><para>Loads the specified (unencrypted plaintext) input credential file, encrypts it and
-        writes the (encrypted ciphertext) output to the specified target credential file. The resulting file
+        writes the (encrypted ciphertext) version to the specified output credential file. The resulting file
        may be referenced in the <varname>LoadCredentialEncrypted=</varname> setting in unit files, or its
        contents used literally in <varname>SetCredentialEncrypted=</varname> settings.</para>
@ -102,8 +102,8 @@
        output path is specified as <literal>-</literal> the credential name cannot be derived from the file
        system path, and thus should be specified explicitly via the <option>--name=</option> switch.</para>
-        <para>The credential data is encrypted and authenticated symmetrically with one of the following
+        <para>The credential data is encrypted symmetrically with one of the following encryption
-        encryption keys:</para>
+        keys:</para>
        <orderedlist>
          <listitem><para>A secret key automatically derived from the system's TPM2 chip. This encryption key
@ -145,8 +145,8 @@
        <optional><replaceable>output|-</replaceable></optional></term>
        <listitem><para>Undoes the effect of the <command>encrypt</command> operation: loads the specified
-        (encrypted ciphertext) input credential file, decrypts and authenticates it and writes the (decrypted
+        (encrypted ciphertext) input credential file, decrypts it and writes the (decrypted plaintext)
-        plaintext) output to the specified target credential file.</para>
+        version to the specified output credential file.</para>
        <para>Takes one or two file system paths. The file name part of the input path is compared with the
        credential name embedded in the encrypted file. If it does not match decryption fails. This is done
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -3054,19 +3054,18 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
        loading from a directory, symlinks will be ignored.</para>
        <para>The <varname>LoadCredentialEncrypted=</varname> setting is identical to
-        <varname>LoadCredential=</varname>, except that the credential data is decrypted and authenticated
+        <varname>LoadCredential=</varname>, except that the credential data is decrypted before being passed
-        before being passed on to the executed processes. Specifically, the referenced path should refer to a
+        on to the executed processes. Specifically, the referenced path should refer to a file or socket with
-        file or socket with an encrypted credential, as implemented by
+        an encrypted credential, as implemented by
        <citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>. This
-        credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
+        credential is loaded, decrypted and then passed to the application in decrypted plaintext form, in
-        in the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
+        the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
-        credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
+        credential configured this way may encrypted with a secret key derived from the system's TPM2
-        from the system's TPM2 security chip, or with a secret key stored in
+        security chip, or with a secret key stored in
-        <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted and
+        <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted credentials
-        authenticated credentials improves security as credentials are not stored in plaintext and only
+        improves security as credentials are not stored in plaintext and only decrypted into plaintext the
-        authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
+        moment a service requiring them is started. Moreover, credentials may be bound to the local hardware
-        credentials may be bound to the local hardware and installations, so that they cannot easily be
+        and installations, so that they cannot easily be analyzed offline.</para>
        analyzed offline, or be generated externally.</para>
        <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
        be directly accessible to the unit's processes: the credential data is read and copied into separate,
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@ -1284,51 +1284,68 @@ static const sd_bus_vtable hostname_vtable[] = {
        SD_BUS_PROPERTY("HardwareModel", "s", property_get_hardware_model, 0, SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("FirmwareVersion", "s", property_get_firmware_version, 0, SD_BUS_VTABLE_PROPERTY_CONST),
-        SD_BUS_METHOD_WITH_ARGS("SetHostname",
+        SD_BUS_METHOD_WITH_NAMES("SetHostname",
-                                SD_BUS_ARGS("s", hostname, "b", interactive),
+                                 "sb",
-                                SD_BUS_NO_RESULT,
+                                 SD_BUS_PARAM(hostname)
-                                method_set_hostname,
+                                 SD_BUS_PARAM(interactive),
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 NULL,,
-        SD_BUS_METHOD_WITH_ARGS("SetStaticHostname",
+                                 method_set_hostname,
-                                SD_BUS_ARGS("s", hostname, "b", interactive),
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
-                                SD_BUS_NO_RESULT,
+        SD_BUS_METHOD_WITH_NAMES("SetStaticHostname",
-                                method_set_static_hostname,
+                                 "sb",
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 SD_BUS_PARAM(hostname)
-        SD_BUS_METHOD_WITH_ARGS("SetPrettyHostname",
+                                 SD_BUS_PARAM(interactive),
-                                SD_BUS_ARGS("s", hostname, "b", interactive),
+                                 NULL,,
-                                SD_BUS_NO_RESULT,
+                                 method_set_static_hostname,
-                                method_set_pretty_hostname,
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+        SD_BUS_METHOD_WITH_NAMES("SetPrettyHostname",
-        SD_BUS_METHOD_WITH_ARGS("SetIconName",
+                                 "sb",
-                                SD_BUS_ARGS("s", icon, "b", interactive),
+                                 SD_BUS_PARAM(hostname)
-                                SD_BUS_NO_RESULT,
+                                 SD_BUS_PARAM(interactive),
-                                method_set_icon_name,
+                                 NULL,,
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 method_set_pretty_hostname,
-        SD_BUS_METHOD_WITH_ARGS("SetChassis",
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
-                                SD_BUS_ARGS("s", chassis, "b", interactive),
+        SD_BUS_METHOD_WITH_NAMES("SetIconName",
-                                SD_BUS_NO_RESULT,
+                                 "sb",
-                                method_set_chassis,
+                                 SD_BUS_PARAM(icon)
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 SD_BUS_PARAM(interactive),
-        SD_BUS_METHOD_WITH_ARGS("SetDeployment",
+                                 NULL,,
-                                SD_BUS_ARGS("s", deployment, "b", interactive),
+                                 method_set_icon_name,
-                                SD_BUS_NO_RESULT,
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
-                                method_set_deployment,
+        SD_BUS_METHOD_WITH_NAMES("SetChassis",
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 "sb",
-        SD_BUS_METHOD_WITH_ARGS("SetLocation",
+                                 SD_BUS_PARAM(chassis)
-                                SD_BUS_ARGS("s", location, "b", interactive),
+                                 SD_BUS_PARAM(interactive),
-                                SD_BUS_NO_RESULT,
+                                 NULL,,
-                                method_set_location,
+                                 method_set_chassis,
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
-        SD_BUS_METHOD_WITH_ARGS("GetProductUUID",
+        SD_BUS_METHOD_WITH_NAMES("SetDeployment",
-                                SD_BUS_ARGS("b", interactive),
+                                 "sb",
-                                SD_BUS_RESULT("ay", uuid),
+                                 SD_BUS_PARAM(deployment)
-                                method_get_product_uuid,
+                                 SD_BUS_PARAM(interactive),
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 NULL,,
-        SD_BUS_METHOD_WITH_ARGS("GetHardwareSerial",
+                                 method_set_deployment,
-                                SD_BUS_NO_ARGS,
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
-                                SD_BUS_RESULT("s", serial),
+        SD_BUS_METHOD_WITH_NAMES("SetLocation",
-                                method_get_hardware_serial,
+                                 "sb",
-                                SD_BUS_VTABLE_UNPRIVILEGED),
+                                 SD_BUS_PARAM(location)
                                 SD_BUS_PARAM(interactive),
                                 NULL,,
                                 method_set_location,
                                 SD_BUS_VTABLE_UNPRIVILEGED),
        SD_BUS_METHOD_WITH_NAMES("GetProductUUID",
                                 "b",
                                 SD_BUS_PARAM(interactive),
                                 "ay",
                                 SD_BUS_PARAM(uuid),
                                 method_get_product_uuid,
                                 SD_BUS_VTABLE_UNPRIVILEGED),
        SD_BUS_METHOD_WITH_NAMES("GetHardwareSerial",
                                 NULL,,
                                 "s",
                                 SD_BUS_PARAM(serial),
                                 method_get_hardware_serial,
                                 SD_BUS_VTABLE_UNPRIVILEGED),
        SD_BUS_METHOD_WITH_ARGS("Describe",
                                SD_BUS_NO_ARGS,
                                SD_BUS_RESULT("s", json),
--- a/src/kernel-install/kernel-install.in
+++ b/src/kernel-install/kernel-install.in
@ -67,11 +67,6 @@ for i; do
    fi
 done
 if [ "$KERNEL_INSTALL_BYPASS" = "1" ]; then
    echo "kernel-install: Skipping execution because KERNEL_INSTALL_BYPASS=1"
    exit 0
 fi
 export KERNEL_INSTALL_VERBOSE=0
 if [ "$1" = "--verbose" ] || [ "$1" = "-v" ]; then
    shift
--- a/tools/oss-fuzz.sh
+++ b/tools/oss-fuzz.sh
@ -55,18 +55,6 @@ else
        CFLAGS="$CFLAGS $UBSAN_FLAGS"
        CXXFLAGS="$CXXFLAGS $UBSAN_FLAGS"
    fi
    if [[ "$SANITIZER" == introspector ]]; then
        # fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
        # https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
        # https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
        # It's possible to build systemd with duct tape there using something like
        # https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
        # apparently even with gold and lto some parts of systemd are missing from
        # reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
        # Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
        exit 1
    fi
 fi
 if ! meson "$build" "-D$fuzzflag" -Db_lundef=false; then