Compare commits

...

10 Commits

Author SHA1 Message Date
Ani Sinha f81190fdd1
Merge 9f026bfd96 into c946b13575 2024-11-22 21:09:58 +01:00
Christian Hesse c946b13575 link README.logs from tmpfiles.d/legacy.conf only if available
The file README.logs is installed only if SysVInit support is enabled.
Thus the link should depend on it as well.
2024-11-22 18:33:20 +00:00
Lennart Poettering e39cbb1442 varlink: apparently on old kernels SO_PEERPIDFD returns EINVAL 2024-11-23 03:09:49 +09:00
Marco Tomaschett bc4a027f9c
hwdb: add support for PineTab2 to 60-sensor.hwdb (#35304)
Add accelerometer support for PineTab2
2024-11-23 03:08:06 +09:00
Lennart Poettering d209e197f8
userdbctl: two trivial fixlets (#35296)
Fixes: #35294
2024-11-22 16:06:01 +01:00
Antonio Alvarez Feijoo 9ed090230e tpm2-util: fix parameter name 2024-11-22 16:04:16 +01:00
Lennart Poettering 47c5ca237b userdbctl: respect selected disposition also when showing gid boundaries
Follow-up for: ad5de3222f
2024-11-22 11:28:30 +01:00
Lennart Poettering 7f8a4f12df userdbctl: fix counting
Fixes: #35294
2024-11-22 11:28:28 +01:00
Lennart Poettering e412fc5e04 userbdctl: show 'mapped' user range only inside of userns
Outside of userns the concept makes no sense, there cannot be users
mapped from further outside.
2024-11-22 11:28:17 +01:00
Ani Sinha 9f026bfd96 measure: introduce support for a .fmw section
UKIs container can be used to bundle a firmware image that can be measured and
used on a confidential computing environment. Add support to introduce a .fmw
section in UKI that can be used for a firmware image. ukify tool has been
also changed to support addition of a firmware image in UKI. For example:

ukify.py build \
        --stub ./build/src/boot/efi/linuxx64.efi.stub \
        --linux bzImage \
        --cmdline='blah blah debug' \
        --firmware ~/OVMF.fd \
        --output=root/efi/boot/bootx64.efi

Co-authored-by: harald.hoyer@gmail.com
2024-11-12 15:38:46 +05:30
10 changed files with 71 additions and 22 deletions

View File

@ -953,6 +953,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:* sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1 ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
#########################################
# Pine64
#########################################
# PineTab2
sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
######################################### #########################################
# Pipo # Pipo
######################################### #########################################

View File

@ -75,6 +75,9 @@
<listitem><para>An optional <literal>.ucode</literal> section with an initrd containing microcode, to <listitem><para>An optional <literal>.ucode</literal> section with an initrd containing microcode, to
be handed to the kernel before any other initrd. This initrd must not be compressed.</para></listitem> be handed to the kernel before any other initrd. This initrd must not be compressed.</para></listitem>
<listitem><para>An optional <literal>.fmw</literal> section with the firmware image.
</para></listitem>
<listitem><para>An optional <literal>.splash</literal> section with an image (in the Windows <listitem><para>An optional <literal>.splash</literal> section with an image (in the Windows
<filename>.BMP</filename> format) to show on screen before invoking the kernel.</para></listitem> <filename>.BMP</filename> format) to show on screen before invoking the kernel.</para></listitem>

View File

@ -9,19 +9,20 @@ const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = {
* https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#section-table-section-headers * https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#section-table-section-headers
* (Note that PE *object* files may have longer section names (via indirection in the string table) but * (Note that PE *object* files may have longer section names (via indirection in the string table) but
* this is not allowed for PE *executables*, which UKIs are.) */ * this is not allowed for PE *executables*, which UKIs are.) */
[UNIFIED_SECTION_LINUX] = ".linux", [UNIFIED_SECTION_LINUX] = ".linux",
[UNIFIED_SECTION_OSREL] = ".osrel", [UNIFIED_SECTION_OSREL] = ".osrel",
[UNIFIED_SECTION_CMDLINE] = ".cmdline", [UNIFIED_SECTION_CMDLINE] = ".cmdline",
[UNIFIED_SECTION_INITRD] = ".initrd", [UNIFIED_SECTION_INITRD] = ".initrd",
[UNIFIED_SECTION_UCODE] = ".ucode", [UNIFIED_SECTION_UCODE] = ".ucode",
[UNIFIED_SECTION_SPLASH] = ".splash", [UNIFIED_SECTION_SPLASH] = ".splash",
[UNIFIED_SECTION_DTB] = ".dtb", [UNIFIED_SECTION_DTB] = ".dtb",
[UNIFIED_SECTION_UNAME] = ".uname", [UNIFIED_SECTION_UNAME] = ".uname",
[UNIFIED_SECTION_SBAT] = ".sbat", [UNIFIED_SECTION_SBAT] = ".sbat",
[UNIFIED_SECTION_PCRSIG] = ".pcrsig", [UNIFIED_SECTION_PCRSIG] = ".pcrsig",
[UNIFIED_SECTION_PCRPKEY] = ".pcrpkey", [UNIFIED_SECTION_PCRPKEY] = ".pcrpkey",
[UNIFIED_SECTION_PROFILE] = ".profile", [UNIFIED_SECTION_PROFILE] = ".profile",
[UNIFIED_SECTION_DTBAUTO] = ".dtbauto", [UNIFIED_SECTION_DTBAUTO] = ".dtbauto",
[UNIFIED_SECTION_HWIDS] = ".hwids", [UNIFIED_SECTION_HWIDS] = ".hwids",
[UNIFIED_SECTION_FIRMWARE] = ".fmw",
NULL, NULL,
}; };

View File

@ -20,6 +20,7 @@ typedef enum UnifiedSection {
UNIFIED_SECTION_PROFILE, UNIFIED_SECTION_PROFILE,
UNIFIED_SECTION_DTBAUTO, UNIFIED_SECTION_DTBAUTO,
UNIFIED_SECTION_HWIDS, UNIFIED_SECTION_HWIDS,
UNIFIED_SECTION_FIRMWARE,
_UNIFIED_SECTION_MAX, _UNIFIED_SECTION_MAX,
} UnifiedSection; } UnifiedSection;

View File

@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {
int pidfd = sd_varlink_get_peer_pidfd(v); int pidfd = sd_varlink_get_peer_pidfd(v);
if (pidfd < 0) { if (pidfd < 0) {
if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd)) if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
return pidfd; return pidfd;
pid_t pid; pid_t pid;

View File

@ -104,6 +104,7 @@ static int help(int argc, char *argv[], void *userdata) {
" --linux=PATH Path to Linux kernel image file %7$s .linux\n" " --linux=PATH Path to Linux kernel image file %7$s .linux\n"
" --osrel=PATH Path to os-release file %7$s .osrel\n" " --osrel=PATH Path to os-release file %7$s .osrel\n"
" --cmdline=PATH Path to file with kernel command line %7$s .cmdline\n" " --cmdline=PATH Path to file with kernel command line %7$s .cmdline\n"
" --firmware=PATH Path to firmware image file %7$s .fmw\n"
" --initrd=PATH Path to initrd image file %7$s .initrd\n" " --initrd=PATH Path to initrd image file %7$s .initrd\n"
" --ucode=PATH Path to microcode image file %7$s .ucode\n" " --ucode=PATH Path to microcode image file %7$s .ucode\n"
" --splash=PATH Path to splash bitmap file %7$s .splash\n" " --splash=PATH Path to splash bitmap file %7$s .splash\n"
@ -158,8 +159,9 @@ static int parse_argv(int argc, char *argv[]) {
ARG_PCRPKEY, ARG_PCRPKEY,
ARG_PROFILE, ARG_PROFILE,
ARG_HWIDS, ARG_HWIDS,
ARG_DTBAUTO,
_ARG_SECTION_LAST, _ARG_SECTION_LAST,
ARG_DTBAUTO = _ARG_SECTION_LAST, ARG_FIRMWARE = _ARG_SECTION_LAST,
ARG_BANK, ARG_BANK,
ARG_PRIVATE_KEY, ARG_PRIVATE_KEY,
ARG_PRIVATE_KEY_SOURCE, ARG_PRIVATE_KEY_SOURCE,
@ -180,6 +182,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "osrel", required_argument, NULL, ARG_OSREL }, { "osrel", required_argument, NULL, ARG_OSREL },
{ "cmdline", required_argument, NULL, ARG_CMDLINE }, { "cmdline", required_argument, NULL, ARG_CMDLINE },
{ "initrd", required_argument, NULL, ARG_INITRD }, { "initrd", required_argument, NULL, ARG_INITRD },
{ "firmware", required_argument, NULL, ARG_FIRMWARE },
{ "ucode", required_argument, NULL, ARG_UCODE }, { "ucode", required_argument, NULL, ARG_UCODE },
{ "splash", required_argument, NULL, ARG_SPLASH }, { "splash", required_argument, NULL, ARG_SPLASH },
{ "dtb", required_argument, NULL, ARG_DTB }, { "dtb", required_argument, NULL, ARG_DTB },

View File

@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret); int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret); int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags); int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
/* Default to PCR 7 only */ /* Default to PCR 7 only */
#define TPM2_PCR_INDEX_DEFAULT UINT32_C(7) #define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)

View File

@ -242,6 +242,7 @@ class UkifyConfig:
efi_arch: str efi_arch: str
hwids: Path hwids: Path
initrd: list[Path] initrd: list[Path]
firmware: Path
join_profiles: list[Path] join_profiles: list[Path]
json: Union[Literal['pretty'], Literal['short'], Literal['off']] json: Union[Literal['pretty'], Literal['short'], Literal['off']]
linux: Optional[Path] linux: Optional[Path]
@ -364,6 +365,7 @@ class Uname:
DEFAULT_SECTIONS_TO_SHOW = { DEFAULT_SECTIONS_TO_SHOW = {
'.linux': 'binary', '.linux': 'binary',
'.initrd': 'binary', '.initrd': 'binary',
'.fmw': 'binary',
'.ucode': 'binary', '.ucode': 'binary',
'.splash': 'binary', '.splash': 'binary',
'.dtb': 'binary', '.dtb': 'binary',
@ -1213,6 +1215,7 @@ def make_uki(opts: UkifyConfig) -> None:
('.splash', opts.splash, True), ('.splash', opts.splash, True),
('.pcrpkey', pcrpkey, True), ('.pcrpkey', pcrpkey, True),
('.initrd', initrd, True), ('.initrd', initrd, True),
('.fmw', opts.firmware, True),
('.ucode', opts.microcode, True), ('.ucode', opts.microcode, True),
] # fmt: skip ] # fmt: skip
@ -1269,6 +1272,7 @@ def make_uki(opts: UkifyConfig) -> None:
'.osrel', '.osrel',
'.cmdline', '.cmdline',
'.initrd', '.initrd',
'.fmw',
'.ucode', '.ucode',
'.splash', '.splash',
'.dtb', '.dtb',
@ -1729,6 +1733,12 @@ CONFIG_ITEMS = [
config_key='UKI/Initrd', config_key='UKI/Initrd',
config_push=ConfigItem.config_list_prepend, config_push=ConfigItem.config_list_prepend,
), ),
ConfigItem(
'--firmware',
type=Path,
help='firmware file [.fmw section]',
config_key='UKI/Firmware',
),
ConfigItem( ConfigItem(
'--microcode', '--microcode',
metavar='UCODE', metavar='UCODE',

View File

@ -23,6 +23,7 @@
#include "user-util.h" #include "user-util.h"
#include "userdb.h" #include "userdb.h"
#include "verbs.h" #include "verbs.h"
#include "virt.h"
static enum { static enum {
OUTPUT_CLASSIC, OUTPUT_CLASSIC,
@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
return 0; return 0;
} }
static bool test_show_mapped(void) {
/* Show mapped user range only in environments where user mapping is a thing. */
return running_in_userns() > 0;
}
static const struct { static const struct {
uid_t first, last; uid_t first, last;
const char *name; const char *name;
UserDisposition disposition; UserDisposition disposition;
bool (*test)(void);
} uid_range_table[] = { } uid_range_table[] = {
{ {
.first = 1, .first = 1,
@ -175,11 +182,12 @@ static const struct {
.last = MAP_UID_MAX, .last = MAP_UID_MAX,
.name = "mapped", .name = "mapped",
.disposition = USER_REGULAR, .disposition = USER_REGULAR,
.test = test_show_mapped,
}, },
}; };
static int table_add_uid_boundaries(Table *table, const UIDRange *p) { static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
int r; int r, n_added = 0;
assert(table); assert(table);
@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
if (!uid_range_covers(p, i->first, i->last - i->first + 1)) if (!uid_range_covers(p, i->first, i->last - i->first + 1))
continue; continue;
if (i->test && !i->test())
continue;
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN), name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
" begin ", i->name, " users ", " begin ", i->name, " users ",
special_glyph(SPECIAL_GLYPH_ARROW_DOWN)); special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
TABLE_INT, 1); /* sort after any other entry with the same UID */ TABLE_INT, 1); /* sort after any other entry with the same UID */
if (r < 0) if (r < 0)
return table_log_add_error(r); return table_log_add_error(r);
n_added += 2;
} }
return ELEMENTSOF(uid_range_table) * 2; return n_added;
} }
static int add_unavailable_uid(Table *table, uid_t start, uid_t end) { static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
} }
static int table_add_gid_boundaries(Table *table, const UIDRange *p) { static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
int r; int r, n_added = 0;
assert(table); assert(table);
FOREACH_ELEMENT(i, uid_range_table) { FOREACH_ELEMENT(i, uid_range_table) {
_cleanup_free_ char *name = NULL, *comment = NULL; _cleanup_free_ char *name = NULL, *comment = NULL;
if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
continue;
if (!uid_range_covers(p, i->first, i->last - i->first + 1)) if (!uid_range_covers(p, i->first, i->last - i->first + 1))
continue; continue;
if (i->test && !i->test())
continue;
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN), name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
" begin ", i->name, " groups ", " begin ", i->name, " groups ",
special_glyph(SPECIAL_GLYPH_ARROW_DOWN)); special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
TABLE_INT, 1); /* sort after any other entry with the same GID */ TABLE_INT, 1); /* sort after any other entry with the same GID */
if (r < 0) if (r < 0)
return table_log_add_error(r); return table_log_add_error(r);
n_added += 2;
} }
return ELEMENTSOF(uid_range_table) * 2; return n_added;
} }
static int add_unavailable_gid(Table *table, uid_t start, uid_t end) { static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {

View File

@ -13,11 +13,12 @@
d /run/lock 0755 root root - d /run/lock 0755 root root -
L /var/lock - - - - ../run/lock L /var/lock - - - - ../run/lock
{% if HAVE_SYSV_COMPAT %}
{% if CREATE_LOG_DIRS %} {% if CREATE_LOG_DIRS %}
L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
{% endif %} {% endif %}
{% if HAVE_SYSV_COMPAT %}
# /run/lock/subsys is used for serializing SysV service execution, and # /run/lock/subsys is used for serializing SysV service execution, and
# hence without use on SysV-less systems. # hence without use on SysV-less systems.
d /run/lock/subsys 0755 root root - d /run/lock/subsys 0755 root root -