vmspawn: try to set up swtpm state for 4K RSA keys support

The next version of swtpm will support RSA4096, but it needs to be called
with a new parameter in order to do so. Try with it first, and if
execution fails, fallback to running without it.

This is especially needed for OBS builds, as the signing key is RSA4096
and cannot be changed by users, so the generated UKIs have RSA4096 signatures
for the pcrsig sections, and swtpm refuses them without the new support.

man/udev_enumerate_new.xml

@@ -52,12 +52,13 @@
   <refsect1>
     <title>Description</title>
 
-    <para><function>udev_enumerate_new()</function> creates an enumeration context to scan /sys.</para>
+    <para><function>udev_enumerate_new()</function> creates an enumeration context to scan
+    <filename>/sys/</filename>.</para>
 
     <para><function>udev_enumerate_ref()</function> takes a reference of an enumeration context.</para>
 
-    <para><function>udev_enumerate_unref()</function> drops a reference of an enumeration context. If the refcount reaches zero,
-    all resources of the enumeration context will be released.</para>
+    <para><function>udev_enumerate_unref()</function> drops a reference of an enumeration context. If the
+    refcount reaches zero, all resources of the enumeration context will be released.</para>
   </refsect1>
 
   <refsect1>

src/core/cgroup.c

@@ -1454,12 +1454,6 @@ static void set_io_weight(Unit *u, uint64_t weight) {
         (void) set_attribute_and_warn(u, "io.weight", buf);
 }
 
-static void cgroup_apply_bpf_foreign_program(Unit *u) {
-        assert(u);
-
-        (void) bpf_foreign_install(u);
-}
-
 static void cgroup_context_apply(
                 Unit *u,
                 CGroupMask apply_mask,
@@ -1609,7 +1603,7 @@ static void cgroup_context_apply(
                 cgroup_apply_firewall(u);
 
         if (apply_mask & CGROUP_MASK_BPF_FOREIGN)
-                cgroup_apply_bpf_foreign_program(u);
+                (void) bpf_foreign_install(u);
 
         if (apply_mask & CGROUP_MASK_BPF_SOCKET_BIND)
                 cgroup_apply_socket_bind(u);

src/core/varlink.c

@@ -425,9 +425,6 @@ static int manager_varlink_init_system(Manager *m) {
 
         assert(m);
 
-        if (!MANAGER_IS_SYSTEM(m))
-                return 0;
-
         r = manager_setup_varlink_server(m);
         if (r < 0)
                 return log_error_errno(r, "Failed to set up varlink server: %m");
@@ -456,9 +453,6 @@ static int manager_varlink_init_user(Manager *m) {
 
         assert(m);
 
-        if (!MANAGER_IS_USER(m))
-                return 0;
-
         if (MANAGER_IS_TEST_RUN(m))
                 return 0;
 

src/shared/generator.c

@@ -161,7 +161,7 @@ static int generator_add_ordering(
         assert(order);
         assert(dst);
 
-        /* Adds in an explicit ordering dependency of type <order> from <src> to <dst>. If <instance> is
+        /* Adds an explicit ordering dependency of type <order> from <src> to <dst>. If <instance> is
          * specified, it is inserted into <dst>. */
 
         if (instance) {

src/ssh-generator/ssh-issue.c

@@ -25,7 +25,7 @@ static enum {
         ACTION_RM_VSOCK,
 } arg_action = ACTION_MAKE_VSOCK;
 
-static char* arg_issue_path = NULL;
+static char *arg_issue_path = NULL;
 static bool arg_issue_stdout = false;
 
 STATIC_DESTRUCTOR_REGISTER(arg_issue_path, freep);

src/vmspawn/vmspawn.c

@@ -1183,7 +1183,15 @@ static int start_tpm(
         if (r < 0)
                 return log_error_errno(r, "Failed to find swtpm_setup binary: %m");
 
-        _cleanup_strv_free_ char **argv = strv_new(swtpm_setup, "--tpm-state", state_dir, "--tpm2", "--pcr-banks", "sha256", "--not-overwrite");
+        /* Try passing --profile-name default-v2 first, in order to support RSA4096 pcrsig keys, which was
+         * added in 0.11. */
+        _cleanup_strv_free_ char **argv = strv_new(
+                        swtpm_setup,
+                        "--tpm-state", state_dir,
+                        "--tpm2",
+                        "--pcr-banks", "sha256",
+                        "--not-overwrite",
+                        "--profile-name", "default-v2");
         if (!argv)
                 return log_oom();
 
@@ -1194,6 +1202,22 @@ static int start_tpm(
                 log_error_errno(errno, "Failed to execute '%s': %m", argv[0]);
                 _exit(EXIT_FAILURE);
         }
+        if (r == -EPROTO) {
+                /* If swtpm_setup fails, try again removing the default-v2 profile, as it might be an older
+                 * version. */
+                strv_remove(argv, "--profile-name");
+                strv_remove(argv, "default-v2");
+
+                r = safe_fork("(swtpm-setup)", FORK_CLOSE_ALL_FDS|FORK_LOG|FORK_WAIT, NULL);
+                if (r == 0) {
+                        /* Child */
+                        execvp(argv[0], argv);
+                        log_error_errno(errno, "Failed to execute '%s': %m", argv[0]);
+                        _exit(EXIT_FAILURE);
+                }
+        }
+        if (r < 0)
+                return log_error_errno(r, "Failed to run swtpm_setup: %m");
 
         strv_free(argv);
         argv = strv_new(sd_socket_activate, "--listen", listen_address, swtpm, "socket", "--tpm2", "--tpmstate");