.github/workflows/coverage.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@9e31235211d975bae25622d6205a8396d104335e
+      - uses: systemd/mkosi@5a476a92deca8ad54869e5d416217aa1bb137b25
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
           LINTER_RULES_PATH: .github/linters
           GITHUB_ACTIONS_CONFIG_FILE: actionlint.yml
 
-      - uses: systemd/mkosi@9e31235211d975bae25622d6205a8396d104335e
+      - uses: systemd/mkosi@5a476a92deca8ad54869e5d416217aa1bb137b25
 
       - name: Check that tabs are not used in Python code
         run: sh -c '! git grep -P "\\t" -- src/core/generate-bpf-delegate-configs.py src/boot/generate-hwids-section.py src/ukify/ukify.py test/integration-tests/integration-test-wrapper.py'

.github/workflows/mkosi.yml

@@ -167,7 +167,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@9e31235211d975bae25622d6205a8396d104335e
+      - uses: systemd/mkosi@5a476a92deca8ad54869e5d416217aa1bb137b25
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location

mkosi/mkosi.conf

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Config]
-MinimumVersion=commit:9e31235211d975bae25622d6205a8396d104335e
+MinimumVersion=commit:5a476a92deca8ad54869e5d416217aa1bb137b25
 Dependencies=
         exitrd
         initrd

mkosi/mkosi.tools.conf/mkosi.conf.d/debian-ubuntu.conf

@@ -8,6 +8,7 @@ Distribution=|ubuntu
 PrepareScripts=%D/mkosi/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.prepare
 Packages=
         clang-tools
+        gh
         lcov
         mypy
         shellcheck

src/core/service.c

@@ -4116,8 +4116,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
         else
                 clean_mode = EXIT_CLEAN_DAEMON;
 
-        /* Our own helper processes are not subject to SuccessExitStatus= as they're opaque to users */
+        if (is_clean_exit(code, status, clean_mode, &s->success_status))
-        if (is_clean_exit(code, status, clean_mode, s->control_pid.pid == pid && s->control_command_id < 0 ? NULL : &s->success_status))
                 f = SERVICE_SUCCESS;
         else if (code == CLD_EXITED)
                 f = SERVICE_FAILURE_EXIT_CODE;

src/shared/tpm2-util.c

@@ -7,7 +7,6 @@
 #include "ansi-color.h"
 #include "bitfield.h"
 #include "boot-entry.h"
-#include "chase.h"
 #include "constants.h"
 #include "creds-util.h"
 #include "cryptsetup-util.h"
@@ -6948,10 +6947,9 @@ static int tpm2_nvpcr_write_anchor_secret(
 
         /* Writes the encrypted credential of the anchor secret to directory 'dir' and file 'fname' */
 
-        _cleanup_close_ int dfd = -EBADF;
+        _cleanup_close_ int dfd = open_mkdir(dir, O_CLOEXEC, 0755);
-        r = chase(dir, /* root= */ NULL, CHASE_MKDIR_0755|CHASE_MUST_BE_DIRECTORY, /* ret_path= */ NULL, &dfd);
+        if (dfd < 0)
-        if (r < 0)
+                return log_error_errno(dfd, "Failed to create '%s' directory: %m", dir);
-                return log_error_errno(r, "Failed to create '%s' directory: %m", dir);
 
         _cleanup_free_ char *joined = path_join(dir, fname);
         if (!joined)

test/units/TEST-70-TPM2.pcrextend.sh

@@ -9,7 +9,7 @@ set -o pipefail
 export SYSTEMD_LOG_LEVEL=debug
 SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
 
-if [[ ! -x "${SD_PCREXTEND:?}" ]] || ! tpm_has_pcr sha256 16 || ! tpm_has_pcr sha256 15; then
+if [[ ! -x "${SD_PCREXTEND:?}" ]] || ! tpm_has_pcr sha256 11 || ! tpm_has_pcr sha256 15; then
     echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension tests"
     exit 0
 fi
@@ -28,23 +28,23 @@ export SYSTEMD_FORCE_MEASURE=1
 
 "$SD_PCREXTEND" --help
 "$SD_PCREXTEND" --version
-"$SD_PCREXTEND" --pcr=16 foo
+"$SD_PCREXTEND" foo
 "$SD_PCREXTEND" --machine-id
 "$SD_PCREXTEND" --product-id
 "$SD_PCREXTEND" --tpm2-device=list
-"$SD_PCREXTEND" --tpm2-device=auto --pcr=16 foo
+"$SD_PCREXTEND" --tpm2-device=auto foo
-"$SD_PCREXTEND" --tpm2-device=/dev/tpm0 --pcr=16 foo
+"$SD_PCREXTEND" --tpm2-device=/dev/tpm0 foo
-"$SD_PCREXTEND" --bank=sha256 --pcr=16 foo
+"$SD_PCREXTEND" --bank=sha256 foo
-"$SD_PCREXTEND" --bank=sha256 --bank=sha256 --pcr=16 foo
+"$SD_PCREXTEND" --bank=sha256 --bank=sha256 foo
-"$SD_PCREXTEND" --graceful --pcr=16 foo
+"$SD_PCREXTEND" --graceful foo
 "$SD_PCREXTEND" --pcr=15 foo
 "$SD_PCREXTEND" --file-system=/
 "$SD_PCREXTEND" --file-system=/tmp --file-system=/
-"$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=16
+"$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=11
 "$SD_PCREXTEND" --nvpcr=hardware foo
 
-if tpm_has_pcr sha1 16; then
+if tpm_has_pcr sha1 11; then
-    "$SD_PCREXTEND" --bank=sha1 --pcr=16 foo
+    "$SD_PCREXTEND" --bank=sha1 --pcr=11 foo
 fi
 
 (! "$SD_PCREXTEND")
@@ -88,9 +88,9 @@ DIGEST_CURRENT="$(jq --seq --slurp --raw-output ".[$RECORD_COUNT].digests[] | se
 test "$DIGEST_EXPECTED" == "$DIGEST_CURRENT"
 
 RECORD_COUNT=$((RECORD_COUNT + 1))
-# And similar for a string measurement into PCR 16
+# And similar for the boot phase measurement into PCR 11
-tpm2_pcrread sha256:16 -Q -o /tmp/oldpcr16
+tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
-# Do the equivalent of 'SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" --pcr=16 foobar' via Varlink, just to test the Varlink logic (but first we need to patch out the conditionalization...)
+# Do the equivalent of 'SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar' via Varlink, just to test the Varlink logic (but first we need to patch out the conditionalization...)
 mkdir -p /run/systemd/system/systemd-pcrextend.socket.d
 cat >/run/systemd/system/systemd-pcrextend.socket.d/50-no-condition.conf <<EOF
 [Unit]
@@ -99,14 +99,14 @@ ConditionSecurity=
 EOF
 systemctl daemon-reload
 systemctl restart systemd-pcrextend.socket
-varlinkctl call /run/systemd/io.systemd.PCRExtend io.systemd.PCRExtend.Extend '{"pcr":16,"text":"foobar"}'
+varlinkctl call /run/systemd/io.systemd.PCRExtend io.systemd.PCRExtend.Extend '{"pcr":11,"text":"foobar"}'
-tpm2_pcrread sha256:16 -Q -o /tmp/newpcr16
+tpm2_pcrread sha256:11 -Q -o /tmp/newpcr11
 
-diff /tmp/newpcr16 \
+diff /tmp/newpcr11 \
-    <(cat /tmp/oldpcr16 <(echo -n "foobar" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
+    <(cat /tmp/oldpcr11 <(echo -n "foobar" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
 
 # Check the event log for the 2nd new record since $RECORD_COUNT
-test "$(jq --seq --slurp ".[$RECORD_COUNT].pcr" </run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e16')"
+test "$(jq --seq --slurp ".[$RECORD_COUNT].pcr" </run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')"
 DIGEST_EXPECTED="$(echo -n "foobar" | openssl dgst -hex -sha256 -r)"
 DIGEST_CURRENT="$(jq --seq --slurp --raw-output ".[$RECORD_COUNT].digests[] | select(.hashAlg == \"sha256\").digest" </run/log/systemd/tpm2-measure.log) *stdin"
 test "$DIGEST_EXPECTED" == "$DIGEST_CURRENT"
@@ -124,4 +124,4 @@ tpm2_pcrread sha256:15 -Q -o /tmp/newpcr15
 diff /tmp/newpcr15 \
      <(cat /tmp/oldpcr15 <(echo -n "file-system:$FS_WORD" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
 
-rm -f /tmp/oldpcr{16,15} /tmp/newpcr{16,15}
+rm -f /tmp/oldpcr{11,15} /tmp/newpcr{11,15}

test/units/TEST-70-TPM2.pcrlock.sh

@@ -42,9 +42,6 @@ PCRS="1+2+3+4+5+16"
 # (as the PCR values simply won't match the log).
 rm -f /run/log/systemd/tpm2-measure.log
 
-# Reset TPM PCR 16 ("debug") explicitly, so that we can use it in a known good state
-tpm2_pcrreset 16
-
 # Ensure a truncated log doesn't crash pcrlock
 echo -n -e \\x1e >/tmp/borked
 set +e

test/units/TEST-70-TPM2.tpm2-setup.sh

@@ -11,6 +11,16 @@ if [[ ! -x "${SD_TPM2SETUP:?}" ]]; then
     exit 0
 fi
 
+. /etc/os-release
+if [[ "${ID_LIKE:-}" == alpine ]]; then
+    # For some unknown reasons, the test fails with the following:
+    # --------
+    # Couldn't find signature for this PCR bank, PCR index and public key.
+    # Failed to unseal secret using TPM2: No such device or address
+    # --------
+    exit 0
+fi
+
 "$SD_TPM2SETUP" --help
 "$SD_TPM2SETUP" --version
 "$SD_TPM2SETUP" --tpm2-device=list