man/repart.d.xml

@@ -612,10 +612,6 @@
                 <entry><literal>ro</literal></entry>
                 <entry>Make this subvolume read-only.</entry>
               </row>
-              <row id='C'>
-                <entry><literal>nodatacow</literal></entry>
-                <entry>Disable data CoW for this subvolume.</entry>
-              </row>
             </tbody>
           </tgroup>
         </table>

rules.d/60-block.rules

@@ -16,7 +16,7 @@ ACTION!="remove", SUBSYSTEM=="block", \
 ACTION=="change", SUBSYSTEM=="block", KERNEL=="loop*", ENV{DISK_MEDIA_CHANGE}=="1", TEST!="loop/backing_file", GROUP="disk", MODE="660"
 
 # Provide a somewhat cleaned up field indicating the subsystem various
-# 'virtual' block devices belong to, in order to avoid replicating name based
+# 'virtual' block devices belong too, in order to avoid replicating name based
 # pattern matching in every consumer
 ACTION!="remove", SUBSYSTEM=="block", KERNEL=="dm-*", ENV{ID_BLOCK_SUBSYSTEM}="dm"
 ACTION!="remove", SUBSYSTEM=="block", KERNEL=="loop*", ENV{ID_BLOCK_SUBSYSTEM}="loop"

src/basic/btrfs.h

@@ -1,16 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
 
 #include "basic-forward.h"
 
-typedef enum BtrfsSubvolFlags {
-        BTRFS_SUBVOL_RO               = 1 << 0,
-        BTRFS_SUBVOL_NODATACOW        = 1 << 1,
-        _BTRFS_SUBVOL_FLAGS_MASK      = BTRFS_SUBVOL_NODATACOW|BTRFS_SUBVOL_RO,
-        _BTRFS_SUBVOL_FLAGS_INVALID   = -EINVAL,
-        _BTRFS_SUBVOL_FLAGS_ERRNO_MAX = -ERRNO_MAX, /* Ensure the whole errno range fits into this enum */
-} BtrfsSubvolFlags;
-
 int btrfs_validate_subvolume_name(const char *name);
 
 int btrfs_subvol_make(int dir_fd, const char *path);

src/basic/mkdir.c

@@ -9,7 +9,6 @@
 #include "fd-util.h"
 #include "format-util.h"
 #include "fs-util.h"
-#include "hashmap.h"
 #include "log.h"
 #include "mkdir.h"
 #include "path-util.h"
@@ -203,7 +202,7 @@ int mkdir_p_safe(const char *prefix, const char *path, mode_t mode, uid_t uid, g
         return mkdir_p_internal(prefix, path, mode, uid, gid, flags, mkdirat_errno_wrapper);
 }
 
-int mkdir_p_root_full(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m, usec_t ts, Hashmap *subvolumes) {
+int mkdir_p_root_full(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m, usec_t ts, char **subvolumes) {
         _cleanup_free_ char *pp = NULL, *bn = NULL;
         _cleanup_close_ int dfd = -EBADF;
         int r;
@@ -238,17 +237,10 @@ int mkdir_p_root_full(const char *root, const char *p, uid_t uid, gid_t gid, mod
         if (r < 0)
                 return r;
 
-        XOpenFlags flags = 0;
-        if (hashmap_contains(subvolumes, p)) {
-                flags = XO_SUBVOLUME;
-                if ((PTR_TO_INT(hashmap_get(subvolumes, p)) & BTRFS_SUBVOL_NODATACOW))
-                        flags |= XO_NOCOW;
-        }
-
         _cleanup_close_ int nfd = xopenat_full(
                                 dfd, bn,
                                 O_DIRECTORY|O_CREAT|O_EXCL|O_NOFOLLOW|O_CLOEXEC,
-                                flags,
+                                path_strv_contains(subvolumes, p) ? XO_SUBVOLUME : 0,
                                 m);
         if (nfd == -EEXIST)
                 return 0;

src/basic/mkdir.h

@@ -22,7 +22,7 @@ static inline int mkdir_parents(const char *path, mode_t mode) {
 int mkdir_parents_safe(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags);
 int mkdir_p(const char *path, mode_t mode);
 int mkdir_p_safe(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags);
-int mkdir_p_root_full(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m, usec_t ts, Hashmap *subvolumes);
+int mkdir_p_root_full(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m, usec_t ts, char **subvolumes);
 static inline int mkdir_p_root(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m) {
         return mkdir_p_root_full(root, p, uid, gid, m, USEC_INFINITY, NULL);
 }

src/bootctl/bootctl-install.c

@@ -623,13 +623,12 @@ static int efi_timestamp(EFI_TIME *ret) {
 
         return 0;
 }
+#endif
 
 static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, EVP_PKEY *private_key) {
+#if HAVE_OPENSSL
         int r;
 
-        if (!arg_secure_boot_auto_enroll)
-                return 0;
-
         _cleanup_free_ uint8_t *dercert = NULL;
         int dercertsz;
         dercertsz = i2d_X509(certificate, &dercert);
@@ -753,8 +752,10 @@ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, E
         }
 
         return 0;
-}
+#else
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot set up secure boot auto-enrollment.");
 #endif
+}
 
 static bool same_entry(uint16_t id, sd_id128_t uuid, const char *path) {
         _cleanup_free_ char *opath = NULL;
@@ -962,7 +963,6 @@ static int are_we_installed(const char *esp_path) {
         return r == 0;
 }
 
-#if HAVE_OPENSSL
 static int load_secure_boot_auto_enroll(
                 X509 **ret_certificate,
                 EVP_PKEY **ret_private_key) {
@@ -1022,7 +1022,6 @@ static int load_secure_boot_auto_enroll(
 
         return 0;
 }
-#endif
 
 int verb_install(int argc, char *argv[], void *userdata) {
         sd_id128_t uuid = SD_ID128_NULL;
@@ -1038,13 +1037,11 @@ int verb_install(int argc, char *argv[], void *userdata) {
         /* Support graceful mode only for updates, unless forcibly enabled in chroot environments */
         graceful = arg_graceful() == ARG_GRACEFUL_FORCE || (!install && arg_graceful() != ARG_GRACEFUL_NO);
 
-#if HAVE_OPENSSL
         _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
         _cleanup_(X509_freep) X509 *certificate = NULL;
         r = load_secure_boot_auto_enroll(&certificate, &private_key);
         if (r < 0)
                 return r;
-#endif
 
         r = acquire_esp(/* unprivileged_mode= */ false, graceful, &part, &pstart, &psize, &uuid, NULL);
         if (graceful && r == -ENOKEY)
@@ -1104,15 +1101,17 @@ int verb_install(int argc, char *argv[], void *userdata) {
                         if (r < 0)
                                 return r;
 
+                        if (arg_install_random_seed) {
                                 r = install_random_seed(arg_esp_path);
                                 if (r < 0)
                                         return r;
+                        }
 
-#if HAVE_OPENSSL
+                        if (arg_secure_boot_auto_enroll) {
                                 r = install_secure_boot_auto_enroll(arg_esp_path, certificate, private_key);
                                 if (r < 0)
                                         return r;
-#endif
+                        }
                 }
 
                 r = install_loader_specification(arg_dollar_boot_path());

src/bootctl/bootctl-random-seed.c

@@ -122,9 +122,6 @@ int install_random_seed(const char *esp) {
 
         assert_cc(RANDOM_EFI_SEED_SIZE == SHA256_DIGEST_SIZE);
 
-        if (!arg_install_random_seed)
-                return 0;
-
         esp_fd = open(esp, O_DIRECTORY|O_RDONLY|O_CLOEXEC);
         if (esp_fd < 0)
                 return log_error_errno(errno, "Failed to open ESP directory '%s': %m", esp);

src/bootctl/bootctl.c

@@ -654,17 +654,11 @@ static int parse_argv(int argc, char *argv[]) {
         if (arg_dry_run && argv[optind] && !STR_IN_SET(argv[optind], "unlink", "cleanup"))
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--dry-run is only supported with --unlink or --cleanup");
 
-        if (arg_secure_boot_auto_enroll) {
+        if (arg_secure_boot_auto_enroll && !arg_certificate)
-#if HAVE_OPENSSL
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided");
-                if (!arg_certificate)
-                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided.");
 
-                if (!arg_private_key)
+        if (arg_secure_boot_auto_enroll && !arg_private_key)
-                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided.");
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided");
-#else
-                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Secure boot auto-enrollment requested but OpenSSL support is disabled.");
-#endif
-        }
 
         r = sd_varlink_invocation(SD_VARLINK_ALLOW_ACCEPT);
         if (r < 0)

src/repart/repart.c

@@ -332,29 +332,33 @@ static void copy_files_free_many(CopyFiles *f, size_t n) {
         free(f);
 }
 
-static BtrfsSubvolFlags subvolume_flags_from_string_one(const char *s) {
+typedef enum SubvolumeFlags {
+        SUBVOLUME_RO               = 1 << 0,
+        _SUBVOLUME_FLAGS_MASK      = SUBVOLUME_RO,
+        _SUBVOLUME_FLAGS_INVALID   = -EINVAL,
+        _SUBVOLUME_FLAGS_ERRNO_MAX = -ERRNO_MAX, /* Ensure the whole errno range fits into this enum */
+} SubvolumeFlags;
+
+static SubvolumeFlags subvolume_flags_from_string_one(const char *s) {
         /* This is a bitmask (i.e. not dense), hence we don't use the "string-table.h" stuff here. */
 
         assert(s);
 
         if (streq(s, "ro"))
-                return BTRFS_SUBVOL_RO;
+                return SUBVOLUME_RO;
 
-        if (streq(s, "nodatacow"))
+        return _SUBVOLUME_FLAGS_INVALID;
-                return BTRFS_SUBVOL_NODATACOW;
-
-        return _BTRFS_SUBVOL_FLAGS_INVALID;
 }
 
-static BtrfsSubvolFlags subvolume_flags_from_string(const char *s) {
+static SubvolumeFlags subvolume_flags_from_string(const char *s) {
-        BtrfsSubvolFlags flags = 0;
+        SubvolumeFlags flags = 0;
         int r;
 
         assert(s);
 
         for (;;) {
                 _cleanup_free_ char *f = NULL;
-                BtrfsSubvolFlags ff;
+                SubvolumeFlags ff;
 
                 r = extract_first_word(&s, &f, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
                 if (r < 0)
@@ -374,7 +378,7 @@ static BtrfsSubvolFlags subvolume_flags_from_string(const char *s) {
 
 typedef struct Subvolume {
         char *path;
-        BtrfsSubvolFlags flags;
+        SubvolumeFlags flags;
 } Subvolume;
 
 static Subvolume* subvolume_free(Subvolume *s) {
@@ -517,10 +521,8 @@ struct Context {
 
         bool from_scratch;
 
-#if HAVE_OPENSSL
         X509 *certificate;
         EVP_PKEY *private_key;
-#endif
 
         bool defer_partitions_empty;
         bool defer_partitions_factory_reset;
@@ -850,7 +852,11 @@ static Context* context_new(
                 char **definitions,
                 EmptyMode empty,
                 bool dry_run,
-                sd_id128_t seed) {
+                sd_id128_t seed,
+                X509 *certificate,
+                EVP_PKEY *private_key) {
+
+        /* Note: This function takes ownership of the certificate and private_key arguments. */
 
         _cleanup_strv_free_ char **d = NULL;
         if (!strv_isempty(definitions)) {
@@ -869,6 +875,8 @@ static Context* context_new(
                 .end = UINT64_MAX,
                 .total = UINT64_MAX,
                 .seed = seed,
+                .certificate = certificate,
+                .private_key = private_key,
                 .empty = empty,
                 .dry_run = dry_run,
                 .backing_fd = -EBADF,
@@ -908,10 +916,8 @@ static Context* context_free(Context *context) {
         else
                 free(context->node);
 
-#if HAVE_OPENSSL
         X509_free(context->certificate);
         EVP_PKEY_free(context->private_key);
-#endif
 
         context->link = sd_varlink_unref(context->link);
 
@@ -2321,7 +2327,7 @@ static int config_parse_subvolumes(
                 }
 
                 if (f) {
-                        BtrfsSubvolFlags flags = subvolume_flags_from_string(f);
+                        SubvolumeFlags flags = subvolume_flags_from_string(f);
                         if (flags == -EBADRQC) {
                                 log_syntax(unit, LOG_WARNING, filename, line, r, "Unknown subvolume flag in subvolume, ignoring: %s", f);
                                 continue;
@@ -5490,8 +5496,9 @@ static int partition_format_verity_hash(
 }
 
 static int sign_verity_roothash(
-                Context *context,
                 const struct iovec *roothash,
+                X509 *certificate,
+                EVP_PKEY *private_key,
                 struct iovec *ret_signature) {
 
 #if HAVE_OPENSSL
@@ -5501,10 +5508,8 @@ static int sign_verity_roothash(
         _cleanup_free_ uint8_t *sig = NULL;
         int sigsz;
 
-        assert(context);
-        assert(context->certificate);
-        assert(context->private_key);
         assert(roothash);
+        assert(private_key);
         assert(iovec_is_set(roothash));
         assert(ret_signature);
 
@@ -5516,7 +5521,7 @@ static int sign_verity_roothash(
         if (!rb)
                 return log_oom();
 
-        p7 = PKCS7_sign(context->certificate, context->private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
+        p7 = PKCS7_sign(certificate, private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
         if (!p7)
                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to calculate PKCS7 signature: %s",
                                        ERR_error_string(ERR_get_error(), NULL));
@@ -5564,7 +5569,6 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
         Partition *hp, *rp;
         uint8_t fp[X509_FINGERPRINT_SIZE];
         int whole_fd, r;
-        bool has_fp = false;
 
         assert(p->verity == VERITY_SIG);
 
@@ -5581,20 +5585,13 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
 
         verity_settings = lookup_verity_settings_by_uuid_pair(rp->current_uuid, hp->current_uuid);
 
-        if (!verity_settings) {
+        if (!context->private_key && !verity_settings)
-#if HAVE_OPENSSL
-                if (!context->private_key)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                        "Verity signature partition signing requested but no private key provided (--private-key=).");
 
-                if (!context->certificate)
+        if (!context->certificate && !verity_settings)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                        "Verity signature partition signing requested but no PEM certificate provided (--certificate=).");
-#else
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "Verity signature partition signing requested but OpenSSL support is disabled.");
-#endif
-        }
 
         (void) partition_hint(p, context->node, &hint);
 
@@ -5610,7 +5607,7 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
                         .iov_len = verity_settings->root_hash_size,
                 };
         } else {
-                r = sign_verity_roothash(context, &hp->roothash, &sig_free);
+                r = sign_verity_roothash(&hp->roothash, context->certificate, context->private_key, &sig_free);
                 if (r < 0)
                         return r;
 
@@ -5618,17 +5615,14 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
                 roothash = hp->roothash;
         }
 
-#if HAVE_OPENSSL
         r = x509_fingerprint(context->certificate, fp);
         if (r < 0)
                 return log_error_errno(r, "Unable to calculate X509 certificate fingerprint: %m");
-        has_fp = true;
-#endif
 
         r = sd_json_buildo(
                         &v,
                         SD_JSON_BUILD_PAIR("rootHash", SD_JSON_BUILD_HEX(roothash.iov_base, roothash.iov_len)),
-                        SD_JSON_BUILD_PAIR_CONDITION(has_fp, "certificateFingerprint", SD_JSON_BUILD_HEX(fp, sizeof(fp))),
+                        SD_JSON_BUILD_PAIR("certificateFingerprint", SD_JSON_BUILD_HEX(fp, sizeof(fp))),
                         SD_JSON_BUILD_PAIR("signature", JSON_BUILD_IOVEC_BASE64(&sig)));
         if (r < 0)
                 return log_error_errno(r, "Failed to build verity signature JSON object: %m");
@@ -5979,7 +5973,7 @@ static int make_copy_files_denylist(
         return 0;
 }
 
-static int add_subvolume_path(const char *path, BtrfsSubvolFlags flags, Hashmap **subvolumes) {
+static int add_subvolume_path(const char *path, Set **subvolumes) {
         _cleanup_free_ struct stat *st = NULL;
         int r;
 
@@ -5996,71 +5990,63 @@ static int add_subvolume_path(const char *path, BtrfsSubvolFlags flags, Hashmap
         if (r < 0)
                 return log_error_errno(r, "Failed to stat source file '%s/%s': %m", strempty(arg_copy_source), path);
 
-        r = hashmap_ensure_put(subvolumes, &inode_hash_ops, st, INT_TO_PTR(flags));
+        r = set_ensure_consume(subvolumes, &inode_hash_ops, TAKE_PTR(st));
         if (r < 0)
                 return log_oom();
 
-        TAKE_PTR(st);
-
         return 0;
 }
 
-static int make_subvolumes_hashmap(const Partition *p, Hashmap **ret) {
+static int make_subvolumes_strv(const Partition *p, char ***ret) {
-        _cleanup_hashmap_free_ Hashmap *hashmap = NULL;
+        _cleanup_strv_free_ char **subvolumes = NULL;
         Subvolume *subvolume;
         int r;
 
         assert(p);
         assert(ret);
 
-        ORDERED_HASHMAP_FOREACH(subvolume, p->subvolumes) {
+        ORDERED_HASHMAP_FOREACH(subvolume, p->subvolumes)
-                _cleanup_free_ char *path = NULL;
+                if (strv_extend(&subvolumes, subvolume->path) < 0)
-
-                path = strdup(subvolume->path);
-                if (!path)
                         return log_oom();
 
-                r = hashmap_ensure_put(&hashmap, &path_hash_ops_free, path, INT_TO_PTR(subvolume->flags));
-                if (r < 0)
-                        return log_oom();
-
-                TAKE_PTR(path);
-        }
-
         if (p->suppressing) {
-                Hashmap *suppressing;
+                char **suppressing;
 
-                r = make_subvolumes_hashmap(p->suppressing, &suppressing);
+                r = make_subvolumes_strv(p->suppressing, &suppressing);
                 if (r < 0)
                         return r;
 
-                r = hashmap_merge(hashmap, suppressing);
+                r = strv_extend_strv_consume(&subvolumes, suppressing, /* filter_duplicates= */ true);
                 if (r < 0)
                         return log_oom();
         }
 
-        *ret = TAKE_PTR(hashmap);
+        *ret = TAKE_PTR(subvolumes);
         return 0;
 }
 
-static int make_subvolumes_by_source_inode_hashmap(
+static int make_subvolumes_set(
                 const Partition *p,
                 const char *source,
                 const char *target,
-                Hashmap **ret) {
+                Set **ret) {
 
-        _cleanup_hashmap_free_ Hashmap *hashmap = NULL;
+        _cleanup_strv_free_ char **paths = NULL;
-        Subvolume *subvolume;
+        _cleanup_set_free_ Set *subvolumes = NULL;
         int r;
 
         assert(p);
         assert(target);
         assert(ret);
 
-        ORDERED_HASHMAP_FOREACH(subvolume, p->subvolumes) {
+        r = make_subvolumes_strv(p, &paths);
+        if (r < 0)
+                return r;
+
+        STRV_FOREACH(subvolume, paths) {
                 _cleanup_free_ char *path = NULL;
 
-                const char *s = path_startswith(subvolume->path, target);
+                const char *s = path_startswith(*subvolume, target);
                 if (!s)
                         continue;
 
@@ -6068,24 +6054,12 @@ static int make_subvolumes_by_source_inode_hashmap(
                 if (!path)
                         return log_oom();
 
-                r = add_subvolume_path(path, subvolume->flags, &hashmap);
+                r = add_subvolume_path(path, &subvolumes);
                 if (r < 0)
                         return r;
         }
 
-        if (p->suppressing) {
+        *ret = TAKE_PTR(subvolumes);
-                Hashmap *suppressing;
-
-                r = make_subvolumes_by_source_inode_hashmap(p->suppressing, source, target, &suppressing);
-                if (r < 0)
-                        return r;
-
-                r = hashmap_merge(hashmap, suppressing);
-                if (r < 0)
-                        return log_oom();
-        }
-
-        *ret = TAKE_PTR(hashmap);
         return 0;
 }
 
@@ -6153,13 +6127,13 @@ static int file_is_denylisted(const char *source, Hashmap *denylist) {
 }
 
 static int do_copy_files(Context *context, Partition *p, const char *root) {
-        _cleanup_hashmap_free_ Hashmap *subvolumes = NULL;
+        _cleanup_strv_free_ char **subvolumes = NULL;
         int r;
 
         assert(p);
         assert(root);
 
-        r = make_subvolumes_hashmap(p, &subvolumes);
+        r = make_subvolumes_strv(p, &subvolumes);
         if (r < 0)
                 return r;
 
@@ -6203,7 +6177,7 @@ static int do_copy_files(Context *context, Partition *p, const char *root) {
 
         FOREACH_ARRAY(line, copy_files, n_copy_files) {
                 _cleanup_hashmap_free_ Hashmap *denylist = NULL;
-                _cleanup_hashmap_free_ Hashmap *subvolumes_by_source_inode = NULL;
+                _cleanup_set_free_ Set *subvolumes_by_source_inode = NULL;
                 _cleanup_close_ int sfd = -EBADF, pfd = -EBADF, tfd = -EBADF;
                 usec_t ts = epoch_or_infinity();
 
@@ -6213,7 +6187,7 @@ static int do_copy_files(Context *context, Partition *p, const char *root) {
                 if (r > 0)
                         continue;
 
-                r = make_subvolumes_by_source_inode_hashmap(p, line->source, line->target, &subvolumes_by_source_inode);
+                r = make_subvolumes_set(p, line->source, line->target, &subvolumes_by_source_inode);
                 if (r < 0)
                         return r;
 
@@ -6328,14 +6302,14 @@ static int do_copy_files(Context *context, Partition *p, const char *root) {
 }
 
 static int do_make_directories(Partition *p, const char *root) {
-        _cleanup_hashmap_free_ Hashmap *subvolumes = NULL;
+        _cleanup_strv_free_ char **subvolumes = NULL;
         _cleanup_free_ char **override_dirs = NULL;
         int r;
 
         assert(p);
         assert(root);
 
-        r = make_subvolumes_hashmap(p, &subvolumes);
+        r = make_subvolumes_strv(p, &subvolumes);
         if (r < 0)
                 return r;
 
@@ -6381,7 +6355,7 @@ static int make_subvolumes_read_only(Partition *p, const char *root) {
         int r;
 
         ORDERED_HASHMAP_FOREACH(subvolume, p->subvolumes) {
-                if (!FLAGS_SET(subvolume->flags, BTRFS_SUBVOL_RO))
+                if (!FLAGS_SET(subvolume->flags, SUBVOLUME_RO))
                         continue;
 
                 path = path_join(root, subvolume->path);
@@ -6649,7 +6623,7 @@ static int append_btrfs_subvols(char ***l, OrderedHashmap *subvolumes, const cha
                 if (streq_ptr(subvolume->path, default_subvolume) && !strextend(&s, "default"))
                         return log_oom();
 
-                if (FLAGS_SET(subvolume->flags, BTRFS_SUBVOL_RO) && !strextend_with_separator(&s, "-", "ro"))
+                if (FLAGS_SET(subvolume->flags, SUBVOLUME_RO) && !strextend_with_separator(&s, "-", "ro"))
                         return log_oom();
 
                 if (!strextend_with_separator(&s, ":", subvolume->path))
@@ -6663,28 +6637,6 @@ static int append_btrfs_subvols(char ***l, OrderedHashmap *subvolumes, const cha
         return 0;
 }
 
-static int append_btrfs_inode_flags(char ***l, OrderedHashmap *subvolumes) {
-        Subvolume *subvolume;
-        int r;
-
-        assert(l);
-
-        ORDERED_HASHMAP_FOREACH(subvolume, subvolumes) {
-                if (!FLAGS_SET(subvolume->flags, BTRFS_SUBVOL_NODATACOW))
-                        continue;
-
-                _cleanup_free_ char *s = strjoin("nodatacow:", subvolume->path);
-                if (!s)
-                        return log_oom();
-
-                r = strv_extend_many(l, "--inode-flags", s);
-                if (r < 0)
-                        return log_oom();
-        }
-
-        return 0;
-}
-
 static int finalize_extra_mkfs_options(const Partition *p, const char *root, char ***ret) {
         _cleanup_strv_free_ char **sv = NULL;
         int r;
@@ -6703,18 +6655,10 @@ static int finalize_extra_mkfs_options(const Partition *p, const char *root, cha
                 if (r < 0)
                         return r;
 
-                r = append_btrfs_inode_flags(&sv, p->subvolumes);
-                if (r < 0)
-                        return r;
-
                 if (p->suppressing) {
                         r = append_btrfs_subvols(&sv, p->suppressing->subvolumes, NULL);
                         if (r < 0)
                                 return r;
-
-                        r = append_btrfs_inode_flags(&sv, p->suppressing->subvolumes);
-                        if (r < 0)
-                                return r;
                 }
         }
 
@@ -8740,57 +8684,6 @@ static int context_minimize(Context *context) {
         return 0;
 }
 
-static int context_load_keys(Context *context) {
-#if HAVE_OPENSSL
-        int r;
-
-        assert(context);
-
-        if (arg_certificate) {
-                if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
-                        r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
-                        if (r < 0)
-                                return r;
-                }
-
-                r = openssl_load_x509_certificate(
-                                arg_certificate_source_type,
-                                arg_certificate_source,
-                                arg_certificate,
-                                &context->certificate);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
-        }
-
-        if (arg_private_key) {
-                if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
-                        r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key);
-                        if (r < 0)
-                                return r;
-                }
-
-                r = openssl_load_private_key(
-                                arg_private_key_source_type,
-                                arg_private_key_source,
-                                arg_private_key,
-                                &(AskPasswordRequest) {
-                                        .tty_fd = -EBADF,
-                                        .id = "repart-private-key-pin",
-                                        .keyring = arg_private_key,
-                                        .credential = "repart.private-key-pin",
-                                        .until = USEC_INFINITY,
-                                        .hup_fd = -EBADF,
-                                },
-                                &context->private_key,
-                                /* ret_user_interface= */ NULL);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
-        }
-
-#endif
-        return 0;
-}
-
 static int parse_partition_types(const char *p, GptPartitionType **partitions, size_t *n_partitions) {
         int r;
 
@@ -8995,7 +8888,13 @@ static int help(void) {
         return 0;
 }
 
-static int parse_argv(int argc, char *argv[]) {
+static int parse_argv(
+                int argc,
+                char *argv[],
+                X509 **ret_certificate,
+                EVP_PKEY **ret_private_key,
+                OpenSSLAskPasswordUI **ret_ui) {
+
         enum {
                 ARG_VERSION = 0x100,
                 ARG_NO_PAGER,
@@ -9094,11 +8993,17 @@ static int parse_argv(int argc, char *argv[]) {
                 {}
         };
 
+        _cleanup_(X509_freep) X509 *certificate = NULL;
+        _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
+        _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
         bool auto_public_key_pcr_mask = true, auto_pcrlock = true;
         int c, r;
 
         assert(argc >= 0);
         assert(argv);
+        assert(ret_certificate);
+        assert(ret_private_key);
+        assert(ret_ui);
 
         while ((c = getopt_long(argc, argv, "hs:SCP", options, NULL)) >= 0)
 
@@ -9639,6 +9544,47 @@ static int parse_argv(int argc, char *argv[]) {
                         *p = gpt_partition_type_override_architecture(*p, arg_architecture);
         }
 
+        if (arg_certificate) {
+                if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
+                        r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
+                        if (r < 0)
+                                return r;
+                }
+
+                r = openssl_load_x509_certificate(
+                                arg_certificate_source_type,
+                                arg_certificate_source,
+                                arg_certificate,
+                                &certificate);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
+        }
+
+        if (arg_private_key) {
+                if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
+                        r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key);
+                        if (r < 0)
+                                return r;
+                }
+
+                r = openssl_load_private_key(
+                                arg_private_key_source_type,
+                                arg_private_key_source,
+                                arg_private_key,
+                                &(AskPasswordRequest) {
+                                        .tty_fd = -EBADF,
+                                        .id = "repart-private-key-pin",
+                                        .keyring = arg_private_key,
+                                        .credential = "repart.private-key-pin",
+                                        .until = USEC_INFINITY,
+                                        .hup_fd = -EBADF,
+                                },
+                                &private_key,
+                                &ui);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
+        }
+
         if (arg_append_fstab && !arg_generate_fstab)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No --generate-fstab= specified for --append-fstab=%s.", append_mode_to_string(arg_append_fstab));
 
@@ -9650,6 +9596,10 @@ static int parse_argv(int argc, char *argv[]) {
                 arg_pager_flags |= PAGER_DISABLE;
         }
 
+        *ret_certificate = TAKE_PTR(certificate);
+        *ret_private_key = TAKE_PTR(private_key);
+        *ret_ui = TAKE_PTR(ui);
+
         return 1;
 }
 
@@ -10270,7 +10220,9 @@ static int vl_method_run(
                         p.definitions,
                         p.empty,
                         p.dry_run,
-                        p.seed);
+                        p.seed,
+                        /* certificate= */ NULL,
+                        /* private_key= */ NULL);
         if (!context)
                 return log_oom();
 
@@ -10409,6 +10361,9 @@ static int vl_server(void) {
 }
 
 static int run(int argc, char *argv[]) {
+        _cleanup_(X509_freep) X509 *certificate = NULL;
+        _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
+        _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
         _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
         _cleanup_(umount_and_freep) char *mounted_dir = NULL;
         _cleanup_(context_freep) Context* context = NULL;
@@ -10417,7 +10372,7 @@ static int run(int argc, char *argv[]) {
 
         log_setup();
 
-        r = parse_argv(argc, argv);
+        r = parse_argv(argc, argv, &certificate, &private_key, &ui);
         if (r <= 0)
                 return r;
 
@@ -10483,13 +10438,14 @@ static int run(int argc, char *argv[]) {
                         arg_definitions,
                         arg_empty,
                         arg_dry_run,
-                        arg_seed);
+                        arg_seed,
+                        certificate,
+                        private_key);
         if (!context)
                 return log_oom();
 
-        r = context_load_keys(context);
+        TAKE_PTR(certificate);
-        if (r < 0)
+        TAKE_PTR(private_key);
-                return r;
 
         context->defer_partitions_empty = arg_defer_partitions_empty;
         context->defer_partitions_factory_reset = arg_defer_partitions_factory_reset;

src/resolve/resolvectl.c

@@ -1014,7 +1014,6 @@ static int verb_service(int argc, char **argv, void *userdata) {
                 return resolve_service(bus, argv[1], argv[2], argv[3]);
 }
 
-#if HAVE_OPENSSL
 static int resolve_openpgp(sd_bus *bus, const char *address) {
         int r;
 
@@ -1054,7 +1053,7 @@ static int resolve_openpgp(sd_bus *bus, const char *address) {
                         arg_class ?: DNS_CLASS_IN,
                         arg_type ?: DNS_TYPE_OPENPGPKEY,
                         /* warn_missing= */ false);
-        if (!IN_SET(r, -ENXIO, -ESRCH)) /* Not NXDOMAIN or NODATA? Then fail immediately. */
+        if (!IN_SET(r, -ENXIO, -ESRCH)) /* Not NXDOMAIN or NODATA? Then fail immedately. */
                 return r;
 
         hashed = mfree(hashed);
@@ -1075,10 +1074,8 @@ static int resolve_openpgp(sd_bus *bus, const char *address) {
                         arg_type ?: DNS_TYPE_OPENPGPKEY,
                         /* warn_missing= */ true);
 }
-#endif
 
 static int verb_openpgp(int argc, char **argv, void *userdata) {
-#if HAVE_OPENSSL
         _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
         int r, ret = 0;
 
@@ -1093,9 +1090,6 @@ static int verb_openpgp(int argc, char **argv, void *userdata) {
                 RET_GATHER(ret, resolve_openpgp(bus, *p));
 
         return ret;
-#else
-        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL support is disabled, cannot query Open PGP keys.");
-#endif
 }
 
 static int resolve_tlsa(sd_bus *bus, const char *family, const char *address) {

src/shared/copy.c

@@ -12,7 +12,6 @@
 #include <unistd.h>
 
 #include "alloc-util.h"
-#include "btrfs.h"
 #include "chattr-util.h"
 #include "copy.h"
 #include "dirent-util.h"
@@ -892,7 +891,7 @@ static int fd_copy_tree_generic(
                 gid_t override_gid,
                 CopyFlags copy_flags,
                 Hashmap *denylist,
-                Hashmap *subvolumes,
+                Set *subvolumes,
                 HardlinkContext *hardlink_context,
                 const char *display_path,
                 copy_progress_path_t progress_path,
@@ -1112,7 +1111,7 @@ static int fd_copy_directory(
                 gid_t override_gid,
                 CopyFlags copy_flags,
                 Hashmap *denylist,
-                Hashmap *subvolumes,
+                Set *subvolumes,
                 HardlinkContext *hardlink_context,
                 const char *display_path,
                 copy_progress_path_t progress_path,
@@ -1161,16 +1160,9 @@ static int fd_copy_directory(
 
         exists = r >= 0;
 
-        XOpenFlags flags = copy_flags & COPY_MAC_CREATE ? XO_LABEL : 0;
-        if (hashmap_contains(subvolumes, st)) {
-                flags |= XO_SUBVOLUME;
-                if ((PTR_TO_INT(hashmap_get(subvolumes, st)) & BTRFS_SUBVOL_NODATACOW))
-                        flags |= XO_NOCOW;
-        }
-
         fdt = xopenat_lock_full(dt, to,
                                 O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|(exists ? 0 : O_CREAT|O_EXCL),
-                                flags,
+                                (copy_flags & COPY_MAC_CREATE ? XO_LABEL : 0)|(set_contains(subvolumes, st) ? XO_SUBVOLUME : 0),
                                 st->st_mode & 07777,
                                 copy_flags & COPY_LOCK_BSD ? LOCK_BSD : LOCK_NONE,
                                 LOCK_EX);
@@ -1339,7 +1331,7 @@ static int fd_copy_tree_generic(
                 gid_t override_gid,
                 CopyFlags copy_flags,
                 Hashmap *denylist,
-                Hashmap *subvolumes,
+                Set *subvolumes,
                 HardlinkContext *hardlink_context,
                 const char *display_path,
                 copy_progress_path_t progress_path,
@@ -1388,7 +1380,7 @@ int copy_tree_at_full(
                 gid_t override_gid,
                 CopyFlags copy_flags,
                 Hashmap *denylist,
-                Hashmap *subvolumes,
+                Set *subvolumes,
                 copy_progress_path_t progress_path,
                 copy_progress_bytes_t progress_bytes,
                 void *userdata) {

src/shared/copy.h

@@ -80,11 +80,11 @@ static inline int copy_file_atomic(const char *from, const char *to, mode_t mode
         return copy_file_atomic_full(from, to, mode, 0, 0, copy_flags, NULL, NULL);
 }
 
-int copy_tree_at_full(int fdf, const char *from, int fdt, const char *to, uid_t override_uid, gid_t override_gid, CopyFlags copy_flags, Hashmap *denylist, Hashmap *subvolumes, copy_progress_path_t progress_path, copy_progress_bytes_t progress_bytes, void *userdata);
+int copy_tree_at_full(int fdf, const char *from, int fdt, const char *to, uid_t override_uid, gid_t override_gid, CopyFlags copy_flags, Hashmap *denylist, Set *subvolumes, copy_progress_path_t progress_path, copy_progress_bytes_t progress_bytes, void *userdata);
-static inline int copy_tree_at(int fdf, const char *from, int fdt, const char *to, uid_t override_uid, gid_t override_gid, CopyFlags copy_flags, Hashmap *denylist, Hashmap *subvolumes) {
+static inline int copy_tree_at(int fdf, const char *from, int fdt, const char *to, uid_t override_uid, gid_t override_gid, CopyFlags copy_flags, Hashmap *denylist, Set *subvolumes) {
         return copy_tree_at_full(fdf, from, fdt, to, override_uid, override_gid, copy_flags, denylist, subvolumes, NULL, NULL, NULL);
 }
-static inline int copy_tree(const char *from, const char *to, uid_t override_uid, gid_t override_gid, CopyFlags copy_flags, Hashmap *denylist, Hashmap *subvolumes) {
+static inline int copy_tree(const char *from, const char *to, uid_t override_uid, gid_t override_gid, CopyFlags copy_flags, Hashmap *denylist, Set *subvolumes) {
         return copy_tree_at_full(AT_FDCWD, from, AT_FDCWD, to, override_uid, override_gid, copy_flags, denylist, subvolumes, NULL, NULL, NULL);
 }
 

src/shared/openssl-util.c

@@ -1644,20 +1644,25 @@ static int load_x509_certificate_from_provider(const char *provider, const char
         return -EOPNOTSUPP;
 #endif
 }
+#endif
 
 OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
+#if HAVE_OPENSSL && !defined(OPENSSL_NO_UI_CONSOLE)
         if (!ui)
                 return NULL;
 
-#ifndef OPENSSL_NO_UI_CONSOLE
         assert(UI_get_default_method() == ui->method);
         UI_set_default_method(UI_OpenSSL());
         UI_destroy_method(ui->method);
-#endif
         return mfree(ui);
+#else
+        assert(ui == NULL);
+        return NULL;
+#endif
 }
 
 int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
+#if HAVE_OPENSSL
         _cleanup_free_ uint8_t *der = NULL;
         int dersz;
 
@@ -1669,6 +1674,9 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
 
         sha256_direct(der, dersz, buffer);
         return 0;
+#else
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate X509 fingerprint.");
+#endif
 }
 
 int openssl_load_x509_certificate(
@@ -1676,7 +1684,7 @@ int openssl_load_x509_certificate(
                 const char *certificate_source,
                 const char *certificate,
                 X509 **ret) {
-
+#if HAVE_OPENSSL
         int r;
 
         assert(certificate);
@@ -1700,6 +1708,9 @@ int openssl_load_x509_certificate(
                                 certificate_source);
 
         return 0;
+#else
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load X509 certificate.");
+#endif
 }
 
 int openssl_load_private_key(
@@ -1709,7 +1720,7 @@ int openssl_load_private_key(
                 const AskPasswordRequest *request,
                 EVP_PKEY **ret_private_key,
                 OpenSSLAskPasswordUI **ret_user_interface) {
-
+#if HAVE_OPENSSL
         int r;
 
         assert(private_key);
@@ -1752,8 +1763,10 @@ int openssl_load_private_key(
         }
 
         return 0;
-}
+#else
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load private key.");
 #endif
+}
 
 int parse_openssl_certificate_source_argument(
                 const char *argument,

src/shared/openssl-util.h

@@ -55,24 +55,22 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s
 #  endif
 
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_MACRO(void*, OPENSSL_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TIME*, ASN1_TIME_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free_all, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIGNUM*, BN_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BN_CTX*, BN_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ECDSA_SIG*, ECDSA_SIG_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7_SIGNER_INFO*, PKCS7_SIGNER_INFO_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free_all, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TIME*, ASN1_TIME_free, NULL);
 
 static inline STACK_OF(X509_ALGOR) *x509_algor_free_many(STACK_OF(X509_ALGOR) *attrs) {
         if (!attrs)
@@ -172,13 +170,44 @@ int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_
 int pkcs7_new(X509 *certificate, EVP_PKEY *private_key, const char *hash_algorithm, PKCS7 **ret_p7, PKCS7_SIGNER_INFO **ret_si);
 
 int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
-static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
+
-        return string_hashsum(s, len, "SHA224", ret);
+#else
+
+typedef struct X509 X509;
+typedef struct EVP_PKEY EVP_PKEY;
+typedef struct EVP_MD EVP_MD;
+typedef struct UI_METHOD UI_METHOD;
+typedef struct ASN1_TYPE ASN1_TYPE;
+typedef struct ASN1_STRING ASN1_STRING;
+
+static inline void* X509_free(X509 *p) {
+        assert(p == NULL);
+        return NULL;
 }
-static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
+
-        return string_hashsum(s, len, "SHA256", ret);
+static inline void* EVP_PKEY_free(EVP_PKEY *p) {
+        assert(p == NULL);
+        return NULL;
 }
 
+static inline int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret) {
+        return -EOPNOTSUPP;
+}
+
+#endif
+
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
+
+struct OpenSSLAskPasswordUI {
+        AskPasswordRequest request;
+        UI_METHOD *method;
+};
+
+OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_free, NULL);
+
 int x509_fingerprint(X509 *cert, uint8_t buffer[static X509_FINGERPRINT_SIZE]);
 
 int openssl_load_x509_certificate(
@@ -195,13 +224,10 @@ int openssl_load_private_key(
                 EVP_PKEY **ret_private_key,
                 OpenSSLAskPasswordUI **ret_user_interface);
 
-struct OpenSSLAskPasswordUI {
+static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
-        AskPasswordRequest request;
+        return string_hashsum(s, len, "SHA224", ret);
-#ifndef OPENSSL_NO_UI_CONSOLE
+}
-        UI_METHOD *method;
-#endif
-};
 
-OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui);
+static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_free, NULL);
+        return string_hashsum(s, len, "SHA256", ret);
-#endif
+}

src/shared/pe-binary.c

@@ -336,12 +336,13 @@ static int hash_file(int fd, EVP_MD_CTX *md_ctx, uint64_t offset, uint64_t size)
 static int section_offset_cmp(const IMAGE_SECTION_HEADER *a, const IMAGE_SECTION_HEADER *b) {
         return CMP(ASSERT_PTR(a)->PointerToRawData, ASSERT_PTR(b)->PointerToRawData);
 }
+#endif
 
 int pe_hash(int fd,
             const EVP_MD *md,
             void **ret_hash,
             size_t *ret_hash_size) {
-
+#if HAVE_OPENSSL
         _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *mdctx = NULL;
         _cleanup_free_ IMAGE_SECTION_HEADER *sections = NULL;
         _cleanup_free_ IMAGE_DOS_HEADER *dos_header = NULL;
@@ -448,6 +449,9 @@ int pe_hash(int fd,
         *ret_hash_size = hash_size;
 
         return 0;
+#else
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate PE hash.");
+#endif
 }
 
 int pe_checksum(int fd, uint32_t *ret) {
@@ -499,6 +503,7 @@ int pe_checksum(int fd, uint32_t *ret) {
         return 0;
 }
 
+#if HAVE_OPENSSL
 typedef void* SectionHashArray[_UNIFIED_SECTION_MAX];
 
 static void section_hash_array_done(SectionHashArray *array) {
@@ -507,12 +512,13 @@ static void section_hash_array_done(SectionHashArray *array) {
         for (size_t i = 0; i < _UNIFIED_SECTION_MAX; i++)
                 free((*array)[i]);
 }
+#endif
 
 int uki_hash(int fd,
              const EVP_MD *md,
              void* ret_hashes[static _UNIFIED_SECTION_MAX],
              size_t *ret_hash_size) {
-
+#if HAVE_OPENSSL
         _cleanup_(section_hash_array_done) SectionHashArray hashes = {};
         _cleanup_free_ IMAGE_SECTION_HEADER *sections = NULL;
         _cleanup_free_ IMAGE_DOS_HEADER *dos_header = NULL;
@@ -599,5 +605,7 @@ int uki_hash(int fd,
         *ret_hash_size = (unsigned) hsz;
 
         return 0;
-}
+#else
+        return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot calculate UKI hash.");
 #endif
+}

src/shared/pe-binary.h

@@ -151,11 +151,8 @@ bool pe_is_addon(const PeHeader *pe_header, const IMAGE_SECTION_HEADER *sections
 bool pe_is_native(const PeHeader *pe_header);
 int pe_is_native_fd(int fd);
 
-#if HAVE_OPENSSL
 int pe_hash(int fd, const EVP_MD *md, void **ret_hash, size_t *ret_hash_size);
 
-/* This does not depend on OpenSSL, but is currently only used by sbsign which requires OpenSSL. */
 int pe_checksum(int fd, uint32_t *ret);
 
 int uki_hash(int fd, const EVP_MD *md, void *ret_hashes[static _UNIFIED_SECTION_MAX], size_t *ret_hash_size);
-#endif

src/shared/varlink-io.systemd.Repart.c

@@ -114,7 +114,7 @@ SD_VARLINK_DEFINE_INTERFACE(
                 &vl_error_ConflictingDiskLabelPresent,
                 SD_VARLINK_SYMBOL_COMMENT("The target disk has insufficient free space to fit all requested partitions. (But the disk would fit, if emptied.)"),
                 &vl_error_InsufficientFreeSpace,
-                SD_VARLINK_SYMBOL_COMMENT("The target disk is too small to fit the installation. (Regardless if emptied or not.)"),
+                SD_VARLINK_SYMBOL_COMMENT("The target disk is too small to fit the installation. (Regardless if emtied or not.)"),
                 &vl_error_DiskTooSmall,
 
                 SD_VARLINK_SYMBOL_COMMENT("Return a list of candidate block devices, i.e. that support partition scanning and other requirements for successful operation."),