2026-03-03 19:54:48 +01:00
14 changed files with 60 additions and 79 deletions
--- a/rules.d/60-persistent-input.rules
+++ b/rules.d/60-persistent-input.rules
@ -11,7 +11,6 @@ SUBSYSTEMS=="platform", ENV{ID_BUS}="platform"
 SUBSYSTEMS=="i2c", ENV{ID_BUS}="i2c"
 SUBSYSTEMS=="rmi4", ENV{ID_BUS}="rmi"
 SUBSYSTEMS=="serio", ENV{ID_BUS}="i8042"
-SUBSYSTEMS=="spi", ENV{ID_BUS}="spi"

 SUBSYSTEMS=="usb", ENV{ID_BUS}=="", IMPORT{builtin}="usb_id"

--- a/rules.d/65-integration.rules
+++ b/rules.d/65-integration.rules
@ -6,8 +6,8 @@
 ACTION=="remove", GOTO="integration_end"
 ENV{ID_BUS}=="", GOTO="integration_end"

-# ACPI, platform, PS/2, I2C, RMI, SPI and PCI devices: Internal by default.
-ENV{ID_BUS}=="acpi|platform|i8042|i2c|rmi|spi|pci", ENV{ID_INTEGRATION}="internal"
+# ACPI, platform, PS/2, I2C, RMI and PCI devices: Internal by default.
+ENV{ID_BUS}=="acpi|platform|i8042|i2c|rmi|pci", ENV{ID_INTEGRATION}="internal"

 # Bluetooth devices: External by default.
 ENV{ID_BUS}=="bluetooth", ENV{ID_INTEGRATION}="external"
--- a/src/shared/bootspec.c
+++ b/src/shared/bootspec.c
@ -1020,7 +1020,7 @@ static int pe_find_uki_sections(
                }

                /* Permit "masking" of sections in the base profile */
-                if (le32toh(found->VirtualSize) == 0)
+                if (found->VirtualSize == 0)
                        continue;

                r = pe_read_section_data(fd, found, PE_SECTION_SIZE_MAX, (void**) t->data, /* ret_size= */ NULL);
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@ -883,7 +883,7 @@ int image_find(RuntimeScope scope,
                                        .type_mask = endswith(suffix, ".raw") ? (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK) : (UINT32_C(1) << DT_DIR),
                                        .basename = name,
                                        .architecture = _ARCHITECTURE_INVALID,
-                                        .suffix = suffix,
+                                        .suffix = STRV_MAKE(suffix),
                                };

                                _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
@ -1100,7 +1100,7 @@ int image_discover(
                                                .type_mask = endswith(suffix, ".raw") ? (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK) : (UINT32_C(1) << DT_DIR),
                                                .basename = pretty,
                                                .architecture = _ARCHITECTURE_INVALID,
-                                                .suffix = suffix,
+                                                .suffix = STRV_MAKE(suffix),
                                        };

                                        _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
--- a/src/shared/pe-binary.c
+++ b/src/shared/pe-binary.c
@ -336,7 +336,7 @@ static int hash_file(int fd, EVP_MD_CTX *md_ctx, uint64_t offset, uint64_t size)
 }

 static int section_offset_cmp(const IMAGE_SECTION_HEADER *a, const IMAGE_SECTION_HEADER *b) {
-        return CMP(le32toh(ASSERT_PTR(a)->PointerToRawData), le32toh(ASSERT_PTR(b)->PointerToRawData));
+        return CMP(ASSERT_PTR(a)->PointerToRawData, ASSERT_PTR(b)->PointerToRawData);
 }

 int pe_hash(int fd,
@ -384,7 +384,7 @@ int pe_hash(int fd,
                return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to allocate message digest.");

        /* Everything from beginning of file to CheckSum field in PE header */
-        p = (uint64_t) le32toh(dos_header->e_lfanew) +
+        p = (uint64_t) dos_header->e_lfanew +
                offsetof(PeHeader, optional.CheckSum);
        r = hash_file(fd, mdctx, 0, p);
        if (r < 0)
@ -392,7 +392,7 @@ int pe_hash(int fd,
        p += sizeof(le32_t);

        /* Everything between the CheckSum field and the Image Data Directory Entry for the Certification Table */
-        q = (uint64_t) le32toh(dos_header->e_lfanew) +
+        q = (uint64_t) dos_header->e_lfanew +
                PE_HEADER_OPTIONAL_FIELD_OFFSET(pe_header, DataDirectory[IMAGE_DATA_DIRECTORY_INDEX_CERTIFICATION_TABLE]);
        r = hash_file(fd, mdctx, p, q - p);
        if (r < 0)
@ -400,7 +400,7 @@ int pe_hash(int fd,
        q += sizeof(IMAGE_DATA_DIRECTORY);

        /* The rest of the header + the section table */
-        p = le32toh(pe_header->optional.SizeOfHeaders);
+        p = pe_header->optional.SizeOfHeaders;
        if (p < q)
                return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "SizeOfHeaders too short.");
        r = hash_file(fd, mdctx, q, p - q);
@ -411,19 +411,19 @@ int pe_hash(int fd,
        typesafe_qsort(sections, le16toh(pe_header->pe.NumberOfSections), section_offset_cmp);

        FOREACH_ARRAY(section, sections, le16toh(pe_header->pe.NumberOfSections)) {
-                r = hash_file(fd, mdctx, le32toh(section->PointerToRawData), le32toh(section->SizeOfRawData));
+                r = hash_file(fd, mdctx, section->PointerToRawData, section->SizeOfRawData);
                if (r < 0)
                        return r;

-                p += le32toh(section->SizeOfRawData);
+                p += section->SizeOfRawData;
        }

        if ((uint64_t) st.st_size > p) {

-                if ((uint64_t) st.st_size - p < le32toh(certificate_table->Size))
+                if (st.st_size - p < certificate_table->Size)
                        return log_debug_errno(errno, "No space for certificate table, refusing.");

-                r = hash_file(fd, mdctx, p, st.st_size - p - le32toh(certificate_table->Size));
+                r = hash_file(fd, mdctx, p, st.st_size - p - certificate_table->Size);
                if (r < 0)
                        return r;

@ -560,13 +560,13 @@ int uki_hash(int fd,
                if (EVP_DigestInit_ex(mdctx, md, NULL) != 1)
                        return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to allocate message digest.");

-                r = hash_file(fd, mdctx, le32toh(section->PointerToRawData), MIN(le32toh(section->VirtualSize), le32toh(section->SizeOfRawData)));
+                r = hash_file(fd, mdctx, section->PointerToRawData, MIN(section->VirtualSize, section->SizeOfRawData));
                if (r < 0)
                        return r;

-                if (le32toh(section->SizeOfRawData) < le32toh(section->VirtualSize)) {
+                if (section->SizeOfRawData < section->VirtualSize) {
                        uint8_t zeroes[1024] = {};
-                        size_t remaining = le32toh(section->VirtualSize) - le32toh(section->SizeOfRawData);
+                        size_t remaining = section->VirtualSize - section->SizeOfRawData;

                        while (remaining > 0) {
                                size_t sz = MIN(sizeof(zeroes), remaining);
--- a/src/shared/vpick.c
+++ b/src/shared/vpick.c
@ -13,6 +13,7 @@
 #include "recurse-dir.h"
 #include "stat-util.h"
 #include "string-util.h"
+#include "strv.h"
 #include "vpick.h"

 void pick_result_done(PickResult *p) {
@ -85,6 +86,8 @@ static int format_fname(

        if (FLAGS_SET(flags, PICK_TRIES) || !filter->version) /* Underspecified? */
                return -ENOEXEC;
+        if (strv_length(filter->suffix) > 1) /* suffix is not deterministic? */
+                return -ENOEXEC;

        /* The format for names we match goes like this:
         *
@ -136,8 +139,8 @@ static int format_fname(
                        return -ENOMEM;
        }

-        if (!isempty(filter->suffix))
-                if (!strextend(&fn, filter->suffix))
+        if (!strv_isempty(filter->suffix))
+                if (!strextend(&fn, filter->suffix[0]))
                        return -ENOMEM;

        if (!filename_is_valid(fn))
@ -404,8 +407,8 @@ static int make_choice(
                } else
                        e = dname;

-                if (!isempty(filter->suffix)) {
-                        char *sfx = endswith(e, filter->suffix);
+                if (!strv_isempty(filter->suffix)) {
+                        char *sfx = endswith_strv(e, filter->suffix);
                        if (!sfx)
                                continue;

@ -508,6 +511,7 @@ static int path_pick_one(
                PickResult *ret) {

        _cleanup_free_ char *filter_bname = NULL, *dir = NULL, *parent = NULL, *fname = NULL;
+        char * const *filter_suffix_strv = NULL;
        const char *filter_suffix = NULL, *enumeration_path;
        uint32_t filter_type_mask;
        int r;
@ -565,13 +569,11 @@ static int path_pick_one(
                        return -ENOMEM;

                /* Chop off suffix, if specified */
-                if (!isempty(filter->suffix)) {
-                        char *f = endswith(filter_bname, filter->suffix);
-                        if (f)
-                                *f = 0;
-                }
+                char *f = endswith_strv(filter_bname, filter->suffix);
+                if (f)
+                        *f = 0;

-                filter_suffix = filter->suffix;
+                filter_suffix_strv = filter->suffix;
                filter_type_mask = filter->type_mask;

                enumeration_path = path;
@ -631,7 +633,7 @@ static int path_pick_one(
                                .basename = filter_bname,
                                .version = filter->version,
                                .architecture = filter->architecture,
-                                .suffix = filter_suffix,
+                                .suffix = filter_suffix_strv ?: STRV_MAKE(filter_suffix),
                        },
                        flags,
                        ret);
@ -788,7 +790,7 @@ const PickFilter pick_filter_image_raw[1] = {
        {
                .type_mask = (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK),
                .architecture = _ARCHITECTURE_INVALID,
-                .suffix = ".raw",
+                .suffix = STRV_MAKE(".raw"),
        },
 };

--- a/src/shared/vpick.h
+++ b/src/shared/vpick.h
@ -17,7 +17,7 @@ typedef struct PickFilter {
        const char *basename;         /* Can be overridden by search pattern */
        const char *version;
        Architecture architecture;
-        const char *suffix;           /* Can be overridden by search pattern */
+        char * const *suffix;         /* Can be overridden by search pattern */
 } PickFilter;

 typedef struct PickResult {
--- a/src/test/test-vpick.c
+++ b/src/test/test-vpick.c
@ -44,7 +44,7 @@ TEST(path_pick) {

        PickFilter filter = {
                .architecture = _ARCHITECTURE_INVALID,
-                .suffix = ".raw",
+                .suffix = STRV_MAKE(".raw"),
        };

        if (IN_SET(native_architecture(), ARCHITECTURE_X86, ARCHITECTURE_X86_64)) {
--- a/src/vpick/vpick-tool.c
+++ b/src/vpick/vpick-tool.c
@ -245,7 +245,7 @@ static int run(int argc, char *argv[]) {
                                      .basename = arg_filter_basename,
                                      .version = arg_filter_version,
                                      .architecture = arg_filter_architecture,
-                                      .suffix = arg_filter_suffix,
+                                      .suffix = STRV_MAKE(arg_filter_suffix),
                                      .type_mask = arg_filter_type_mask,
                              },
                              /* n_filters= */ 1,
--- a/test/units/TEST-50-DISSECT.sh
+++ b/test/units/TEST-50-DISSECT.sh
@ -37,7 +37,13 @@ trap at_exit EXIT
 # For unprivileged tests
 loginctl enable-linger testuser

-if machine_supports_verity_keyring; then
+# Requires kernel built with certain kconfigs, as listed in README:
+# https://oracle.github.io/kconfigs/?config=UTS_RELEASE&config=DM_VERITY_VERIFY_ROOTHASH_SIG&config=DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING&config=DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING&config=IMA_ARCH_POLICY&config=INTEGRITY_MACHINE_KEYRING
+if grep -q "$(openssl x509 -noout -subject -in /usr/share/mkosi.crt | sed 's/^.*CN=//')" /proc/keys && \
+        ( . /etc/os-release; [ "$ID" != "centos" ] || systemd-analyze compare-versions "$VERSION_ID" ge 10 ) && \
+        ( . /etc/os-release; [ "$ID" != "debian" ] || [ -z "${VERSION_ID:-}" ] || systemd-analyze compare-versions "$VERSION_ID" ge 13 ) && \
+        ( . /etc/os-release; [ "$ID" != "ubuntu" ] || systemd-analyze compare-versions "$VERSION_ID" ge 24.04 ) && \
+        systemd-analyze compare-versions "$(cryptsetup --version | sed 's/^cryptsetup \([0-9]*\.[0-9]*\.[0-9]*\) .*/\1/')" ge 2.3.0; then
    export VERITY_SIG_SUPPORTED=1
 else
    export VERITY_SIG_SUPPORTED=0
--- a/test/units/TEST-70-TPM2.nvpcr.sh
+++ b/test/units/TEST-70-TPM2.nvpcr.sh
@ -54,20 +54,11 @@ DIGEST_MEASURED2="$(echo -n "schnurz" | openssl dgst -sha256 -hex -r | cut -d' '
 DIGEST_EXPECTED2="$(echo "$DIGEST_EXPECTED$DIGEST_MEASURED2" | tr '[:lower:]' '[:upper:]' | basenc --base16 -d | openssl dgst -sha256 -hex -r | cut -d' ' -f1)"
 test "$DIGEST_ACTUAL2" = "$DIGEST_EXPECTED2"

-mkdir -p /tmp/nvpcr/tree
-touch /tmp/nvpcr/tree/file
+mkdir /tmp/nvpcr

-if machine_supports_verity_keyring; then
-    SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs \
-        systemd-repart -P \
-                    -s /tmp/nvpcr/tree \
-                    --certificate=/usr/share/mkosi.crt \
-                    --private-key=/usr/share/mkosi.key \
-                    /var/tmp/nvpcr.raw
-else
-    OPENSSL_CONFIG="/tmp/nvpcr/opensslconfig"
-    # Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
-    cat >"${OPENSSL_CONFIG:?}" <<EOF
+OPENSSL_CONFIG="/tmp/nvpcr/opensslconfig"
+# Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
+cat >"${OPENSSL_CONFIG:?}" <<EOF
 [ req ]
 prompt = no
 distinguished_name = req_distinguished_name
@ -82,20 +73,22 @@ CN = Common Name
 emailAddress = test@email.com
 EOF

-    openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" \
-                -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
-                -keyout /tmp/nvpcr/test-70-nvpcr.key -out /tmp/nvpcr/test-70-nvpcr.crt
+openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" \
+            -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
+            -keyout /tmp/nvpcr/test-70-nvpcr.key -out /tmp/nvpcr/test-70-nvpcr.crt

-    SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs \
-        systemd-repart -P \
-                    -s /tmp/nvpcr/tree \
-                    --certificate=/tmp/nvpcr/test-70-nvpcr.crt \
-                    --private-key=/tmp/nvpcr/test-70-nvpcr.key \
-                    /var/tmp/nvpcr.raw
+mkdir /tmp/nvpcr/tree
+touch /tmp/nvpcr/tree/file

-    mkdir -p /run/verity.d
-    cp /tmp/nvpcr/test-70-nvpcr.crt /run/verity.d/
-fi
+SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs \
+    systemd-repart -P \
+                   -s /tmp/nvpcr/tree \
+                   --certificate=/tmp/nvpcr/test-70-nvpcr.crt \
+                   --private-key=/tmp/nvpcr/test-70-nvpcr.key \
+                   /var/tmp/nvpcr.raw
+
+mkdir -p /run/verity.d
+cp /tmp/nvpcr/test-70-nvpcr.crt /run/verity.d/

 cp /run/log/systemd/tpm2-measure.log /tmp/nvpcr/log-before

--- a/test/units/TEST-86-MULTI-PROFILE-UKI.sh
+++ b/test/units/TEST-86-MULTI-PROFILE-UKI.sh
@ -5,11 +5,6 @@ set -o pipefail

 export SYSTEMD_LOG_LEVEL=debug

-if ! systemd-analyze has-tpm2; then
-    echo "Full TPM2 support not available, skipping the test"
-    exit 0
-fi
-
 bootctl

 CURRENT_UKI=$(bootctl --print-stub-path)
--- a/test/units/TEST-88-UPGRADE.sh
+++ b/test/units/TEST-88-UPGRADE.sh
@ -84,7 +84,7 @@ timer2=$(systemctl show -P NextElapseUSecRealtime upgrade_timer_test.timer)
 # FIXME: See https://github.com/systemd/systemd/pull/39293
 systemctl stop systemd-networkd-resolve-hook.socket || true

-dnf downgrade --no-gpgchecks -y --allowerasing --disablerepo '*' "$pkgdir"/distro/*.rpm
+dnf downgrade -y --allowerasing --disablerepo '*' "$pkgdir"/distro/*.rpm

 # Some distros don't ship networkd, so the test will always fail
 if command -v networkctl >/dev/null; then
@ -105,7 +105,7 @@ fi
 check_sd

 # Finally test the upgrade
-dnf -y upgrade --no-gpgchecks --disablerepo '*' "$pkgdir"/devel/*.rpm
+dnf -y upgrade --disablerepo '*' "$pkgdir"/devel/*.rpm

 # TODO: sanity checks
 check_sd
--- a/test/units/util.sh
+++ b/test/units/util.sh
@ -285,20 +285,6 @@ kernel_supports_lsm() {
    return 1
 }

-machine_supports_verity_keyring() {
-    # Requires kernel built with certain kconfigs, as listed in README:
-    # https://oracle.github.io/kconfigs/?config=UTS_RELEASE&config=DM_VERITY_VERIFY_ROOTHASH_SIG&config=DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING&config=DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING&config=IMA_ARCH_POLICY&config=INTEGRITY_MACHINE_KEYRING
-    if grep -q "$(openssl x509 -noout -subject -in /usr/share/mkosi.crt | sed 's/^.*CN=//')" /proc/keys && \
-            ( . /etc/os-release; [ "$ID" != "centos" ] || systemd-analyze compare-versions "$VERSION_ID" ge 10 ) && \
-            ( . /etc/os-release; [ "$ID" != "debian" ] || [ -z "${VERSION_ID:-}" ] || systemd-analyze compare-versions "$VERSION_ID" ge 13 ) && \
-            ( . /etc/os-release; [ "$ID" != "ubuntu" ] || systemd-analyze compare-versions "$VERSION_ID" ge 24.04 ) && \
-            systemd-analyze compare-versions "$(cryptsetup --version | sed 's/^cryptsetup \([0-9]*\.[0-9]*\.[0-9]*\) .*/\1/')" ge 2.3.0; then
-        return 0
-    fi
-
-    return 1
-}
-
 install_extension_images() {
        local os_release
        os_release="$(test -e /etc/os-release && echo /etc/os-release || echo /usr/lib/os-release)"