mirror of
https://github.com/systemd/systemd
synced 2026-03-23 23:34:52 +01:00
Compare commits
No commits in common. "b4f0261337c91157231452b5a258799391d7ae51" and "f571d9d5f051f7dbaee8d0dbf32e5a93180285e9" have entirely different histories.
b4f0261337
...
f571d9d5f0
2
README
2
README
@ -193,7 +193,7 @@ REQUIREMENTS:
|
||||
python-jinja2
|
||||
python-lxml (optional, required to build the indices)
|
||||
python >= 3.5
|
||||
meson >= 0.47 (>= 0.49 is required to build position-independent executables)
|
||||
meson >= 0.46 (>= 0.49 is required to build position-independent executables)
|
||||
ninja
|
||||
gcc, awk, sed, grep, and similar tools
|
||||
clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs
|
||||
|
||||
46
meson.build
46
meson.build
@ -10,7 +10,7 @@ project('systemd', 'c',
|
||||
'localstatedir=/var',
|
||||
'warning_level=2',
|
||||
],
|
||||
meson_version : '>= 0.47',
|
||||
meson_version : '>= 0.46',
|
||||
)
|
||||
|
||||
libsystemd_version = '0.32.0'
|
||||
@ -209,11 +209,6 @@ if pamconfdir == ''
|
||||
pamconfdir = join_paths(prefixdir, 'lib/pam.d')
|
||||
endif
|
||||
|
||||
libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
|
||||
if libcryptsetup_plugins_dir == ''
|
||||
libcryptsetup_plugins_dir = join_paths(rootlibdir, 'cryptsetup')
|
||||
endif
|
||||
|
||||
memory_accounting_default = get_option('memory-accounting-default')
|
||||
status_unit_format_default = get_option('status-unit-format-default')
|
||||
|
||||
@ -260,7 +255,6 @@ conf.set_quoted('SYSTEMD_SHUTDOWN_BINARY_PATH', join_paths(rootlib
|
||||
conf.set_quoted('SYSTEMD_STDIO_BRIDGE_BINARY_PATH', join_paths(bindir, 'systemd-stdio-bridge'))
|
||||
conf.set_quoted('SYSTEMD_TEST_DATA', join_paths(testsdir, 'testdata'))
|
||||
conf.set_quoted('SYSTEMD_TTY_ASK_PASSWORD_AGENT_BINARY_PATH', join_paths(rootbindir, 'systemd-tty-ask-password-agent'))
|
||||
conf.set_quoted('SYSTEMD_UPDATE_HELPER_PATH', join_paths(rootlibexecdir, 'systemd-update-helper'))
|
||||
conf.set_quoted('SYSTEMD_USERWORK_PATH', join_paths(rootlibexecdir, 'systemd-userwork'))
|
||||
conf.set_quoted('SYSTEMD_VERITYSETUP_PATH', join_paths(rootlibexecdir, 'systemd-veritysetup'))
|
||||
conf.set_quoted('SYSTEM_CONFIG_UNIT_DIR', join_paths(pkgsysconfdir, 'system'))
|
||||
@ -277,7 +271,6 @@ conf.set_quoted('TMPFILES_DIR', tmpfilesdir)
|
||||
conf.set_quoted('UDEVLIBEXECDIR', udevlibexecdir)
|
||||
conf.set_quoted('UDEV_HWDB_DIR', udevhwdbdir)
|
||||
conf.set_quoted('UDEV_RULES_DIR', udevrulesdir)
|
||||
conf.set_quoted('UPDATE_HELPER_USER_TIMEOUT', get_option('update-helper-user-timeout'))
|
||||
conf.set_quoted('USER_CONFIG_UNIT_DIR', join_paths(pkgsysconfdir, 'user'))
|
||||
conf.set_quoted('USER_DATA_UNIT_DIR', userunitdir)
|
||||
conf.set_quoted('USER_ENV_GENERATOR_DIR', userenvgeneratordir)
|
||||
@ -1111,16 +1104,10 @@ endif
|
||||
conf.set10('HAVE_MICROHTTPD', have)
|
||||
|
||||
want_libcryptsetup = get_option('libcryptsetup')
|
||||
want_libcryptsetup_plugins = get_option('libcryptsetup-plugins')
|
||||
|
||||
if want_libcryptsetup_plugins == 'true' and want_libcryptsetup == 'false'
|
||||
error('libcryptsetup-plugins can not be requested without libcryptsetup')
|
||||
endif
|
||||
|
||||
if want_libcryptsetup != 'false' and not skip_deps
|
||||
libcryptsetup = dependency('libcryptsetup',
|
||||
version : want_libcryptsetup_plugins == 'true' ? '>= 2.4.0' : '>= 2.0.1',
|
||||
required : want_libcryptsetup == 'true' or want_libcryptsetup_plugins == 'true')
|
||||
version : '>= 2.0.1',
|
||||
required : want_libcryptsetup == 'true')
|
||||
have = libcryptsetup.found()
|
||||
|
||||
conf.set10('HAVE_CRYPT_SET_METADATA_SIZE',
|
||||
@ -1135,14 +1122,6 @@ else
|
||||
endif
|
||||
conf.set10('HAVE_LIBCRYPTSETUP', have)
|
||||
|
||||
if want_libcryptsetup_plugins != 'false' and not skip_deps
|
||||
have = (cc.has_function('crypt_activate_by_token_pin', dependencies : libcryptsetup) and
|
||||
cc.has_function('crypt_token_external_path', dependencies : libcryptsetup))
|
||||
else
|
||||
have = false
|
||||
endif
|
||||
conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS', have)
|
||||
|
||||
want_libcurl = get_option('libcurl')
|
||||
if want_libcurl != 'false' and not skip_deps
|
||||
libcurl = dependency('libcurl',
|
||||
@ -1695,7 +1674,6 @@ subdir('src/libsystemd')
|
||||
subdir('src/shared')
|
||||
subdir('src/udev')
|
||||
subdir('src/libudev')
|
||||
subdir('src/cryptsetup/cryptsetup-tokens')
|
||||
|
||||
libsystemd = shared_library(
|
||||
'systemd',
|
||||
@ -1772,22 +1750,6 @@ install_libudev_static = static_library(
|
||||
c_args : static_libudev_pic ? [] : ['-fno-PIC'],
|
||||
pic : static_libudev_pic)
|
||||
|
||||
if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
|
||||
if conf.get('HAVE_TPM2') == 1
|
||||
cryptsetup_token_systemd_tpm2 = shared_library(
|
||||
'cryptsetup-token-systemd-tpm2',
|
||||
link_args : ['-shared',
|
||||
'-Wl,--version-script=' + cryptsetup_token_sym_path],
|
||||
dependencies : libshared_deps + [libcryptsetup],
|
||||
link_with : [libshared],
|
||||
link_whole : [cryptsetup_token_systemd_tpm2_static],
|
||||
link_depends : cryptsetup_token_sym,
|
||||
install_rpath : rootlibexecdir,
|
||||
install : true,
|
||||
install_dir : libcryptsetup_plugins_dir)
|
||||
endif
|
||||
endif
|
||||
|
||||
############################################################
|
||||
|
||||
# systemd-analyze requires 'libcore'
|
||||
@ -3783,7 +3745,6 @@ status = [
|
||||
'SysV rc?.d directories: @0@'.format(sysvrcnd_path),
|
||||
'PAM modules directory: @0@'.format(pamlibdir),
|
||||
'PAM configuration directory: @0@'.format(pamconfdir),
|
||||
'libcryptsetup plugins directory: @0@'.format(libcryptsetup_plugins_dir),
|
||||
'RPM macros directory: @0@'.format(rpmmacrosdir),
|
||||
'modprobe.d directory: @0@'.format(modprobedir),
|
||||
'D-Bus policy directory: @0@'.format(dbuspolicydir),
|
||||
@ -3868,7 +3829,6 @@ foreach tuple : [
|
||||
['gnutls'],
|
||||
['libbpf'],
|
||||
['libcryptsetup'],
|
||||
['libcryptsetup-plugins'],
|
||||
['libcurl'],
|
||||
['libfdisk'],
|
||||
['libfido2'],
|
||||
|
||||
@ -182,14 +182,10 @@ option('xinitrcdir', type : 'string', value : '',
|
||||
description : 'directory for xinitrc files')
|
||||
option('rpmmacrosdir', type : 'string', value : 'lib/rpm/macros.d',
|
||||
description : 'directory for rpm macros ["no" disables]')
|
||||
option('update-helper-user-timeout', type : 'string', value : '15s',
|
||||
description : 'how long to wait for user manager operations')
|
||||
option('pamlibdir', type : 'string',
|
||||
description : 'directory for PAM modules')
|
||||
option('pamconfdir', type : 'string',
|
||||
description : 'directory for PAM configuration ["no" disables]')
|
||||
option('libcryptsetup-plugins-dir', type : 'string',
|
||||
description : 'directory for libcryptsetup plugins')
|
||||
option('docdir', type : 'string',
|
||||
description : 'documentation directory')
|
||||
option('install-sysconfdir', type : 'combo', choices : ['true', 'no-samples', 'false'], value : 'true',
|
||||
@ -357,8 +353,6 @@ option('microhttpd', type : 'combo', choices : ['auto', 'true', 'false'],
|
||||
description : 'libµhttpd support')
|
||||
option('libcryptsetup', type : 'combo', choices : ['auto', 'true', 'false'],
|
||||
description : 'libcryptsetup support')
|
||||
option('libcryptsetup-plugins', type : 'combo', choices : ['auto', 'true', 'false'],
|
||||
description : 'libcryptsetup LUKS2 external token handlers support (plugins)')
|
||||
option('libcurl', type : 'combo', choices : ['auto', 'true', 'false'],
|
||||
description : 'libcurl support')
|
||||
option('idn', type : 'boolean',
|
||||
|
||||
@ -1,232 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <errno.h>
|
||||
#include <libcryptsetup.h>
|
||||
|
||||
#include "cryptsetup-token.h"
|
||||
#include "cryptsetup-token-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "luks2-tpm2.h"
|
||||
#include "memory-util.h"
|
||||
#include "tpm2-util.h"
|
||||
#include "version.h"
|
||||
|
||||
#define TOKEN_NAME "systemd-tpm2"
|
||||
#define TOKEN_VERSION_MAJOR "1"
|
||||
#define TOKEN_VERSION_MINOR "0"
|
||||
|
||||
/* for libcryptsetup debug purpose */
|
||||
_public_ const char *cryptsetup_token_version(void) {
|
||||
|
||||
return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR " systemd-v" STRINGIFY(PROJECT_VERSION) " (" GIT_VERSION ")";
|
||||
}
|
||||
|
||||
static int log_debug_open_error(struct crypt_device *cd, int r) {
|
||||
if (r == -EAGAIN) {
|
||||
crypt_log_debug(cd, "TPM2 device not found.");
|
||||
return r;
|
||||
} else if (r == -ENXIO) {
|
||||
crypt_log_debug(cd, "No matching TPM2 token data found.");
|
||||
return r;
|
||||
}
|
||||
|
||||
return crypt_log_debug_errno(cd, r, TOKEN_NAME " open failed: %m.");
|
||||
}
|
||||
|
||||
/*
|
||||
* This function is called from within following libcryptsetup calls
|
||||
* provided conditions further below are met:
|
||||
*
|
||||
* crypt_activate_by_token(), crypt_activate_by_token_type(type == 'systemd-tpm2'):
|
||||
*
|
||||
* - token is assigned to at least one luks2 keyslot eligible to activate LUKS2 device
|
||||
* (alternatively: name is set to null, flags contains CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY
|
||||
* and token is assigned to at least single keyslot).
|
||||
*
|
||||
* - if plugin defines validate funtion (see cryptsetup_token_validate below) it must have
|
||||
* passed the check (aka return 0)
|
||||
*/
|
||||
_public_ int cryptsetup_token_open(
|
||||
struct crypt_device *cd, /* is always LUKS2 context */
|
||||
int token /* is always >= 0 */,
|
||||
char **password, /* freed by cryptsetup_token_buffer_free */
|
||||
size_t *password_len,
|
||||
void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) {
|
||||
|
||||
int r;
|
||||
const char *json;
|
||||
size_t blob_size, policy_hash_size, decrypted_key_size;
|
||||
uint32_t pcr_mask;
|
||||
systemd_tpm2_plugin_params params = {
|
||||
.search_pcr_mask = UINT32_MAX
|
||||
};
|
||||
_cleanup_free_ void *blob = NULL, *policy_hash = NULL;
|
||||
_cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL;
|
||||
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
||||
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
|
||||
|
||||
assert(password);
|
||||
assert(password_len);
|
||||
assert(token >= 0);
|
||||
|
||||
/* This must not fail at this moment (internal error) */
|
||||
r = crypt_token_json_get(cd, token, &json);
|
||||
assert(token == r);
|
||||
assert(json);
|
||||
|
||||
if (usrptr)
|
||||
params = *(systemd_tpm2_plugin_params *)usrptr;
|
||||
|
||||
r = parse_luks2_tpm2_data(json, params.search_pcr_mask, &pcr_mask, &base64_blob, &hex_policy_hash);
|
||||
if (r < 0)
|
||||
return log_debug_open_error(cd, r);
|
||||
|
||||
/* should not happen since cryptsetup_token_validate have passed */
|
||||
r = unbase64mem(base64_blob, SIZE_MAX, &blob, &blob_size);
|
||||
if (r < 0)
|
||||
return log_debug_open_error(cd, r);
|
||||
|
||||
/* should not happen since cryptsetup_token_validate have passed */
|
||||
r = unhexmem(hex_policy_hash, SIZE_MAX, &policy_hash, &policy_hash_size);
|
||||
if (r < 0)
|
||||
return log_debug_open_error(cd, r);
|
||||
|
||||
r = acquire_luks2_key(
|
||||
pcr_mask,
|
||||
params.device,
|
||||
blob,
|
||||
blob_size,
|
||||
policy_hash,
|
||||
policy_hash_size,
|
||||
&decrypted_key,
|
||||
&decrypted_key_size);
|
||||
if (r < 0)
|
||||
return log_debug_open_error(cd, r);
|
||||
|
||||
/* Before using this key as passphrase we base64 encode it, for compat with homed */
|
||||
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
|
||||
if (r < 0)
|
||||
return log_debug_open_error(cd, r);
|
||||
|
||||
/* free'd automaticaly by libcryptsetup */
|
||||
*password_len = strlen(base64_encoded);
|
||||
*password = TAKE_PTR(base64_encoded);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* libcryptsetup callback for memory deallocation of 'password' parameter passed in
|
||||
* any crypt_token_open_* plugin function
|
||||
*/
|
||||
_public_ void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len) {
|
||||
erase_and_free(buffer);
|
||||
}
|
||||
|
||||
/*
|
||||
* prints systemd-tpm2 token content in crypt_dump().
|
||||
* 'type' and 'keyslots' fields are printed by libcryptsetup
|
||||
*/
|
||||
_public_ void cryptsetup_token_dump(
|
||||
struct crypt_device *cd /* is always LUKS2 context */,
|
||||
const char *json /* validated 'systemd-tpm2' token if cryptsetup_token_validate is defined */) {
|
||||
|
||||
int r;
|
||||
uint32_t i, pcr_mask;
|
||||
size_t decoded_blob_size;
|
||||
_cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL,
|
||||
*pcrs_str = NULL, *blob_str = NULL, *policy_hash_str = NULL;
|
||||
_cleanup_free_ void *decoded_blob = NULL;
|
||||
|
||||
assert(json);
|
||||
|
||||
r = parse_luks2_tpm2_data(json, UINT32_MAX, &pcr_mask, &base64_blob, &hex_policy_hash);
|
||||
if (r < 0)
|
||||
return (void) crypt_log_debug_errno(cd, r, "Failed to parse " TOKEN_NAME " metadata: %m.");
|
||||
|
||||
for (i = 0; i < TPM2_PCRS_MAX; i++) {
|
||||
if ((pcr_mask & (UINT32_C(1) << i)) &&
|
||||
((r = strextendf_with_separator(&pcrs_str, ", ", "%" PRIu32, i)) < 0))
|
||||
return (void) crypt_log_debug_errno(cd, r, "Can not dump " TOKEN_NAME " content: %m");
|
||||
}
|
||||
|
||||
r = unbase64mem(base64_blob, SIZE_MAX, &decoded_blob, &decoded_blob_size);
|
||||
if (r < 0)
|
||||
return (void) crypt_log_debug_errno(cd, r, "Can not dump " TOKEN_NAME " content: %m");
|
||||
|
||||
r = crypt_dump_buffer_to_hex_string(decoded_blob, decoded_blob_size, &blob_str);
|
||||
if (r < 0)
|
||||
return (void) crypt_log_debug_errno(cd, r, "Can not dump " TOKEN_NAME " content: %m");
|
||||
|
||||
r = crypt_dump_hex_string(hex_policy_hash, &policy_hash_str);
|
||||
if (r < 0)
|
||||
return (void) crypt_log_debug_errno(cd, r, "Can not dump " TOKEN_NAME " content: %m");
|
||||
|
||||
crypt_log(cd, "\ttpm2-pcrs: %s\n", pcrs_str ?: "");
|
||||
crypt_log(cd, "\ttmp2-blob: %s\n", blob_str);
|
||||
crypt_log(cd, "\ttmp2-policy-hash:" CRYPT_DUMP_LINE_SEP "%s\n", policy_hash_str);
|
||||
}
|
||||
|
||||
/*
|
||||
* Note:
|
||||
* If plugin is available in library path, it's called in before following libcryptsetup calls:
|
||||
*
|
||||
* crypt_token_json_set, crypt_dump, any crypt_activate_by_token_* flavour
|
||||
*/
|
||||
_public_ int cryptsetup_token_validate(
|
||||
struct crypt_device *cd, /* is always LUKS2 context */
|
||||
const char *json /* contains valid 'type' and 'keyslots' fields. 'type' is 'systemd-tpm2' */) {
|
||||
|
||||
int r;
|
||||
JsonVariant *w, *e;
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
|
||||
|
||||
assert(json);
|
||||
|
||||
r = json_parse(json, 0, &v, NULL, NULL);
|
||||
if (r < 0)
|
||||
return crypt_log_debug_errno(cd, r, "Could not parse " TOKEN_NAME " json object: %m");
|
||||
|
||||
w = json_variant_by_key(v, "tpm2-pcrs");
|
||||
if (!w || !json_variant_is_array(w)) {
|
||||
crypt_log_debug(cd, "TPM2 token data lacks 'tpm2-pcrs' field.");
|
||||
return 1;
|
||||
}
|
||||
|
||||
JSON_VARIANT_ARRAY_FOREACH(e, w) {
|
||||
uintmax_t u;
|
||||
|
||||
if (!json_variant_is_number(e)) {
|
||||
crypt_log_debug(cd, "TPM2 PCR is not a number.");
|
||||
return 1;
|
||||
}
|
||||
|
||||
u = json_variant_unsigned(e);
|
||||
if (u >= TPM2_PCRS_MAX) {
|
||||
crypt_log_debug(cd, "TPM2 PCR number out of range.");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
w = json_variant_by_key(v, "tpm2-blob");
|
||||
if (!w || !json_variant_is_string(w)) {
|
||||
crypt_log_debug(cd, "TPM2 token data lacks 'tpm2-blob' field.");
|
||||
return 1;
|
||||
}
|
||||
|
||||
r = unbase64mem(json_variant_string(w), SIZE_MAX, NULL, NULL);
|
||||
if (r < 0)
|
||||
return crypt_log_debug_errno(cd, r, "Invalid base64 data in 'tpm2-blob' field: %m");
|
||||
|
||||
w = json_variant_by_key(v, "tpm2-policy-hash");
|
||||
if (!w || !json_variant_is_string(w)) {
|
||||
crypt_log_debug(cd, "TPM2 token data lacks 'tpm2-policy-hash' field.");
|
||||
return 1;
|
||||
}
|
||||
|
||||
r = unhexmem(json_variant_string(w), SIZE_MAX, NULL, NULL);
|
||||
if (r < 0)
|
||||
return crypt_log_debug_errno(cd, r, "Invalid base64 data in 'tpm2-policy-hash' field: %m");
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1,58 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "cryptsetup-token-util.h"
|
||||
#include "string-util.h"
|
||||
|
||||
int crypt_dump_buffer_to_hex_string(
|
||||
const char *buf,
|
||||
size_t buf_size,
|
||||
char **ret_dump_str) {
|
||||
|
||||
int r;
|
||||
_cleanup_free_ char *dump_str = NULL;
|
||||
|
||||
assert(buf || !buf_size);
|
||||
assert(ret_dump_str);
|
||||
|
||||
for (size_t i = 0; i < buf_size; i++) {
|
||||
/* crypt_dump() breaks line after every
|
||||
* 16th couple of chars in dumped hexstring */
|
||||
r = strextendf_with_separator(
|
||||
&dump_str,
|
||||
(i && !(i % 16)) ? CRYPT_DUMP_LINE_SEP : " ",
|
||||
"%02hhx", buf[i]);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
*ret_dump_str = TAKE_PTR(dump_str);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int crypt_dump_hex_string(const char *hex_str, char **ret_dump_str) {
|
||||
|
||||
int r;
|
||||
size_t len;
|
||||
_cleanup_free_ char *dump_str = NULL;
|
||||
|
||||
assert(hex_str);
|
||||
assert(ret_dump_str);
|
||||
|
||||
len = strlen(hex_str) >> 1;
|
||||
|
||||
for (size_t i = 0; i < len; i++) {
|
||||
/* crypt_dump() breaks line after every
|
||||
* 16th couple of chars in dumped hexstring */
|
||||
r = strextendf_with_separator(
|
||||
&dump_str,
|
||||
(i && !(i % 16)) ? CRYPT_DUMP_LINE_SEP : " ",
|
||||
"%.2s", hex_str + (i<<1));
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
*ret_dump_str = TAKE_PTR(dump_str);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1,27 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#pragma once
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
/* crypt_dump() internal indentation magic */
|
||||
#define CRYPT_DUMP_LINE_SEP "\n\t "
|
||||
|
||||
#define crypt_log_debug(cd, ...) crypt_logf(cd, CRYPT_LOG_DEBUG, __VA_ARGS__)
|
||||
#define crypt_log_error(cd, ...) crypt_logf(cd, CRYPT_LOG_ERROR, __VA_ARGS__)
|
||||
#define crypt_log(cd, ...) crypt_logf(cd, CRYPT_LOG_NORMAL, __VA_ARGS__)
|
||||
|
||||
#define crypt_log_debug_errno(cd, e, ...) ({ \
|
||||
int _e = abs(e), _s = errno; \
|
||||
errno = _e; \
|
||||
crypt_logf(cd, CRYPT_LOG_DEBUG, __VA_ARGS__); \
|
||||
errno = _s; \
|
||||
-_e; \
|
||||
})
|
||||
|
||||
int crypt_dump_buffer_to_hex_string(
|
||||
const char *buf,
|
||||
size_t buf_size,
|
||||
char **ret_dump_str);
|
||||
|
||||
int crypt_dump_hex_string(const char *hex_str, char **ret_dump_str);
|
||||
@ -1,15 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
/* for more information see libcryptsetup.h crypt-tokens section */
|
||||
|
||||
const char *cryptsetup_token_version(void);
|
||||
|
||||
int cryptsetup_token_open(struct crypt_device *cd, int token,
|
||||
char **password, size_t *password_len, void *usrptr);
|
||||
|
||||
void cryptsetup_token_dump(struct crypt_device *cd, const char *json);
|
||||
|
||||
int cryptsetup_token_validate(struct crypt_device *cd, const char *json);
|
||||
|
||||
void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len);
|
||||
@ -1,18 +0,0 @@
|
||||
/***
|
||||
SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
systemd is free software; you can redistribute it and/or modify it
|
||||
under the terms of the GNU Lesser General Public License as published by
|
||||
the Free Software Foundation; either version 2.1 of the License, or
|
||||
(at your option) any later version.
|
||||
***/
|
||||
|
||||
CRYPTSETUP_TOKEN_1.0 {
|
||||
global:
|
||||
cryptsetup_token_open;
|
||||
cryptsetup_token_buffer_free;
|
||||
cryptsetup_token_validate;
|
||||
cryptsetup_token_dump;
|
||||
cryptsetup_token_version;
|
||||
local: *;
|
||||
};
|
||||
@ -1,105 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "json.h"
|
||||
#include "luks2-tpm2.h"
|
||||
#include "parse-util.h"
|
||||
#include "random-util.h"
|
||||
#include "tpm2-util.h"
|
||||
|
||||
int acquire_luks2_key(
|
||||
uint32_t pcr_mask,
|
||||
const char *device,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const void *policy_hash,
|
||||
size_t policy_hash_size,
|
||||
void **ret_decrypted_key,
|
||||
size_t *ret_decrypted_key_size) {
|
||||
|
||||
_cleanup_free_ char *auto_device = NULL;
|
||||
int r;
|
||||
|
||||
assert(ret_decrypted_key);
|
||||
assert(ret_decrypted_key_size);
|
||||
|
||||
if (!device) {
|
||||
r = tpm2_find_device_auto(LOG_DEBUG, &auto_device);
|
||||
if (r == -ENODEV)
|
||||
return -EAGAIN; /* Tell the caller to wait for a TPM2 device to show up */
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
device = auto_device;
|
||||
}
|
||||
|
||||
return tpm2_unseal(device, pcr_mask, key_data, key_data_size, policy_hash, policy_hash_size, ret_decrypted_key, ret_decrypted_key_size);
|
||||
}
|
||||
|
||||
/* this function expects valid "systemd-tpm2" in json */
|
||||
int parse_luks2_tpm2_data(
|
||||
const char *json,
|
||||
uint32_t search_pcr_mask,
|
||||
uint32_t *ret_pcr_mask,
|
||||
char **ret_base64_blob,
|
||||
char **ret_hex_policy_hash) {
|
||||
|
||||
int r;
|
||||
JsonVariant *w, *e;
|
||||
uint32_t pcr_mask = 0;
|
||||
_cleanup_free_ char *base64_blob = NULL, *hex_policy_hash = NULL;
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
|
||||
|
||||
assert(json);
|
||||
assert(ret_base64_blob);
|
||||
assert(ret_hex_policy_hash);
|
||||
assert(ret_pcr_mask);
|
||||
|
||||
r = json_parse(json, 0, &v, NULL, NULL);
|
||||
if (r < 0)
|
||||
return -EINVAL;
|
||||
|
||||
w = json_variant_by_key(v, "tpm2-pcrs");
|
||||
if (!w || !json_variant_is_array(w))
|
||||
return -EINVAL;
|
||||
|
||||
JSON_VARIANT_ARRAY_FOREACH(e, w) {
|
||||
uintmax_t u;
|
||||
|
||||
if (!json_variant_is_number(e))
|
||||
return -EINVAL;
|
||||
|
||||
u = json_variant_unsigned(e);
|
||||
if (u >= TPM2_PCRS_MAX)
|
||||
return -EINVAL;
|
||||
|
||||
pcr_mask |= UINT32_C(1) << u;
|
||||
}
|
||||
|
||||
if (search_pcr_mask != UINT32_MAX &&
|
||||
search_pcr_mask != pcr_mask)
|
||||
return -ENXIO;
|
||||
|
||||
w = json_variant_by_key(v, "tpm2-blob");
|
||||
if (!w || !json_variant_is_string(w))
|
||||
return -EINVAL;
|
||||
|
||||
base64_blob = strdup(json_variant_string(w));
|
||||
if (!base64_blob)
|
||||
return -ENOMEM;
|
||||
|
||||
w = json_variant_by_key(v, "tpm2-policy-hash");
|
||||
if (!w || !json_variant_is_string(w))
|
||||
return -EINVAL;
|
||||
|
||||
hex_policy_hash = strdup(json_variant_string(w));
|
||||
if (!hex_policy_hash)
|
||||
return -ENOMEM;
|
||||
|
||||
*ret_pcr_mask = pcr_mask;
|
||||
*ret_base64_blob = TAKE_PTR(base64_blob);
|
||||
*ret_hex_policy_hash = TAKE_PTR(hex_policy_hash);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1,22 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#pragma once
|
||||
|
||||
struct crypt_device;
|
||||
|
||||
int acquire_luks2_key(
|
||||
uint32_t pcr_mask,
|
||||
const char *device,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const void *policy_hash,
|
||||
size_t policy_hash_size,
|
||||
void **ret_decrypted_key,
|
||||
size_t *ret_decrypted_key_size);
|
||||
|
||||
int parse_luks2_tpm2_data(
|
||||
const char *json,
|
||||
uint32_t search_pcr_mask,
|
||||
uint32_t *ret_pcr_mask,
|
||||
char **ret_base64_blob,
|
||||
char **ret_hex_policy_hash);
|
||||
@ -1,28 +0,0 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
|
||||
|
||||
cryptsetup_token_c_args = ['-fvisibility=hidden']
|
||||
|
||||
cryptsetup_token_sym = files('cryptsetup-token.sym')
|
||||
cryptsetup_token_sym_path = join_paths(meson.current_source_dir(), 'cryptsetup-token.sym')
|
||||
|
||||
if conf.get('HAVE_TPM2') == 1
|
||||
cryptsetup_token_systemd_tpm2_sources = files('''
|
||||
cryptsetup-token-systemd-tpm2.c
|
||||
cryptsetup-token.h
|
||||
cryptsetup-token-util.h
|
||||
cryptsetup-token-util.c
|
||||
luks2-tpm2.c
|
||||
luks2-tpm2.h
|
||||
'''.split())
|
||||
|
||||
cryptsetup_token_systemd_tpm2_static = static_library(
|
||||
'cryptsetup-token-systemd-tpm2_static',
|
||||
cryptsetup_token_systemd_tpm2_sources,
|
||||
include_directories : includes,
|
||||
dependencies : libshared_deps + [libcryptsetup],
|
||||
c_args : cryptsetup_token_c_args)
|
||||
endif
|
||||
|
||||
endif
|
||||
@ -1041,33 +1041,6 @@ static int make_tpm2_device_monitor(sd_event *event, sd_device_monitor **ret) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int attach_luks2_by_tpm2(
|
||||
struct crypt_device *cd,
|
||||
const char *name,
|
||||
uint32_t flags) {
|
||||
|
||||
#if HAVE_LIBCRYPTSETUP_PLUGINS
|
||||
int r;
|
||||
|
||||
systemd_tpm2_plugin_params params = {
|
||||
.search_pcr_mask = arg_tpm2_pcr_mask,
|
||||
.device = arg_tpm2_device
|
||||
};
|
||||
|
||||
if (crypt_token_external_path() == NULL)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||
"Libcryptsetup has external plugins support disabled.");
|
||||
|
||||
r = crypt_activate_by_token_pin(cd, name, "systemd-tpm2", CRYPT_ANY_TOKEN, NULL, 0, ¶ms, flags);
|
||||
if (r > 0) /* returns unlocked keyslot id on success */
|
||||
r = 0;
|
||||
|
||||
return r;
|
||||
#else
|
||||
return -EOPNOTSUPP;
|
||||
#endif
|
||||
}
|
||||
|
||||
static int attach_luks_or_plain_or_bitlk_by_tpm2(
|
||||
struct crypt_device *cd,
|
||||
const char *name,
|
||||
@ -1114,20 +1087,6 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
|
||||
if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
|
||||
return r;
|
||||
} else {
|
||||
r = attach_luks2_by_tpm2(cd, name, flags);
|
||||
/* EAGAIN means: no tpm2 chip found
|
||||
* EOPNOTSUPP means: no libcryptsetup plugins support */
|
||||
if (r == -ENXIO)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
|
||||
"No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking.");
|
||||
if (r == -ENOENT)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
|
||||
"No TPM2 metadata enrolled in LUKS2 header or TPM2 support not available, falling back to traditional unlocking.");
|
||||
if (!IN_SET(r, -EOPNOTSUPP, -EAGAIN))
|
||||
return r;
|
||||
}
|
||||
|
||||
if (r == -EOPNOTSUPP) {
|
||||
_cleanup_free_ void *blob = NULL, *policy_hash = NULL;
|
||||
size_t blob_size, policy_hash_size;
|
||||
bool found_some = false;
|
||||
|
||||
@ -46,33 +46,31 @@ OrderWithRequires(postun): systemd \
|
||||
|
||||
%systemd_post() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_post}} \
|
||||
if [ $1 -eq 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
|
||||
if [ $1 -eq 1 ] && [ -x %{_bindir}/systemctl ]; then \
|
||||
# Initial installation \
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} install-system-units %{?*} || : \
|
||||
%{_bindir}/systemctl --no-reload preset %{?*} || : \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
%systemd_user_post() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_post}} \
|
||||
if [ $1 -eq 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
|
||||
# Initial installation \
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} install-user-units %{?*} || : \
|
||||
fi \
|
||||
%{nil}
|
||||
%systemd_user_post() %{expand:%systemd_post \\--global %%{?*}}
|
||||
|
||||
%systemd_preun() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_preun}} \
|
||||
if [ $1 -eq 0 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
|
||||
if [ $1 -eq 0 ] && [ -x %{_bindir}/systemctl ]; then \
|
||||
# Package removal, not upgrade \
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} remove-system-units %{?*} || : \
|
||||
if [ -d /run/systemd/system ]; then \
|
||||
%{_bindir}/systemctl --no-reload disable --now %{?*} || : \
|
||||
else \
|
||||
%{_bindir}/systemctl --no-reload disable %{?*} || : \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
%systemd_user_preun() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_preun}} \
|
||||
if [ $1 -eq 0 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
|
||||
if [ $1 -eq 0 ] && [ -x %{_bindir}/systemctl ]; then \
|
||||
# Package removal, not upgrade \
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} remove-user-units %{?*} || : \
|
||||
%{_bindir}/systemctl --global disable %{?*} || : \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
@ -86,18 +84,16 @@ fi \
|
||||
|
||||
%systemd_postun_with_restart() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \
|
||||
if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
|
||||
if [ $1 -ge 1 ] && [ -x %{_bindir}/systemctl ]; then \
|
||||
# Package upgrade, not uninstall \
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-system-units %{?*} || : \
|
||||
for unit in %{?*}; do \
|
||||
%{_bindir}/systemctl set-property $unit Markers=+needs-restart || : \
|
||||
done \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
%systemd_user_postun_with_restart() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_postun_with_restart}} \
|
||||
if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
|
||||
# Package upgrade, not uninstall \
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-user-units %{?*} || : \
|
||||
fi \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_postun_with_restart}} \
|
||||
%{nil}
|
||||
|
||||
%udev_hwdb_update() %{nil}
|
||||
@ -109,17 +105,17 @@ fi \
|
||||
# Deprecated. Use %tmpfiles_create_package instead
|
||||
%tmpfiles_create() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# tmpfiles_create}} \
|
||||
command -v systemd-tmpfiles >/dev/null && systemd-tmpfiles --create %{?*} || : \
|
||||
[ -x %{_bindir}/systemd-tmpfiles ] && %{_bindir}/systemd-tmpfiles --create %{?*} || : \
|
||||
%{nil}
|
||||
|
||||
# Deprecated. Use %sysusers_create_package instead
|
||||
%sysusers_create() \
|
||||
%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# sysusers_create}} \
|
||||
command -v systemd-sysusers >/dev/null && systemd-sysusers %{?*} || : \
|
||||
[ -x %{_bindir}/systemd-sysusers ] && %{_bindir}/systemd-sysusers %{?*} || : \
|
||||
%{nil}
|
||||
|
||||
%sysusers_create_inline() \
|
||||
command -v systemd-sysusers >/dev/null && systemd-sysusers - <<SYSTEMD_INLINE_EOF || : \
|
||||
[ -x %{_bindir}/systemd-sysusers ] && %{_bindir}/systemd-sysusers - <<SYSTEMD_INLINE_EOF || : \
|
||||
%{?*} \
|
||||
SYSTEMD_INLINE_EOF\
|
||||
%{nil}
|
||||
|
||||
@ -1,13 +1,9 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
in_files = [
|
||||
['macros.systemd', rpmmacrosdir != 'no', rpmmacrosdir],
|
||||
|
||||
# we conditionalize on rpmmacrosdir, but install into rootlibexecdir
|
||||
['systemd-update-helper', rpmmacrosdir != 'no', rootlibexecdir, 'rwxr-xr-x'],
|
||||
|
||||
['triggers.systemd', false],
|
||||
['triggers.systemd.sh', false]]
|
||||
['macros.systemd', rpmmacrosdir != 'no'],
|
||||
['triggers.systemd', false],
|
||||
['triggers.systemd.sh', false]]
|
||||
|
||||
# The last two don't get installed anywhere, one of them needs to included in
|
||||
# the rpm spec file definition instead.
|
||||
@ -21,7 +17,6 @@ foreach tuple : in_files
|
||||
command : [meson_render_jinja2, config_h, '@INPUT@'],
|
||||
capture : true,
|
||||
install : tuple[1],
|
||||
install_dir : tuple.length() > 2 ? tuple[2] : '',
|
||||
install_mode : tuple.length() > 3 ? tuple[3] : false,
|
||||
install_dir : rpmmacrosdir,
|
||||
build_by_default : true)
|
||||
endforeach
|
||||
|
||||
@ -1,116 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -eu
|
||||
set -o pipefail
|
||||
|
||||
command="${1:?}"
|
||||
shift
|
||||
|
||||
command -v systemctl >/dev/null || exit 0
|
||||
|
||||
case "$command" in
|
||||
install-system-units)
|
||||
systemctl --no-reload preset "$@"
|
||||
;;
|
||||
|
||||
install-user-units)
|
||||
systemctl --no-reload preset --global "$@"
|
||||
;;
|
||||
|
||||
remove-system-units)
|
||||
if [ -d /run/systemd/system ]; then
|
||||
systemctl --no-reload disable --now "$@"
|
||||
else
|
||||
systemctl --no-reload disable "$@"
|
||||
fi
|
||||
;;
|
||||
|
||||
remove-user-units)
|
||||
systemctl --global disable "$@"
|
||||
|
||||
[ -d /run/systemd/system ] || exit 0
|
||||
|
||||
users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
|
||||
for user in $users; do
|
||||
SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
|
||||
systemctl --user -M "$user@" disable --now "$@" &
|
||||
done
|
||||
wait
|
||||
;;
|
||||
|
||||
mark-restart-system-units)
|
||||
[ -d /run/systemd/system ] || exit 0
|
||||
|
||||
for unit in "$@"; do
|
||||
systemctl set-property "$unit" Markers=+needs-restart &
|
||||
done
|
||||
wait
|
||||
;;
|
||||
|
||||
mark-restart-user-units)
|
||||
[ -d /run/systemd/system ] || exit 0
|
||||
|
||||
users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
|
||||
for user in $users; do
|
||||
SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
|
||||
systemctl --user -M "$user@" set-property "$unit" Markers=+needs-restart &
|
||||
done
|
||||
wait
|
||||
;;
|
||||
|
||||
system-reload-restart|system-reload|system-restart)
|
||||
if [ -n "$*" ]; then
|
||||
echo "Unexpected arguments for '$command': $*"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
[ -d /run/systemd/system ] || exit 0
|
||||
|
||||
if [[ "$command" =~ reload ]]; then
|
||||
systemctl daemon-reload
|
||||
fi
|
||||
|
||||
if [[ "$command" =~ restart ]]; then
|
||||
systemctl reload-or-restart --marked
|
||||
fi
|
||||
;;
|
||||
|
||||
user-reload-restart|user-reload|user-restart|user-reexec)
|
||||
if [ -n "$*" ]; then
|
||||
echo "Unexpected arguments for '$command': $*"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
[ -d /run/systemd/system ] || exit 0
|
||||
|
||||
users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p')
|
||||
|
||||
if [[ "$command" =~ reexec ]]; then
|
||||
for user in $users; do
|
||||
SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
|
||||
systemctl --user -M "$user@" daemon-reexec &
|
||||
done
|
||||
wait
|
||||
fi
|
||||
|
||||
if [[ "$command" =~ reload ]]; then
|
||||
for user in $users; do
|
||||
SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
|
||||
systemctl --user -M "$user@" daemon-reload &
|
||||
done
|
||||
wait
|
||||
fi
|
||||
|
||||
if [[ "$command" =~ restart ]]; then
|
||||
for user in $users; do
|
||||
SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \
|
||||
systemctl --user -M "$user@" reload-or-restart --marked &
|
||||
done
|
||||
wait
|
||||
fi
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Unknown verb '$command'"
|
||||
exit 3
|
||||
;;
|
||||
esac
|
||||
@ -13,19 +13,20 @@
|
||||
-- upgraded. We care about the case where a package is initially
|
||||
-- installed, because other cases are covered by the *un scriptlets,
|
||||
-- so sometimes we will reload needlessly.
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-reload-restart"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
|
||||
%transfiletriggerin -P 900899 -p <lua> -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "user-reload-restart"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("%{_bindir}/systemctl", "reload-or-restart", "--marked"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
end
|
||||
|
||||
%transfiletriggerpostun -P 1000100 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
|
||||
@ -34,38 +35,24 @@ end
|
||||
-- On upgrade, we need to run daemon-reload after any new unit files
|
||||
-- have been installed, but before %postun scripts in packages get
|
||||
-- executed.
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-reload"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
|
||||
%transfiletriggerpostun -P 1000100 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
|
||||
-- Execute daemon-reload in user managers.
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "user-reload"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
end
|
||||
|
||||
%transfiletriggerpostun -P 10000 -p <lua> -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
|
||||
-- We restart remaining system services that should be restarted here.
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "system-restart"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
|
||||
%transfiletriggerpostun -P 9999 -p <lua> -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
|
||||
-- We restart remaining user services that should be restarted here.
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("{{SYSTEMD_UPDATE_HELPER_PATH}}", "user-restart"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
-- We restart remaining services that should be restarted here.
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.exec("%{_bindir}/systemctl", "reload-or-restart", "--marked"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
end
|
||||
|
||||
%transfiletriggerin -P 100700 -p <lua> -- {{SYSUSERS_DIR}}
|
||||
@ -75,7 +62,7 @@ end
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.execp("systemd-sysusers"))
|
||||
assert(posix.exec("%{_bindir}/systemd-sysusers"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
@ -87,7 +74,7 @@ end
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.execp("systemd-hwdb", "update"))
|
||||
assert(posix.exec("%{_bindir}/systemd-hwdb", "update"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
@ -99,7 +86,7 @@ end
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.execp("journalctl", "--update-catalog"))
|
||||
assert(posix.exec("%{_bindir}/journalctl", "--update-catalog"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
@ -124,7 +111,7 @@ end
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.execp("systemd-tmpfiles", "--create"))
|
||||
assert(posix.exec("%{_bindir}/systemd-tmpfiles", "--create"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
@ -136,7 +123,7 @@ end
|
||||
if posix.access("/run/systemd/system") then
|
||||
pid = posix.fork()
|
||||
if pid == 0 then
|
||||
assert(posix.execp("udevadm", "control", "--reload"))
|
||||
assert(posix.exec("%{_bindir}/udevadm", "control", "--reload"))
|
||||
elseif pid > 0 then
|
||||
posix.wait(pid)
|
||||
end
|
||||
|
||||
@ -14,10 +14,10 @@
|
||||
# upgraded. We care about the case where a package is initially
|
||||
# installed, because other cases are covered by the *un scriptlets,
|
||||
# so sometimes we will reload needlessly.
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} system-reload-restart || :
|
||||
|
||||
%transfiletriggerin -P 900899 -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} user-reload-restart || :
|
||||
if test -d "/run/systemd/system"; then
|
||||
%{_bindir}/systemctl daemon-reload || :
|
||||
%{_bindir}/systemctl reload-or-restart --marked || :
|
||||
fi
|
||||
|
||||
%transfiletriggerpostun -P 1000100 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
|
||||
# On removal, we need to run daemon-reload after any units have been
|
||||
@ -25,40 +25,36 @@
|
||||
# On upgrade, we need to run daemon-reload after any new unit files
|
||||
# have been installed, but before %postun scripts in packages get
|
||||
# executed.
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} system-reload || :
|
||||
|
||||
%transfiletriggerpostun -P 1000099 -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
|
||||
# Execute daemon-reload in user managers.
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} user-reload || :
|
||||
if test -d "/run/systemd/system"; then
|
||||
%{_bindir}/systemctl daemon-reload || :
|
||||
fi
|
||||
|
||||
%transfiletriggerpostun -P 10000 -- {{SYSTEM_DATA_UNIT_DIR}} /etc/systemd/system
|
||||
# We restart remaining system services that should be restarted here.
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} system-restart || :
|
||||
|
||||
%transfiletriggerpostun -P 9999 -- {{USER_DATA_UNIT_DIR}} /etc/systemd/user
|
||||
# We restart remaining user services that should be restarted here.
|
||||
{{SYSTEMD_UPDATE_HELPER_PATH}} user-restart || :
|
||||
# We restart remaining services that should be restarted here.
|
||||
if test -d "/run/systemd/system"; then
|
||||
%{_bindir}/systemctl reload-or-restart --marked || :
|
||||
fi
|
||||
|
||||
%transfiletriggerin -P 1000700 -- {{SYSUSERS_DIR}}
|
||||
# This script will process files installed in {{SYSUSERS_DIR}} to create
|
||||
# specified users automatically. The priority is set such that it
|
||||
# will run before the tmpfiles file trigger.
|
||||
if test -d "/run/systemd/system"; then
|
||||
systemd-sysusers || :
|
||||
%{_bindir}/systemd-sysusers || :
|
||||
fi
|
||||
|
||||
%transfiletriggerin -P 1000700 udev -- {{UDEV_HWDB_DIR}}
|
||||
# This script will automatically invoke hwdb update if files have been
|
||||
# installed or updated in {{UDEV_HWDB_DIR}}.
|
||||
if test -d "/run/systemd/system"; then
|
||||
systemd-hwdb update || :
|
||||
%{_bindir}/systemd-hwdb update || :
|
||||
fi
|
||||
|
||||
%transfiletriggerin -P 1000700 -- {{SYSTEMD_CATALOG_DIR}}
|
||||
# This script will automatically invoke journal catalog update if files
|
||||
# have been installed or updated in {{SYSTEMD_CATALOG_DIR}}.
|
||||
if test -d "/run/systemd/system"; then
|
||||
journalctl --update-catalog || :
|
||||
%{_bindir}/journalctl --update-catalog || :
|
||||
fi
|
||||
|
||||
%transfiletriggerin -P 1000700 -- {{BINFMT_DIR}}
|
||||
@ -75,14 +71,14 @@ fi
|
||||
# tmpfiles automatically. The priority is set such that it will run
|
||||
# after the sysusers file trigger, but before any other triggers.
|
||||
if test -d "/run/systemd/system"; then
|
||||
systemd-tmpfiles --create || :
|
||||
%{_bindir}/systemd-tmpfiles --create || :
|
||||
fi
|
||||
|
||||
%transfiletriggerin -P 1000600 udev -- {{UDEV_RULES_DIR}}
|
||||
# This script will automatically update udev with new rules if files
|
||||
# have been installed or updated in {{UDEV_RULES_DIR}}.
|
||||
if test -e /run/udev/control; then
|
||||
udevadm control --reload || :
|
||||
%{_bindir}/udevadm control --reload || :
|
||||
fi
|
||||
|
||||
%transfiletriggerin -P 1000500 -- {{SYSCTL_DIR}}
|
||||
|
||||
@ -49,8 +49,3 @@ int tpm2_make_luks2_json(int keyslot, uint32_t pcr_mask, const void *blob, size_
|
||||
|
||||
/* Default to PCR 7 only */
|
||||
#define TPM2_PCR_MASK_DEFAULT (UINT32_C(1) << 7)
|
||||
|
||||
typedef struct {
|
||||
uint32_t search_pcr_mask;
|
||||
const char *device;
|
||||
} systemd_tpm2_plugin_params;
|
||||
|
||||
@ -28,12 +28,10 @@ static int builtin_net_setup_link(sd_device *dev, int argc, char **argv, bool te
|
||||
|
||||
r = link_config_get(ctx, dev, &link);
|
||||
if (r < 0) {
|
||||
if (r == -ENOENT)
|
||||
return log_device_debug_errno(dev, r, "No matching link configuration found.");
|
||||
if (r == -ENODEV)
|
||||
return log_device_debug_errno(dev, r, "Link vanished while searching for configuration for it.");
|
||||
if (r == -ENOENT) {
|
||||
log_device_debug_errno(dev, r, "No matching link configuration found, ignoring device.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
return log_device_error_errno(dev, r, "Failed to get link config: %m");
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user