Merge edef33b554 into 9bf6ffe166

In the --help text we really should use the official spelling, just like
in the man page.

man/systemd-cryptenroll.xml

@@ -265,32 +265,11 @@
   </refsect1>
 
   <refsect1>
-    <title>Options</title>
+    <title>Unlocking</title>
 
-    <para>The following options are understood:</para>
+    <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
 
     <variablelist>
-      <varlistentry>
-        <term><option>--password</option></term>
-
-        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
-        <command>cryptsetup luksAddKey</command>, however may be combined with
-        <option>--wipe-slot=</option> in one call, see below.</para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--recovery-key</option></term>
-
-        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
-        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
-        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
-        </para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
 
@@ -328,7 +307,45 @@
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>Simple Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll simple user input based
+    unlocking:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>--password</option></term>
+
+        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
+        <command>cryptsetup luksAddKey</command>, however may be combined with
+        <option>--wipe-slot=</option> in one call, see below.</para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--recovery-key</option></term>
+
+        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
+        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
+        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
+        </para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>PKCS#11 Enrollment</title>
+
+    <para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
 
@@ -361,7 +378,15 @@
 
         <xi:include href="version-info.xml" xpointer="v248"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>FIDO2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
         <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@@ -461,7 +486,15 @@
 
         <xi:include href="version-info.xml" xpointer="v249"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>TPM2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll TPM2 devices:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
 
@@ -636,7 +669,15 @@
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>Other Options</title>
+
+    <para>The following additional options are understood:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
 

man/systemd.netdev.xml

@@ -200,6 +200,9 @@
 
           <row><entry><varname>wlan</varname></entry>
           <entry>A virtual wireless network (WLAN) interface.</entry></row>
+
+          <row><entry><varname>hsr</varname></entry>
+          <entry>IEC 62439 defined High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP).</entry></row>
         </tbody>
       </tgroup>
     </table>
@@ -2760,6 +2763,56 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>[HSR] Section Options</title>
+    <para>The [HSR] section only applies for netdevs of kind <literal>hsr</literal> and accepts the
+    following keys:</para>
+
+    <variablelist class='network-directives'>
+      <varlistentry>
+        <term><varname>SlaveInterface1=</varname></term>
+        <listitem>
+          <para>Name of the first interface bound to the HSR device.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>SlaveInterface2=</varname></term>
+        <listitem>
+          <para>Name of the second interface bound to the HSR device. Must be a different network
+          interface than the one specified in <varname>SlaveInterface1</varname>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>SupervisionTag=</varname></term>
+        <listitem>
+          <para>The last byte of the multicast address used for HSR supervision frames.
+          Takes an integer in the range 0…255. The default value is 0.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>Version=</varname></term>
+        <listitem>
+          <para>The version of the underlying protocol. The default value is 0.
+          This parameter should only be used when <varname>Protocol=HSR</varname>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>Protocol=</varname></term>
+        <listitem>
+          <para>The underlying protocol to use. Possible values are
+          <literal>HSR</literal> (High-availability Seamless Redundancy) and
+          <literal>PRP</literal> (Parallel Redundancy Protocol).
+          The default value is <literal>HSR</literal>.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
   <refsect1>
     <title>Examples</title>
     <example>

shell-completion/bash/systemd-cryptenroll

@@ -38,19 +38,12 @@ __get_tpm2_devices() {
     done
 }
 
-__get_block_devices() {
-    local i
-    for i in /dev/*; do
-        [ -b "$i" ] && printf '%s\n' "$i"
-    done
-}
-
 _systemd_cryptenroll() {
     local comps
     local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
     local -A OPTS=(
         [STANDALONE]='-h --help --version
-                     --password --recovery-key'
+                     --password --recovery-key --list-devices'
         [ARG]='--unlock-key-file
                --unlock-fido2-device
                --unlock-tpm2-device
@@ -116,7 +109,7 @@ _systemd_cryptenroll() {
         return 0
     fi
 
-    comps=$(__get_block_devices)
+    comps=$(systemd-cryptenroll --list-devices)
     COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
     return 0
 }

src/core/service.c

@@ -3426,14 +3426,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
                         return 0;
                 }
 
-                r = service_add_fd_store(s, fd, fdn, do_poll);
+                r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
                 if (r < 0) {
                         log_unit_debug_errno(u, r,
                                              "Failed to store deserialized fd '%s', ignoring: %m", fdn);
                         return 0;
                 }
-
-                TAKE_FD(fd);
         } else if (streq(key, "extra-fd")) {
                 _cleanup_free_ char *fdv = NULL, *fdn = NULL;
                 _cleanup_close_ int fd = -EBADF;

src/cryptenroll/cryptenroll.c

@@ -193,7 +193,7 @@ static int help(void) {
                "\n%3$sSimple Enrollment:%4$s\n"
                "     --password        Enroll a user-supplied password\n"
                "     --recovery-key    Enroll a recovery key\n"
-               "\n%3$sPKCS11 Enrollment:%4$s\n"
+               "\n%3$sPKCS#11 Enrollment:%4$s\n"
                "     --pkcs11-token-uri=URI\n"
                "                       Specify PKCS#11 security token URI\n"
                "\n%3$sFIDO2 Enrollment:%4$s\n"

src/libsystemd/sd-netlink/netlink-types-rtnl.c

@@ -239,6 +239,16 @@ static const NLAPolicy rtnl_link_info_data_gre_policies[] = {
         [IFLA_GRE_ERSPAN_HWID]      = BUILD_POLICY(U16),
 };
 
+static const NLAPolicy rtnl_link_info_data_hsr_policies[] = {
+        [IFLA_HSR_SLAVE1]           = BUILD_POLICY(U32),
+        [IFLA_HSR_SLAVE2]           = BUILD_POLICY(U32),
+        [IFLA_HSR_MULTICAST_SPEC]   = BUILD_POLICY(U8),
+        [IFLA_HSR_VERSION]          = BUILD_POLICY(U8),
+        [IFLA_HSR_SUPERVISION_ADDR] = BUILD_POLICY_WITH_SIZE(ETHER_ADDR, ETH_ALEN),
+        [IFLA_HSR_SEQ_NR]           = BUILD_POLICY(U16),
+        [IFLA_HSR_PROTOCOL]         = BUILD_POLICY(U8),
+};
+
 static const NLAPolicy rtnl_link_info_data_ipoib_policies[] = {
         [IFLA_IPOIB_PKEY]           = BUILD_POLICY(U16),
         [IFLA_IPOIB_MODE]           = BUILD_POLICY(U16),
@@ -412,8 +422,8 @@ static const NLAPolicySetUnionElement rtnl_link_info_data_policy_set_union_eleme
         BUILD_UNION_ELEMENT_BY_STRING("gretap",    rtnl_link_info_data_gre),
 /*
         BUILD_UNION_ELEMENT_BY_STRING("gtp",       rtnl_link_info_data_gtp),
-        BUILD_UNION_ELEMENT_BY_STRING("hsr",       rtnl_link_info_data_hsr),
 */
+        BUILD_UNION_ELEMENT_BY_STRING("hsr",       rtnl_link_info_data_hsr),
         BUILD_UNION_ELEMENT_BY_STRING("ip6erspan", rtnl_link_info_data_gre),
         BUILD_UNION_ELEMENT_BY_STRING("ip6gre",    rtnl_link_info_data_gre),
         BUILD_UNION_ELEMENT_BY_STRING("ip6gretap", rtnl_link_info_data_gre),

src/network/meson.build

@@ -10,6 +10,7 @@ sources = files(
         'netdev/dummy.c',
         'netdev/fou-tunnel.c',
         'netdev/geneve.c',
+        'netdev/hsr.c',
         'netdev/ifb.c',
         'netdev/ipoib.c',
         'netdev/ipvlan.c',

src/network/netdev/hsr.c

@@ -0,0 +1,142 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <net/if.h>
+#include <netinet/in.h>
+#include <linux/if_arp.h>
+
+#include "hsr.h"
+#include "string-table.h"
+
+static const char* const hsr_protocol_table[_NETDEV_HSR_PROTOCOL_MAX] = {
+        [NETDEV_HSR_PROTOCOL_HSR] = "HSR",
+        [NETDEV_HSR_PROTOCOL_PRP] = "PRP",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(hsr_protocol, HsrProtocol);
+DEFINE_CONFIG_PARSE_ENUM(config_parse_hsr_protocol, hsr_protocol, HsrProtocol,
+                         "Failed to parse Protocol=");
+
+static int netdev_hsr_get_iface_indexes(Hsr *hsr, int *indexes) {
+        Link *link = NULL;
+        int r, i;
+
+        assert(hsr);
+
+        for (i = 0; i < _NETDEV_HSR_SLAVE_MAX; i++) {
+                r = link_get_by_name(hsr->meta.manager, hsr->slave_ifaces[i], &link);
+                if (r < 0)
+                        return r;
+
+                if (indexes)
+                        indexes[i] = link->ifindex;
+        }
+
+        return 0;
+}
+
+static int netdev_hsr_fill_message_create(NetDev *netdev, Link *link, sd_netlink_message *m) {
+        Hsr *hsr;
+        int indexes[_NETDEV_HSR_SLAVE_MAX];
+        int r;
+
+        assert(netdev);
+        assert(!link);
+        assert(m);
+
+        hsr = HSR(netdev);
+
+        assert(hsr);
+
+        r = netdev_hsr_get_iface_indexes(hsr, indexes);
+        if (r < 0)
+                return r;
+
+        r = sd_netlink_message_append_u32(m, IFLA_HSR_SLAVE1, indexes[NETDEV_HSR_SLAVE1]);
+        if (r < 0)
+                return r;
+
+        r = sd_netlink_message_append_u32(m, IFLA_HSR_SLAVE2, indexes[NETDEV_HSR_SLAVE2]);
+        if (r < 0)
+                return r;
+
+        r = sd_netlink_message_append_u8(m, IFLA_HSR_MULTICAST_SPEC, hsr->multicast_spec);
+        if (r < 0)
+                return r;
+
+        /* Protocol version is not supported by kernel module when PRP is used. */
+        if (hsr->protocol == NETDEV_HSR_PROTOCOL_HSR) {
+                r = sd_netlink_message_append_u8(m, IFLA_HSR_VERSION, hsr->version);
+                if (r < 0)
+                        return r;
+        }
+
+        r = sd_netlink_message_append_u8(m, IFLA_HSR_PROTOCOL, hsr->protocol);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
+static int netdev_hsr_verify(NetDev *netdev, const char *filename) {
+        Hsr *hsr;
+        int i;
+
+        assert(netdev);
+        assert(filename);
+
+        hsr = HSR(netdev);
+
+        assert(hsr);
+
+        for (i = 0; i < _NETDEV_HSR_SLAVE_MAX; i++) {
+                if (!hsr->slave_ifaces[i])
+                        return log_netdev_warning_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
+                                                        "HSR without SlaveInterface%d= configured in %s. Ignoring",
+                                                        (i + 1), filename);
+        }
+
+        if (streq(hsr->slave_ifaces[NETDEV_HSR_SLAVE1], hsr->slave_ifaces[NETDEV_HSR_SLAVE2]))
+                return log_netdev_warning_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
+                                                "SlaveInterface1= and SlaveInterface2= must be different in %s. Ignoring",
+                                                filename);
+
+        return 0;
+}
+
+static int netdev_hsr_is_ready_to_create(NetDev *netdev, Link *link) {
+        Hsr *hsr;
+
+        assert(netdev);
+
+        hsr = HSR(netdev);
+
+        assert(hsr);
+
+        return netdev_hsr_get_iface_indexes(hsr, NULL) >= 0;
+}
+
+static void netdev_hsr_done(NetDev *netdev) {
+        Hsr *hsr;
+        int i;
+
+        assert(netdev);
+
+        hsr = HSR(netdev);
+
+        assert(hsr);
+
+        for (i = 0; i < _NETDEV_HSR_SLAVE_MAX; i++)
+                free(hsr->slave_ifaces[i]);
+}
+
+const NetDevVTable hsr_vtable = {
+        .object_size = sizeof(Hsr),
+        .sections = NETDEV_COMMON_SECTIONS "HSR\0",
+        .fill_message_create = netdev_hsr_fill_message_create,
+        .config_verify = netdev_hsr_verify,
+        .is_ready_to_create = netdev_hsr_is_ready_to_create,
+        .done = netdev_hsr_done,
+        .create_type = NETDEV_CREATE_INDEPENDENT,
+        .iftype = ARPHRD_ETHER,
+        .generate_mac = true,
+};

src/network/netdev/hsr.h

@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+typedef struct Hsr Hsr;
+
+#include "netdev.h"
+
+typedef enum HsrSlave {
+        NETDEV_HSR_SLAVE1,
+        NETDEV_HSR_SLAVE2,
+        _NETDEV_HSR_SLAVE_MAX,
+        _NETDEV_HSR_SLAVE_INVALID = -EINVAL,
+} HsrSlave;
+
+typedef enum HsrProtocol {
+        NETDEV_HSR_PROTOCOL_HSR = HSR_PROTOCOL_HSR,
+        NETDEV_HSR_PROTOCOL_PRP = HSR_PROTOCOL_PRP,
+        _NETDEV_HSR_PROTOCOL_MAX,
+        _NETDEV_HSR_PROTOCOL_INVALID = -EINVAL,
+} HsrProtocol;
+
+struct Hsr {
+        NetDev meta;
+
+        char *slave_ifaces[_NETDEV_HSR_SLAVE_MAX];
+        uint8_t multicast_spec;
+
+        HsrProtocol protocol;
+        uint8_t version;
+};
+
+DEFINE_NETDEV_CAST(HSR, Hsr);
+extern const NetDevVTable hsr_vtable;
+
+const char *hsr_protocol_to_string(HsrProtocol d) _const_;
+HsrProtocol hsr_protocol_from_string(const char *d) _pure_;
+
+CONFIG_PARSER_PROTOTYPE(config_parse_hsr_protocol);

src/network/netdev/netdev-gperf.gperf

@@ -11,6 +11,7 @@ _Pragma("GCC diagnostic ignored \"-Wimplicit-fallthrough\"")
 #include "conf-parser.h"
 #include "fou-tunnel.h"
 #include "geneve.h"
+#include "hsr.h"
 #include "ipoib.h"
 #include "ipvlan.h"
 #include "l2tp-tunnel.h"
@@ -276,3 +277,8 @@ IPoIB.IgnoreUserspaceMulticastGroups,     config_parse_tristate,
 WLAN.PhysicalDevice,                      config_parse_wiphy,                        0,                             0
 WLAN.Type,                                config_parse_wlan_iftype,                  0,                             offsetof(WLan, iftype)
 WLAN.WDS,                                 config_parse_tristate,                     0,                             offsetof(WLan, wds)
+HSR.SlaveInterface1,                      config_parse_ifname,                       0,                             offsetof(Hsr, slave_ifaces[NETDEV_HSR_SLAVE1])
+HSR.SlaveInterface2,                      config_parse_ifname,                       0,                             offsetof(Hsr, slave_ifaces[NETDEV_HSR_SLAVE2])
+HSR.SupervisionTag,                       config_parse_uint8,                        0,                             offsetof(Hsr, multicast_spec)
+HSR.Version,                              config_parse_uint8,                        0,                             offsetof(Hsr, version)
+HSR.Protocol,                             config_parse_hsr_protocol,                 0,                             offsetof(Hsr, protocol)

src/network/netdev/netdev.c

@@ -18,6 +18,7 @@
 #include "fd-util.h"
 #include "fou-tunnel.h"
 #include "geneve.h"
+#include "hsr.h"
 #include "ifb.h"
 #include "ipoib.h"
 #include "ipvlan.h"
@@ -65,6 +66,7 @@ const NetDevVTable * const netdev_vtable[_NETDEV_KIND_MAX] = {
         [NETDEV_KIND_GENEVE]    = &geneve_vtable,
         [NETDEV_KIND_GRE]       = &gre_vtable,
         [NETDEV_KIND_GRETAP]    = &gretap_vtable,
+        [NETDEV_KIND_HSR]       = &hsr_vtable,
         [NETDEV_KIND_IFB]       = &ifb_vtable,
         [NETDEV_KIND_IP6GRE]    = &ip6gre_vtable,
         [NETDEV_KIND_IP6GRETAP] = &ip6gretap_vtable,
@@ -106,6 +108,7 @@ static const char* const netdev_kind_table[_NETDEV_KIND_MAX] = {
         [NETDEV_KIND_GENEVE]    = "geneve",
         [NETDEV_KIND_GRE]       = "gre",
         [NETDEV_KIND_GRETAP]    = "gretap",
+        [NETDEV_KIND_HSR]       = "hsr",
         [NETDEV_KIND_IFB]       = "ifb",
         [NETDEV_KIND_IP6GRE]    = "ip6gre",
         [NETDEV_KIND_IP6GRETAP] = "ip6gretap",

src/network/netdev/netdev.h

@@ -24,6 +24,7 @@
         "-Bridge\0"                               \
         "-FooOverUDP\0"                           \
         "-GENEVE\0"                               \
+        "-HSR\0"                                  \
         "-IPoIB\0"                                \
         "-IPVLAN\0"                               \
         "-IPVTAP\0"                               \
@@ -59,6 +60,7 @@ typedef enum NetDevKind {
         NETDEV_KIND_GENEVE,
         NETDEV_KIND_GRE,
         NETDEV_KIND_GRETAP,
+        NETDEV_KIND_HSR,
         NETDEV_KIND_IFB,
         NETDEV_KIND_IP6GRE,
         NETDEV_KIND_IP6GRETAP,