2026-04-24 16:04:51 +02:00
14 changed files with 67 additions and 148 deletions
--- a/5
+++ b/5
@ -78,11 +78,6 @@ Janitorial Clean-ups:
 Features:
 * support uefi/http boots with sd-boot: instead of looking for dropin files in
  /loader/entries/ dir, look for a file /loader/entries/SHA256SUMS and use that
  as directory manifest. The file would be a standard directory listing as
  generated by GNU sha256sums.
 * initialize machine ID from systemd credential picked up from the ESP via
  sd-stub, so that machine ID is stable even on systems where unified kernels
  are used, and hence kernel cmdline cannot be modified locally
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@ -30,7 +30,7 @@ manpages = [
 ['journalctl', '1', [], ''],
 ['journald.conf', '5', ['journald.conf.d', 'journald@.conf'], ''],
 ['kernel-command-line', '7', [], ''],
- ['kernel-install', '8', [], 'ENABLE_KERNEL_INSTALL'],
+ ['kernel-install', '8', [], ''],
 ['libudev', '3', [], ''],
 ['loader.conf', '5', [], 'HAVE_GNU_EFI'],
 ['locale.conf', '5', [], ''],
--- a/meson.build
+++ b/meson.build
@ -1675,9 +1675,6 @@ else
 endif
 conf.set10('ENABLE_IMPORTD', have)
 want_kernel_install = get_option('kernel-install')
 conf.set10('ENABLE_KERNEL_INSTALL', want_kernel_install)
 want_homed = get_option('homed')
 if want_homed != 'false'
        have = (conf.get('HAVE_OPENSSL') == 1 and
@ -4146,7 +4143,7 @@ foreach tuple : [
        ['hwdb'],
        ['importd'],
        ['initrd'],
-        ['kernel-install'],
+        ['kernel-install',        get_option('kernel-install')],
        ['localed'],
        ['logind'],
        ['machined'],
--- a/shell-completion/bash/meson.build
+++ b/shell-completion/bash/meson.build
@ -31,7 +31,7 @@ items = [['busctl',              ''],
         ['systemd-path',        ''],
         ['systemd-run',         ''],
         ['udevadm',             ''],
-         ['kernel-install',      'ENABLE_KERNEL_INSTALL'],
+         ['kernel-install',      ''],
         ['bootctl',             'HAVE_GNU_EFI'],
         ['coredumpctl',         'ENABLE_COREDUMP'],
         ['homectl',             'ENABLE_HOMED'],
--- a/shell-completion/zsh/meson.build
+++ b/shell-completion/zsh/meson.build
@ -22,7 +22,7 @@ items = [['_busctl',                   ''],
         ['_systemd-path',             ''],
         ['_systemd-run',              ''],
         ['_udevadm',                  ''],
-         ['_kernel-install',           'ENABLE_KERNEL_INSTALL'],
+         ['_kernel-install',           ''],
         ['_sd_hosts_or_user_at_host', ''],
         ['_sd_outputmodes',           ''],
         ['_sd_unit_files',            ''],
--- a/src/backlight/backlight.c
+++ b/src/backlight/backlight.c
@ -14,11 +14,10 @@
 #include "mkdir.h"
 #include "parse-util.h"
 #include "pretty-print.h"
-#include "process-util.h"
+#include "terminal-util.h"
 #include "reboot-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "terminal-util.h"
 #include "util.h"
 static int help(void) {
@ -369,7 +368,7 @@ static int run(int argc, char *argv[]) {
        log_setup();
-        if (argv_looks_like_help(argc, argv))
+        if (strv_contains(strv_skip(argv, 1), "--help"))
                return help();
        if (argc != 3)
--- a/src/basic/alloc-util.h
+++ b/src/basic/alloc-util.h
@ -174,23 +174,13 @@ void* greedy_realloc0(void **p, size_t need, size_t size);
 * is compatible with _FORTIFY_SOURCES. If _FORTIFY_SOURCES is used many memory operations will take the
 * object size as returned by __builtin_object_size() into account. Hence, let's return the smaller size of
 * malloc_usable_size() and __builtin_object_size() here, so that we definitely operate in safe territory by
- * both the compiler's and libc's standards. Note that _FORTIFY_SOURCES=3 handles also dynamically allocated
+ * both the compiler's and libc's standards. Note that __builtin_object_size() evaluates to SIZE_MAX if the
- * objects and thus it's safer using __builtin_dynamic_object_size if _FORTIFY_SOURCES=3 is used (#22801).
+ * size cannot be determined, hence the MIN() expression should be safe with dynamically sized memory,
- * Moreover, when NULL is passed malloc_usable_size() is documented to return zero, and
+ * too. Moreover, when NULL is passed malloc_usable_size() is documented to return zero, and
 * __builtin_object_size() returns SIZE_MAX too, hence we also return a sensible value of 0 in this corner
 * case. */
 #if defined __has_builtin
 #  if __has_builtin(__builtin_dynamic_object_size)
 #    define MALLOC_SIZEOF_SAFE(x) \
        MIN(malloc_usable_size(x), __builtin_dynamic_object_size(x, 0))
 #  endif
 #endif
 #ifndef MALLOC_SIZEOF_SAFE
 #define MALLOC_SIZEOF_SAFE(x) \
        MIN(malloc_usable_size(x), __builtin_object_size(x, 0))
 #endif
 /* Inspired by ELEMENTSOF() but operates on malloc()'ed memory areas: typesafely returns the number of items
 * that fit into the specified memory block */
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@ -1615,30 +1615,6 @@ _noreturn_ void freeze(void) {
                pause();
 }
 bool argv_looks_like_help(int argc, char **argv) {
        char **l;
        /* Scans the command line for indications the user asks for help. This is supposed to be called by
         * tools that do not implement getopt() style command line parsing because they are not primarily
         * user-facing. Detects four ways of asking for help:
         *
         * 1. Passing zero arguments
         * 2. Passing "help" as first argument
         * 3. Passing --help as any argument
         * 4. Passing -h as any argument
         */
        if (argc <= 1)
                return true;
        if (streq_ptr(argv[1], "help"))
                return true;
        l = strv_skip(argv, 1);
        return strv_contains(l, "--help") ||
                strv_contains(l, "-h");
 }
 static const char *const sigchld_code_table[] = {
        [CLD_EXITED] = "exited",
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@ -191,5 +191,3 @@ int setpriority_closest(int priority);
 bool invoked_as(char *argv[], const char *token);
 _noreturn_ void freeze(void);
 bool argv_looks_like_help(int argc, char **argv);
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@ -34,7 +34,6 @@
 #include "path-util.h"
 #include "pkcs11-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
 #include "random-util.h"
 #include "string-util.h"
 #include "strv.h"
@ -851,7 +850,7 @@ static int acquire_pins_from_env_variable(char ***ret_pins) {
 }
 #endif
-static int attach_luks2_by_fido2_via_plugin(
+static int attach_luks2_by_fido2(
                struct crypt_device *cd,
                const char *name,
                usec_t until,
@ -981,7 +980,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
        for (;;) {
                if (use_libcryptsetup_plugin && !arg_fido2_cid) {
-                        r = attach_luks2_by_fido2_via_plugin(cd, name, until, arg_headless, arg_fido2_device, flags);
+                        r = attach_luks2_by_fido2(cd, name, until, arg_headless, arg_fido2_device, flags);
                        if (IN_SET(r, -ENOTUNIQ, -ENXIO, -ENOENT))
                                return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
                                                       "Automatic FIDO2 metadata discovery was not possible because missing or not unique, falling back to traditional unlocking.");
@ -1054,7 +1053,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
        return 0;
 }
-static int attach_luks2_by_pkcs11_via_plugin(
+static int attach_luks2_by_pkcs11(
                struct crypt_device *cd,
                const char *name,
                const char *friendly_name,
@ -1134,7 +1133,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
        for (;;) {
                if (use_libcryptsetup_plugin && arg_pkcs11_uri_auto)
-                        r = attach_luks2_by_pkcs11_via_plugin(cd, name, friendly, until, arg_headless, flags);
+                        r = attach_luks2_by_pkcs11(cd, name, friendly, until, arg_headless, flags);
                else {
                        r = decrypt_pkcs11_key(
                                        name,
@ -1247,7 +1246,7 @@ static int make_tpm2_device_monitor(
        return 0;
 }
-static int attach_luks2_by_tpm2_via_plugin(
+static int attach_luks2_by_tpm2(
                struct crypt_device *cd,
                const char *name,
                uint32_t flags) {
@ -1323,28 +1322,23 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                return log_error_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");
                        if (ERRNO_IS_NOT_SUPPORTED(r)) /* TPM2 support not compiled in? */
                                return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 support not available, falling back to traditional unlocking.");
-                        /* EAGAIN means: no tpm2 chip found */
+                        if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
-                        if (r != -EAGAIN) {
+                                return r;
                                log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
                                return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
                        }
                } else {
-                        r = attach_luks2_by_tpm2_via_plugin(cd, name, flags);
+                        r = attach_luks2_by_tpm2(cd, name, flags);
                        /* EAGAIN     means: no tpm2 chip found
                         * EOPNOTSUPP means: no libcryptsetup plugins support */
                        if (r == -ENXIO)
-                                return log_notice_errno(SYNTHETIC_ERRNO(EAGAIN),
+                                return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
-                                                        "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking.");
+                                                       "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking.");
                        if (r == -ENOENT)
                                return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
                                                       "No TPM2 metadata enrolled in LUKS2 header or TPM2 support not available, falling back to traditional unlocking.");
-                        if (!IN_SET(r, -EOPNOTSUPP, -EAGAIN)) {
+                        if (!IN_SET(r, -EOPNOTSUPP, -EAGAIN))
-                                log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
+                                return r;
                                return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
                        }
                }
-                if (r == -EOPNOTSUPP) { /* Plugin not available, let's process TPM2 stuff right here instead */
+                if (r == -EOPNOTSUPP) {
                        _cleanup_free_ void *blob = NULL, *policy_hash = NULL;
                        size_t blob_size, policy_hash_size;
                        bool found_some = false;
@ -1373,11 +1367,10 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                                &tpm2_flags);
                                if (r == -ENXIO)
                                        /* No further TPM2 tokens found in the LUKS2 header. */
-                                        return log_full_errno(found_some ? LOG_NOTICE : LOG_DEBUG,
+                                        return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
-                                                              SYNTHETIC_ERRNO(EAGAIN),
+                                                               found_some
-                                                              found_some
+                                                               ? "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking."
-                                                              ? "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking."
+                                                               : "No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking.");
                                                              : "No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking.");
                                if (ERRNO_IS_NOT_SUPPORTED(r))  /* TPM2 support not compiled in? */
                                        return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 support not available, falling back to traditional unlocking.");
                                if (r < 0)
@ -1400,7 +1393,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                                arg_ask_password_flags,
                                                &decrypted_key, &decrypted_key_size);
                                if (IN_SET(r, -EACCES, -ENOLCK))
-                                        return log_notice_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");
+                                        return log_error_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");
                                if (r != -EPERM)
                                        break;
@ -1409,11 +1402,8 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                        if (r >= 0)
                                break;
-                        /* EAGAIN means: no tpm2 chip found */
+                        if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
-                        if (r != -EAGAIN) {
+                                return r;
                                log_notice_errno(r, "TPM2 operation failed, falling back to traditional unlocking: %m");
                                return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
                        }
                }
                if (!monitor) {
@ -1728,7 +1718,7 @@ static int run(int argc, char *argv[]) {
        const char *verb;
        int r;
-        if (argv_looks_like_help(argc, argv))
+        if (argc <= 1)
                return help();
        if (argc < 3)
@ -1760,8 +1750,8 @@ static int run(int argc, char *argv[]) {
                volume = argv[2];
                source = argv[3];
-                key_file = mangle_none(argc >= 5 ? argv[4] : NULL);
+                key_file = argc >= 5 && !STR_IN_SET(argv[4], "", "-", "none") ? argv[4] : NULL;
-                options = mangle_none(argc >= 6 ? argv[5] : NULL);
+                options = argc >= 6 && !STR_IN_SET(argv[5], "", "-", "none") ? argv[5] : NULL;
                if (!filename_is_valid(volume))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);
--- a/src/integritysetup/integritysetup.c
+++ b/src/integritysetup/integritysetup.c
@ -12,10 +12,9 @@
 #include "log.h"
 #include "main-func.h"
 #include "memory-util.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "parse-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
 #include "string-util.h"
 #include "terminal-util.h"
@ -88,16 +87,19 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
 static int run(int argc, char *argv[]) {
        _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
        char *verb, *volume;
        int r;
        char *action, *volume;
-        if (argv_looks_like_help(argc, argv))
+        if (argc <= 1 ||
            strv_contains(strv_skip(argv, 1), "--help") ||
            strv_contains(strv_skip(argv, 1), "-h") ||
            streq(argv[1], "help"))
                return help();
        if (argc < 3)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires at least two arguments.");
-        verb = argv[1];
+        action = argv[1];
        volume = argv[2];
        log_setup();
@ -106,7 +108,7 @@ static int run(int argc, char *argv[]) {
        umask(0022);
-        if (streq(verb, "attach")) {
+        if (streq(action, "attach")) {
                /* attach name device optional_key_file optional_options */
                crypt_status_info status;
@ -121,11 +123,8 @@ static int run(int argc, char *argv[]) {
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "attach has a maximum of five arguments.");
                device = argv[3];
-                key_file = mangle_none(argc > 4 ? argv[4] : NULL);
+                key_file = (argc > 4) ? empty_or_dash_to_null(argv[4]) : NULL;
-                options = mangle_none(argc > 5 ? argv[5] : NULL);
+                options = (argc > 5) ? empty_or_dash_to_null(argv[5]) : NULL;
                if (!filename_is_valid(volume))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);
                if (key_file) {
                        r = load_key_file(key_file, &key_buf, &key_buf_size);
@ -172,19 +171,14 @@ static int run(int argc, char *argv[]) {
                if (r < 0)
                        return log_error_errno(r, "Failed to set up integrity device: %m");
-        } else if (streq(verb, "detach")) {
+        } else if (streq(action, "detach")) {
                if (argc > 3)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "detach has a maximum of two arguments.");
                if (!filename_is_valid(volume))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);
                r = crypt_init_by_name(&cd, volume);
-                if (r == -ENODEV) {
+                if (r == -ENODEV)
                        log_info("Volume %s already inactive.", volume);
                        return 0;
                }
                if (r < 0)
                        return log_error_errno(r, "crypt_init_by_name() failed: %m");
@ -195,7 +189,7 @@ static int run(int argc, char *argv[]) {
                        return log_error_errno(r, "Failed to deactivate: %m");
        } else
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", verb);
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", action);
        return 0;
 }
--- a/src/kernel-install/meson.build
+++ b/src/kernel-install/meson.build
@ -1,5 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 want_kernel_install = get_option('kernel-install')
 if want_kernel_install
        install_data('kernel-install',
                     install_mode : 'rwxr-xr-x',
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@ -86,8 +86,3 @@ static inline void sym_crypt_free(struct crypt_device* cd) {}
 static inline void sym_crypt_freep(struct crypt_device** cd) {}
 #endif
 static inline const char *mangle_none(const char *s) {
        /* A helper that turns cryptsetup/integritysetup/veritysetup "options" strings into NULL if they are effectively empty */
        return isempty(s) || STR_IN_SET(s, "-", "none") ? NULL : s;
 }
--- a/src/veritysetup/veritysetup.c
+++ b/src/veritysetup/veritysetup.c
@ -12,7 +12,6 @@
 #include "main-func.h"
 #include "path-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
 #include "string-util.h"
 #include "terminal-util.h"
@ -112,10 +111,12 @@ static int parse_options(const char *options) {
 static int run(int argc, char *argv[]) {
        _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
        const char *verb;
        int r;
-        if (argv_looks_like_help(argc, argv))
+        if (argc <= 1 ||
            strv_contains(strv_skip(argv, 1), "--help") ||
            strv_contains(strv_skip(argv, 1), "-h") ||
            streq(argv[1], "help"))
                return help();
        if (argc < 3)
@ -127,10 +128,7 @@ static int run(int argc, char *argv[]) {
        umask(0022);
-        verb = argv[1];
+        if (streq(argv[1], "attach")) {
        if (streq(verb, "attach")) {
                const char *volume, *data_device, *verity_device, *root_hash, *options;
                _cleanup_free_ void *m = NULL;
                crypt_status_info status;
                size_t l;
@ -138,33 +136,24 @@ static int run(int argc, char *argv[]) {
                if (argc < 6)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "attach requires at least four arguments.");
-                volume = argv[2];
+                r = unhexmem(argv[5], strlen(argv[5]), &m, &l);
                data_device = argv[3];
                verity_device = argv[4];
                root_hash = argv[5];
                options = mangle_none(argc > 6 ? argv[6] : NULL);
                if (!filename_is_valid(volume))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);
                r = unhexmem(root_hash, SIZE_MAX, &m, &l);
                if (r < 0)
                        return log_error_errno(r, "Failed to parse root hash: %m");
-                r = crypt_init(&cd, verity_device);
+                r = crypt_init(&cd, argv[4]);
                if (r < 0)
-                        return log_error_errno(r, "Failed to open verity device %s: %m", verity_device);
+                        return log_error_errno(r, "Failed to open verity device %s: %m", argv[4]);
                cryptsetup_enable_logging(cd);
-                status = crypt_status(cd, volume);
+                status = crypt_status(cd, argv[2]);
                if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
-                        log_info("Volume %s already active.", volume);
+                        log_info("Volume %s already active.", argv[2]);
                        return 0;
                }
-                if (options) {
+                if (argc > 6) {
-                        r = parse_options(options);
+                        r = parse_options(argv[6]);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse options: %m");
                }
@ -173,7 +162,7 @@ static int run(int argc, char *argv[]) {
                if (r < 0)
                        return log_error_errno(r, "Failed to load verity superblock: %m");
-                r = crypt_set_data_device(cd, data_device);
+                r = crypt_set_data_device(cd, argv[3]);
                if (r < 0)
                        return log_error_errno(r, "Failed to configure data device: %m");
@ -197,26 +186,20 @@ static int run(int argc, char *argv[]) {
                                        return log_error_errno(r, "Failed to read root hash signature: %m");
                        }
-                        r = crypt_activate_by_signed_key(cd, volume, m, l, hash_sig, hash_sig_size, arg_activate_flags);
+                        r = crypt_activate_by_signed_key(cd, argv[2], m, l, hash_sig, hash_sig_size, arg_activate_flags);
 #else
                        assert_not_reached();
 #endif
                } else
-                        r = crypt_activate_by_volume_key(cd, volume, m, l, arg_activate_flags);
+                        r = crypt_activate_by_volume_key(cd, argv[2], m, l, arg_activate_flags);
                if (r < 0)
                        return log_error_errno(r, "Failed to set up verity device: %m");
-        } else if (streq(verb, "detach")) {
+        } else if (streq(argv[1], "detach")) {
                const char *volume;
-                volume = argv[2];
+                r = crypt_init_by_name(&cd, argv[2]);
                if (!filename_is_valid(volume))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);
                r = crypt_init_by_name(&cd, volume);
                if (r == -ENODEV) {
-                        log_info("Volume %s already inactive.", volume);
+                        log_info("Volume %s already inactive.", argv[2]);
                        return 0;
                }
                if (r < 0)
@ -224,12 +207,12 @@ static int run(int argc, char *argv[]) {
                cryptsetup_enable_logging(cd);
-                r = crypt_deactivate(cd, volume);
+                r = crypt_deactivate(cd, argv[2]);
                if (r < 0)
                        return log_error_errno(r, "Failed to deactivate: %m");
        } else
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", verb);
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", argv[1]);
        return 0;
 }