mkosi: update debian commit reference to efdd7a6377c7251011ca2c1a59115d482d25fe61

* efdd7a6377 Install new file for upstream build
* 9ebdc6099e d/rules: enable 10-systemd-logind-root-ignore-inhibitors.rules.example on Ubuntu
* 1255cc7663 initramfs-tools: only skip chzdev rules if zdev_early=0
* 4675b281ee d/t/boot-and-services: skip apparmor test on armhf
* 214d6e37b2 d/t/boot-and-services: run transient unit to check syslog messages
* f4e196aa26 d/t/boot-and-services: tweak test_rsyslog regex
* dbd366a43e Install new files for upstream build
* bb7f8ef532 Install new files for upstream build
* efa7cee8a7 Install new file for upstream build
* 95aa1d1685 Install new file for upstream build
* b770f0f01b kernel-install: skip 55-initrd.install when an initrd generator is configured
* af8d1e3134 Update changelog for 258.1-2 release
* 2d0e73cd14 d/libnss-systemd.postinst: Ensure module is enabled for all four databases

docs/BACKPORTS.md

@@ -7,20 +7,30 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 
 # Backports
 
-The upstream systemd git repo at [https://github.com/systemd/systemd](https://github.com/systemd/systemd) only contains the main systemd branch that progresses at a quick pace, continuously bringing both bugfixes and new features.
+The upstream systemd git repo at https://github.com/systemd/systemd
+contains the `main` branch that progresses at a quick pace,
+continuously bringing both bugfixes and new features.
+New releases are tagged as `vNNN` on this branch.
 
-Distributions usually prefer basing their releases on stabilized versions branched off from this, that receive the bugfixes but not the features.
+In addition to the `main` branch,
+the repo contains a number of branches for stable point updates for a given release,
+called `vNNN-stable`.
+Stable releases are tagged as `vNNN.X` on those branches.
+See [list of branches](https://github.com/systemd/systemd/branches/all?query=-stable)
+and [pull requests for stable branches](https://github.com/systemd/systemd/pulls?q=is%3Apr+is%3Aopen+label%3Astable-branch).
 
-## Stable Branch Repository
+Distributions usually prefer basing their releases on those stable branches.
+Stable branches are typically managed by distribution maintainers on an as-needed basis.
 
-Stable branches are available from [https://github.com/systemd/systemd-stable](https://github.com/systemd/systemd-stable).
+## Stable Branch Repository for older releases
 
-Stable branches are started for certain releases of systemd and named after them, e.g. v208-stable.
+Stable branches for releases up to 255 are available from
-Stable branches are typically managed by distribution maintainers on an as needed basis.
+[https://github.com/systemd/systemd-stable](https://github.com/systemd/systemd-stable).
 
-For example v208 has been chosen for stable as several distributions are shipping this version and the official/upstream cycle of v208-v209 was a long one due to kdbus work.
+## Policy for backports into stable branches
 
-If you are using a particular version and find yourself backporting several patches, you may consider pushing a stable branch here for that version so others can benefit.
+If you are using a particular version and find yourself backporting several patches,
+consider pushing a stable branch here for that version so others can benefit.
 
 Please contact us if you are interested.
 
@@ -31,5 +41,16 @@ The following types of commits are cherry-picked onto those branches:
 * hardware database additions, especially the keymap updates
 * small non-conflicting features deemed safe to add in a stable release
 
-Please try to ensure that anything backported to the stable repository is done with the `git cherry-pick -x` option such that text stating the original SHA1 is added into the commit message.
+Please try to ensure that anything backported to the stable repository is done
-This makes it easier to check where the code came from (as sometimes it is necessary to add small fixes as new code due to the upstream refactors) that are deemed too invasive to backport as a stable patch.
+with the `git cherry-pick -x` option such that text stating the original SHA1 is added into the commit message.
+This makes it easier to check where the code came from
+(as sometimes it is necessary to add small fixes as new code due to the upstream refactors)
+that are deemed too invasive to backport as a stable patch.
+
+Pull requests for the stable branches should be tagged with `stable-branch`.
+
+Pull requests that shall be backported to stable releases,
+should be tagged with `needs-stable-backport`.
+See [pull requests marked for backporting](https://github.com/systemd/systemd/pulls?q=is%3Apr+label%3Aneeds-stable-backport).
+If only some commits should be backported, this should be mentioned in the pull request.
+If the backport is not obvious, additional justification can also be provided in the pull request.

man/custom-entities.ent.in

@@ -18,5 +18,5 @@
 <!ENTITY DEFAULT_TIMEOUT "{{DEFAULT_TIMEOUT_SEC}} s">
 <!ENTITY DEFAULT_USER_TIMEOUT "{{DEFAULT_USER_TIMEOUT_SEC}} s">
 <!ENTITY DEFAULT_KEYMAP "{{SYSTEMD_DEFAULT_KEYMAP}}">
-<!ENTITY fedora_latest_version "42">
+<!ENTITY fedora_latest_version "43">
-<!ENTITY fedora_cloud_release "1.1">
+<!ENTITY fedora_cloud_release "1.6">

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/pkgenv.conf

@@ -5,5 +5,5 @@ Environment=
         GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
         GIT_SUBDIR=debian
         GIT_BRANCH=debian/master
-        GIT_COMMIT=5650452e6b0b430f44d3d48b7322c2b3c8b9477f
+        GIT_COMMIT=efdd7a6377c7251011ca2c1a59115d482d25fe61
         PKG_SUBDIR=debian

src/basic/basic-forward.h

@@ -117,7 +117,12 @@ typedef struct SocketAddress SocketAddress;
 /* We duplicate various commonly used constants here so we can keep most static inline functions without
  * having to include the full header that provides these constants. */
 
+/* glibc defines AT_FDCWD as -100, but musl defines it as (-100). */
+#ifdef __GLIBC__
 #define AT_FDCWD                -100
+#else
+#define AT_FDCWD                (-100)
+#endif
 #define AT_EMPTY_PATH           0x1000
 #define AT_SYMLINK_FOLLOW       0x400
 #define AT_SYMLINK_NOFOLLOW     0x100

src/boot/linux.c

@@ -113,48 +113,40 @@ static EFI_STATUS load_via_boot_services(
         return log_error_status(err, "Error starting kernel image with shim: %m");
 }
 
-static EFI_STATUS kernel_set_nx(EFI_PHYSICAL_ADDRESS addr, uint64_t length) {
+static EFI_STATUS memory_mark_ro_x(EFI_MEMORY_ATTRIBUTE_PROTOCOL *memory_proto, struct iovec *nx_section) {
-        EFI_MEMORY_ATTRIBUTE_PROTOCOL *memory_proto;
         EFI_STATUS err;
 
-        err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_MEMORY_ATTRIBUTE_PROTOCOL), NULL, (void **) &memory_proto);
+        assert(memory_proto);
-        if (err != EFI_SUCCESS) {
+        assert(nx_section);
-                /* only log if the UEFI should have support in the first place (version >=2.10) */
-                if (ST->Hdr.Revision >= ((2U << 16) | 100U))
-                        log_debug("No EFI_MEMORY_ATTRIBUTE_PROTOCOL found, skipping NX_COMPAT support.");
 
-                return EFI_SUCCESS; /* ignore if firmware lacks support */
+        /* As per MSFT requirement, memory pages need to be marked W^X, so mark code pages RO+X.
-        }
+         * Firmwares will start enforcing this at some point in the near-ish future.
+         * The kernel needs to mark this as supported explicitly, otherwise it will crash.
+         * https://microsoft.github.io/mu/WhatAndWhy/enhancedmemoryprotection/
+         * https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/ */
 
-        err = memory_proto->SetMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_RO);
+        err = memory_proto->SetMemoryAttributes(memory_proto, POINTER_TO_PHYSICAL_ADDRESS(nx_section->iov_base), nx_section->iov_len, EFI_MEMORY_RO);
         if (err != EFI_SUCCESS)
                 return log_error_status(err, "Cannot make kernel image read-only: %m");
 
-        err = memory_proto->ClearMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_XP);
+        err = memory_proto->ClearMemoryAttributes(memory_proto, POINTER_TO_PHYSICAL_ADDRESS(nx_section->iov_base), nx_section->iov_len, EFI_MEMORY_XP);
         if (err != EFI_SUCCESS)
                 return log_error_status(err, "Cannot make kernel image executable: %m");
 
         return EFI_SUCCESS;
 }
 
-static EFI_STATUS kernel_clear_nx(EFI_PHYSICAL_ADDRESS addr, uint64_t length) {
+static EFI_STATUS memory_mark_rw_nx(EFI_MEMORY_ATTRIBUTE_PROTOCOL *memory_proto, struct iovec *nx_section) {
-        EFI_MEMORY_ATTRIBUTE_PROTOCOL *memory_proto;
         EFI_STATUS err;
 
-        err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_MEMORY_ATTRIBUTE_PROTOCOL), NULL, (void **) &memory_proto);
+        assert(memory_proto);
-        if (err != EFI_SUCCESS) {
+        assert(nx_section);
-                /* only log if the UEFI should have support in the first place (version >=2.10) */
-                if (ST->Hdr.Revision >= ((2U << 16) | 100U))
-                        log_debug("No EFI_MEMORY_ATTRIBUTE_PROTOCOL found, skipping NX_COMPAT support.");
 
-                return EFI_SUCCESS; /* ignore if firmware lacks support */
+        err = memory_proto->SetMemoryAttributes(memory_proto, POINTER_TO_PHYSICAL_ADDRESS(nx_section->iov_base), nx_section->iov_len, EFI_MEMORY_XP);
-        }
-
-        err = memory_proto->SetMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_XP);
         if (err != EFI_SUCCESS)
                 return log_error_status(err, "Cannot make kernel image non-executable: %m");
 
-        err = memory_proto->ClearMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_RO);
+        err = memory_proto->ClearMemoryAttributes(memory_proto, POINTER_TO_PHYSICAL_ADDRESS(nx_section->iov_base), nx_section->iov_len, EFI_MEMORY_RO);
         if (err != EFI_SUCCESS)
                 return log_error_status(err, "Cannot make kernel image writable: %m");
 
@@ -245,15 +237,25 @@ EFI_STATUS linux_exec(
         if (err != EFI_SUCCESS)
                 return err;
 
-        /* As per MSFT requirement, memory pages need to be marked W^X.
+        /* As per MSFT requirement, memory pages need to be marked W^X, so mark code pages RO+X.
          * Firmwares will start enforcing this at some point in the near-ish future.
          * The kernel needs to mark this as supported explicitly, otherwise it will crash.
          * https://microsoft.github.io/mu/WhatAndWhy/enhancedmemoryprotection/
          * https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/ */
-        _cleanup_free_ EFI_PHYSICAL_ADDRESS *nx_sections_addrs = NULL;
+        EFI_MEMORY_ATTRIBUTE_PROTOCOL *memory_proto = NULL;
-        _cleanup_free_ uint64_t *nx_sections_lengths = NULL;
+        _cleanup_free_ struct iovec *nx_sections = NULL;
-        size_t nx_sections = 0;
+        size_t n_nx_sections = 0;
-        bool nx_compat = pe_kernel_check_nx_compat(kernel->iov_base);
+
+        if (pe_kernel_check_nx_compat(kernel->iov_base)) {
+                /* LocateProtocol() is not quite that quick if you have many protocols, so only look for it
+                 * if required for NX_COMPAT */
+                err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_MEMORY_ATTRIBUTE_PROTOCOL), /* Registration= */ NULL, (void **) &memory_proto);
+                if (err != EFI_SUCCESS)
+                        /* Only warn if the UEFI should have support in the first place (version >= 2.10) */
+                        log_full(err,
+                                 ST->Hdr.Revision >= ((2U << 16) | 100U) ? LOG_WARNING : LOG_DEBUG,
+                                 "No EFI_MEMORY_ATTRIBUTE_PROTOCOL found, skipping NX_COMPAT support.");
+        }
 
         const PeSectionHeader *headers;
         size_t n_headers;
@@ -284,17 +286,16 @@ EFI_STATUS linux_exec(
                         h->VirtualSize - h->SizeOfRawData);
 
                 /* Not a code section? Nothing to do, leave as-is. */
-                if (nx_compat && ((h->Characteristics & PE_CODE) || (h->Characteristics & PE_EXECUTE))) {
+                if (memory_proto && (h->Characteristics & (PE_CODE|PE_EXECUTE))) {
-                        nx_sections_addrs = xrealloc(nx_sections_addrs, nx_sections * sizeof(EFI_PHYSICAL_ADDRESS), (nx_sections + 1) * sizeof(EFI_PHYSICAL_ADDRESS));
+                        nx_sections = xrealloc(nx_sections, n_nx_sections * sizeof(struct iovec), (n_nx_sections + 1) * sizeof(struct iovec));
-                        nx_sections_lengths = xrealloc(nx_sections_lengths, nx_sections * sizeof(uint64_t), (nx_sections + 1) * sizeof(uint64_t));
+                        nx_sections[n_nx_sections].iov_base = loaded_kernel + h->VirtualAddress - image_base;
-                        nx_sections_addrs[nx_sections] = POINTER_TO_PHYSICAL_ADDRESS(loaded_kernel + h->VirtualAddress - image_base);
+                        nx_sections[n_nx_sections].iov_len = h->VirtualSize;
-                        nx_sections_lengths[nx_sections] = h->VirtualSize;
 
-                        err = kernel_set_nx(nx_sections_addrs[nx_sections], nx_sections_lengths[nx_sections]);
+                        err = memory_mark_ro_x(memory_proto, &nx_sections[n_nx_sections]);
                         if (err != EFI_SUCCESS)
                                 return err;
 
-                        ++nx_sections;
+                        ++n_nx_sections;
                 }
         }
 
@@ -337,8 +338,8 @@ EFI_STATUS linux_exec(
         /* On failure we'll free the buffers. EDK2 requires the memory buffers to be writable and
          * non-executable, as in some configurations it will overwrite them with a fixed pattern, so if the
          * attributes are not restored FreePages() will crash. */
-        for (size_t i = 0; i < nx_sections; i++)
+        for (size_t i = 0; i < n_nx_sections; i++)
-                (void) kernel_clear_nx(nx_sections_addrs[i], nx_sections_lengths[i]);
+                (void) memory_mark_rw_nx(memory_proto, &nx_sections[i]);
 
         return log_error_status(err, "Error starting kernel image: %m");
 }

src/boot/pe.c

@@ -9,7 +9,7 @@
 
 #define DOS_FILE_MAGIC "MZ"
 #define PE_FILE_MAGIC  "PE\0\0"
-#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
+#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100U
 
 #if defined(__i386__)
 #  define TARGET_MACHINE_TYPE 0x014CU

src/boot/pe.h

@@ -4,8 +4,8 @@
 #include "efi.h"
 
 /* PE flags in the Characteristics attribute of the optional header indicating executable code */
-#define PE_CODE 0x00000020
+#define PE_CODE 0x00000020U
-#define PE_EXECUTE 0x20000000
+#define PE_EXECUTE 0x20000000U
 
 /* This is the actual PE format of the section header */
 typedef struct PeSectionHeader {