sd-cryptenroll TPM2 PIN protected unlock#22563
Merged
poettering merged 8 commits intosystemd:mainfrom Mar 16, 2022
Merged
Conversation
e9347ca to
d787b1d
Compare
Member
How difficult is it to set this up? Is it supported natively in Ubuntu? |
Contributor
Author
You are talking about swtpm for testing? That is pretty simple. Start swtpm, and make the emulated TPM appear as a real device with the VTPM proxy kernel module. I use this script to start and initialize swtpm. |
Member
Yes - where do you get swtpm from? Is it packaged in Ubuntu? |
Contributor
Author
Sorry, I don't think so. But it should be easy to build, just get it from https://github.com/stefanberger/swtpm? |
Member
|
We don't want to get in the business of manually building dependencies. But it looks like it is there: https://launchpad.net/ubuntu/+source/swtpm I can backport this in the PPA. Is there a minimum version required? |
Contributor
Author
|
I've been using version 0.7.0 of swtpm, but looking at the changelog, version 0.6.1 which the PPA provides should be fine too. |
Member
|
I can get that done - if you want to give a shot to adding a new test, you'd need a setup/runner like this one in a new directory (also remember the Makefile symlink): https://github.com/systemd/systemd/blob/main/test/TEST-50-DISSECT/test.sh Then a boilerplate unit like https://github.com/systemd/systemd/blob/main/test/units/testsuite-50.service which should be pretty simple, and the actual test script ran inside qemu is something like this https://github.com/systemd/systemd/blob/main/test/units/testsuite-50.sh These 4 files are all you need to add a new test, then you can run it locally with |
poettering
requested changes
Feb 18, 2022
Member
|
having a test suite for the TPM2 stuff would be phenomenal, of course. |
Member
This is highly relevant either way. I tried to find some prior art how this is done elsewhere, but couldn't find anything. As it appears most code that uses the intel TPM2 stack does not employ parameter encryption right now. :-( |
Member
Yes, this is a limitation of the Intel stack versus the IBM one (which supports this). But nobody uses the IBM one, and it's largely not maintained in distros. It's really a sad state, especially when you consider how much money and effort has been put into solving this problem by moving the TPM implementation to the firmware (fTPM) or to the CPU (titan, pluton)... all because the Intel stack doesn't implement the on-transit encryption part of the spec |
Member
|
Hmm, so right now you pass the PIN literally to the policy. I wonder if it wouldn't be smarter to hash it first, that way the size limitations on the PIN go away. i.e. this detail of the backing technology should probably be hidden away. we probably should also salt it if we hash it, so that if someone sees the stream of TPM2 commands they at least can't derive the literal password via rainbow tables or so from it. Hence maybe instead of the JSON boolean field, add a subobject that for now just contains one value, the salt in base64. Place 256 bit of randomness in there, append that to the supplied password, and calculate SHA256 of it, then pass that to the TPM2 stack as PIN. For the regular password-based unlocking we allow arbitrary keys after all, and I think given how simple this is we should try to make this behave alike. |
Member
Nah, the intel stack supports it, but noone is using it that I could find at least. See: (which i found via: https://ml01.01.org/hyperkitty/list/tpm2@lists.01.org/message/222E6BUOMPEMU7UFHXDAQFB7LPZERBRT/) |
Member
|
Interesting, I didn't know it was supported |
Contributor
Author
|
Yeah looks like there is some support for parameter encryption in the tpm2-tss stack, but its a whole new can of worms. By the way, there is a free book on TPM 2.0 available. It's still a bit fuzzy to me how parameter encryption actually works even with the details provided there nonetheless. |
Contributor
Author
Yes, I agree. I didn't bother to do it to keep it simple. I'll get to it, sounds like a good and simple improvement.
Or just use HMAC? It's already ready to use in systemd utility functions. |
Contributor
Author
|
By the way, I addressed a bunch of the review issues (thanks for the nice & quick review)! I just added the changes on top for now. Some of the commits I intend to squash into previous commits at the end, but not all. I'm not sure, how important is a "clean history"? |
Member
It's a requirement, please squash in the appropriate commits - also if you rebase on latest main, it should fix the rpm-build Ci issues |
Contributor
Author
|
Thinking about hashing and salting once more, I don't think salting is worth the effort. If an attacker can listen to TPM interface traffic, what's the point of protecting the PIN if the LUKS encryption key is transmitted in plain text, after all? If we want to protect against interface snooping, parameter encryption seems to be the only effective way. |
Member
Sure why not. hmac using the password as key and the salt as message to authenticate sounds great and should be beyond most doubts |
Member
it's nice in case of password reuse? i.e. if the pw is typed in by humans then they might be tempted to reuse the same password on multiple disks. I mean, we kinda push people towards that with the password caching logic in systemd-cryptsetup... so if it might be good that if you listen to TPM2 traffic you will only be able to unlock one disk instead of all that use the same pw |
Contributor
Author
Alright, that makes some sense, I didn't have this scenario in mind. If we want to employ parameter encryption (which we do? I intend to work on this as a follow-up to this PR), I still think we should keep it simple for now (i.e. just use a basic, unsalted hash, to allow long PINs to be used). The PIN salt would be superfluous in that case. |
Member
|
Dunno, I'd use the HMAC stuff, simply because it is easy to do, i.e. we have most stuff in place: the hmac_sha256() call already exists, and we can store the salt nicely via the base64 helpers we already have for the JSON generator/parser. But then again, i'd merge it with a simple unsalted sha256 hash or so, too. |
d9cf760 to
1eadb43
Compare
Contributor
Author
|
I have a couple of tests running now, it was easier than I thought. qemu can directly communicate with swtpm through a socket, so we don't even need the vtpm proxy module. The only problem I can see is that tss2 loads some libraries at runtime, and I haven't found a good way to copy them into place in a portable way. |
bluca
reviewed
Feb 24, 2022
poettering
reviewed
Mar 14, 2022
poettering
requested changes
Mar 14, 2022
Member
|
almost ready |
Member
|
this will unblock #22630 once merged. |
Modify TPM2 authentication policy to optionally include an authValue, i.e. a password/PIN. We use the "PIN" terminology since it's used by other systems such as Windows, even though the PIN is not necessarily numeric. The pin is hashed via SHA256 to allow for arbitrary length PINs. v2: fix tpm2_seal in sd-repart v3: applied review feedback
Add support for PIN enrollment with TPM2. A new "tpm2-pin" field is introduced into metadata to signal that the policy needs to include a PIN. v2: fix tpm2_make_luks2_json in sd-repart
Extend cryptsetup for TPM2 pin entry, similar to FIDO2.
This is unfinished: we don't have any way to actually query for PINs interactively this way. It is similar to FIDO2 and PKCS#11 in this regard. Nonetheless, this code is capable of validating and dumping tokens, so it is already useful as-is.
Handle the case where TPM2 metadata is not available and explicitly provided in crypttab. This adds a new "tpm2-pin" option to crypttab options for this purpose.
Add tests for enrolling and unlocking. Various cases are tested: - Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR) - PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN) - Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0) v2: rename test, fix tss2 library installation, fix CI failures v3: fix ppc64, load module
272ff77 to
fd8b924
Compare
Member
|
excellent work! thanks so much! |
anatol
added a commit
to anatol/booster
that referenced
this pull request
Dec 12, 2022
Counterpart implementation of systemd/systemd#22563 Implements #198
anatol
added a commit
to anatol/booster
that referenced
this pull request
Dec 14, 2022
Counterpart implementation of systemd/systemd#22563 Implements #198
anatol
added a commit
to anatol/booster
that referenced
this pull request
Dec 22, 2022
Counterpart implementation of systemd/systemd#22563 Implements #198
anatol
added a commit
to anatol/booster
that referenced
this pull request
Dec 24, 2022
Counterpart implementation of systemd/systemd#22563 Implements #198
anatol
added a commit
to anatol/booster
that referenced
this pull request
Feb 28, 2023
Counterpart implementation of systemd/systemd#22563 Implements #198
kyllikki
pushed a commit
to pexip/os-systemd
that referenced
this pull request
Nov 10, 2023
systemd (252.17-1~deb12u1) bookworm; urgency=medium
.
* New upstream version 252.17. Fixes minor security issue in arm64
and riscv64 systemd-boot (EFI) with device tree blobs loading:
GHSA-6m6p-rjcq-334c
.
systemd (252.16-1~deb12u1) bookworm; urgency=medium
.
* New upstream version 252.16
* Refresh patches for v252.16
.
systemd (252.14-1~deb12u1) bookworm; urgency=medium
.
* New upstream version 252.14
* Refresh patches for 252.14
.
systemd (252.12-1~deb12u1) bookworm; urgency=medium
.
* New upstream version 252.12
* Refresh patches for v252.12
.
systemd (252.11-1~deb12u1) bookworm; urgency=medium
.
* Upload to bookworm.
.
systemd (252.11-1) unstable; urgency=medium
.
* New upstream version 252.11
* Refresh patches
.
systemd (252.6-1) unstable; urgency=medium
.
* Update timedated autopkgtest. We no longer support /etc/timezone, as
/etc/localtime is always available (cherry picked from commit
6ef7bb0ce0f89e732a8b95624af059e52c3712b5)
* Stop supporting /etc/timezone and just rely on /etc/localtime
* systemd-boot: update on package upgrade, if installed
* Override Lintian warning in systemd-coredump
* d/watch: restrict to v252.x for bookworm
* New upstream version 252.6
* Refresh patches
* systemd-boot: enable on install (Closes: #1031118)
.
systemd (252.5-2) unstable; urgency=medium
.
* Fix boot-and-services autopkgtest.
.
systemd (252.5-1) unstable; urgency=medium
.
[ Nick Rosbrook ]
* debian/tests: remove systemd-fsckd autopkgtest. This test never runs
in Debian autopkgtest because of missing machine isolation
requirements, and it nevers runs in Ubuntu because: SKIP: root file
system is being checked by initramfs already Since the test is not
providing any good feedback, and generally has not been maintained,
let's just remove it.
.
[ Luca Boccassi ]
* New upstream version 252.5
* Drop patches merged in v252.5
* Refresh patches
* Set default status format to 'combined': show both unit name and
description in logs/boot messages
.
systemd (252.4-2) unstable; urgency=medium
.
[ Michael Biebl ]
* Refresh patches
* Tweak description of systemd and systemd-sysv package.
Remove redundancy and de-emphasize sysvinit.
* autopkgtest: add psmsic to upstream suite.
Needed for the killall binary.
See systemd/systemd#24569
* autopkgtest: add xkb-data, locales and locales-all to upstream suite.
Use locales-all so all necessary locales can be installed into the test
image without having to generate them on-the-fly.
See systemd/systemd#23709
* autopkgtest: prefer knot-dnssecutils over knot-dnsutils for upstream
suite.
The kzonecheck utility required by TEST-75-RESOLVED was split out from
knot-dnsutils into knot-dnssecutils so update the test dependencies
accordingly. Keep knot-dnsutils as alternative dependency to make
backports easier.
* Cherry-pick upstream fixes for TEST-74-AUX-UTILS
* Cherry-pick upstream fix for TEST-73-LOCALE
* Skip firstboot --prompt-keymap check in TEST-74-AUX-UTILS.
This test requires compatible keymaps from kbd which are not available
in Debian.
.
[ Luca Boccassi ]
* autopkgtest: add netlabel-tools to networkd-test.py suite.
The netlabelctl tool is needed to test the NetLabel integration.
See systemd/systemd#23888
* autopkgtest: add bsdutils to upstream suite.
The logger utility is now used in TEST-04-JOURNAL.
See systemd/systemd#23086
* autopkgtest: add knot, knot-dnsutils, bind9-dnsutils, bind9-host to
upstream suite.
Needed by TEST-75-RESOLVED.
See systemd/systemd#23104
* autopkgtest: add jq to upstream suite.
Needed by TEST-58-REPART.
See systemd/systemd#24572
* autopkgtest: add mtools to upstream suite.
Needed by TEST-58-REPART.
See systemd/systemd#24944
* autopkgtest: add erofs-utils to upstream suite.
Needed by TEST-58-REPART.
See systemd/systemd#25686
.
systemd (252.4-1) unstable; urgency=medium
.
* Enable p11kit. Backport patch to dlopen-ify p11kit support and enable
it. (Closes: #1023635)
* New upstream version 252.4. (Closes: #1026831 and fixes CVE-2022-4415)
* Refresh patches
* Bump Standards-Version to 4.6.2, no changes
.
systemd (252.3-2) unstable; urgency=medium
.
* Skip flaky test_resolved_domain_restricted_dns in networkd-test.py.
This test is part of DnsmasqClientTest and does not work reliably under
LXC/debci, so skip it for the time being. (Closes: #1025908)
.
systemd (252.3-1) unstable; urgency=medium
.
* New upstream version 252.3
* Rebase patches
.
systemd (252.2-2) unstable; urgency=medium
.
* Keep policykit-1 as alternative dependency to polkitd for systemd.
This will make backports easier.
* Update remaining policykit-1 (test) dependencies and prefer polkitd.
Keep the policykit-1 dependency as alternative for easier backports.
(Closes: #1025591)
.
systemd (252.2-1) unstable; urgency=medium
.
[ Helmut Grohne ]
* Explicitly B-D on libcrypt-dev (Closes: #1024646)
.
[ Nick Rosbrook ]
* Add handling for /etc/default/locale to firstboot. The TEST-74-AUX-
UTILS upstream test revealed that firstboot does not currently handle
Debian's /etc/default/locale.
.
[ Luca Boccassi ]
* Build depend on dh-package-notes, sequence was removed. Only the
makefile is in use now, no files are generated at build time as
--package-metadata from the linkers is used now
* New upstream version 252.2
* Refresh patches
.
systemd (252.1-1) unstable; urgency=medium
.
* d/watch: switch back to stable repository
* New upstream version 252.1 (Closes: #1023607 #1023515)
* Drop patches merged upstream
* Refresh patches
* Suggest polkitd instead of policykit-1 (deprecated)
.
systemd (252-3) unstable; urgency=medium
.
* Backport patches to fix tmpfiles error and missing /dev/serial/by-
id/usb-* (Closes: #1023311)
* Drop :native suffix from python3-pyparsing build dependency (Closes:
#1023442)
* Enable support for libqrencode. dlopen() feature so no additional cost.
Allows printing out recovery keys in QR format.
.
systemd (252-2) unstable; urgency=medium
.
[ Jochen Sprickerhof ]
* Let dh_installsysusers fix the /var/log/journal permissions.
dh_installsysusers adds a systemd-sysusers in #DEBHELPER#. Otherwise
it fails with: /usr/lib/tmpfiles.d/systemd.conf:28: Failed to resolve
group 'systemd-journal'. Regression of fa0aade329. (Closes: #1023248)
* Move restarting units after #DEBHELPER#. This makes sure that systemd-
sysusers was executed as well as systemd-tmpfiles to setup proper
permissions for /var/log/journal before systemd-journald is being
restarted.
.
systemd (252-1) unstable; urgency=medium
.
* Use systemd-sysusers to setup systemd users and groups
* New upstream version 252
* Drop patches merged upstream
* libsystemd0: set symbols version to 252
* Drop unused lintian override
.
systemd (252~rc3-2) unstable; urgency=medium
.
* Upload to unstable.
.
systemd (252~rc3-1) experimental; urgency=medium
.
* New upstream version 252~rc3
* Refresh patches
* Backport patches to fix tests without machine-id. Drop out-of-tree
patch and backport upstream fixes.
.
systemd (252~rc2-1) experimental; urgency=medium
.
[ Jan Kiszka ]
* Enable systemd-boot for riscv64. Tested against U-Boot 2022.10 as UEFI
provider on the RZ/Five. Signed-off-by: Jan Kiszka
<jan.kiszka@siemens.com>
.
[ Helmut Grohne ]
* Conditionalize installation of cryptsetup plugins in stage1 using dh-
exec (Closes: #1021821)
.
[ Michael Biebl ]
* Install sysusers.d and tmpfiles.d man pages in standalone packages
(Closes: #1021933)
.
[ Luca Boccassi ]
* d/watch: switch to non-stable repo
* New upstream version 252~rc2
* Drop patches merged upstream
* Refresh patches
* Update symbols file
* Update Lintian overrides
* autopkgtest: update expected output of localectl
.
systemd (251.6-1) unstable; urgency=medium
.
* New upstream version 251.6
* Rebase patches
* Use dh_installsystemd to enable machines.target in systemd-container
.
systemd (251.5-3) unstable; urgency=medium
.
* Update symbol versions for the v251 release
* ata_id: fix getting Response Code from SCSI Sense Data (Closes: #1021579)
* logind: do not emit beep in wall messages (Closes: #1019510)
* logind: remember our idle state and use it to detect idle level
transitions (Closes: #963135)
* logind: fix getting property OnExternalPower via D-Bus (Closes: #1021644)
.
systemd (251.5-2) unstable; urgency=medium
.
[ Luca Boccassi ]
* Build and install libcryptsetup token plugins.
The interfaces are now mature and enabled in Debian/Ubuntu in
libcryptsetup, so enable and ship the plugins
.
[ Michael Biebl ]
* salsa-ci: drop no longer needed workaround for lintian false positives
* udev: fix regression in udev-builtin path_id when processing NVME devices
(Closes: #1021547)
.
[ наб ]
* systemd-sysv.postinst: which -> command -v
.
systemd (251.5-1) unstable; urgency=medium
.
[ Michael Biebl ]
* New upstream version 251.5
* Install NEWS.Debian file into all binary packages.
While it increases the disk footprint a little, it ensures that NEWS
entries are reliably shown by apt-listchanges.
* Handle removal of /var/log/README.
Remove /var/log/README symlink when the systemd package is purged.
This symlink is created via tmpfiles and documents that /var/log no
longer contains the traditional syslog text files. (Closes: #877414)
* Rebase patches
.
[ наб ]
* debian/extra/kernel/postinst.d/systemd-boot: prefix with zz-
Since we explicitly (though this is hidden by indirection through
85-initrd.install) depend on /boot/initrd.img-$1 existing or not existing,
hard-order ourselves at the end. The zz- prefix matches grub.
* debian/extra/kernel-install.d/85-initrd.install: install default initrd
with versioned basename.
This fixes #1020396 in a superior way by using
$KERNEL_INSTALL_STAGING_AREA, available since systemd v251.
By just copying the file we both simplify our code, but defer to
90-loaderentry to correctly permission it, and simply never generate an
unversioned initrd in the first place! (Closes: #1020396)
* debian/extra/kernel-install.d/85-initrd.install: explicitly ignore unknown
verbs
* debian/extra/kernel/postrm.d/systemd-boot: prefix with zz-
Doesn't actually matter, but the kernel handbook says we must and we
already renamed postinst. (Closes: #1014581)
.
[ Luca Boccassi ]
* Enable firstboot, disabled by default on Debian.
Currently the first-boot conditions are not met by any Debian
image (/etc/machine-id with content uninitialized, so we can
just enable the build and ship it in the main package.
This lets image builders (eg: cloud images) tinker with it.
https://www.freedesktop.org/software/systemd/man/machine-id.html#First%20Boot%20Semantics
(Closes: #844528)
.
systemd (251.4-3) unstable; urgency=medium
.
* resolv.conf: take backup as a fallback in case resolved/resolv.conf
is not available, and restore on uninstall, which is necessary for
piuparts checks.
.
systemd (251.4-2) unstable; urgency=medium
.
[ Johannes Schauer Marin Rodrigues ]
* use systemd-sysusers instead of adduser. This allows dropping the
dependency on adduser (reducing the dependency set) and in turn allows
for DPKG_ROOT support of systemd.
* debian/systemd.postinst: add --root argument to systemctl and
systemd-* calls for DPKG_ROOT support
.
[ Luca Boccassi ]
* resolved: use DPKG_ROOT and make postinst shellcheck-happy
* resolved: switch from .links to postinst/rm
* Update Lintian overrides for new incompatible syntax
.
systemd (251.4-1) unstable; urgency=medium
.
* New upstream version 251.4
* Rebase patches
* Rebuild against fixed dh-nss to avoid duplicates in /etc/nsswitch.conf
(Closes: #1017096)
.
systemd (251.3-2) unstable; urgency=medium
.
[ Luca Boccassi ]
* libnss-systemd: also let userdbd manage passwords.
As of upstream commit:
systemd/systemd@f43a19ecd6e3415e
in v249 userdbd can also synthesize shadow/gshadow records,
so add the shadow config to nsswitch.conf on installation.
(Closes: #1004326)
* homed: make PAM rules higher priority than unix users.
Make sure homed is tried first when logging in. This is required
after adding nss-systemd support for 'shadow' in /etc/nsswitch.conf.
See Arch bug: https://bugs.archlinux.org/task/72967
.
[ Gioele Barabucci ]
* d/control: Use dh_installnss
* d/libnss-myhostname.nss: Install NSS service `myhostname` via dh_installnss
* d/libnss-mymaschines.nss: Install NSS service `mymaschines` via dh_installnss
* d/libnss-resolve.nss: Install NSS service `resolve` via dh_installnss
* d/libnss-systemd.nss: Install NSS service `systemd` via dh_installnss
.
systemd (251.3-2~exp2) experimental; urgency=medium
.
* Note in systemd.NEWS that resolved has moved to a new package
* systemd-resolved: move conffile from systemd. Copied from systemd-
timesyncd
.
systemd (251.3-2~exp1) experimental; urgency=medium
.
* Split systemd-resolved into its own package which takes over
/etc/resolv.conf (Closes: #939904)
.
systemd (251.3-1) unstable; urgency=medium
.
* New upstream version 251.3
* Rebase patches
.
systemd (251.2-8) unstable; urgency=medium
.
* autopkgtest: install openssl for upstream test.
Install openssl explicitly and do not rely on other packages, like
swtpm-libs, to pull this dependency for us.
Used by TEST-50-DISSECT, which otherwise just silently skips the test.
* Add versioned dependency on init-system-helpers to systemd-homed.
Ensure that we have a version of deb-systemd-helper which properly
handles loops in Also= dependencies. (Closes: #1014115)
* Demote shlibs dependencies of libsystemd0 from Pre-Depends to Depends.
As systemctl, which is quasi-essential, no longer links against
libsystemd0, we do not need those strict requirements anymore.
* Work around some more dh_installman issues
.
systemd (251.2-7) unstable; urgency=medium
.
[ Luca Boccassi ]
* sd-boot: add kernel hooks scripts
.
[ Andrea Pappacoda ]
* sd-boot: add initramfs hook (Closes: #826045)
.
[ Michael Biebl ]
* sd-boot: exit early in initramfs and kernel hook scripts if package is
removed but not purged
* Do not fail with older binutils.
Test if the linker supports --no-warn-execstack and --no-warn-rwx-segments
before using those flags. (Closes: #1013967)
.
systemd (251.2-6) unstable; urgency=medium
.
[ Helmut Grohne ]
* Mark systemd-userdbd and systemd-homed as !stage1 (Closes: #1012738)
.
[ Luca Boccassi ]
* Remove unused Lintian overrides
* Stop overriding the build directory name.
We don't do a separate udeb build anymore, so there's no need
to specify a separate build directory.
* Use execute_before_/after_ instead of override_
* Add nodoc profile support.
Co-authored-by: Michael Biebl <biebl@debian.org>
.
[ Michael Biebl ]
* Do not fail EFI build with newer binutils (Closes: #1013482)
* shared/microhttp-util: silence gcc warning
* Clarify NEWS message about systemd-boot split (Closes: #1013340)
.
systemd (251.2-5) unstable; urgency=medium
.
* Tweak description of systemd-homed package
* Move shlibs dependencies of libsystemd-shared from Pre-Depends to Depends
(Closes: #1012637)
* Add versioned Breaks against sicherboot for the systemd-boot split
(Closes: #1012625)
* Drop old Conflicts against hal from udev.
The hal package has been gone for several release cycles, so this
Conflicts should not be necessary anymore.
.
systemd (251.2-4) unstable; urgency=medium
.
* Use try-restart in systemd-binfmt dpkg trigger
* Fix bashism in kernel-install
* Upload to unstable
.
systemd (251.2-3) experimental; urgency=medium
.
[ Luca Boccassi ]
* Add systemd-userdbd package. This can be used to synthetize dynamic
user/groups, and can be useful by itself. It will also be used by
homed.
* Add systemd-homed package (Closes: #976960)
* Add systemd-boot-efi multiarch package. Allows EFI binaries for
different architectures to be co-installed. Useful when the EFI has a
different architecture, or to manipulate images. The userspace tooling
doesn't need to match the EFI binaries. Also allows one to reduce the
number of packages and dependencies needed when i386 is not a full
architecture, but a subset for libraries and for EFI support.
.
[ Michael Biebl ]
* Move homectl and userdbctl to /usr/bin
* Install libsystemd-shared into rootpkglibdir
* Split out libsystemd-shared into its own package. Since libsystem-
shared is an internal implementation detail, do not generate a shlibs
file for it. This means dh_shlibdeps needs to be told explicitly where
it can find libsystemd-shared. Mark this new package as Multi-Arch:
same. (Closes: #990547)
* Split out systemd-boot into its own package
* Add NEWS entry for the systemd-boot package split
.
systemd (251.2-2) unstable; urgency=medium
.
* sha256: fix compilation on efi-ia32
.
systemd (251.2-1) unstable; urgency=medium
.
[ Michael Biebl ]
* New upstream version 251.2
- logind: do not print wall messages to local pseudoterminals
(Closes: #1012155)
* Rebase patches
* Fix parsing of command line options in fsckd (Closes: #1009032)
* Do not require a valid version when parsing sd-boot loader entries
(Closes: #993292)
* Add dpkg file trigger for systemd-binfmt to update binfmt registrations
* Use a single NEWS file shipped in the main systemd package
.
[ Luca Boccassi ]
* autopkgtest: add cryptsetup-initramfs for upstream suite.
Needed for systemd/systemd#23517
.
systemd (251.1-1) unstable; urgency=medium
.
[ Luca Boccassi ]
* Switch from gnutls to openssl. Upstream is slowly phasing out gnutls.
Start switching to openssl. Drops support for '--trust' in the
journal-gatewayd and journal-remote programs.
* New upstream version 251.1
* Add systemd-journal-remote.NEWS to inform about dropping --trust
.
[ Michael Biebl ]
* Enable pager Hyperlink ANSI sequence support. This requires less ≥
563. Add a versioned Breaks accordingly.
* Drop unnecessary version constraints / dependencies
* Update liblz4-dev Build-Depends as per meson.build
.
systemd (251-2) unstable; urgency=medium
.
* Salsa CI: suppress lintian false positive on dbgsym.
* Upload to unstable.
.
systemd (251-1) experimental; urgency=medium
.
* New upstream version 251. For a full list of changes, see:
https://github.com/systemd/systemd/releases/tag/v251
* Refresh patches
* Revert manual removal of ndisc test case, merged upstream
* Bump Standards-Version to 4.6.1, no changes
.
systemd (251~rc3-2) experimental; urgency=medium
.
* Backport removal of ndisc test case, breaks build on armhf/armel.
.
systemd (251~rc3-1) experimental; urgency=medium
.
* autopkgtest: add allow-stderr to boot-and-services. Sometimes we see
some ignored logs, don't fail the test run if that happens
* autopkgtest: disable networkd in rebooting tests. It seems that on
Semaphore CI, running in Bullseye images, having both Network-Manager
and systemd-networkd enabled causes 'systemctl start network-
online.target' to get stuck, and fail the run. Disable networkd in
those tests. See: systemd/systemd#22991
* autopkgtest: mark networkd-test.py as breaks-testbed. It will modify
the network configuration, which will often make the network stop
working. Mark it as breaks-testbed so that a new runner is started.
* autopkgtest: ignore rng-tools-debian failure in boot-and-services. It
seems sometimes it fails, which has happened on jammy-amd64:
https://bugs.debian.org/969568
* New upstream version 251~rc3
* Drop sd-device-always-translate-sysname-to-sysfs-filename.patch,
merged upstream
* Rebase patches
* Update lintian-overrides for false positives
.
systemd (251~rc2-2) experimental; urgency=medium
.
* sd-device: always translate sysname to sysfs filename
.
systemd (251~rc2-1) experimental; urgency=medium
.
* New upstream version 251~rc2
* Rebase patches
* Update symbols file for libsystemd0
.
systemd (251~rc1-3) experimental; urgency=medium
.
[ Luca Boccassi ]
* autopkgtest: install swtpm and tpm2-tools for upstream suite.
Required by systemd/systemd#22563
.
[ Michael Biebl ]
* Do not ship /usr/lib/tmpfiles.d/systemd-resolve.conf in systemd.
It potentially creates a broken symlink if systemd-resolved is not
enabled. For now the symlink to stub-resolv.conf needs to be created
manually. (Closes: #1007018)
* hwdb: fix parsing options (Closes: #1008989)
.
systemd (251~rc1-2) experimental; urgency=medium
.
[ Michael Biebl ]
* Revert "Ignore libsystemd-core in dh_shlibdeps"
This reverts commit c1d5ad5ac989376aa8100dea9ad9d7af0f0408d9.
We need the shlibs dependencies of libsystemd-shared and
libsystemd-core.
* Adjust library search path for dh_shlibdeps.
libsystemd-core uses libsystemd-shared but doesn't have RUNPATH or
RPATH set. So tell dh_shlibdeps where it can find the library.
.
[ Luca Boccassi ]
* autopkgtest: update unit-config test for new relative symlinking.
Required by systemd/systemd#22649
* autopkgtest: install libnss packages for unit-tests suite.
Required to enable nss tests:
systemd/systemd#21975
* autopkgtest: install libnss packages for upstream suite.
Required to enable nss tests:
systemd/systemd#21975
* autopkgtest: install python3-pexpect and screen for upstream suite.
Required for new test:
systemd/systemd#21838
.
systemd (251~rc1-1) experimental; urgency=medium
.
[ Michael Biebl ]
* New upstream version 251~rc1
* Rebase patches
* Update symbols file for libsystemd0
* Install shell completions for oomctl in systemd-oomd
.
[ Luca Boccassi ]
* Ignore libsystemd-core in dh_makeshlibs
* Ignore libsystemd-core in dh_shlibdeps
* Add libsystemd-core to shlibs.local.in
.
systemd (250.4-1) unstable; urgency=medium
.
[ Dimitri John Ledkov ]
* udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i.
.
[ Luca Boccassi ]
* Build with dh_package_notes
* New upstream version 250.4
* Drop patches merged upstream
* Remove unneeded ${shlibs:Depends}
* autopkgtest: add libdw-dev to unit-tests job.
* Rebase patches on top of v250.4
.
systemd (250.3-2) unstable; urgency=medium
.
[ Yu Watanabe ]
* upstream-ci: logind test: use drop-in config
* upstream-ci: logind test: also show logs of systemd-suspend.service
* upstream-ci: logind test: make sure the fake lid switch processed by
udevd. Also, wait for other uevents, which possibly triggered by the
lid switch, being processed.
* upstream-ci: logind test: fix drop-in config.
.
[ Luca Boccassi ]
* Add myself to Uploaders
* systemd-tests: ignore hardening-no-relro too. Test binaries, we don't
care about hardening flags
* Backport patches to fix build reproducibility. EFI binaries have the
path embedded which breaks reproducibility, backport patches from
upstream to fix it.
.
[ Michael Biebl ]
* Add Recommends: dbus-user-session to libpam-systemd. For a fully
functioning systemd --user instance we want dbus-user-session
installed.
* Report status of dbus-user-session in systemd reportbug template. Most
users will likely file bugs for systemd --user related issues against
the main systemd package and not libpam-systemd.
.
systemd (250.3-1) unstable; urgency=medium
.
[ Luca Boccassi ]
* Update d/copyright listing for debian/*
Fixes Lintian warning: update-debian-copyright
* d/copyright: remove unused GPL-2 stanza
* d/watch: bump to version 4
* d/control: drop redundant Section/Priority fields.
Fixes Lintian warning: installable-field-mirrors-source
* d/control: extend descriptions of libudev and libsystemd
* systemd-oomd: add dependency on adduser.
Needed by postinst script.
* systemd-oomd: fix description-synopsis-starts-with-article Lintian warning
* systemd-standalone-*: copy manpages too
* Lintian: ignore very-long-line-length-in-source-file.
It's not a useful check, and it flags test data and such.
* Lintian: ignore source-contains-data-from-ieee-data-oui-db.
Data formats are not compatible, this is for hwdb.
* Lintian: ignore systemd-service-file-missing-install-key.
If we don't add [Install], it's because we don't want it and the units are
events-driven or enabled statically.
* Lintian: ignore spare-manual-page.
Lintian is not really good at associating manpages to package contents,
so just ignore this, as we have and will keep adding docs related
to unit types and so on.
* Lintian: ignore package-supports-alternative-init-but-no-init.d-script.
Well, duh!
* Lintian: ignore package-contains-documentation-outside-usr-share-doc.
False positives on test data and a web page.
* Lintian: ignore current set of package-contains-empty-directory.
These are shipped to provide a skeleton installation.
* Update Lintian override for
systemd-service-file-refers-to-unusual-wantedby-target
* Lintian: ignore systemd: shared-library-lacks-prerequisites false positive
on EFI binary
* Lintian: ignore maintainer-script-calls-systemctl in more packages
* Lintian: ignore executable-not-elf-or-script false positives for EFI
binaries
* Lintian: ignore spellcheck false positives
* Lintian: ignore hardening-no-fortify-functions for test binaries
* Ignore blhc false positives.
blhc hits false positives due to EFI PE-COFF binaries,
c++ fuzzing binaries and meson flags listings, ignore them.
* Add d/gitlab-ci.yml.
Disable unit tests, as some are failing due to the build environment.
.
[ Michael Biebl ]
* New upstream version 250.3
- network: wireguard: do not add routes to AllowedIPs= by default.
(Closes: #1003955)
* Add Recommends: libdw1 to systemd-coredump.
Starting with v250, systemd-coredump will use libdw/libelf via dlopen()
rather than directly linking against it. It is not a hard dependency but
we want to have it installed by default.
While hard-coding the library name is not ideal, we currently don't have
better means to derive this information automatically. (Closes: #1003879)
.
systemd (250.2-3) unstable; urgency=medium
.
[ Luca Boccassi ]
* Build with and suggest fido2 and tpm libraries.
These are used via dlopen only if available by some tools like
systemd-cryptsetup, systemd-cryptenroll and systemd-repart,
with graceful fallbacks if they are not found.
Build-depend on them so that the features get compiled in
(apart from stage1 builds), and add appropriate Suggests.
(Closes: #991129, #1003383)
* Disable libcryptsetup-plugins.
They are new, and might not even be supported by libcryptsetup yet
* Build-depend on libssl-dev.
Required to use libfido2-dev until #1003699 is fixed
.
[ Michael Biebl ]
* Don't stop systemd-oomd.socket during upgrades.
This works around an issue in systemd which doesn't process multiple
units that are passed to systemctl as a single transaction with the
correct ordering. (Closes: #1003641)
.
systemd (250.2-2) unstable; urgency=medium
.
* Ship systemd-oomd.socket in correct systemd-oomd package
* Don't install dbus-org.freedesktop.oom1.service symlink (Closes: #1003580)
.
systemd (250.2-1) unstable; urgency=medium
.
* New upstream version 250.2
- shared/rm-rf: loop over nested directories instead of recursing.
Fixes uncontrolled recursion in systemd-tmpfiles.
(CVE-2021-3997, Closes: #1003467)
* test: explicitly configure oomd stuff via dropins
* autopkgtest: add systemd-oomd dependency to upstream test.
We want systemd-oomd to be tested via the upstream provided
TEST-55-OOMD.
* Rebase patches
* Upload to unstable
.
systemd (250.1-2) experimental; urgency=medium
.
[ Lukas Märdian ]
* d/rules: Enable build of systemd-oomd
* d/control: Ship oomd in a systemd-oomd package.
Deploying the default configuration as used in Fedora.
* Start systemd-oomd.service after package installation
.
[ Michael Biebl ]
* oomd: move oomctl to bindir
* Enable systemd-repart and ship it in the main systemd package.
Add fdisk as test dependency, needed by test-repart which calls sfdisk.
* test-repart: append /sbin and /usr/sbin to $PATH= so sfdisk can be found
.
systemd (250.1-1) experimental; urgency=medium
.
* New upstream version 250.1
* Rebase patches
.
systemd (250-2) experimental; urgency=medium
.
* Drop separate udeb build.
The only real benefit from a separate build apparently is that udev does
not get a dependency on libacl and libselinux. But we have udebs for
those dependencies anyway.
Dropping the separate build basically cuts the build times in half and
simplifies debian/rules quite a bit.
It also brings udev as used in d-i closer to what is actually used in
the installed system, which is a good thing.
* Cherry-pick various fixes targeted for v250-stable
.
systemd (250-1) experimental; urgency=medium
.
* New upstream version 250
* Rebase patches
* Update symbol versions for the v250 release
.
systemd (250~rc3-1) experimental; urgency=medium
.
[ Michael Biebl ]
* New upstream version 250~rc3
* Switch debian-branch to experimental
* Bump meson Build-Depends to (>= 0.53.2)
* Rebase patches
* Update symbols file for libsystemd0
* Update removal of upstream provided license files
* Use -Durlify=false instead of shipping an upstream revert patch
* Explicitly disable OpenSSL support.
We don't want to pick up an OpenSSL dependency in a tainted build
environment and pull a second crypto stack into systemd's dependencies.
* autopkgtest: install dbus-user-session for upstream test.
Required by TEST-43-PRIVATEUSER-UNPRIV and TEST-20-MAINPIDGAMES.
* Revert "Temporarily disable LTO"
* Small updates to debian/copyright
* Remove dbus introspection files
.
[ Luca Boccassi ]
* autopkgtest: install libdw and libelf for upstream test.
Pulled in via dlopen since systemd/systemd#21454
.
systemd (249.7-1) unstable; urgency=medium
.
* New upstream version 249.7
* Rebase patches
.
systemd (249.6-3) unstable; urgency=medium
.
* scope: count successful cgroup additions when delegating via D-Bus
(Closes: #999745)
.
systemd (249.6-2) unstable; urgency=medium
.
* Consider dbus-broker in systemd-logind.service Condition check
(Closes: #999569)
* Temporarily disable LTO.
This is a test to see if it fixes the failure to build reproducibly on
arm*.
* sysusers: split up systemd.conf (Closes: #990349)
.
systemd (249.6-1) unstable; urgency=medium
.
[ Michael Biebl ]
* New upstream version 249.6
* Rebase patches
* test: use kbd-mode-map we ship in one more test case
* Bump Standards-Version to 4.6.0
* Drop obsolete C/R upstart from systemd-sysv
* Drop obsolete dpkg (>= 1.19.3) | systemd-sysv dependency from udev.
It was added to ensure we have a dpkg with --notify-await which is now
satisfied by a dpkg from oldstable.
* Make the C/R against systemd versioned in
systemd-standalone-{sysusers,tmpfiles}
Those were added to facilitate an upgrade from bullseye. The version
makes it more explicit.
* Drop obsolete migration code for RAMTMP, TPMTIME and UTC
.
[ Luca Boccassi ]
* Depend on default-dbus-system-bus | dbus-system-bus.
Allows users to install only a single system bus implementation.
Prefer the default (dbus-daemon).
.
systemd (249.5-2) unstable; urgency=medium
.
[ Helmut Grohne ]
* Fix FTCBFS: Annotate python3-jinja2 dependency with :native
(Closes: #996501)
.
[ Michael Biebl ]
* hwdb: Allow console users access to media* nodes (Closes: #996749)
.
systemd (249.5-1) unstable; urgency=medium
.
* New upstream version 249.5
* Rebase patches
* Update debian/copyright
* Clean up lintian overrides
.
systemd (249.4-2) unstable; urgency=medium
.
* Upload to unstable
* Remove unused initialize_coredump() function
* Fix #993738 by pulling the patches from upstream PR#20603
.
systemd (249.4-1) experimental; urgency=medium
.
* New upstream version 249.4
* Rebase patches
.
systemd (249.3-4) experimental; urgency=medium
.
* Add Conflicts/Replaces: systemd to systemd-standalone-{sysusers,tmpfiles}
This allows upgrades from older systemd versions which do not have
Provides: systemd-{sysusers,tmpfiles}. (Closes: #992376)
.
systemd (249.3-3) experimental; urgency=medium
.
* Use C/R/P for systemd-sysusers and systemd-tmpfiles.
It's an interface/facility that can only be provided by a single package
at a time.
.
systemd (249.3-2) experimental; urgency=medium
.
* Provide standalone binaries for sysusers and tmpfiles (Closes: #946456)
* Fix test dependencies of upstream test.
After splitting out the standalone binaries for sysusers and tmpfiles
into separate packages (which conflict with the main systemd package),
we can no longer use the '@' notation in the upstream test.
This reverts commit 5eeeb1b562a1a9802df105091bda4741c263336d and also
adds systemd-tests and systemd-timesyncd to the upstream test
dependencies.
.
systemd (249.3-1) experimental; urgency=medium
.
* New upstream version 249.3
* Rebase patches
* Remove obsolete systemd-resolve compat symlink
.
systemd (249.2-2) experimental; urgency=medium
.
* Remove obsolete upgrade code from maintainer scripts
* Clean up old versions from maintscript files
* Drop obsolete systemd Breaks/Replaces
* Drop obsolete python-dbusmock Breaks
* Turn versioned systemd-shim Breaks into unversioned Conflicts.
There never was a fixed systemd-shim version before it was removed from
the archive.
* Drop patches which are no longer needed after bullseye
* Stop setting up device symlinks for CD-RW/DVD drives.
Those udev rules were a Debian specific workaround that were mainly
added for compat with older software which wasn't able to automatically
discover those types of devices. Those rules didn't provide
stable/predictable names though, so remove them. (Closes: #991639)
* autopkgtest: add systemd-timesyncd dependency to timedated test.
We need systemd-timesyncd in the timedated test, not just an arbitrary
provider of time-daemon.
* autopkgtest: clean up dependencies of boot-smoke test.
A lot of the dependencies are not needed but were originally added to
avoid a testbed reset and make it possible to reuse the testbed of the
upstream test. This turned out to be a maintenance problem and the
dependencies were not updated accordingly. Instead of trying to keep the
two tests in sync, trim down the boot-smoke dependencies to its bare
minimum.
.
systemd (249.2-1) experimental; urgency=medium
.
* New upstream version 249.2
* Rebase patches
.
systemd (249.1-1) experimental; urgency=medium
.
* New upstream version 249.1
- basic/unit-name: do not use strdupa() on a path (CVE-2021-33910)
.
systemd (249-1) experimental; urgency=medium
.
* New upstream version 249
* Rebase patches
* Update symbol versions for the v249 release
* Fix removal of systemd-hwdb-update.service.
As we don't support factory-reset, we don't need this service.
In Debian, the hwdb binary database is updated via a dpkg file trigger.
.
systemd (249~rc3-1) experimental; urgency=medium
.
* New upstream version 249~rc3
* Rebase patches
.
systemd (249~rc2-1) experimental; urgency=medium
.
* New upstream version 249~rc2
* Rebase patches
.
systemd (249~rc1-1) experimental; urgency=medium
.
[ Michael Biebl ]
* New upstream version 249~rc1
* Rebase patches
* Replace m4 Build-Depends with python3-jinja2
* Update symbols file for libsystemd0
* test: do not run 'meson configure' if NO_BUILD is set
* test: drop the mawk-incompatible expression
* Add gawk <!nocheck> to Build-Depends.
It is used in tools/check-directives.sh which is run during "meson test".
* autopkgtest: add udev dependency to unit-tests.
Without a properly set up hwdb the test-sd-hwdb test is skipped.
.
[ Luca Boccassi ]
* autopkgtest: add dependency on dosfstools for upstream test.
Needed to create EFI partition (vfat)
.
systemd (248.3-1) experimental; urgency=medium
.
[ Michael Biebl ]
* New upstream version 248.3
* Rebase patches
.
[ Dan Streetman ]
* d/t: replace 'root-unittests' shell script with simple call to upstream script.
The upstream test runner script is much better, as it only prints failing test
output, and gives a summary of the test results at the end.
.
systemd (248.2-1) experimental; urgency=medium
.
* New upstream version 248.2
.
systemd (248.1-1) experimental; urgency=medium
.
[ Michael Biebl ]
* New upstream version 248.1
* Rebase patches
* d/e/checkout-upstream: switch to main branch
* Update make-fbdev-blacklist to not blacklist hyperv_fb
.
[ Luca Boccassi ]
* systemd.install: catch all files installed in usr/bin and bin.
At the moment, individual binaries are mentioned specifically in the
install file. When new binaries are added, manual work is needed to get
them packaged, which affects the upstream autopkgtest-based CI.
Change systemd.install to instead pick up everything from usr/bin and bin.
* upstream suite: add build-dep on vim-tiny.
Required by some of the images in the upstream test suite
.
[ Zbigniew Jędrzejewski-Szmek ]
* Let "upstream" test use upstream test runner
.
[ Dan Streetman ]
* Slight adjustments to previous patch for deny/black-list naming.
Also add in two vars used by the integration runner script
* d/t/upstream: use NO_BUILD=1.
Also don't bother sed-modifying test-functions file, as the NO_BUILD
changes remove the need for that.
* d/t/control: install all binary packages for upstream test.
With the change to just call the upstream script to run the integration
tests, the packages to test need to be installed so the test-function
script can list out the files each package contains, and copy those files
into each nspawn and/or qemu testbed. Without all packages installed,
some tests fail; specifically TEST-30 currently requires systemd-timesyncd
which was not previously installed for the 'upstream' test suite.
This changes the control file to just install all binary packages, using
the '@' notation.
* d/t/boot-smoke: update test to avoid false negatives
.
[ Frantisek Sumsal ]
* upstream-ci: fix test_no_failed() check.
Without `--plain` `systemctl` prints a circle (●) in the first column
for each failed service, which with the current code interferes with
attempted journal listing for each such service.
.
systemd (248-1) experimental; urgency=medium
.
[ Balint Reczey ]
* New upstream version 248
- add support for answering DNSSEC questions on the stub resolver
(Closes: #988132)
- turn off DNSSEC validation when timesyncd resolves hostnames
(Closes: #898530)
- add networkd/nspawn nftables backend
(Closes: #934584)
- support ipv6 for masquerade and dnat in nspawn and networkd
(Closes: #934676)
* Refresh patches
* debian/rules: Enable new systemd-sysext tool
* debian/rules: Build support for flushing of the nscd caches
* debian/rules: Build translations for debs but not for udebs
* debian/rules: Build without TPM2 support.
This is a new feature and needs further review.
* Ship systemd-cryptenroll in systemd package
* Update symbols file for libsystemd0
* debian/tests/control: Upstream test depends on attr
* debian/udev.postinst: Create the sgx system group.
Intel SGX enclave device nodes are now owned by this group.
* debian/rules: Don't ship README files in (/usr)/lib/*.d.
README files are typically shipped in /usr/share/doc.
* Revert "pager: stop disabling urlification under a pager"
Debian and Ubuntu do not yet have a less version that supports
urlification. This requires less 563 or later.
.
systemd (247.9-4) unstable; urgency=medium
.
* Revert "tests/udev-test.pl: add multiple device test"
Follow-up to make sure the udev autopkgtest passes successfully again
after reverting the multipath symlink race fix.
* test: Fix flakiness in TEST-10-ISSUE-2467
* autopktest: Fix timedated test dependencies.
Add an explicit systemd-timesyncd dependency as it is required by the
timedated test.
* autopkgtest: Merge configuration of logind test with timedated and related
tests.
They share the same restrictions and merging them avoids a bit of
duplication.
* Revert "test: disable DnsmasqClientTest.test_resolved_etc_hosts in
networkd-test.py"
Let's see if this test is still flaky on debci.
* networkd-test: fix resolved_domain_restricted_dns.
Cherry-pick upstream commit which hopefully fixes the flakiness in
DnsmasqClientTest.test_resolved_domain_restricted_dns.
.
systemd (247.9-3) unstable; urgency=medium
.
* Revert multipath symlink race fix.
Revert upstream commits which caused a regression in udev resulting in
long delays when processing partitions with the same label.
(Closes: #993738)
.
systemd (247.9-2) unstable; urgency=medium
.
* Demote systemd-timesyncd from Depends to Recommends.
This avoids a dependency cycle between systemd and systemd-timesyncd and
thus makes dist upgrades more predictable and robust.
It also allows minimal, systemd based containers where no NTP client is
strictly necessary.
To ensure that systemd-timesyncd is installed in a default installation
created by d-i, bump its priority to standard. (Closes: #986651, #993947)
.
systemd (247.9-1) unstable; urgency=medium
.
[ Michael Biebl ]
* New upstream version 247.9
* Rebase patches
* Fix removal of systemd-hwdb-update.service.
As we don't support factory-reset, we don't need this service.
In Debian, the hwdb binary database is updated via a dpkg file trigger.
.
[ Balint Reczey ]
* debian/rules: Don't ship README files in (/usr)/lib/*.d.
README files are typically shipped in /usr/share/doc.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds an optional PIN/password protection for TPM2 unlock. The basic operation is simple: We add an authValue to the keyed hash object when sealing it, and the policy is extended to check the authValue in addition to PCRs. When unsealing, the object is associated with the authValue after it is loaded. LUKS2 metadata is extended with a "tpm2-pin" bool to signal that the modified policy shall be used.
cryptenroll/cryptsetup tools are extended to query PINs for enrollment and unlock, as needed. Non-interactive testing is possible with the new
PINandNEWPINenvironment variables.Out of scope for now:
This has been tested with the swtpm TPM emulator and a discrete Nuvoton TPM. Integration tests are included, using qemu together with swtpm.
Fixes #19229.