Devon Pringle
16c89e649d
networkd: add RouteDenyList
Allow configuration for IPv6 discovered routes to be ignored instead of
adding them as a route. This can be used to block unwanted routes, for
example, you may wish to not receive some set of routes on an interface
if they are causing issues.
2020-12-18 21:44:32 +09:00
Yu Watanabe
af42881bf9
Merge pull request #18015 from keszybz/dmi-test-mesonification2
Dmi test mesonification2
2020-12-18 21:44:00 +09:00
Yu Watanabe
9f62de5762
Merge pull request #18011 from yuwata/trivial-fixes
Trivial fixes for recently merged PRs
2020-12-18 20:12:02 +09:00
Yu Watanabe
fd4835bdf8
Merge pull request #17693 from yuwata/tmpfiles-compress-nocow-on-btrfs
tmpfiles: try to set file attributes one by one
2020-12-18 16:52:29 +09:00
Yu Watanabe
ee672fd30b
Merge pull request #18009 from poettering/time-set-sync-target
tweaks for time-sync.target and time-set.target
2020-12-18 16:02:56 +09:00
Yu Watanabe
eca248640b
netlink: fix size of fib rule messages
2020-12-18 13:27:44 +09:00
Yu Watanabe
8940baac4d
meson: sort files
2020-12-18 13:27:44 +09:00
Yu Watanabe
479667c497
nspawn: sort headers
2020-12-18 13:27:44 +09:00
Yu Watanabe
ce9dc1fd8b
netlink: fix indentation
2020-12-18 13:27:44 +09:00
Yu Watanabe
a73f080727
netlink: drop unnecessary error handling
2020-12-18 13:27:44 +09:00
Yu Watanabe
faa0d69c6c
netlink: use whitespace instead of tab
2020-12-18 13:27:44 +09:00
Yu Watanabe
f6dab7489e
sd-netlink: add several assertions
2020-12-18 13:27:40 +09:00
Yu Watanabe
2d1ad72456
sd-netlink: replace *messages[] -> **messages
2020-12-18 13:11:06 +09:00
Yu Watanabe
ec87f63c0e
meson: add missing headers
2020-12-18 13:05:19 +09:00
Yu Watanabe
517fdd61ed
network: move variable declaration
2020-12-18 13:00:57 +09:00
Yu Watanabe
458610429f
tree-wide: fix typo
2020-12-18 12:59:29 +09:00
Yu Watanabe
94566540e3
tmpfiles: try to set file attributes one by one
Closes #17690.
2020-12-18 12:35:57 +09:00
Yu Watanabe
459631a0f9
chattr-util: introduce fallback mode to set file attributes one by one
2020-12-18 12:33:43 +09:00
Susant Sahani
d7d1d18fd2
network: Allow to configure unreachable/blackhole RoutingPolicyRule (#17984)
2020-12-18 12:21:15 +09:00
Lennart Poettering
5cd35a171c
Merge pull request #17741 from poettering/cryptsetup-fido2
cryptsetup: add support for unlocking cryptsetup volumes via FIDO2 + TPM2 + add systemd-cryptenroll tool + more
2020-12-17 22:37:22 +01:00
Lennart Poettering
08e77eb88d
man: document that .timer units now have After= on both time-set.target + time-sync.target
2020-12-17 20:26:24 +01:00
Lennart Poettering
fe934b42e4
core: order timer units after both time-sync.target and time-set.target
If users do not enable a service like systemd-time-wait-sync.target
(because they don't want to delay boot for external events, such as an
NTP sync), then timers should still take the weaker time-set.target
feature into account, so that the clock is at least monotonic.
Hence, order timer units after both of the targets: time-sync.target
*and* time-set.target. That way, the right thing will happen regardless
of whether people have no NTP server (and thus also no
systemd-time-wait-sync.service or equivalent), only have an NTP
server (and no systemd-time-wait-sync.service), or have both.
Ordering after time-set.target is basically "free". The logic it is
backed by should be instant, without communication with the outside
going on. It's useful still so that time servers that implement the
timestamp from /var/ logic can run in later boot.
2020-12-17 20:21:46 +01:00
Lennart Poettering
d2004ee568
units: don't pull in time-sync.target from systemd-timesyncd.service
systemd-timesyncd.service only applies the much weaker monotonic clock
from file logic, i.e. should pull in and order itself before
time-set.target. The strong time-sync.target unit is pulled in by
systemd-time-wait-sync.service.
2020-12-17 20:19:44 +01:00
Lennart Poettering
80670e748d
update TODO
2020-12-17 20:03:04 +01:00
Lennart Poettering
5e85016b1f
mkosi: add TPM2 packages to debian/ubuntu/fedora mkosi files
As suggested: https://github.com/systemd/systemd/pull/17741#issuecomment-743479834
2020-12-17 20:03:00 +01:00
Lennart Poettering
cf1e172d58
man: document new features
2020-12-17 20:02:32 +01:00
Lennart Poettering
1abaa19781
fido2: when listing fido2/hmac-secret devices, actually validate feature set
2020-12-17 20:02:28 +01:00
Lennart Poettering
a60d5b2f38
test: add tpm2 and fido2 libs to dlopen test
2020-12-17 20:02:24 +01:00
Lennart Poettering
889914ef6c
repart: optionally lock encrypted partitions to TPM2
This is useful for bootstrapping encrypted systems: on first boot let's
create a /var/ partition that is locked to the local TPM2.
2020-12-17 20:02:20 +01:00
Lennart Poettering
5f0ab16198
string-table: add private version of lookup macro with boolean fallback
2020-12-17 20:02:14 +01:00
Lennart Poettering
18843ecc2a
cryptsetup: add support for TPM2 unlocking of volumes
2020-12-17 20:02:03 +01:00
Lennart Poettering
d2fafc423d
cryptenroll: support listing and wiping tokens
2020-12-17 20:01:52 +01:00
Lennart Poettering
5e521624f2
cryptenroll: add support for TPM2 enrolling
2020-12-17 20:01:31 +01:00
Lennart Poettering
2d64d2b955
json: add APIs for quickly inserting hex blobs as JSON strings
This is similar to the base64 support, but fixed-size hash values are
typically preferably presented as series of hex values, hence store them
here like that too.
2020-12-17 20:01:17 +01:00
Lennart Poettering
1403d48d61
sort-util: make cmp_int() generic, so that we can reuse it elsewhere
2020-12-17 20:01:02 +01:00
Lennart Poettering
8710a6818e
cryptenroll: add new "systemd-cryptenroll" tool for enrolling FIDO2+PKCS#11 security tokens
2020-12-17 20:00:51 +01:00
Lennart Poettering
2bc5c425e6
cryptsetup: add fido2 support
2020-12-17 20:00:41 +01:00
Lennart Poettering
e3fb662b67
fido2: don't use up/uv/rk when device doesn't support it
Apparently devices are supposed to generate failures if we try to turn
off features they don't have. Thus don't.
Prompted-by: https://github.com/systemd/systemd/issues/17784#issuecomment-737730395
2020-12-17 20:00:27 +01:00
Lennart Poettering
ebcb3f38d2
homed: split out HMAC-HASH fido2 decode code into src/shared/
That way we can use it later on in systemd-cryptsetup to unlock devices
with FIDO2 tokens.
2020-12-17 20:00:15 +01:00
Lennart Poettering
17599e129b
homed: move fido2 setup code to src/shared/
That way we can reuse it from systemd-cryptenroll.
2020-12-17 20:00:03 +01:00
Lennart Poettering
fb2d839c06
homed: move fido2 device enumeration logic to shared code
2020-12-17 19:59:50 +01:00
Lennart Poettering
69cb28965b
homed: turn libfido2 into a dlopen() type dependency
2020-12-17 19:59:32 +01:00
Lennart Poettering
b8c80b56d1
cryptsetup: split up attach_luks_or_plain_or_bitlk() into smaller functions
Just some refactoring.
2020-12-17 19:59:28 +01:00
Lennart Poettering
b997d1115b
cryptsetup: read PKCS#11 key and token info from LUKS2 metadata
Optionally, embed PKCS#11 token URI and encrypted key in LUKS2 JSON
metadata header. That way it becomes very easy to unlock properly set up
PKCS#11-enabled LUKS2 volumes, a simple /etc/crypttab line like the
following suffices:
mytest /dev/disk/by-partuuid/41c1df55-e628-4dbb-8492-bc69d81e172e - pkcs11-uri=auto
Such a line declares that unlocking via PKCS#11 shall be attempted, and
the token URI and the encrypted key shall be read from the LUKS2 header.
An external key file for the encrypted PKCS#11 key is hence no longer
necessary, nor is specifying the precise URI to use.
2020-12-17 19:59:24 +01:00
Lennart Poettering
d3ad474f0c
cryptsetup: be more careful with erasing key material from memory
2020-12-17 19:59:20 +01:00
Lennart Poettering
8414cd48e9
cryptsetup: split code that allocates udev security device monitor into its own function
2020-12-17 19:59:17 +01:00
Lennart Poettering
4760384d53
cryptsetup-util: add helper for setting minimal PBKDF
2020-12-17 19:59:04 +01:00
Lennart Poettering
4098bc134e
cryptsetup-util: add helper call for extracting/parsing token JSON
2020-12-17 19:58:52 +01:00
Lennart Poettering
f240cbb645
homed: move code to list and resolve "auto" pkcs#11 URL into common code
That way we can reuse it from systemd-cryptenroll.
2020-12-17 19:58:39 +01:00
Lennart Poettering
d041e4fc4a
homed: split out code that determines suitable LUKS passphrase size from RSA key
We can use this in cryptenroll later on, hence let's make this generic.
2020-12-17 19:58:26 +01:00