9bd6ee8d5d
Merge pull request #15531 from felipeborges/add-device-model-field-to-hostnamed
...
hostnamed: Add "Model" field
2020-12-18 14:26:32 +01:00
16c89e649d
networkd: add RouteDenyList
...
Allow configuration for IPv6 discovered routes to be ignored instead of
adding them as a route. This can be used to block unwanted routes, for
example, you may wish to not receive some set of routes on an interface
if they are causing issues.
2020-12-18 21:44:32 +09:00
af42881bf9
Merge pull request #18015 from keszybz/dmi-test-mesonification2
...
Dmi test mesonification2
2020-12-18 21:44:00 +09:00
9f62de5762
Merge pull request #18011 from yuwata/trivial-fixes
...
Trivial fixes for recently merged PRs
2020-12-18 20:12:02 +09:00
fd4835bdf8
Merge pull request #17693 from yuwata/tmpfiles-compress-nocow-on-btrfs
...
tmpfiles: try to set file attributes one by one
2020-12-18 16:52:29 +09:00
ee672fd30b
Merge pull request #18009 from poettering/time-set-sync-target
...
tweaks for time-sync.target and time-set.target
2020-12-18 16:02:56 +09:00
eca248640b
netlink: fix size of fib rule messages
2020-12-18 13:27:44 +09:00
8940baac4d
meson: sort files
2020-12-18 13:27:44 +09:00
479667c497
nspawn: sort headers
2020-12-18 13:27:44 +09:00
ce9dc1fd8b
netlink: fix indentation
2020-12-18 13:27:44 +09:00
a73f080727
netlink: drop unnecessary error handling
2020-12-18 13:27:44 +09:00
faa0d69c6c
netlink: use whitespace instead of tab
2020-12-18 13:27:44 +09:00
f6dab7489e
sd-netlink: add several assertions
2020-12-18 13:27:40 +09:00
2d1ad72456
sd-netlink: replace *messages[] -> **messages
2020-12-18 13:11:06 +09:00
ec87f63c0e
meson: add missing headers
2020-12-18 13:05:19 +09:00
517fdd61ed
network: move variable declaration
2020-12-18 13:00:57 +09:00
458610429f
tree-wide: fix typo
2020-12-18 12:59:29 +09:00
94566540e3
tmpfiles: try to set file attributes one by one
...
Closes #17690 .
2020-12-18 12:35:57 +09:00
459631a0f9
chattr-util: introduce fallback mode to set file attributes one by one
2020-12-18 12:33:43 +09:00
d7d1d18fd2
network: Allow to configure unreachable/blackhole RoutingPolicyRule ( #17984 )
2020-12-18 12:21:15 +09:00
5cd35a171c
Merge pull request #17741 from poettering/cryptsetup-fido2
...
cryptsetup: add support for unlocking cryptsetup volumes via FIDO2 + TPM2 + add systemd-cryptenroll tool + more
2020-12-17 22:37:22 +01:00
08e77eb88d
man: document that .timer units now have After= on both time-set.target + time-sync.target
2020-12-17 20:26:24 +01:00
fe934b42e4
core: order timer units after both time-sync.target and time-set.target
...
If users do not enable a service like systemd-time-wait-sync.target
(because they don't want to delay boot for external events, such as an
NTP sync), then timers should still take the the weaker time-set.target
feature into account, so that the clock is at least monotonic.
Hence, order timer units after both of the targets: time-sync.target
*and* time-set.target. That way, the right thing will happen regardless
if people have no NTP server (and thus also no
systemd-time-wait-sync.service or equivalent) or, only have an NTP
server (and no systemd-time-wait-sync.service), or have both.
Ordering after time-set.target is basically "free". The logic it is
backed by should be instant, without communication with the outside
going on. It's useful still so that time servers that implement the
timestamp from /var/ logic can run in later boot.
2020-12-17 20:21:46 +01:00
d2004ee568
units: don't pull in time-sync.target from systemd-timesyncd.service
...
systemd-timesyncd.service only applies the much weaker monotonic clock
from file logic, i.e should pull in and order itself before
time-set.target. The strong time-sync.target unit is pulled in by
systemd-time-wait-sync.service.
2020-12-17 20:19:44 +01:00
80670e748d
update TODO
2020-12-17 20:03:04 +01:00
5e85016b1f
mkosi: add TPM2 packages to debian/ubuntu/fedora mkosi files
...
As suggested: https://github.com/systemd/systemd/pull/17741#issuecomment-743479834
2020-12-17 20:03:00 +01:00
cf1e172d58
man: document new features
2020-12-17 20:02:32 +01:00
1abaa19781
fido2: when listing fido2/hmac-secret devices, actually validate feature set
2020-12-17 20:02:28 +01:00
a60d5b2f38
test: add tpm2 and fido2 libs to dlopen test
2020-12-17 20:02:24 +01:00
889914ef6c
repart: optionally lock encrypted partitions to TPM2
...
This useful for bootstrapping encrypted systems: on first boot let's
create a /var/ partition that is locked to the local TPM2.
2020-12-17 20:02:20 +01:00
5f0ab16198
string-table: add private version of lookup macro with boolean fallback
2020-12-17 20:02:14 +01:00
18843ecc2a
cryptsetup: add support for TPM2 unlocking of volumes
2020-12-17 20:02:03 +01:00
d2fafc423d
cryptenroll: support listing and wiping tokens
2020-12-17 20:01:52 +01:00
5e521624f2
cryptenroll: add support for TPM2 enrolling
2020-12-17 20:01:31 +01:00
2d64d2b955
json: add APIs for quickly inserting hex blobs into as JSON strings
...
This is similar to the base64 support, but fixed-size hash values are
typically preferably presented as series of hex values, hence store them
here like that too.
2020-12-17 20:01:17 +01:00
1403d48d61
sort-util: make cmp_int() generic, so that we can reuse it elsewhere
2020-12-17 20:01:02 +01:00
8710a6818e
cryptenroll: add new "systemd-cryptenroll" tool for enrolling FIDO2+PKCS#11 security tokens
2020-12-17 20:00:51 +01:00
2bc5c425e6
cryptsetup: add fido2 support
2020-12-17 20:00:41 +01:00
e3fb662b67
fido2: don't use up/uv/rk when device doesn't support it
...
Apparently devices are supposed to generate failures if we try to turn
off features they don't have. Thus don't.
Prompted-by: https://github.com/systemd/systemd/issues/17784#issuecomment-737730395
2020-12-17 20:00:27 +01:00
ebcb3f38d2
homed: split out HMAC-HASH fido2 decode code into src/shared/
...
That way we can use it later on in systemd-cryptsetup to unlock devices
with FIDO2 tokens.
2020-12-17 20:00:15 +01:00
17599e129b
homed: move fido2 setup code to src/shared/
...
That way we can reuse it from systemd-cryptenroll
2020-12-17 20:00:03 +01:00
fb2d839c06
homed: move fido2 device enumeration logic to shared code
2020-12-17 19:59:50 +01:00
69cb28965b
homed: turn libfido2 into a dlopen() type dependency
2020-12-17 19:59:32 +01:00
b8c80b56d1
cryptsetup: split up attach_luks_or_plain_or_bitlk() into smaller functions
...
Just some refactoring.
2020-12-17 19:59:28 +01:00
b997d1115b
cryptsetup: read PKCS#11 key and token info from LUKS2 metadata
...
Optionally, embedd PKCS#11 token URI and encrypted key in LUKS2 JSON
metadata header. That way it becomes very easy to unlock properly set up
PKCS#11-enabled LUKS2 volumes, a simple /etc/crypttab line like the
following suffices:
mytest /dev/disk/by-partuuid/41c1df55-e628-4dbb-8492-bc69d81e172e - pkcs11-uri=auto
Such a line declares that unlocking via PKCS#11 shall be attempted, and
the token URI and the encrypted key shall be read from the LUKS2 header.
An external key file for the encrypted PKCS#11 key is hence no longer
necessary, nor is specifying the precise URI to use.
2020-12-17 19:59:24 +01:00
d3ad474f0c
cryptsetup: be more careful with erasing key material from memory
2020-12-17 19:59:20 +01:00
8414cd48e9
cryptsetup: split code that allocates udev security device monitor into its own function
2020-12-17 19:59:17 +01:00
4760384d53
cryptsetup-util: add helper for setting minimal PBKDF
2020-12-17 19:59:04 +01:00
4098bc134e
cryptsetup-util: add helper call for extracting/parsing token JSON
2020-12-17 19:58:52 +01:00
f240cbb645
homed: move code to list and resolve "auto" pkcs#11 URL into common code
...
That way we can reuse it from systemd-cryptenroll.
2020-12-17 19:58:39 +01:00
Lennart Poettering