The recently merged PR #32295 introduced support for the credProtect
extension, but in doing so, it broke the discoverability of credentials
by setting the policy to FIDO_CRED_PROT_UV_REQUIRED for UV-less,
PIN-protected credentials. This policy would require us to pass the PIN
to the token in the pre-flight request to be able to discover it,
which defeats the purpose of pre-flight requests as they're supposed
to be non-interactive.
This commit restricts the usage of credProtect to UV credentials only.
Previously, _SOURCE_REALTIME_TIMESTAMP was only used for realtime
timestamp, and _SOURCE_MONOTONIC_TIMESTAMP was for monotonic.
This make these journal field used more aggressively. If we need
realtime timestamp, but an entry has only _SOURCE_MONOTONIC_TIMESTAMP,
then now realtime timestamp is calculated based on
_SOURCE_MONOTONIC_TIMESTAMP and the header dual timestamp.
Similary, monotonic timestamp is obtained from
_SOURCE_REALTIME_TIMESTAMP and the header dual timestamp.
This should change shown timestamps not so much in most cases, but may
be improve the situation such as #32492.
- drop unnecessary SYNTHETIC_ERRNO() when the logger does not propagate
error code,
- drop unnecessary '%m' in error message when the error code is
specified with SYNTHETIC_ERRNO(),
- add missing full stop at the end of log message,
- use RET_GATHER(),
- add missing ", ignoring.",
- upeercase the first letter, etc., etc...
If mac_selinux_access_check() or bus_verify_bypass_dump_ratelimit_async()
fail, we goto "ratelimited" where we set a custom D-BUS error. In
"ratelimited", we call sd_bus_error_setf() which eventually hits an
assert_return(!bus_error_is_dirty()). Avoid hitting this assertion by
passing NULL as the error to mac_selinux_access_check() and
bus_verify_bypass_dump_ratelimit_async() since we will override the error
immediately anyway if either fails.
We modify both functions as well to allow passing a NULL error and fix
the argument name as well while we're at it.
We already log to syslog using pam_syslog() for logs generated directly
within our pam plugins. However, any logs generated by our generic logging
macros that are invoked within a pam plugin will log to the console. Let's
make sure our generic logging macros are set up to log to syslog as well.
Previously, if we encountered a non-socket fd we'd return ENOTSOCK the
first time, but the subsequent times we'd return ENOMEDIUM, due to
caching. Let's make sure we return the same errors all the the time.
Replaces #32062
As discussed in #32062, making 'help' the default verb
is not very appealing for two reasons:
1) If the verb is missing, showing a help which is pages long
isn't really helpful to locate the problem.
(https://github.com/systemd/systemd/pull/32062#issuecomment-2064997158)
2) We want to reserve the right to set default verbs to be
more useful ones, instead of help. E.g. 'busctl' lists all
bus peers by default.
So, when there are more than 2 verbs, let's instead add
the list of available verbs to the "Command verb required"
message, that serves as a hint. That way we try to be friendlier
to users, but still make the problem obvious.
We so far just print a short log message that is not very useful, let's
add some recognizable error codes, and output better log messages if we
can't get TPM stuff to work.
Fixes: #31925
If we're already running in a unit with delegation turned on, let's
skip allocation of a scope unit and cgroup subroot. This allows journald
to correctly attribute the logs of all subprocesses spawned by tests such
as test-execute to the test-execute service when the test is running in a service.
Specifically, this will make tests log to the journal if stderr is
connected to the journal. This means we get proper log priorities
and such compared to if we just logged to stderr.
According to copy_file_range (2), errno will be set to EOPNOTSUPP when
the file system does not support copy_file_range(). Since there is
already fallback logic in place here for other kinds of errors, add
-EOPNOTSUPP to the list of ignored errors.
We have now switched from PolicyAuthValue to PolicySigned to control
access to the policy nvindex to. This means there's no point in setting
an authValue on the nvindex anymore, hence drop this.
So far the nvindex to store the pcrlock policy in was protected via a
PolicyAuthValue policy (i.e. with a simple PIN set on the nvindex).
That's a bad idea however, as it means an attacker can simply remove and
re-create the nvindex and the "name" of the nvindex does not change,
thus defeating the logic. (This is because the authValue is *not* part
of the "name" of an nvindex!).
Fix this by switching from PolicyAuthValue to PolicySigned with an
HMAC-SHA256 key. Behaviour is very similar: however, the PIN is now part
of of the access policy hash, which *is* part of the "name" of an
nvindex. Thus, if an attacker removes and recreates the nvindex it has
to provide the same PIN again or the "name" of the nvindex will change.
Mission accomplished.
I'd like to thank Chris Coulson for finding this issue (and helping me
address it). Thank you!
If we load an external key into the TPM we must do so in the NULL
hierarchy. An external key after all is one that is not wrapped by any
hierarchy's seed.
See TPM2 spec, Part 3, Section 12.3.1
Just some renaming. I found the old name a bit confusing since it sounds
as if this would get the pin from somewhere, but it really doesn't. It
just converts a PIN into an auth_value, and I think saying so explicitly
makes things easier to grok.
