Public keys and certificates are not the same, as the latter embeds more
information that the former, and other tools like sd-measure have distinct
parameters for each of them.
Add a new --pcr-certificate= parameter to ukify, and use it to pass certs
down to sd-measure, as an alternative to --pcr-public-key=. Do not allow
specifying both.
CLONE_PIDFD was introduced in v5.2 and in sched.h in glibc-2.31 so
without this, building with older version fails with:
src/basic/raw-clone.h:41:108: error: 'CLONE_PIDFD' undeclared (first use in this function); did you mean 'CLONE_FILES'?
While killing cgroup v1 I want to turn all cg_* helpers to take
cgroupfs_fd + cg path, which means all relevant path operations must
support openat() semantics. `removexattrat()` is currently missing. I
took the chance to do a bigger refactor for xattr-util.
The BMAX MaxBook Y14 has 2 acceleromenter sensors, one seems to be in
the display, the other in the base. With the default ACCEL_MOUNT_MATRIX
monitor-sensor would report the display to be rotate of 180 degrees
compared to its real position, i.e. upside down when normal and vice
versa. Left up and right up are also swapped.
Correcting the ACCEL_MOUNT_MATRIX for the display sensor solves the
issue and monitor-sensor reports the correct values.
For the Y13 model the Z axis value was also inverted. For the Y14 to
work correctly, this is not necessary, but I'm not sure how to double
check this.
Sensors info:
P: /devices/pci0000:00/0000:00:15.0/i2c_designware.0/i2c-0/i2c-KIOX010A:00/iio:device0
M: iio:device0
R: 0
U: iio
T: iio_device
D: c 237:0
N: iio:device0
L: 0
E: DEVPATH=/devices/pci0000:00/0000:00:15.0/i2c_designware.0/i2c-0/i2c-KIOX010A:00/iio:device0
E: SUBSYSTEM=iio
E: DEVNAME=/dev/iio:device0
E: DEVTYPE=iio_device
E: MAJOR=237
E: MINOR=0
E: USEC_INITIALIZED=25931869
E: IIO_SENSOR_PROXY_TYPE=iio-poll-accel iio-buffer-accel
E: SYSTEMD_WANTS=iio-sensor-proxy.service
E: TAGS=:systemd:
E: CURRENT_TAGS=:systemd:
P: /devices/pci0000:00/0000:00:15.3/i2c_designware.3/i2c-3/i2c-KIOX020A:00/iio:device1
M: iio:device1
R: 1
U: iio
T: iio_device
D: c 237:1
N: iio:device1
L: 0
E: DEVPATH=/devices/pci0000:00/0000:00:15.3/i2c_designware.3/i2c-3/i2c-KIOX020A:00/iio:device1
E: SUBSYSTEM=iio
E: DEVNAME=/dev/iio:device1
E: DEVTYPE=iio_device
E: MAJOR=237
E: MINOR=1
E: USEC_INITIALIZED=26000295
E: IIO_SENSOR_PROXY_TYPE=iio-poll-accel iio-buffer-accel
E: SYSTEMD_WANTS=iio-sensor-proxy.service
E: TAGS=:systemd:
E: CURRENT_TAGS=:systemd:
accel-display
acpi:KIOX010A:KIOX010A:
dmi:bvnAmericanMegatrendsInternational,LLC.:bvr5.00_002:bd05/13/2024:br5.27:efr1.1:svnAMI:pnIntel:pvrDefaultstring:rvnAMI:rnIntel:rvrDefaultstring:cvnDefaultstring:ct31:cvrDefaultstring:skuH8Y6:
accel-base
acpi:KIOX020A:KIOX020A:
Added in 6140be90ec
However, when O_PATH fds are encountered we'd have to go by
/proc/self/fd/ still, since the kernel people are reluctant
to make the new syscalls work with them
(https://lore.kernel.org/linux-fsdevel/20250206-steril-raumplanung-733224062432@brauner/)
Hence getxattrat() and listxattrat() are not employed.
While at it, remove the discrepancy between path being NULL
and empty - I don't grok the "security issue" claimed earlier,
but nowadays even the kernel treats the two as identical:
e896474fe4
These networks are not connections to upstream routers, but where we are
ourselves are the upstream router, hence it doesn't make too much sense
to require them to be up as default to determine if we are "online",
because they lead "in the wrong direction".
Also, disable DHCP lease persistency for these networks, since
container/VM/namespaces are generally shortlived, and typically have no
persistent identity. Moreover, the IP range we assign each VM/container
connection is just too small to permit persistency, as otherwise we'll
run out of leases way too quickly if VM/containers are restarted a bunch of
times with different MAC addresses (which I ran into).
I think these are better defaults, but of course these are only
defaults.
Update po-file based on latest generated from source
Update systemd.bg.catalog.in based on latest in source
Signed-off-by: Alexander Shopov <ash@kambanaria.org>
This adds `--json=MODE` command line option to `udevadm test`.
This may be useful for parsing e.g. network interface name or device
node symlinks.
Closes#23661.
Follow-up for 97318131fd.
By default, suite of each built test is determined by the directory of
the source file. Hence, before the mentioned commit, all tests in
src/boot/efi/ are in the 'efi' suite. The commit changed the directory
tree, but forgot to update the name of the test suite.
Add a build parameter to take an existing UKI and attach a .pcrsig
section
to it. This allows one to create a UKI with a .pcrpkey section with
--policy-digest to get the json output from sd-measure, sign the digest
offline, and attach the .pcrsig section with the signature later.
This adds --json=MODE option for 'udevadm test' command.
When specified, all messages, except for the final result, will be
written to stderr, and the final result is shown in JSON format to
stdout. It may be useful for parsing the test result.
pefile has an hardcoded limit to 256MB per section:
https://github.com/erocarrera/pefile/issues/396
When building an initrd with large firmware files and
lots of kernel modules, this limit can be reached.
Skip over those warnings.
Add a build parameter to take an existing UKI and attach a .pcrsig section
to it. This allows one to create a UKI with a .pcrpkey section with
--policy-digest to get the json output from sd-measure, sign the digest
offline, and attach the .pcrsig section with the signature later.
