To make the generated IDs equivalent when
- sd_device object is not provided,
- sd_device object is provided, but it does not have ID_SERIAL.
Follow-up for abc19a6ffa.
This also fixes missing voidification.
Fixes CID#1524253.
First, check for the cached enabled/disabled, as that's what all the
label functions used to do. Then, if initialization is not done yet,
do not cause the label functions to bail out, as it's expected to
happen at early boot.
Among other things, fixes:
systemd[1]: Failed to compute init label, ignoring.
Follow-up for: 0617da2edb
--tpm2-device-key= requires OpenSSL >= 3 with KDF-SS, so let's skip the
test if we're running with older OpenSSL.
+ systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs=12:sha256=F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B /tmp/systemd-cryptsetup-H8y.IMAGE
Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
Allocating context for crypt device /tmp/systemd-cryptsetup-H8y.IMAGE.
Trying to open and read device /tmp/systemd-cryptsetup-H8y.IMAGE with direct-io.
Trying to open device /tmp/systemd-cryptsetup-H8y.IMAGE without direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /tmp/systemd-cryptsetup-H8y.IMAGE.
Crypto backend (OpenSSL 1.1.1k FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7.
Detected kernel Linux 4.18.0-521.el8.ppc64le ppc64le.
...
Failed to find TPM PCR public key file 'tpm2-pcr-public-key.pem': No such file or directory
Failed to read TPM2 PCR public key, proceeding without: No such file or directory
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
PolicyPCR calculated digest: 9a1f511fb94f030eb21d0332ef2739727bf0ead4ec26a204d15b09cdeb4b2555
Calculating sealed object.
Calculating encrypted seed for sealed object.
Calculating encrypted seed for ECC sealed object.
Calculating KDFe().
KDF-SS requires openssl >= 3.
Could not calculate KDFe: Operation not supported
Could not calculate encrypted seed: Operation not supported
Failed to seal to TPM2: Operation not supported
don't let the devices to be announced just as model "Linux". Let's instead
propagate the underlying block device's model. Also do something
reasonably smart for the serial and firmware version fields.
Before, handling of global properties (set on systemd-udevd by `udevadm
control -p FOO=foo`) was inconsistent. They were honored in ENV matches,
but not in any assignment. This meant that any use of $env{FOO} (where
FOO was a global property) expanded to an empty string.
Fixup for e87dec82be:
I misunderstood the format. It's actually CBOR, i.e. some binary format.
When trying to show show text we would first check if it's valid UTF-8,
so we would handle this gracefully, i.e. emit a warning and not print
the contents.
The TPM2 tests that genreate an RSA primary key are fast on vtpms, but
very slow on physical TPMs, simply because TPMs aren't precisely fast
devices. It makes sense to keep the tests around however. Hence hide the
test behind the "slow test" logic by default – but only if we run on
physical hw, and keep them in place on VMs (where we'd expect a vtpm, if
any).
The test-tpm2 test multiplexes a bunch of tests from a single
entrypoint test that creates the TPM2 connection. This means we only get
the nice log output which test we are looking for once for the
entrypoint.
Let's add a macro that allows it to nicely generate it for the inner
tests too and use it.
Let's add a new "plymouth-util.c" module with helpers for talking to
plymouth. We so far had three places for this, let's unify the code
doing this a bit.
The meson summary logic checks for ENABLE_* and HAVE_*, but we used a define
with no prefix. Let's make it ENABLE_… for consistency with other config
options. Obviously this also fixes the summary output.
The only way this could be called with an invalid value would be if
somebody forgot to initialize unit type. In such cases, it's better to
fail hard immediately.
Those functions take a pointer to a timestamp and return a timestamp pointer,
so the reader would be justified to think that those are just getters. Rename
them to avoid confusion.
There are draft proposals to embed SBOM metadata in the .sbom section of PE
binaries [1], in the coSWID XML format. Some details of how this is actually
implemented might change, but it seems very likely that both section name and
it being text will stay. Let's show the section as text to make such binaries
easier to inspect. ([1] recommends using 'objcopy -j .sbom' which isn't
particularly readable.) Once there's more standarization of the actual
format, we can add pretty-printing and/or syntax highlighting.
[1] https://uefi.org/blog/firmware-sbom-proposal
[2] https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html
The details of formatting are copied from mkosi. This results in the following:
usage:
ukify build [--linux=LINUX] [--initrd=INITRD] [options…]
ukify genkey [options…]
ukify inspect FILE… [options…]
Build and sign Unified Kernel Images
options:
--version show program's version number and exit
...
I put "[options…]" at the end, because that's what one would generally do
with long options like "--cmdline" and others.
