The block is reordered and split to have:
1. description + documentation
2. (optionally) conditions
3. all the dependencies
I think it's easier to read the units this way.
Also, the Conflicts+Before is seperated out to separate lines.
The ordering dependency is "fake", because it could just as well be
After=, we are adding it to force ordering wrt. shutdown.target, and
it plays a different role than the other Before=, which are about a
real ordering on boot.
The Acer Aspire One AOD270 and the same hardware rebranded as
Packard Bell Dot SC need a couple of keymap fixups:
1. The switch-video-mode key does not do anything. Standard acer-wmi
maps scancode 0x61 to KEY_IGNORE since typically these events are
duplicate with the ACPI video bus. But on these models the ACPI video
bus does not send events for this key, so map it.
2. The Brightness up / down hotkeys send atkbd scancode 0xce / 0xef
which by default are mapped to KEY_KPPLUSMINUS and KEY_MACRO.
These actually are duplicate events with the ACPI video bus,
so map these to KEY_IGNORE.
Before removing symlinks that stores watch handles, this makes udev
worker check if the symlink is owned by the processing device.
Then, we can avoid TOCTOU and drop the try-and-wait loop.
This partially reverts 2d3af41f0e.
Let's parse the resolved JSON notifications via `jq` and check them in a
bit more "controlled" manner - e.g. until now the `grep` was checking just
a one gigantic JSON string, as all received notifications via the
varlink socket are terminated by a NUL character, not a newline.
Also, as the notification delivery is asynchronous, retry the check
a couple of times if it fails (spotted in C8S jobs):
```
[ 2891.935879] testsuite-75.sh[36]: + : '--- nss-resolve/nss-myhostname tests'
[ 2891.935988] testsuite-75.sh[36]: + run getent -s resolve hosts ns1.unsigned.test
[ 2891.936542] testsuite-75.sh[177]: + getent -s resolve hosts ns1.unsigned.test
[ 2891.937499] testsuite-75.sh[178]: + tee /tmp/tmp.pqjNvbQ2eS
[ 2891.939977] testsuite-75.sh[178]: 10.0.0.1 ns1.unsigned.test
[ 2891.940258] testsuite-75.sh[36]: + grep -qE '^10\.0\.0\.1\s+ns1\.unsigned\.test' /tmp/tmp.pqjNvbQ2eS
[ 2891.942235] testsuite-75.sh[189]: + grep -qF '[10,0,0,1]'
[ 2891.942577] testsuite-75.sh[188]: + grep -aF ns1.unsigned.test /tmp/notifications.txt
[ 2891.943978] systemd[1]: testsuite-75.service: Child 36 belongs to testsuite-75.service.
[ 2891.944112] systemd[1]: testsuite-75.service: Main process exited, code=exited, status=1/FAILURE
[ 2891.944215] systemd[1]: testsuite-75.service: Failed with result 'exit-code'.
```
Then, the test can fail earlier than the timeout of the whole test
specified by $QEMU_TIMEOUT=.
This is useful when we try to run the test multiple times.
Workaround for issue #24147.
We support PCR measurements for both classic TPM1.2 and TPM2, hence just
say "TPM" generically in that context. But the signed policies are
exclusive to TPM2, hence always say TPM2 there.
We mostly got that right, except at one place. Fix that.
Now that sd-stub will place the PCR signature and its public key in
the initrd's /.extra/ directory, let's copy it from there into /run/
from userspace. This is done because /.extra/ is on the initrd's tmpfs
which will be emptied during the initrd → host transition. Since we want
these two files to survive we'll copy them – if they exist – into /run/
where they will survive the transition.
Thus, with this last change the files will have safely propagated from
their PE sections into files in /run/ where userspace can find them
The paths in /run/ happen to be the exact ones that
systemd-cryptenroll/systemd-cryptsetup/systemd-creds look for them.
Pick up the two new sections in sd-stub and pass them as initrds into
the booted kernels, where they'll show up as
/.extra/tpm2-pcr-signature.json and /.extra/tpm2-pcr-public-key.pem in
the initrd file system.
The initrd is then supposed to pick these files up from there and save
them at a place that will survive into the host OS.
These aren't wired up yet to do anything useful. For now we just define
them.
This sections are supposed to carry a signature for expected
measurements on PCR 11 if this kernel is booted, in the JSON format
"systemd-measure sign" generates, and the public key used for the
signature.
The idea is to embedd the signature and the public key in unified
kernels and making them available to userspace, so that userspace can
easily access them and enroll (for which the public key is needed) or
unlock (for which the PCR signature is needed) LUKS2 volumes and
credentials that are bound to the currently used kernel version stream.
Why put these files in PE sections rather than just into simple files in
the initrd or into the host fs?
The signature cannot be in the initrd, since it is after all covering
the initrd, and thus the initrd as input for the calculation cannot
carry the result of the calculation. Putting the signature onto the root
fs sucks too, since we typically want to unlock the root fs with it,
hence it would be inaccessible for it's primary purpose then.
The public key could be in the initrd or in the root fs, there's no
technical restriction for that. However, I still think it's a good idea
to put it in a PE section as well, because this means the piece of code
that attaches the signature can also attach the public key easily in one
step, which is nice since it allows separating the roles of the
kernel/initrd/root fs builder, and the role of the signer, and the
former doesn't have to have knowledge about what the latter is going to
add to the image.
Note that the signature section is excluded from the TPM measurements
sd-stub does about its resource sections, since – as mentioned – it's
the expected output of the signing operation whose input are the
measurements, hence it cannot also be input to them. The public key
section is included in the measurements however.
