Commit Graph

4893 Commits

Author SHA1 Message Date
Lennart Poettering
17f244e8f9 resolved: introduce the _localdnsstub and _localdnsproxy special hostnames for 127.0.0.54 + 127.0.0.53
Let's give these special IP addresses names. After all name resolution
is our job here.

Fixes: #23623
2022-11-25 17:37:30 +01:00
Daan De Meyer
03288a3f28 Merge pull request #25500 from DaanDeMeyer/mcopy-skip-symlinks
mkfs-util: Skip symlinks when calling mcopy
2022-11-24 16:28:01 +01:00
Daan De Meyer
a0a4c57818 recurse-dir: Handle RECURSE_DIR_ENSURE_TYPE in readdir_all() 2022-11-24 14:02:19 +01:00
Daan De Meyer
06da125ea1 dirent-util: Expose dirent_ensure_type() 2022-11-24 13:18:00 +01:00
Yu Watanabe
00a60eaf5f Merge pull request #25483 from poettering/ppoll-usec-eintr
ppoll() + EINTR fixes
2022-11-24 09:42:48 +09:00
Lennart Poettering
0c14c45e5c sd-event: reenable epoll_pwait2()
This reenables epoll_pwait2() use, i.e. undoes the effect of
39f756d3ae.

Instead of just reverting that, this PR will change things so that we
strictly rely on glibc's new epoll_pwait2() wrapper (which was added
earlier this year), and drop our own manual fallback syscall wrapper.
That should nicely side-step any issues with correct syscall wrapping
definitions (which on some arch seem not to be easy, given the sigset_t
size final argument), by making this a glibc problem, not ours.

Given that the only benefit this delivers is time-outs more granular
than msec, it shouldn't really matter that we'll miss out on support
for this on systems with older glibcs.
2022-11-23 00:54:23 +01:00
Lennart Poettering
ffbcc8d423 io-util: document EINTR situation a bit 2022-11-22 15:23:34 +01:00
Yu Watanabe
6ad17c31fb Merge pull request #25470 from keszybz/strv-extendf-format
Improve check for strv_extendf() format string
2022-11-22 12:27:37 +09:00
Lennart Poettering
7d1e61cab6 tree-wide: make constant ratelimit compound actually const
The compiler should recognize that these are constant expressions, but
let's better make this explicit, so that the linker can safely share the
initializations all over the place.
2022-11-22 01:30:55 +01:00
Luca Boccassi
a0c544ee09 Merge pull request #25379 from keszybz/update-doc-links
Update doc links
2022-11-22 01:07:13 +01:00
Zbigniew Jędrzejewski-Szmek
400102ec91 basic/strv: check printf arguments to strv_extendf()
The second argument to _printf_() specifies where the arguments start. We need to
use 0 in two cases: when the args are in a va_list and can't be checked, and with journald
logging functions which accept multiple format strings with multiple argument sets,
which the _printf_ checker does not understand. But strv_extendf() can be checked.
2022-11-21 20:08:50 +01:00
Zbigniew Jędrzejewski-Szmek
db81144428 tree-wide: BLS and DPS are now on uapi-group website 2022-11-21 12:26:35 +01:00
Lennart Poettering
eb2a610210 Merge pull request #25410 from DaanDeMeyer/mkfs-xfs-fixes
Followups for #25400
2022-11-18 14:45:48 +01:00
Lennart Poettering
128a11ea99 signal-util: add common implementation for propagating a signal
i.e. let's add a common logic to be called from a signal handler to
raise the passed signal again.

Follow-up for: #25399
2022-11-17 22:38:14 +09:00
Daan De Meyer
f9fbac8b1f log: Remove log_ratelimit_debug() macros
These don't make sense anymore since we disable log ratelimiting
when logging at debug level.
2022-11-17 22:16:18 +09:00
Daan De Meyer
dd3c825294 tmpfile-util: Introduce fopen_temporary_child()
Instead of having fopen_temporary() create the file either next
to an existing file or in tmp/, let's split this up clearly into
two different functions, one for creating temporary files next to
existing files, and one for creating a temporary file in a directory.
2022-11-17 14:14:31 +01:00
Lennart Poettering
c204cfb2e8 Merge pull request #25399 from DaanDeMeyer/siginfo-crash
crash-handler: Make sure we propagate the original siginfo
2022-11-16 18:42:07 +01:00
Daan De Meyer
ffa8d1ba39 Merge pull request #25096 from DaanDeMeyer/journald-log-fixes
journal: Ratelimit more journald log messages
2022-11-16 16:40:00 +01:00
Daan De Meyer
a0f95434c0 sigbus: Add fallback in case rt_tgsigqueueinfo() fails 2022-11-16 16:07:31 +01:00
Luca Boccassi
39a306ba34 Merge pull request #25319 from zx2c4-forks/krngseed
boot: implement kernel EFI RNG seed protocol with proper hashing
2022-11-16 15:07:54 +01:00
Daan De Meyer
ee69f2b414 sigbus: Make sure the signal is delivered to the same thread 2022-11-16 15:07:23 +01:00
Daan De Meyer
a54219532d missing_syscall: Add rt_tgsigqueueinfo() 2022-11-16 15:03:41 +01:00
Daan De Meyer
a423050e28 log: Disable log rate limiting if debug logging is enabled
When debugging, it makes sense to not do any rate limiting at all.
2022-11-16 11:37:14 +01:00
Jason A. Donenfeld
0be72218f1 boot: implement kernel EFI RNG seed protocol with proper hashing
Rather than passing seeds up to userspace via EFI variables, pass seeds
directly to the kernel's EFI stub loader, via LINUX_EFI_RANDOM_SEED_TABLE_GUID.
EFI variables can potentially leak and suffer from forward secrecy
issues, and processing these with userspace means that they are
initialized much too late in boot to be useful. In contrast,
LINUX_EFI_RANDOM_SEED_TABLE_GUID uses EFI configuration tables, and so
is hidden from userspace entirely, and is parsed extremely early on by
the kernel, so that every single call to get_random_bytes() by the
kernel is seeded.

In order to do this properly, we use a bit more robust hashing scheme,
and make sure that each input is properly memzeroed out after use. The
scheme is:

    key = HASH(LABEL || sizeof(input1) || input1 || ... || sizeof(inputN) || inputN)
    new_disk_seed = HASH(key || 0)
    seed_for_linux = HASH(key || 1)

The various inputs are:
- LINUX_EFI_RANDOM_SEED_TABLE_GUID from prior bootloaders
- 256 bits of seed from EFI's RNG
- The (immutable) system token, from its EFI variable
- The prior on-disk seed
- The UEFI monotonic counter
- A timestamp

This also adjusts the secure boot semantics, so that the operation is
only aborted if it's not possible to get random bytes from EFI's RNG or
a prior boot stage. With the proper hashing scheme, this should make
boot seeds safe even on secure boot.

There is currently a bug in Linux's EFI stub in which if the EFI stub
manages to generate random bytes on its own using EFI's RNG, it will
ignore what the bootloader passes. That's annoying, but it means that
either way, via systemd-boot or via EFI stub's mechanism, the RNG *does*
get initialized in a good safe way. And this bug is now fixed in the
efi.git tree, and will hopefully be backported to older kernels.

As the kernel recommends, the resultant seeds are 256 bits and are
allocated using pool memory of type EfiACPIReclaimMemory, so that it
gets freed at the right moment in boot.
2022-11-14 15:21:58 +01:00
Yu Watanabe
d6c817358c Merge pull request #25338 from DaanDeMeyer/at-fixes
Followups for #24813
2022-11-13 22:59:40 +09:00
Yu Watanabe
87172c3df6 Merge pull request #25360 from poettering/strv-fixes
nulstr fixes
2022-11-13 20:17:10 +09:00
Lennart Poettering
d43e78b643 chase-symlinks: add new flag for prohibiting any following of symlinks
This is useful when operating in the ESP, which is untrusted territory,
and where under no circumstances we should be tricked by symlinks into
doing anything we don't want to.
2022-11-13 17:46:30 +09:00
Lennart Poettering
76078ad850 nulstr-util: fix corner cases of strv_make_nulstr()
Let's change the return semantics of strv_make_nulstr() so that we can
properly distinguish the case where we have no entries in the nulstr
from the case where we have a single empty string in a nulstr.

Previously we couldn't distinguish those, we'd in both cases return a
size of zero, and a buffer with two NUL bytes.

With this change, we'll still return a buffer with two NULL bytes, but
for the case where no entries are defined we'll return a size of zero,
and where we have two a size of one.

This is a good idea, as it makes sure we can properly handle all corner
cases.

Nowadays the function is used by one place only: ask-password-api.c. The
corner case never mattered there, since it was used to serialize
passwords, and it was known that there was exactly one password, not
less. But let's clean this up. This means the subtraction of the final
NUL byte now happens in ask-password-api.c instead.
2022-11-13 17:40:59 +09:00
Lennart Poettering
db645f936f nulstr-util: don't use 'r' for anything but integer return values 2022-11-13 17:39:08 +09:00
Lennart Poettering
1ef9703774 nulstr-util: use memdup_suffix0() where appropriate
If the nulstr is not nul-terminated, we shouldn't use strndup() but
memdup_suffix0(), to not trip up static analyzers which imply we are
duping a string here.
2022-11-13 17:39:08 +09:00
Lennart Poettering
eecac5053b nulstr-util: use _cleanup_strv_free_() where appropriate 2022-11-13 17:39:08 +09:00
Lennart Poettering
8ba17a319b nulstr-util: rebreak comments 2022-11-13 17:39:08 +09:00
Lennart Poettering
7f0f540500 nulstr-util: modernize strv_from_nulstr() a bit 2022-11-13 17:39:08 +09:00
Lennart Poettering
08af3cc5a5 strv: move nulstr utilities to nulstr-util.[ch]
Let's move them out of the generic, already very long strv.[ch] module
into the more specific nulstr-util.[ch]

No code changes.
2022-11-13 17:39:08 +09:00
Daan De Meyer
12e2b70f9b nulstr-util: Declare NULSTR_FOREACH() iterator inline 2022-11-11 16:31:32 +01:00
Daan De Meyer
5ea173a91b strv: Make sure strv_make_nulstr() always returns a valid nulstr
strv_make_nulstr() is documented to always return a valid nulstr,
but if the input is `NULL` we return a string terminated with only
a single NUL terminator, so let's fix that and always terminate the
resulting string with two NUL bytes.
2022-11-11 16:31:20 +01:00
Daan De Meyer
46fddd8eb6 Merge pull request #24803 from DaanDeMeyer/repart-copy-deny-list
repart: Don't descend into directories assigned to other partitions
2022-11-11 13:19:58 +01:00
Daan De Meyer
7d000133c2 fs-util: Add missing assert to chmod_and_chown_at() 2022-11-11 10:19:18 +01:00
Daan De Meyer
c2fc5890e3 chase-symlinks: Drop unnecessary if 2022-11-11 09:52:12 +01:00
Daan De Meyer
8c39e28191 path-util: Drop path_make_relative_cwd()
Function is unused
2022-11-11 09:50:50 +01:00
Daan De Meyer
8b9c56ba3e tmpfile-util: Add missing assert 2022-11-11 09:50:19 +01:00
Daan De Meyer
2199ff9018 log: Add shorthands for log_ratelimit_full() 2022-11-10 17:51:05 +01:00
Daan De Meyer
0f06e64c3d log: Add ratelimit argument to ratelimit log macros
Allows configuring the ratelimit per logging statement.
2022-11-10 17:51:03 +01:00
Daan De Meyer
7a2ec6d0bf log: Add log_ratelimit_full() 2022-11-10 17:49:34 +01:00
Daan De Meyer
fa83506d50 log: Use ##__VA_ARGS__ in ratelimit log macros
This allows us to call these without formatting arguments.
2022-11-10 17:49:34 +01:00
Lennart Poettering
71ea84369e locale: honour new env var $SYSTEMD_UTF8=
This is useful to force off fancy unicode glyph use (i.e. use "->"
instead of "→"), which is useful in tests where locales might be
missing, and thus control via $LC_CTYPE is not reliable.

Use this in TEST-58, to ensure the output checks we do aren't confused
by missing these glyphs being unicode or not.
2022-11-10 17:20:36 +01:00
Daan De Meyer
ddfdf86f81 stat-util: Move inode_hash_ops to stat-util
To make it usable in other code.
2022-11-10 15:59:18 +01:00
Luca Boccassi
741504aa17 Merge pull request #24813 from DaanDeMeyer/at-all-the-things
Add more openat() style variants for existing stuff
2022-11-10 10:57:14 +01:00
Luca Boccassi
84fe5182d5 Merge pull request #25315 from poettering/dissect-mtree
dissect: add new --mtree switch to generate BSD compatible mtree manifests of DDIs
2022-11-10 10:44:27 +01:00
Frantisek Sumsal
a92401d558 Merge pull request #25280 from keszybz/initrd-with-overlayfs
Initrd with overlayfs
2022-11-10 08:22:15 +00:00