From 01d0fd7180c987a500434f769fd682e2f3fcb919 Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Mon, 13 Oct 2025 10:28:40 -0700 Subject: [PATCH 1/8] systemd: update systemd-257 to v257.9 --- packages/systemd-257/Cargo.toml | 4 ++-- packages/systemd-257/systemd-257.spec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/systemd-257/Cargo.toml b/packages/systemd-257/Cargo.toml index 1a74a48dd..6ae1f8b93 100644 --- a/packages/systemd-257/Cargo.toml +++ b/packages/systemd-257/Cargo.toml @@ -12,8 +12,8 @@ path = "../packages.rs" releases-url = "https://github.com/systemd/systemd/releases" [[package.metadata.build-package.external-files]] -url = "https://github.com/systemd/systemd/archive/v257.7/systemd-257.7.tar.gz" -sha512 = "fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411" +url = "https://github.com/systemd/systemd/archive/v257.9/systemd-257.9.tar.gz" +sha512 = "23b3d2764e0f990d8373068ccb41177793413bc193f7bd34e38b03d6fc3cd32d07c86e9dcbf07e32904075bb5eeca208f65beab04d628ac0e0b81ba87a975c1b" [build-dependencies] glibc = { path = "../glibc" } diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index ad717708b..08eda08da 100644 --- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec @@ -4,7 +4,7 @@ %global package_priority_epoch 0 Name: %{_cross_os}systemd-257 -Version: 257.7 +Version: 257.9 Release: 1%{?dist} Summary: System and Service Manager License: GPL-2.0-or-later AND GPL-2.0-only AND LGPL-2.1-or-later From d5835882da5c5b363af4be6093847cb6edcd05d9 Mon Sep 17 00:00:00 2001 
From: Vighnesh Maheshwari Date: Mon, 13 Oct 2025 10:33:02 -0700 Subject: [PATCH 2/8] systemd: remove openssl/ui support This extends the upstream patch to allow building systemd with openssl drop-ins that don't have UI support --- .../9012-openssl-util-build-without-ui.patch | 53 +++++++++++++++++++ packages/systemd-257/systemd-257.spec | 4 ++ 2 files changed, 57 insertions(+) create mode 100644 packages/systemd-257/9012-openssl-util-build-without-ui.patch diff --git a/packages/systemd-257/9012-openssl-util-build-without-ui.patch b/packages/systemd-257/9012-openssl-util-build-without-ui.patch new file mode 100644 index 000000000..b65e0c47f --- /dev/null +++ b/packages/systemd-257/9012-openssl-util-build-without-ui.patch 
@@ -0,0 +1,53 @@ +From cbd9ff7231882d22e79c69b333d5394bcdc144e8 Mon Sep 17 00:00:00 2001 +From: Vighnesh Maheshwari +Date: Thu, 16 Oct 2025 10:00:47 -0700 +Subject: [PATCH] openssl-util: build without ui.h + +Remove some code that depends on openssl/ui.h which is not provided by +aws-lc. This can probably be submitted upstream. + +Signed-off-by: Vighnesh Maheshwari +--- + src/shared/openssl-util.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h +index e25a175a80..784e764058 100644 +--- a/src/shared/openssl-util.h ++++ b/src/shared/openssl-util.h +@@ -41,6 +41,9 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s + # ifndef OPENSSL_NO_UI_CONSOLE + # include + # endif ++# ifndef OPENSSL_HMAC_H ++# include ++# endif + # include + # ifndef OPENSSL_VERSION_MAJOR + /* OPENSSL_VERSION_MAJOR macro was added in OpenSSL 3. Thus, if it doesn't exist, we must be before OpenSSL 3. */ +@@ -151,7 +154,9 @@ int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_ + typedef struct X509 X509; + typedef struct EVP_PKEY EVP_PKEY; + typedef struct EVP_MD EVP_MD; ++# ifndef OPENSSL_NO_UI_CONSOLE + typedef struct UI_METHOD UI_METHOD; ++# endif + typedef struct ASN1_TYPE ASN1_TYPE; + typedef struct ASN1_STRING ASN1_STRING; + +@@ -182,10 +187,16 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL); + DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TYPE*, ASN1_TYPE_free, NULL); + DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_STRING*, ASN1_STRING_free, NULL); + ++#ifndef OPENSSL_NO_UI_CONSOLE + struct OpenSSLAskPasswordUI { + AskPasswordRequest request; + UI_METHOD *method; + }; ++#else ++struct OpenSSLAskPasswordUI { ++ AskPasswordRequest request; ++}; ++#endif /* OPENSSL_NO_UI_CONSOLE */ + + OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui); 
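Review bot: The `OPENSSL_HMAC_H` include block added in the first hunk of the embedded openssl-util.h patch is not covered by its subject or description, which only mention ui.h, and the name of the header it includes is lost in this rendering; the patch description should say which header it pulls in and why the drop-in libcrypto needs it included explicitly. The two `struct OpenSSLAskPasswordUI` definitions in the last hunk can collapse into one with a conditional member, which keeps the field order identical and stops the two copies drifting apart. With `OPENSSL_NO_UI_CONSOLE` set the `method` member disappears, so any code in openssl-util.c that dereferences `ui->method` must sit under the same guard; the diffstat shows only the header is patched, so presumably upstream already guards those uses — worth confirming with a build that has the define set.
```c
struct OpenSSLAskPasswordUI {
        AskPasswordRequest request;
#ifndef OPENSSL_NO_UI_CONSOLE
        UI_METHOD *method;
#endif
};
```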
diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index 08eda08da..140d4c0ce 100644 --- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec @@ -57,6 +57,10 @@ Patch9010: 9010-meson-replace-openssl-dependency-with-libcrypto.patch # policy Patch9011: 9011-suppress-log-for-units-with-mode-0044.patch +# Remove some code that depends on openssl/ui.h which is not provided by +# aws-lc +Patch9012: 9012-openssl-util-build-without-ui.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson From ba1a2e312bf565f4625ab957854315387b88dc84 Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Mon, 13 Oct 2025 10:38:25 -0700 Subject: [PATCH 3/8] systemd: fix type mismatch between openssl and aws-lc openssl and aws-lc (and boringssl) have diverged wrt the return type of ERR_get_error() and `long unsigned int` has been patched to be `uint32_t` instead --- ...nssl-aws-lc-divergence-in-data-types.patch | 67 +++++++++++++++++++ packages/systemd-257/systemd-257.spec | 3 + 2 files changed, 70 insertions(+) create mode 100644 packages/systemd-257/9013-fix-openssl-aws-lc-divergence-in-data-types.patch diff --git a/packages/systemd-257/9013-fix-openssl-aws-lc-divergence-in-data-types.patch b/packages/systemd-257/9013-fix-openssl-aws-lc-divergence-in-data-types.patch new file mode 100644 index 000000000..0b28c9009 --- /dev/null +++ b/packages/systemd-257/9013-fix-openssl-aws-lc-divergence-in-data-types.patch 
@@ -0,0 +1,67 @@ +From 8c72615cbc39cbfeaa907ec70cb8b1ce8ec6d2c3 Mon Sep 17 00:00:00 2001 +From: Vighnesh Maheshwari +Date: Mon, 30 Jun 2025 21:55:27 +0000 +Subject: [PATCH] move unsigned long to uint32_t - openssl vs aws-lc + divergence + +Signed-off-by: Vighnesh Maheshwari +--- + src/resolve/resolved-dns-dnssec.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c +index 6d32b2d798..2f6f49cc7f 100644 +--- a/src/resolve/resolved-dns-dnssec.c ++++ b/src/resolve/resolved-dns-dnssec.c +@@ -1,5 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + ++#include ++ + #include "alloc-util.h" + #include "dns-domain.h" + #include "fd-util.h" +@@ -151,7 +153,7 @@ static int dnssec_rsa_verify_raw( + r = EVP_PKEY_verify(ctx, signature, signature_size, data, data_size); + if (r < 0) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), +- "Signature verification failed: 0x%lx", ERR_get_error()); ++ "Signature verification failed: %"PRIx32, ERR_get_error()); + + # pragma GCC diagnostic pop + #else +@@ -338,7 +340,7 @@ static int dnssec_ecdsa_verify_raw( + + if (EC_KEY_set_public_key(eckey, p) <= 0) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), +- "EC_POINT_bn2point failed: 0x%lx", ERR_get_error()); ++ "EC_POINT_bn2point failed: %"PRIx32, ERR_get_error()); + + assert(EC_KEY_check_key(eckey) == 1); + +@@ -363,7 +365,7 @@ static int dnssec_ecdsa_verify_raw( + k = ECDSA_do_verify(data, data_size, sig, eckey); + if (k < 0) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), +- "Signature verification failed: 0x%lx", ERR_get_error()); ++ "Signature verification failed: %"PRIx32, ERR_get_error()); + + # pragma GCC diagnostic pop + #else +@@ -514,7 +516,7 @@ static int dnssec_eddsa_verify_raw( + evkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL, key, key_size); + if (!evkey) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), +- "EVP_PKEY_new_raw_public_key failed: 0x%lx", 
ERR_get_error()); ++ "EVP_PKEY_new_raw_public_key failed: %"PRIx32, ERR_get_error()); + + pctx = EVP_PKEY_CTX_new(evkey, NULL); + if (!pctx) +@@ -534,7 +536,7 @@ static int dnssec_eddsa_verify_raw( + r = EVP_DigestVerify(ctx, signature, signature_size, data, data_size); + if (r < 0) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), +- "Signature verification failed: 0x%lx", ERR_get_error()); ++ "Signature verification failed: %"PRIx32, ERR_get_error()); + + return r; diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index 140d4c0ce..68b8652b7 100644 --- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec @@ -61,6 +61,9 @@ Patch9011: 9011-suppress-log-for-units-with-mode-0044.patch # aws-lc Patch9012: 9012-openssl-util-build-without-ui.patch +# Fix data type mismatch between aws-lc and openssl +Patch9013: 9013-fix-openssl-aws-lc-divergence-in-data-types.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson From 9e69da4f070030ee020cc7dd25830187c749aa21 Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Mon, 13 Oct 2025 10:50:54 -0700 Subject: [PATCH 4/8] systemd: remove unsupported cipher --- .../systemd-257/9014-remove-NID_sm2.patch | 22 +++++++++++++++++++ packages/systemd-257/systemd-257.spec | 3 +++ 2 files changed, 25 insertions(+) create mode 100644 packages/systemd-257/9014-remove-NID_sm2.patch diff --git a/packages/systemd-257/9014-remove-NID_sm2.patch b/packages/systemd-257/9014-remove-NID_sm2.patch new file mode 100644 index 000000000..052640c34 --- /dev/null +++ b/packages/systemd-257/9014-remove-NID_sm2.patch 
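Review bot: The new `%"PRIx32` conversions in resolved-dns-dnssec.c are only correct when `ERR_get_error()` returns `uint32_t`, as it does in aws-lc/BoringSSL; against OpenSSL's `unsigned long` return the format and argument no longer match, which is undefined behaviour, and the rewrite also drops the `0x` prefix from all five log messages. A cast keeps the original format correct for both libraries and needs no new include: `"Signature verification failed: 0x%lx", (unsigned long) ERR_get_error()`, applied at each of the five sites in this hunk. The enclosing verify functions are cut by the hunk boundaries, and the name of the header added at the top of the file is lost in this rendering, so the patch description should name it.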
@@ -0,0 +1,22 @@ +From 84cb90f65888d27dadd215c682f990a5f82094c2 Mon Sep 17 00:00:00 2001 +From: Vighnesh Maheshwari +Date: Mon, 16 Jun 2025 22:31:17 +0000 +Subject: [PATCH] remove NID_sm2 support + +Signed-off-by: Vighnesh Maheshwari +--- + src/shared/tpm2-util.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git i/src/shared/tpm2-util.c w/src/shared/tpm2-util.c +index 15dd98f0ab..b2d55a95c3 100644 +--- i/src/shared/tpm2-util.c ++++ w/src/shared/tpm2-util.c +@@ -4358,7 +4358,6 @@ static const struct { + { TPM2_ECC_NIST_P256, NID_X9_62_prime256v1, }, + { TPM2_ECC_NIST_P384, NID_secp384r1, }, + { TPM2_ECC_NIST_P521, NID_secp521r1, }, +- { TPM2_ECC_SM2_P256, NID_sm2, }, + }; + + static int tpm2_ecc_curve_from_openssl_curve_id(int openssl_ecc_curve_id, TPM2_ECC_CURVE *ret) { diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index 68b8652b7..495415b4a 100644 --- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec @@ -64,6 +64,9 @@ Patch9012: 9012-openssl-util-build-without-ui.patch # Fix data type mismatch between aws-lc and openssl Patch9013: 9013-fix-openssl-aws-lc-divergence-in-data-types.patch +# Remove unsupported NID_sm2 cipher +Patch9014: 9014-remove-NID_sm2.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson From 26e7c12bd199b6a4bcb43bb792e983a45e9b4fe8 Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Mon, 13 Oct 2025 10:54:10 -0700 Subject: [PATCH 5/8] systemd: disable systemd-sb-sign sb-sign has a dependency on PKCS7 which is not provided by aws-lc. Adding a new meson option to prevent it from being built --- .../systemd-257/9015-disable-sb-sign.patch | 47 +++++++++++++++++++ packages/systemd-257/systemd-257.spec | 4 ++ 2 files changed, 51 insertions(+) create mode 100644 packages/systemd-257/9015-disable-sb-sign.patch 
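Review bot: The new spec comment `# Remove unsupported NID_sm2 cipher` misnames what the patch removes: `NID_sm2` is the OpenSSL identifier for the SM2 elliptic curve, and the deleted line is the `TPM2_ECC_SM2_P256` to `NID_sm2` row of the curve-mapping table in tpm2-util.c, not a cipher. Suggest `# Drop the TPM2_ECC_SM2_P256 <-> NID_sm2 curve mapping (SM2 is not provided by the libcrypto used here)`, stating the actual reason if it differs — the commit message only says "unsupported". After the removal the surrounding lookup function presumably reports SM2 as an unknown curve, which is the expected failure mode rather than a silent fallback; the table and that function start and end outside the hunk.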
diff --git a/packages/systemd-257/9015-disable-sb-sign.patch b/packages/systemd-257/9015-disable-sb-sign.patch new file mode 100644 index 000000000..7d500cb32 --- /dev/null +++ b/packages/systemd-257/9015-disable-sb-sign.patch @@ -0,0 +1,47 @@ +From b6338d1be8abd778ca7f23b3b1f620efa15bd545 Mon Sep 17 00:00:00 2001 +From: Vighnesh Maheshwari +Date: Wed, 2 Jul 2025 17:17:41 +0000 +Subject: [PATCH] Disable systemd-sbsign + +Signed-off-by: Vighnesh Maheshwari +--- + meson.build | 1 + + meson_options.txt | 3 +++ + src/sbsign/meson.build | 1 + + 3 files changed, 5 insertions(+) + +diff --git a/meson.build b/meson.build +index 7ede6f7a96..156be96348 100644 +--- a/meson.build ++++ b/meson.build +@@ -1707,6 +1707,7 @@ foreach term : ['analyze', + 'randomseed', + 'resolve', + 'rfkill', ++ 'sbsign', + 'smack', + 'sysext', + 'sysusers', +diff --git a/meson_options.txt b/meson_options.txt +index aedc37413d..7a649cc1ba 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -551,3 +551,6 @@ option('vmlinux-h-path', type : 'string', value : '', + + option('default-mountfsd-trusted-directories', type : 'boolean', value: false, + description : 'controls whether mountfsd should apply a relaxed policy on DDIs in system DDI directories') ++ ++option('sbsign', type : 'boolean', value: false, ++ description : 'controls whether systemd-sbsign is built') +diff --git a/src/sbsign/meson.build b/src/sbsign/meson.build +index b6e0dbcde9..261bc4ec42 100644 +--- a/src/sbsign/meson.build ++++ b/src/sbsign/meson.build +@@ -5,6 +5,7 @@ executables += [ + 'name' : 'systemd-sbsign', + 'conditions' : [ + 'HAVE_OPENSSL', ++ 'ENABLE_SBSIGN', + ], + 'sources' : files('sbsign.c'), + 'dependencies' : libopenssl, diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index 495415b4a..2c494299f 100644 --- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec 
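Review bot: The new `sbsign` meson option defaults to `value: false`, so anyone applying this patch loses systemd-sbsign silently even where their libcrypto does provide PKCS7; defaulting to `value: true` would preserve upstream behaviour and keep the patch upstreamable, with this spec opting out explicitly via `-Dsbsign=false`. Adding `'sbsign'` to the `foreach term` list presumably derives the `ENABLE_SBSIGN` condition consumed in src/sbsign/meson.build; that list starts and ends outside the hunk, so confirm it is the loop that emits `ENABLE_*` and not one of the other option loops in meson.build. The option description could also name the reason the switch exists, e.g. `'controls whether systemd-sbsign is built (requires PKCS7 support in libcrypto)'`.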
@@ -67,6 +67,10 @@ Patch9013: 9013-fix-openssl-aws-lc-divergence-in-data-types.patch # Remove unsupported NID_sm2 cipher Patch9014: 9014-remove-NID_sm2.patch +# Disable sb-sign since that has a dependency on PKCS7 which is not provided +# by aws-lc +Patch9015: 9015-disable-sb-sign.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson From 2de36c9543a143be9280d1eb923c22c6ebb1cb57 Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Mon, 13 Oct 2025 10:56:07 -0700 Subject: [PATCH 6/8] systemd: stub out an unsupported method in bootctl Stub out install_secure_boot_auto_enroll since it depends on PKCS7. Instead default to the EOPNOTSUPP condition with a debug log --- ...otctl-disable-secure-boot-autoenroll.patch | 23 +++++++++++++++++++ packages/systemd-257/systemd-257.spec | 4 ++++ 2 files changed, 27 insertions(+) create mode 100644 packages/systemd-257/9016-bootctl-disable-secure-boot-autoenroll.patch diff --git a/packages/systemd-257/9016-bootctl-disable-secure-boot-autoenroll.patch b/packages/systemd-257/9016-bootctl-disable-secure-boot-autoenroll.patch new file mode 100644 index 000000000..0db98ffdc --- /dev/null +++ b/packages/systemd-257/9016-bootctl-disable-secure-boot-autoenroll.patch 
@@ -0,0 +1,23 @@ +From ea520d8acb4dd0e07ddca292d1f502fe3373064c Mon Sep 17 00:00:00 2001 +From: Vighnesh Maheshwari +Date: Wed, 8 Oct 2025 13:57:12 -0700 +Subject: [PATCH] bootctl: disable secure-boot autoenroll + +Signed-off-by: Vighnesh Maheshwari +--- + src/bootctl/bootctl-install.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c +index c2b2faef3b..5960efd055 100644 +--- a/src/bootctl/bootctl-install.c ++++ b/src/bootctl/bootctl-install.c +@@ -609,7 +609,7 @@ static int efi_timestamp(EFI_TIME *ret) { + #endif + + static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, EVP_PKEY *private_key) { +-#if HAVE_OPENSSL ++#if 0 + int r; + + _cleanup_free_ uint8_t *dercert = NULL; diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index 2c494299f..afb9a50b1 100644 --- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec @@ -71,6 +71,10 @@ Patch9014: 9014-remove-NID_sm2.patch # by aws-lc Patch9015: 9015-disable-sb-sign.patch +# Stub out install_secure_boot_auto_enroll since it depends on PKCS7. Instead +# default to the EOPNOTSUPP condition with a debug log +Patch9016: 9016-bootctl-disable-secure-boot-autoenroll.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson From 8dbef99e09bdb91362c5555ebfd6d9e142466f8a Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Thu, 16 Oct 2025 10:28:26 -0700 Subject: [PATCH 7/8] systemd: add meson option to set openssl ui cargs Add a patch to extend meson options to set OPENSSL_NO_UI_CONSOLE=1 during build. The option can be controlled with the CONFIGURE_OPTS in the specfile --- ...SSL_NO_UI_CONSOLE-when-using-openssl.patch | 39 +++++++++++++++++++ packages/systemd-257/systemd-257.spec | 3 ++ 2 files changed, 42 insertions(+) create mode 100644 packages/systemd-257/9017-meson-set-DOPENSSL_NO_UI_CONSOLE-when-using-openssl.patch 
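Review bot: Replacing `#if HAVE_OPENSSL` with a bare `#if 0` in `install_secure_boot_auto_enroll()` leaves no trace in the source of why the branch is off or when it can come back, and the function body and its `#else` fallback are outside the hunk. Keep the reason next to the guard, e.g. `#if 0 /* was HAVE_OPENSSL: needs PKCS7, which the libcrypto used here does not provide */`, so the dead code is not mistaken for an abandoned experiment. Per the commit message the `#else` path returns EOPNOTSUPP with a debug log; since auto-enrolment is a Secure Boot provisioning step an operator explicitly requested, a debug-level message may be too quiet — worth checking what the existing fallback actually logs before relying on it.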
diff --git a/packages/systemd-257/9017-meson-set-DOPENSSL_NO_UI_CONSOLE-when-using-openssl.patch b/packages/systemd-257/9017-meson-set-DOPENSSL_NO_UI_CONSOLE-when-using-openssl.patch new file mode 100644 index 000000000..d83fd3885 --- /dev/null +++ b/packages/systemd-257/9017-meson-set-DOPENSSL_NO_UI_CONSOLE-when-using-openssl.patch @@ -0,0 +1,39 @@ +From f602a8397813ee3a4c339b108f48bc146185a8be Mon Sep 17 00:00:00 2001 +From: Vighnesh Maheshwari +Date: Wed, 15 Oct 2025 15:32:19 -0700 +Subject: [PATCH] meson: set DOPENSSL_NO_UI_CONSOLE when using openssl + +Signed-off-by: Vighnesh Maheshwari +--- + meson.build | 4 ++++ + meson_options.txt | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/meson.build b/meson.build +index 103febfd70..ae5cfc0428 100644 +--- a/meson.build ++++ b/meson.build +@@ -1389,6 +1389,10 @@ libopenssl = dependency('openssl', + required : get_option('openssl')) + conf.set10('HAVE_OPENSSL', libopenssl.found()) + ++if get_option('opensslui').disabled() ++ userspace_c_args += '-DOPENSSL_NO_UI_CONSOLE=1' ++endif ++ + libp11kit = dependency('p11-kit-1', + version : '>= 0.23.3', + required : get_option('p11kit')) +diff --git a/meson_options.txt b/meson_options.txt +index aedc37413d..7b17b0c990 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -439,6 +439,8 @@ option('gnutls', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : + description : 'gnutls support') + option('openssl', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' }, + description : 'openssl support') ++option('opensslui', type : 'feature', value : 'disabled', ++ description : 'openssl ui support') + option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'], + description : 'whether to use openssl or gcrypt where both are supported') + option('p11kit', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' }, 
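Review bot: The `opensslui` feature option only reacts to `disabled()`, so with `auto` the define is never added and openssl/ui.h is assumed to exist; since this series exists precisely because some libcrypto drop-ins lack the UI console API, `auto` should probe rather than assume, e.g. `if get_option('opensslui').disabled() or (get_option('opensslui').auto() and not cc.has_header('openssl/ui.h', dependencies : libopenssl))` — assuming `cc` is the usual compiler object in this meson.build. The description `'openssl ui support'` is vague; `'whether the OpenSSL UI console API (openssl/ui.h) is available; disabled defines OPENSSL_NO_UI_CONSOLE'` tells the builder what the switch does. The block appends to `userspace_c_args` whether or not openssl was found, which is harmless but could sit inside a `libopenssl.found()` check for clarity.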
diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index afb9a50b1..282ea0a13 100644 --- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec @@ -75,6 +75,9 @@ Patch9015: 9015-disable-sb-sign.patch # default to the EOPNOTSUPP condition with a debug log Patch9016: 9016-bootctl-disable-secure-boot-autoenroll.patch +# Patch meson to set OPENSSL_NO_UI_CONSOLE CFLAGS for the build +Patch9017: 9017-meson-set-DOPENSSL_NO_UI_CONSOLE-when-using-openssl.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson From aa360e9ac191963ddc2d4ecb05b212572a36e0ad Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Mon, 13 Oct 2025 10:58:01 -0700 Subject: [PATCH 8/8] systemd: build cryptsetup --- Cargo.lock | 3 ++ packages/systemd-257/Cargo.toml | 3 ++ packages/systemd-257/systemd-257.spec | 61 ++++++++++++++++++++++++--- 3 files changed, 62 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 330a7c673..d49d7969c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1038,8 +1038,11 @@ dependencies = [ "libacl", "libattr", "libcap", + "libcrypto", + "libcryptsetup", "libseccomp", "libselinux", + "libtss2", "libxcrypt", "util-linux", ] diff --git a/packages/systemd-257/Cargo.toml b/packages/systemd-257/Cargo.toml index 6ae1f8b93..dfbc2f3c8 100644 --- a/packages/systemd-257/Cargo.toml +++ b/packages/systemd-257/Cargo.toml @@ -21,7 +21,10 @@ kmod = { path = "../kmod" } libacl = { path = "../libacl" } libattr = { path = "../libattr" } libcap = { path = "../libcap" } +libcrypto = { path = "../libcrypto" } +libcryptsetup = { path = "../libcryptsetup" } libseccomp = { path = "../libseccomp" } libselinux = { path = "../libselinux" } +libtss2 = { path = "../libtss2" } libxcrypt = { path = "../libxcrypt" } util-linux = { path = "../util-linux" } diff --git a/packages/systemd-257/systemd-257.spec b/packages/systemd-257/systemd-257.spec index 282ea0a13..7319041b5 100644 
--- a/packages/systemd-257/systemd-257.spec +++ b/packages/systemd-257/systemd-257.spec @@ -87,10 +87,13 @@ BuildRequires: %{_cross_os}libacl-devel BuildRequires: %{_cross_os}libattr-devel BuildRequires: %{_cross_os}libblkid-devel BuildRequires: %{_cross_os}libcap-devel +BuildRequires: %{_cross_os}libcrypto-devel +BuildRequires: %{_cross_os}libcryptsetup-devel BuildRequires: %{_cross_os}libfdisk-devel BuildRequires: %{_cross_os}libmount-devel BuildRequires: %{_cross_os}libseccomp-devel BuildRequires: %{_cross_os}libselinux-devel +BuildRequires: %{_cross_os}libtss2-devel BuildRequires: %{_cross_os}libuuid-devel BuildRequires: %{_cross_os}libxcrypt-devel @@ -99,10 +102,13 @@ Requires: %{_cross_os}libacl Requires: %{_cross_os}libattr Requires: %{_cross_os}libblkid Requires: %{_cross_os}libcap +Requires: %{_cross_os}libcrypto +Requires: %{_cross_os}libcryptsetup Requires: %{_cross_os}libfdisk Requires: %{_cross_os}libmount Requires: %{_cross_os}libseccomp Requires: %{_cross_os}libselinux +Requires: %{_cross_os}libtss2 Requires: %{_cross_os}libuuid Requires: %{_cross_os}libxcrypt @@ -305,11 +311,13 @@ CONFIGURE_OPTS=( -Dstoragetm=false -Dukify=disabled - -Dlibcryptsetup=disabled - -Dlibcryptsetup-plugins=disabled - -Dopenssl=disabled - -Dtpm2=disabled - -Dtpm=false + -Dlibcryptsetup=enabled + -Dlibcryptsetup-plugins=enabled + -Dopenssl=enabled + -Dtpm2=enabled + -Dtpm=true + -Dsbsign=false + -Dopensslui=disabled ) %cross_meson "${CONFIGURE_OPTS[@]}" @@ -598,6 +606,8 @@ install -p -m 0644 %{S:2} %{buildroot}%{_cross_bootconfigdir}/21-cgroup-enable-l # Exclude remote filesystem targets. %exclude %{_cross_unitdir}/remote-fs-pre.target %exclude %{_cross_unitdir}/remote-fs.target +%exclude %{_cross_unitdir}/remote-cryptsetup.target +%exclude %{_cross_unitdir}/remote-veritysetup.target # Exclude user-related functionality. %exclude %{_cross_unitdir}/user-runtime-dir@.service 
@@ -611,6 +621,7 @@ install -p -m 0644 %{S:2} %{buildroot}%{_cross_bootconfigdir}/21-cgroup-enable-l %exclude %{_cross_libdir}/systemd/user-preset/90-systemd.preset # Exclude units related to the initrd. +%exclude %{_cross_unitdir}/initrd-root-device.target.wants %exclude %{_cross_unitdir}/initrd-root-fs.target.wants # Exclude repart service since we have custom repart logic. @@ -633,6 +644,21 @@ install -p -m 0644 %{S:2} %{buildroot}%{_cross_bootconfigdir}/21-cgroup-enable-l %exclude %{_cross_unitdir}/system-update.target %exclude %{_cross_unitdir}/systemd-update-done.service +# Exclude functionality related to pcrextend +%exclude %{_cross_libdir}/pcrlock.d/350-action-efi-application.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/400-secureboot-separator.pcrlock.d/300-0x00000000.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/400-secureboot-separator.pcrlock.d/600-0xffffffff.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/500-separator.pcrlock.d/300-0x00000000.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/500-separator.pcrlock.d/600-0xffffffff.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/700-action-efi-exit-boot-services.pcrlock.d/300-present.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/700-action-efi-exit-boot-services.pcrlock.d/600-absent.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/750-enter-initrd.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/800-leave-initrd.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/850-sysinit.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/900-ready.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/950-shutdown.pcrlock +%exclude %{_cross_libdir}/pcrlock.d/990-final.pcrlock + %dir %{_cross_libdir}/udev %{_cross_libdir}/udev/ata_id %{_cross_libdir}/udev/cdrom_id 
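Review bot: The comment `# Exclude functionality related to pcrextend` heads a list of `pcrlock.d` fragments, which belong to systemd-pcrlock, not systemd-pcrextend, while the new `%files cryptsetup` section in the final hunk ships `%{_cross_libdir}/systemd/systemd-pcrlock` itself. Shipping the binary but excluding every fragment leaves a tool that cannot build a complete measurement policy, so either exclude `systemd-pcrlock` alongside the fragments or keep the fragments; at minimum rename the comment to `# Exclude pcrlock policy fragments (systemd-pcrlock policies are not supported here)`. If the intent is to keep the TPM2 attack surface minimal, dropping the unused binary is the cleaner of the two.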
@@ -806,3 +832,28 @@ install -p -m 0644 %{S:2} %{buildroot}%{_cross_bootconfigdir}/21-cgroup-enable-l %{_cross_datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf %exclude %{_cross_bindir}/systemd-resolve %exclude %{_cross_sbindir}/resolvconf + +%files cryptsetup +%{_cross_bindir}/systemd-cryptenroll +%{_cross_bindir}/systemd-cryptsetup +%{_cross_libdir}/cryptsetup/libcryptsetup-token-systemd-tpm2.so +%{_cross_libdir}/systemd/systemd-cryptsetup +%{_cross_libdir}/systemd/systemd-integritysetup +%{_cross_libdir}/systemd/systemd-keyutil +%{_cross_libdir}/systemd/systemd-measure +%{_cross_libdir}/systemd/systemd-pcrlock +%{_cross_libdir}/systemd/systemd-veritysetup +%{_cross_systemdgeneratordir}/systemd-cryptsetup-generator +%{_cross_systemdgeneratordir}/systemd-integritysetup-generator +%{_cross_systemdgeneratordir}/systemd-veritysetup-generator +%{_cross_unitdir}/cryptsetup.target +%{_cross_unitdir}/cryptsetup-pre.target +%{_cross_unitdir}/integritysetup.target +%{_cross_unitdir}/integritysetup-pre.target +%{_cross_unitdir}/veritysetup.target +%{_cross_unitdir}/veritysetup-pre.target +%{_cross_unitdir}/*cryptsetup.slice +%{_cross_unitdir}/sysinit.target.wants/cryptsetup.target +%{_cross_unitdir}/sysinit.target.wants/integritysetup.target +%{_cross_unitdir}/sysinit.target.wants/veritysetup.target +%{_cross_unitdir}/system-systemd\x2dveritysetup.slice
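Review bot: A `%files cryptsetup` section is added but no `%package cryptsetup` / `%description cryptsetup` definition appears in this commit — the diffstat's 56 spec insertions are fully accounted for by the visible hunks — so unless the subpackage is already declared earlier in the spec, rpmbuild will reject a `%files` section for an undefined package; add a `%package cryptsetup` block with a `Summary:` and `Requires: %{_cross_os}systemd-257` alongside the main preamble (wording as a placeholder, match the spec's existing subpackage sections). The libcryptsetup and libtss2 `Requires:` added in the earlier hunk attach to the main package even though the cryptsetup and TPM2 binaries land in this subpackage; if libsystemd-shared does not link them directly they belong on the subpackage instead. Style: the cryptsetup slice is matched by the glob `*cryptsetup.slice` while the veritysetup slice is spelled out with the literal `\x2d` escape; pick one form for both.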