systemd: build cryptsetup

packages/systemd-257/9012-openssl-util-build-without-ui.patch

@@ -0,0 +1,53 @@
+From cbd9ff7231882d22e79c69b333d5394bcdc144e8 Mon Sep 17 00:00:00 2001
+From: Vighnesh Maheshwari <vighmah@amazon.com>
+Date: Thu, 16 Oct 2025 10:00:47 -0700
+Subject: [PATCH] openssl-util: build without ui.h
+
+Remove some code that depends on openssl/ui.h which is not provided by
+aws-lc. This can probably be submitted upstream.
+
+Signed-off-by: Vighnesh Maheshwari <vighmah@amazon.com>
+---
+ src/shared/openssl-util.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
+index e25a175a80..784e764058 100644
+--- a/src/shared/openssl-util.h
++++ b/src/shared/openssl-util.h
+@@ -41,6 +41,9 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s
+ #  ifndef OPENSSL_NO_UI_CONSOLE
+ #    include <openssl/ui.h>
+ #  endif
++#  ifndef OPENSSL_HMAC_H
++#    include <openssl/hmac.h>
++#  endif
+ #  include <openssl/x509v3.h>
+ #  ifndef OPENSSL_VERSION_MAJOR
+ /* OPENSSL_VERSION_MAJOR macro was added in OpenSSL 3. Thus, if it doesn't exist,  we must be before OpenSSL 3. */
+@@ -151,7 +154,9 @@ int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_
+ typedef struct X509 X509;
+ typedef struct EVP_PKEY EVP_PKEY;
+ typedef struct EVP_MD EVP_MD;
++#  ifndef OPENSSL_NO_UI_CONSOLE
+ typedef struct UI_METHOD UI_METHOD;
++#  endif
+ typedef struct ASN1_TYPE ASN1_TYPE;
+ typedef struct ASN1_STRING ASN1_STRING;
+
+@@ -182,10 +187,16 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
+ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_TYPE*, ASN1_TYPE_free, NULL);
+ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_STRING*, ASN1_STRING_free, NULL);
+
++#ifndef OPENSSL_NO_UI_CONSOLE
+ struct OpenSSLAskPasswordUI {
+         AskPasswordRequest request;
+         UI_METHOD *method;
+ };
++#else
++struct OpenSSLAskPasswordUI {
++        AskPasswordRequest request;
++};
++#endif /* OPENSSL_NO_UI_CONSOLE */
+
+ OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui);

packages/systemd-257/9013-fix-openssl-aws-lc-divergence-in-data-types.patch

@@ -0,0 +1,67 @@
+From 8c72615cbc39cbfeaa907ec70cb8b1ce8ec6d2c3 Mon Sep 17 00:00:00 2001
+From: Vighnesh Maheshwari <vighmah@amazon.com>
+Date: Mon, 30 Jun 2025 21:55:27 +0000
+Subject: [PATCH] move unsigned long to uint32_t - openssl vs aws-lc
+ divergence
+
+Signed-off-by: Vighnesh Maheshwari <vighmah@amazon.com>
+---
+ src/resolve/resolved-dns-dnssec.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
+index 6d32b2d798..2f6f49cc7f 100644
+--- a/src/resolve/resolved-dns-dnssec.c
++++ b/src/resolve/resolved-dns-dnssec.c
+@@ -1,5 +1,7 @@
+ /* SPDX-License-Identifier: LGPL-2.1-or-later */
+
++#include <inttypes.h>
++
+ #include "alloc-util.h"
+ #include "dns-domain.h"
+ #include "fd-util.h"
+@@ -151,7 +153,7 @@ static int dnssec_rsa_verify_raw(
+         r = EVP_PKEY_verify(ctx, signature, signature_size, data, data_size);
+         if (r < 0)
+                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+-                                       "Signature verification failed: 0x%lx", ERR_get_error());
++                                       "Signature verification failed: %"PRIx32, ERR_get_error());
+
+ #  pragma GCC diagnostic pop
+ #else
+@@ -338,7 +340,7 @@ static int dnssec_ecdsa_verify_raw(
+
+         if (EC_KEY_set_public_key(eckey, p) <= 0)
+                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+-                                       "EC_POINT_bn2point failed: 0x%lx", ERR_get_error());
++                                       "EC_POINT_bn2point failed: %"PRIx32, ERR_get_error());
+
+         assert(EC_KEY_check_key(eckey) == 1);
+
+@@ -363,7 +365,7 @@ static int dnssec_ecdsa_verify_raw(
+         k = ECDSA_do_verify(data, data_size, sig, eckey);
+         if (k < 0)
+                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+-                                       "Signature verification failed: 0x%lx", ERR_get_error());
++                                       "Signature verification failed: %"PRIx32, ERR_get_error());
+
+ #  pragma GCC diagnostic pop
+ #else
+@@ -514,7 +516,7 @@ static int dnssec_eddsa_verify_raw(
+         evkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, NULL, key, key_size);
+         if (!evkey)
+                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+-                                       "EVP_PKEY_new_raw_public_key failed: 0x%lx", ERR_get_error());
++                                       "EVP_PKEY_new_raw_public_key failed: %"PRIx32, ERR_get_error());
+
+         pctx = EVP_PKEY_CTX_new(evkey, NULL);
+         if (!pctx)
+@@ -534,7 +536,7 @@ static int dnssec_eddsa_verify_raw(
+         r = EVP_DigestVerify(ctx, signature, signature_size, data, data_size);
+         if (r < 0)
+                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+-                                       "Signature verification failed: 0x%lx", ERR_get_error());
++                                       "Signature verification failed: %"PRIx32, ERR_get_error());
+
+         return r;

packages/systemd-257/9014-remove-NID_sm2.patch

@@ -0,0 +1,22 @@
+From 84cb90f65888d27dadd215c682f990a5f82094c2 Mon Sep 17 00:00:00 2001
+From: Vighnesh Maheshwari <vighmah@amazon.com>
+Date: Mon, 16 Jun 2025 22:31:17 +0000
+Subject: [PATCH] remove NID_sm2 support
+
+Signed-off-by: Vighnesh Maheshwari <vighmah@amazon.com>
+---
+ src/shared/tpm2-util.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git i/src/shared/tpm2-util.c w/src/shared/tpm2-util.c
+index 15dd98f0ab..b2d55a95c3 100644
+--- i/src/shared/tpm2-util.c
++++ w/src/shared/tpm2-util.c
+@@ -4358,7 +4358,6 @@ static const struct {
+         { TPM2_ECC_NIST_P256, NID_X9_62_prime256v1, },
+         { TPM2_ECC_NIST_P384, NID_secp384r1,        },
+         { TPM2_ECC_NIST_P521, NID_secp521r1,        },
+-        { TPM2_ECC_SM2_P256,  NID_sm2,              },
+ };
+
+ static int tpm2_ecc_curve_from_openssl_curve_id(int openssl_ecc_curve_id, TPM2_ECC_CURVE *ret) {

packages/systemd-257/9015-disable-sb-sign.patch

@@ -0,0 +1,47 @@
+From b6338d1be8abd778ca7f23b3b1f620efa15bd545 Mon Sep 17 00:00:00 2001
+From: Vighnesh Maheshwari <vighmah@amazon.com>
+Date: Wed, 2 Jul 2025 17:17:41 +0000
+Subject: [PATCH] Disable systemd-sbsign
+
+Signed-off-by: Vighnesh Maheshwari <vighmah@amazon.com>
+---
+ meson.build            | 1 +
+ meson_options.txt      | 3 +++
+ src/sbsign/meson.build | 1 +
+ 3 files changed, 5 insertions(+)
+
+diff --git a/meson.build b/meson.build
+index 7ede6f7a96..156be96348 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1707,6 +1707,7 @@ foreach term : ['analyze',
+                 'randomseed',
+                 'resolve',
+                 'rfkill',
++                'sbsign',
+                 'smack',
+                 'sysext',
+                 'sysusers',
+diff --git a/meson_options.txt b/meson_options.txt
+index aedc37413d..7a649cc1ba 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -551,3 +551,6 @@ option('vmlinux-h-path', type : 'string', value : '',
+
+ option('default-mountfsd-trusted-directories', type : 'boolean', value: false,
+        description : 'controls whether mountfsd should apply a relaxed policy on DDIs in system DDI directories')
++
++option('sbsign', type : 'boolean', value: false,
++       description : 'controls whether systemd-sbsign is built')
+diff --git a/src/sbsign/meson.build b/src/sbsign/meson.build
+index b6e0dbcde9..261bc4ec42 100644
+--- a/src/sbsign/meson.build
++++ b/src/sbsign/meson.build
+@@ -5,6 +5,7 @@ executables += [
+                 'name' : 'systemd-sbsign',
+                 'conditions' : [
+                         'HAVE_OPENSSL',
++                        'ENABLE_SBSIGN',
+                 ],
+                 'sources' : files('sbsign.c'),
+                 'dependencies' : libopenssl,

packages/systemd-257/9016-bootctl-disable-secure-boot-autoenroll.patch

@@ -0,0 +1,23 @@
+From ea520d8acb4dd0e07ddca292d1f502fe3373064c Mon Sep 17 00:00:00 2001
+From: Vighnesh Maheshwari <vighmah@amazon.com>
+Date: Wed, 8 Oct 2025 13:57:12 -0700
+Subject: [PATCH] bootctl: disable secure-boot autoenroll
+
+Signed-off-by: Vighnesh Maheshwari <vighmah@amazon.com>
+---
+ src/bootctl/bootctl-install.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c
+index c2b2faef3b..5960efd055 100644
+--- a/src/bootctl/bootctl-install.c
++++ b/src/bootctl/bootctl-install.c
+@@ -609,7 +609,7 @@ static int efi_timestamp(EFI_TIME *ret) {
+ #endif
+
+ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, EVP_PKEY *private_key) {
+-#if HAVE_OPENSSL
++#if 0
+         int r;
+
+         _cleanup_free_ uint8_t *dercert = NULL;

packages/systemd-257/9017-meson-set-DOPENSSL_NO_UI_CONSOLE-when-using-openssl.patch

@@ -0,0 +1,39 @@
+From f602a8397813ee3a4c339b108f48bc146185a8be Mon Sep 17 00:00:00 2001
+From: Vighnesh Maheshwari <vighmah@amazon.com>
+Date: Wed, 15 Oct 2025 15:32:19 -0700
+Subject: [PATCH] meson: set DOPENSSL_NO_UI_CONSOLE when using openssl
+
+Signed-off-by: Vighnesh Maheshwari <vighmah@amazon.com>
+---
+ meson.build       | 4 ++++
+ meson_options.txt | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/meson.build b/meson.build
+index 103febfd70..ae5cfc0428 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1389,6 +1389,10 @@ libopenssl = dependency('openssl',
+                         required : get_option('openssl'))
+ conf.set10('HAVE_OPENSSL', libopenssl.found())
+
++if get_option('opensslui').disabled()
++        userspace_c_args += '-DOPENSSL_NO_UI_CONSOLE=1'
++endif
++
+ libp11kit = dependency('p11-kit-1',
+                        version : '>= 0.23.3',
+                        required : get_option('p11kit'))
+diff --git a/meson_options.txt b/meson_options.txt
+index aedc37413d..7b17b0c990 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -439,6 +439,8 @@ option('gnutls', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
+        description : 'gnutls support')
+ option('openssl', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
+        description : 'openssl support')
++option('opensslui', type : 'feature', value : 'disabled',
++       description : 'openssl ui support')
+ option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'],
+        description : 'whether to use openssl or gcrypt where both are supported')
+ option('p11kit', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },

packages/systemd-257/Cargo.toml

@@ -12,16 +12,19 @@ path = "../packages.rs"
 releases-url = "https://github.com/systemd/systemd/releases"
 
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/systemd/systemd/archive/v257.7/systemd-257.7.tar.gz"
-sha512 = "fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411"
+url = "https://github.com/systemd/systemd/archive/v257.9/systemd-257.9.tar.gz"
+sha512 = "23b3d2764e0f990d8373068ccb41177793413bc193f7bd34e38b03d6fc3cd32d07c86e9dcbf07e32904075bb5eeca208f65beab04d628ac0e0b81ba87a975c1b"
 
 [build-dependencies]
 glibc = { path = "../glibc" }
 kmod = { path = "../kmod" }
 libacl = { path = "../libacl" }
 libattr = { path = "../libattr" }
 libcap = { path = "../libcap" }
+libcrypto = { path = "../libcrypto" }
+libcryptsetup = { path = "../libcryptsetup" }
 libseccomp = { path = "../libseccomp" }
 libselinux = { path = "../libselinux" }
+libtss2 = { path = "../libtss2" }
 libxcrypt = { path = "../libxcrypt" }
 util-linux = { path = "../util-linux" }