morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 08:56:15 +09:00
Code Issues Packages Projects Releases Wiki Activity
72,807 Commits 1 Branch 0 Tags
cb835a2ed13604358d356514955b4a2b003dcee6
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Lennart Poettering cb835a2ed1 pcrlock: switch access policy for nvindex to store policy in from PolicyAuthValue to PolicySigned (with an HMAC-SHA256 key) 
So far the nvindex to store the pcrlock policy in was protected via a
PolicyAuthValue policy (i.e. with a simple PIN set on the nvindex).
That's a bad idea however, as it means an attacker can simply remove and
re-create the nvindex and the "name" of the nvindex does not change,
thus defeating the logic. (This is because the authValue is *not* part
of the "name" of an nvindex!).

Fix this by switching from PolicyAuthValue to PolicySigned with an
HMAC-SHA256 key. Behaviour is very similar: however, the PIN is now part
of of the access policy hash, which *is* part of the "name" of an
nvindex. Thus, if an attacker removes and recreates the nvindex it has
to provide the same PIN again or the "name" of the nvindex will change.
Mission accomplished.

I'd like to thank Chris Coulson for finding this issue (and helping me
address it). Thank you!
2024-04-18 18:12:23 +02:00
.clusterfuzzlite
.github
mkosi: Update to latest
2024-04-18 13:26:44 +02:00
.semaphore
semaphore: remove workaround for adduser
2024-03-11 11:15:12 +00:00
catalog
catalog: update Polish translation
2024-03-12 11:37:17 +01:00
coccinelle
docs
Merge pull request #32324 from mrc0mmand/more-website-fixes
2024-04-18 10:55:01 +02:00
factory
hwdb.d
autosuspend: update for v256
2024-04-17 16:23:51 +02:00
LICENSES
tree-wide: drop several remaining license headers
2024-04-08 10:14:50 +02:00
man
man/systemd-stub: fix typo
2024-04-18 18:10:50 +02:00
mime
creds-util: add a concept of "user-scoped" credentials
2024-01-30 17:07:47 +01:00
mkosi.conf.d
Build distribution packages in mkosi
2024-03-07 10:47:19 +01:00
mkosi.images/system
mkosi: undefine FORTIFY_SOURCE instead of setting it zero
2024-04-18 14:35:07 +02:00
modprobe.d
network
nsresourced: add new daemon for granting clients user namespaces and assigning resources to them
2024-04-06 16:08:24 +02:00
pkg
build(deps): bump pkg/debian from e477254 to 30c77a7
2024-04-17 12:25:23 +02:00
po
po: update Japanese translation
2024-04-10 07:07:34 +09:00
presets
mountfsd: add new systemd-mountfsd component
2024-04-06 16:08:24 +02:00
rules.d
udev: permanent symlinks with USB revision for /dev/media*
2024-04-18 14:09:42 +02:00
shell-completion
systemctl: add --clean= values to documentation and shell completion
2024-04-18 14:07:07 +02:00
src
pcrlock: switch access policy for nvindex to store policy in from PolicyAuthValue to PolicySigned (with an HMAC-SHA256 key)
2024-04-18 18:12:23 +02:00
sysctl.d
sysusers.d
test
test: fix typo
2024-04-17 13:29:39 +09:00
tmpfiles.d
ssh-generator: create privsep dir via tmpfiles.d/ if we are told to
2024-04-04 01:01:10 +09:00
tools
Merge pull request #32204 from DaanDeMeyer/post-rewrite
2024-04-10 22:52:45 +01:00
units
units: introduce systemd-udev-load-credentials.service
2024-04-16 09:45:43 +09:00
xorg
.clang-format
Improve the formatting by adding AlignArrayOfStructures and setting it to Right(right justify)
2024-03-06 15:24:23 +01:00
.ctags
.dir-locals.el
.editorconfig
.gitattributes
.gitignore
.gitmodules
Use .git suffix for all submodule urls
2024-03-25 13:27:12 +00:00
.mailmap
.packit.yml
Revert "packit: temporarily build systemd without BPF stuff"
2024-02-11 16:45:03 +01:00
.pylintrc
.vimrc
.ycm_extra_conf.py
LICENSE.GPL2
LICENSE.LGPL2.1
meson_options.txt
mountfsd: add new systemd-mountfsd component
2024-04-06 16:08:24 +02:00
meson.build
mountfsd: add new systemd-mountfsd component
2024-04-06 16:08:24 +02:00
meson.version
meson: Start adding devel and rc suffixes to the project version
2024-02-14 15:36:34 +01:00
mkosi.conf
Update debugging with vscode section
2024-04-16 15:25:34 +02:00
NEWS
NEWS: mention GNOME Foundation in contributors list
2024-04-18 10:46:19 +01:00
README
README: mention fq_codel
2024-02-22 19:14:31 +00:00
README.md
README.md: link bug bounty program
2024-04-11 12:58:53 +02:00
TODO
update TODO
2024-04-15 12:10:46 +02:00

README.md

Systemd

System and Service Manager

Semaphore CI 2.0 Build Status
Coverity Scan Status
OSS-Fuzz Status
CIFuzz
CII Best Practices
CentOS CI - CentOS 9
CentOS CI - Arch
CentOS CI - Arch (sanitizers)
Fossies codespell report
Weblate
Coverage Status
Packaging status
OpenSSF Scorecard

Details

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list, join our IRC channel #systemd on libera.chat or Matrix channel

Stable branches with backported patches are available in the stable repo.

We have a security bug bounty program sponsored by the Sovereign Tech Fund hosted on YesWeHack

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 321 MiB
Languages
C 89%
Python 5.1%
Shell 4.5%
Meson 1.2%