systemd has been recommending against an arrangement like that for a long
time now. These partitions are often fragile (read from bootloader code, or
worse firmware! VFAT has no data integrity), and they really have no reason
to be mounted unless they're about to be accessed. Stacking the mount
On 2/21/24 15:09, Stef Bon wrote:
Hi,
I know that I can use a session file, and I know I can use a pamfile
(I've written one myself) but what I want to know is how can I use
systemd for that? Systemd handles the system, sessions and containers,
so is it for example possible to set some
On 2/21/24 12:57, Stef Bon wrote:
Hi,
maybe this is a question simple to answer.
I want the user sessions to start in a {mount,user} namespace. How can
I do this? I know there is the command systemd-nspawn. But to use this
I have to adjust the first command to start a session. Or is it
You shouldn't be using a linux-generic partition for updates. You need (at
least) two of the same kind of partition to switch between whenever there's
an update
On Mon, Jan 8, 2024, 06:46 Renjaya Raga Zenta wrote:
> Hi,
>
> I've been experimenting with systemd-sysupdate, trying to understand
Hello!
I'm working on passing sd_notify events from systemd-{pull,import} through
sysupdate.
All services that consume sd_notify events (systemd itself, importd,
machined, homed, etc) act as daemons and own a directory in /run. Thus,
they can open a notification socket at, say,
(whoops accidentally sent this only to Felix. Resending to the mailing list
too)
I wouldn't bind anything to PCR4, because it'll wipe out your decryption
key on any update of any component in the boot chain. In other words: PCR4
is not rollback prevention, it's also roll forward prevention as
Hello
I've got a problem in my systemd --user instance that I can't quite
grok nor can I explain it very well. Essentially I have no idea what
could possibly be going on. Hoping someone here can help.
Basically, the OS boots and I can log in. Once I do, I experience the
following symptoms:
-
yslot
Any thoughts and ideas about any of this?
Thanks,
Adrian Vovk
For reference, here are some of my previous possible solutions to this
problem, and why I decided they won't work:
1. Is this even a problem? If secure boot is off then it's possible to
spoof the TPM and make it have whate
Whoops, forgot to reply-all and replied directly to Lennart. Forwarding to
the ML
-- Forwarded message -
From: Adrian Vovk
Date: Thu, Mar 2, 2023 at 16:59
Subject: Re: [systemd-devel] Immutable Images: Single Data Patition
To: Lennart Poettering
> /home/ with dm-integr
> I figure this would be a 20 line patch. Would be happy to review a
> patch for that.
Got it. That sounds reasonable to me. I'll get you a patch
> wouldn't it make more sense, to allow declaration of a "ReleaseNotes=" link
> inside a sysupdate .conf file, that can optionally take an URL
Gompa wrote:
> On Sat, Feb 25, 2023 at 9:45 AM Lennart Poettering
> wrote:
> >
> > On Di, 21.02.23 16:00, Adrian Vovk (adrianv...@gmail.com) wrote:
> >
> > > Hello all,
> > >
> > > Would you accept a patch to shared/base-filesystem that makes
ed and in /state to the appropriate destination based
on escaped filenames relative to / (e.g. /state/home -> /home,
/state/encrypted/my-fancy-dir -> /my/fancy/dir,
/state/encrypted/fancy\x2ddir -> /fancy-dir, etc).
Thoughts?
Thank you,
Adrian Vovk
[1]: https://github.com/flatpak/flatpa
table sysexts, but that's a different discussion for a different
place I think. As far as I can tell this issue of updating sysexts is
already on your radar.
Thoughts?
Thank you,
Adrian Vovk
0" "usr/lib64\0" to
"usr/lib/"LIB_ARCH_TUPLE"\0" "usr/lib64\0" "usr/lib\0", and ditto for
all the other architectures. That way no matter what, /lib64 always
exists when necessary.
Thank you,
Adrian Vovk
Hi Chengyi,
> In fact, gdm user doesn't need these services
I'm almost certain that this is incorrect. There's a good chance if you
remove the systemd --user instance from GDM, you will end up with a
broken/unbootable system.
Basically, instead of being its own service manager, new versions
write to the home dir is 4 writes to the block device. Am I
mistaken?
Regards,
Adrian
On Thu, Dec 2, 2021 at 6:45 PM Wol wrote:
>
> On 02/12/2021 21:24, Adrian Vovk wrote:
> > Hello Wol,
> >
> > Please, read the blog post I'm responding to for context to what I'm
> >
Hello Wol,
Please, read the blog post I'm responding to for context to what I'm
saying:
https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
> dm-integrity is NOT ABOUT authentication
dm-integrity provides authentication when configured to use
sha256-hmac. I am not
Some more thoughts about the usefulness of dm-integrity:
1. There's some past work[1] on authenticated Btrfs, where the whole
filesystem is authenticated w/ a keyed hash algorithm. It's basically
dm-integrity built directly into the filesystem, with none of the
performance and complexity
> Why can't you just enable journalling in systemd-homed, so we have
> LUKS+dm-integrity-journalling?
That's why there's two layers of dm-integrity stacked on top of each
other (one protecting the filesystem, one baked into the systemd-homed
LUKS image)
> If the user needs to separate / and
: is there anything protecting the bitmap from arbitrary
modifications?
What are your thoughts on these points? What mode did you plan to have
systemd-homed use?
Regards,
Adrian Vovk