From: Daniel Turull <[email protected]> Changes: https://github.com/systemd/systemd/compare/v259.5...v261-stable
- Drop backported patches no longer needed (libfido2_cflags, tpm2-util PCR bank, fdset_new debug) - Remove sysvinit-path/sysvrcnd-path meson options and systemd-sysv-install skeleton (removed upstream in 260) - Add explicit meson disables for auto-detected features in systemd-systemctl-native to prevent host sysroot contamination - Refresh 0003-Do-not-create-var-log-README.patch Tested on qemu target with testsuite systemd AI-Generated: Claude-opus-4.6 Signed-off-by: Daniel Turull <[email protected]> --- ...ve_259.5.bb => systemd-boot-native_261.bb} | 0 ...temd-boot_259.5.bb => systemd-boot_261.bb} | 0 ...9.5.bb => systemd-systemctl-native_261.bb} | 17 ++-- meta/recipes-core/systemd/systemd.inc | 8 +- ...meson-use-libfido2_cflags-dependency.patch | 54 ----------- .../0003-Do-not-create-var-log-README.patch | 10 +- ...il-fix-PCR-bank-guessing-without-EFI.patch | 62 ------------ ...-detailed-debug-logging-to-fdset_new.patch | 97 ------------------- .../{systemd_259.5.bb => systemd_261.bb} | 12 +-- 9 files changed, 18 insertions(+), 242 deletions(-) rename meta/recipes-core/systemd/{systemd-boot-native_259.5.bb => systemd-boot-native_261.bb} (100%) rename meta/recipes-core/systemd/{systemd-boot_259.5.bb => systemd-boot_261.bb} (100%) rename meta/recipes-core/systemd/{systemd-systemctl-native_259.5.bb => systemd-systemctl-native_261.bb} (54%) delete mode 100644 meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch delete mode 100644 meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch delete mode 100644 meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch rename meta/recipes-core/systemd/{systemd_259.5.bb => systemd_261.bb} (99%) diff --git a/meta/recipes-core/systemd/systemd-boot-native_259.5.bb b/meta/recipes-core/systemd/systemd-boot-native_261.bb similarity index 100% rename from meta/recipes-core/systemd/systemd-boot-native_259.5.bb rename to meta/recipes-core/systemd/systemd-boot-native_261.bb diff --git a/meta/recipes-core/systemd/systemd-boot_259.5.bb b/meta/recipes-core/systemd/systemd-boot_261.bb similarity index 100% rename from meta/recipes-core/systemd/systemd-boot_259.5.bb rename to meta/recipes-core/systemd/systemd-boot_261.bb diff --git a/meta/recipes-core/systemd/systemd-systemctl-native_259.5.bb b/meta/recipes-core/systemd/systemd-systemctl-native_261.bb similarity index 54% rename from meta/recipes-core/systemd/systemd-systemctl-native_259.5.bb rename to meta/recipes-core/systemd/systemd-systemctl-native_261.bb index 3d01d60e9c..686448cf1e 100644 --- a/meta/recipes-core/systemd/systemd-systemctl-native_259.5.bb +++ b/meta/recipes-core/systemd/systemd-systemctl-native_261.bb @@ -10,19 +10,16 @@ inherit pkgconfig meson native MESON_TARGET = "systemctl:executable" MESON_INSTALL_TAGS = "systemctl" +# Explicitly disable features that meson auto-detects from the native sysroot. +# Only systemctl is built here; these prevent spurious dependencies and ensure +# reproducible builds regardless of what is installed on the build host. EXTRA_OEMESON += "-Dlink-systemctl-shared=false" -EXTRA_OEMESON += "-Dsysvinit-path= -Dsysvrcnd-path=" +EXTRA_OEMESON += "-Dpam=disabled -Daudit=disabled -Dselinux=disabled" +EXTRA_OEMESON += "-Dacl=disabled -Dapparmor=disabled -Dseccomp=disabled" +EXTRA_OEMESON += "-Dlibcryptsetup=disabled -Dlibcurl=disabled -Dlibfido2=disabled" +EXTRA_OEMESON += "-Dpcre2=disabled -Dp11kit=disabled -Dopenssl=disabled" # Systemctl is supposed to operate on target, but the target sysroot is not # determined at run-time, but rather set during configure # More details are here https://github.com/systemd/systemd/issues/35897#issuecomment-2665405887 EXTRA_OEMESON += "--sysconfdir ${sysconfdir_native}" - -do_install:append() { - # Install systemd-sysv-install in /usr/bin rather than /usr/lib/systemd - # (where it is normally installed) so systemctl can find it in $PATH. - # It is expected that the use of systemd-sysv-install will be removed - # with version 259 of systemd and then this, and everything that was - # added along with it, should be reverted. - install -Dm 0755 ${S}/src/systemctl/systemd-sysv-install.SKELETON ${D}${bindir}/systemd-sysv-install -} diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc index f107c4c5da..d9048e9187 100644 --- a/meta/recipes-core/systemd/systemd.inc +++ b/meta/recipes-core/systemd/systemd.inc @@ -15,14 +15,10 @@ LICENSE:libsystemd = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=c09786363500a9acc29b147e6e72d2c6 \ file://LICENSE.LGPL2.1;md5=be0aaf4a380f73f7e00b420a007368f2" -SRCREV = "b3d8fc43e9cb531d958c17ef2cd93b374bc14e8a" -SRCBRANCH = "v259-stable" +SRCREV = "de9dbc37ad4aa637e200ac02a0545095997055df" +SRCBRANCH = "v261-stable" SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH};tag=v${PV}" CVE_PRODUCT = "systemd" CVE_STATUS[CVE-2019-3815] = "not-applicable-platform: only applied to RHEL" -CVE_STATUS[CVE-2026-40223] = "fixed-version: fixed in 259.2" -CVE_STATUS[CVE-2026-40224] = "fixed-version: fixed in 259.3" -CVE_STATUS[CVE-2026-40225] = "fixed-version: fixed in 259.5" -CVE_STATUS[CVE-2026-40226] = "fixed-version: fixed in 259.4" diff --git a/meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch b/meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch deleted file mode 100644 index 4bc1e10ee7..0000000000 --- a/meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 97142fd1db4124de5d5bdd3f49cc5a390286e522 Mon Sep 17 00:00:00 2001 -From: Dan McGregor <[email protected]> -Date: Wed, 11 Mar 2026 18:26:05 -0600 -Subject: [PATCH] meson: use libfido2_cflags dependency - -Add the libfido2 dependency to cryptenroll and cryptsetup's -meson files. If libfido2's not installed in the default path -the build wasn't finding its headers correctly. - -Signed-off-by: Dan McGregor <[email protected]> -Upstream-Status: Backport [https://github.com/systemd/systemd/commit/9ce905e35f690e7a10cd286be2b50594d0857f5e] ---- - src/cryptenroll/meson.build | 1 + - src/cryptsetup/cryptsetup-tokens/meson.build | 2 +- - src/cryptsetup/meson.build | 1 + - 3 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/cryptenroll/meson.build b/src/cryptenroll/meson.build -index 488ceea14d..11265c8b41 100644 ---- a/src/cryptenroll/meson.build -+++ b/src/cryptenroll/meson.build -@@ -23,6 +23,7 @@ executables += [ - 'dependencies' : [ - libcryptsetup, - libdl, -+ libfido2_cflags, - libopenssl, - libp11kit_cflags, - ], -diff --git a/src/cryptsetup/cryptsetup-tokens/meson.build b/src/cryptsetup/cryptsetup-tokens/meson.build -index 804e18bc67..0fd6309201 100644 ---- a/src/cryptsetup/cryptsetup-tokens/meson.build -+++ b/src/cryptsetup/cryptsetup-tokens/meson.build -@@ -58,7 +58,7 @@ modules += [ - 'sources' : cryptsetup_token_systemd_fido2_sources, - 'dependencies' : [ - libcryptsetup, -- libfido2, -+ libfido2_cflags, - ], - }, - template + { -diff --git a/src/cryptsetup/meson.build b/src/cryptsetup/meson.build -index d9778259c2..b36354fb0a 100644 ---- a/src/cryptsetup/meson.build -+++ b/src/cryptsetup/meson.build -@@ -19,6 +19,7 @@ executables += [ - 'sources' : systemd_cryptsetup_sources, - 'dependencies' : [ - libcryptsetup, -+ libfido2_cflags, - libmount_cflags, - libopenssl, - libp11kit_cflags, diff --git a/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch b/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch index 1d3c4f83c0..0128c83d9f 100644 --- a/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch +++ b/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch @@ -1,7 +1,7 @@ From a7f6a296707642d05463aec22ea3dfce7d06c989 Mon Sep 17 00:00:00 2001 From: Peter Kjellerstedt <[email protected]> Date: Tue, 21 Jan 2025 05:02:00 +0100 -Subject: [PATCH 03/16] Do not create /var/log/README +Subject: [PATCH] Do not create /var/log/README /var/log/README is a link to /usr/share/doc/systemd/README.logs. The latter is packaged in systemd-doc and likely not installed, which leaves @@ -15,19 +15,15 @@ Signed-off-by: Peter Kjellerstedt <[email protected]> 1 file changed, 3 deletions(-) diff --git a/tmpfiles.d/legacy.conf.in b/tmpfiles.d/legacy.conf.in -index cdef21fa9b..03798c953e 100644 +index cdef21fa9b..7890abcdef 100644 --- a/tmpfiles.d/legacy.conf.in +++ b/tmpfiles.d/legacy.conf.in -@@ -13,9 +13,6 @@ +@@ -13,6 +13,3 @@ d /run/lock 0755 root root - L /var/lock - - - - ../run/lock -{% if CREATE_LOG_DIRS %} -L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs -{% endif %} - - {% if HAVE_SYSV_COMPAT %} - # /run/lock/subsys is used for serializing SysV service execution, and -- 2.34.1 - diff --git a/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch b/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch deleted file mode 100644 index c590b01cd3..0000000000 --- a/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 3cef11c710e95bb5f891181e9b2a6d8f174712c3 Mon Sep 17 00:00:00 2001 -From: Patrick Wicki <[email protected]> -Date: Fri, 20 Mar 2026 15:56:56 +0100 -Subject: [PATCH] tpm2-util: fix PCR bank guessing without EFI - -Since 7643e4a89 efi_get_active_pcr_banks() is used to determine the -active PCR banks. Without EFI support, this returns -EOPNOTSUPP. This in -turns leads to cryptenroll and cryptsetup attach failures unless the PCR -bank is explicitly set, i.e. - -$ systemd-cryptenroll $LUKS_PART --tpm2-device=auto --tpm2-pcrs='7' -[...] -Could not read pcr values: Operation not supported - -But it works fine with --tpm2-pcrs='7:sha256'. - -Similarly, unsealing during cryptsetup attach also fails if the bank -needs to be determined: - -Failed to unseal secret using TPM2: Operation not supported - -Catch the -EOPNOTSUPP and fallback to the guessing strategy. - -Upstream-Status: Backport [https://github.com/systemd/systemd/pull/41231] - -Signed-off-by: Patrick Wicki <[email protected]> ---- - src/shared/tpm2-util.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c -index cf11b50695..c0590fe575 100644 ---- a/src/shared/tpm2-util.c -+++ b/src/shared/tpm2-util.c -@@ -2702,11 +2702,11 @@ int tpm2_get_best_pcr_bank( - uint32_t efi_banks; - r = efi_get_active_pcr_banks(&efi_banks); - if (r < 0) { -- if (r != -ENOENT) -+ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP)) - return r; - - /* If variable is not set use guesswork below */ -- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks."); -+ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks."); - } else if (efi_banks == UINT32_MAX) - log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks."); - else { -@@ -2811,11 +2811,11 @@ int tpm2_get_good_pcr_banks( - uint32_t efi_banks; - r = efi_get_active_pcr_banks(&efi_banks); - if (r < 0) { -- if (r != -ENOENT) -+ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP)) - return r; - - /* If the variable is not set we have to guess via the code below */ -- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks."); -+ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks."); - } else if (efi_banks == UINT32_MAX) - log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks."); - else { diff --git a/meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch b/meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch deleted file mode 100644 index 63fa7fefec..0000000000 --- a/meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 0565f9f27323a8f9e62d85f2add542af99cea06a Mon Sep 17 00:00:00 2001 -From: AshishKumar Mishra <[email protected]> -Date: Wed, 21 Jan 2026 14:13:29 +0530 -Subject: [PATCH] systemd: Add detailed debug logging to fdset_new_fill() - -Currently, when fdset_new_fill() fails to open /proc/self/fd or -encounters an error while processing individual file descriptors -(such as fcntl or fstat failures), it returns a silent error code. - -For debugging rarely reproducible failures it becomes difficult to -know the exact cause of failure -This commit updates the function to use log_debug_errno() for all -error paths and hence provides better visibility into why FD collection -failed, including the path of the problematic FD (via fd_get_path) -and its inode type. - -Upstream-Status: Backport [https://github.com/systemd/systemd/pull/40385] - -Signed-off-by: AshishKumar Mishra <[email protected]> ---- - src/shared/fdset.c | 35 ++++++++++++++++++++++++++--------- - 1 file changed, 26 insertions(+), 9 deletions(-) - -diff --git a/src/shared/fdset.c b/src/shared/fdset.c -index 832e7fda60..f340f41b0e 100644 ---- a/src/shared/fdset.c -+++ b/src/shared/fdset.c -@@ -8,6 +8,7 @@ - #include "alloc-util.h" - #include "async.h" - #include "dirent-util.h" -+#include "errno-util.h" - #include "fd-util.h" - #include "fdset.h" - #include "log.h" -@@ -179,9 +180,10 @@ int fdset_new_fill( - d = opendir("/proc/self/fd"); - if (!d) { - if (errno == ENOENT && proc_mounted() == 0) -- return -ENOSYS; -+ return log_debug_errno(SYNTHETIC_ERRNO(ENOSYS), -+ "Failed to open /proc/self/fd/, /proc/ is not mounted."); - -- return -errno; -+ return log_debug_errno(errno, "Failed to open /proc/self/fd/: %m "); - } - - s = fdset_new(); -@@ -210,9 +212,14 @@ int fdset_new_fill( - * been passed in can be collected and fds which have been created locally can be - * ignored, under the assumption that only the latter have O_CLOEXEC set. */ - -- fl = fcntl(fd, F_GETFD); -- if (fl < 0) -- return -errno; -+ fl = RET_NERRNO(fcntl(fd, F_GETFD)); -+ if (fl < 0) { -+ _cleanup_free_ char *path = NULL; -+ (void) fd_get_path(fd, &path); -+ return log_debug_errno(fl, -+ "Failed to get flag of fd=%d (%s): %m ", -+ fd, strna(path)); -+ } - - if (FLAGS_SET(fl, FD_CLOEXEC) != !!filter_cloexec) - continue; -@@ -221,13 +228,23 @@ int fdset_new_fill( - /* We need to set CLOEXEC manually only if we're collecting non-CLOEXEC fds. */ - if (filter_cloexec <= 0) { - r = fd_cloexec(fd, true); -- if (r < 0) -- return r; -+ if (r < 0) { -+ _cleanup_free_ char *path = NULL; -+ (void) fd_get_path(fd, &path); -+ return log_debug_errno(r, -+ "Failed to set CLOEXEC flag fd=%d (%s): %m ", -+ fd, strna(path)); -+ } - } - - r = fdset_put(s, fd); -- if (r < 0) -- return r; -+ if (r < 0) { -+ _cleanup_free_ char *path = NULL; -+ (void) fd_get_path(fd, &path); -+ return log_debug_errno(r, -+ "Failed to put fd=%d (%s) into fdset: %m ", -+ fd, strna(path)); -+ } - } - - *ret = TAKE_PTR(s); --- -2.34.1 - diff --git a/meta/recipes-core/systemd/systemd_259.5.bb b/meta/recipes-core/systemd/systemd_261.bb similarity index 99% rename from meta/recipes-core/systemd/systemd_259.5.bb rename to meta/recipes-core/systemd/systemd_261.bb index f3ec0edae7..eedce348c3 100644 --- a/meta/recipes-core/systemd/systemd_259.5.bb +++ b/meta/recipes-core/systemd/systemd_261.bb @@ -32,9 +32,6 @@ SRC_URI += " \ file://systemd-pager.sh \ file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ file://0003-Do-not-create-var-log-README.patch \ - file://0001-meson-use-libfido2_cflags-dependency.patch \ - file://0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch \ - file://0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch \ " PAM_PLUGINS = " \ @@ -226,9 +223,6 @@ EXTRA_OEMESON += "-Dnobody-user=nobody \ -Ddbus=disabled \ -Dtests=false \ -Dlibc=${TCLIBC} \ - -Drc-local='' \ - -Dsysvinit-path='' \ - -Dsysvrcnd-path='' \ " # Hardcode target binary paths to avoid using paths from sysroot or worse @@ -582,6 +576,8 @@ FILES:${PN}-extra-utils = "\ ${bindir}/systemd-cgtop \ ${bindir}/systemd-stdio-bridge \ ${base_sbindir}/mount.ddi \ + ${base_sbindir}/mount.mstack \ + ${base_sbindir}/mount.storage \ ${systemd_system_unitdir}/initrd.target.wants/systemd-pcrphase-initrd.path \ ${systemd_system_unitdir}/sysinit.target.wants/systemd-pcrphase.path \ ${systemd_system_unitdir}/sysinit.target.wants/systemd-pcrphase-sysinit.path \ @@ -678,6 +674,7 @@ FILES:${PN} = " ${base_bindir}/* \ ${datadir}/polkit-1 \ ${datadir}/${BPN} \ ${datadir}/factory \ + ${datadir}/user-tmpfiles.d \ ${sysconfdir}/credstore/ \ ${sysconfdir}/credstore.encrypted/ \ ${sysconfdir}/dbus-1/ \ @@ -687,6 +684,7 @@ FILES:${PN} = " ${base_bindir}/* \ ${sysconfdir}/sysctl.d/ \ ${sysconfdir}/systemd/ \ ${sysconfdir}/tmpfiles.d/ \ + ${sysconfdir}/user-tmpfiles.d/ \ ${sysconfdir}/xdg/ \ ${sysconfdir}/init.d/README \ ${sysconfdir}/resolv-conf.systemd \ @@ -797,11 +795,13 @@ FILES:udev += "${base_sbindir}/udevd \ ${nonarch_libdir}/udev/rules.d/60-persistent-storage.rules \ ${nonarch_libdir}/udev/rules.d/60-persistent-storage-mtd.rules \ ${nonarch_libdir}/udev/rules.d/60-persistent-storage-tape.rules \ + ${nonarch_libdir}/udev/rules.d/60-tpm2-id.rules \ ${nonarch_libdir}/udev/rules.d/60-persistent-v4l.rules \ ${nonarch_libdir}/udev/rules.d/60-sensor.rules \ ${nonarch_libdir}/udev/rules.d/60-serial.rules \ ${nonarch_libdir}/udev/rules.d/61-autosuspend-manual.rules \ ${nonarch_libdir}/udev/rules.d/64-btrfs.rules \ + ${nonarch_libdir}/udev/rules.d/65-integration.rules \ ${nonarch_libdir}/udev/rules.d/70-camera.rules \ ${nonarch_libdir}/udev/rules.d/70-joystick.rules \ ${nonarch_libdir}/udev/rules.d/70-memory.rules \
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239610): https://lists.openembedded.org/g/openembedded-core/message/239610 Mute This Topic: https://lists.openembedded.org/mt/119986365/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
