
systemd 256 changes

Open · Itxaka opened this issue 2 months ago · 1 comment

This is a ticket to provide info about systemd 256 changes that may affect us, with :+1: for things that bring improvements to our current state or add things that we want to use, and :-1: for things that may affect our current state and that we need to fix/improve/adapt.

Master Kairos is currently on 255 with Ubuntu 24.04 and Fedora 40, so 3.1.x is not affected.

Probably affects our cmdlines :-1: :

* systemd.crash_reboot and related settings are deprecated in favor of systemd.crash_action=.
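To see what the cmdline change above means in practice, here is an added example (not Kairos code and not from systemd) that rewrites a kernel command line still carrying the deprecated `systemd.crash_reboot` option into the v256 `systemd.crash_action=` form. It assumes the mapping `crash_reboot=yes` → `crash_action=reboot` and `crash_reboot=no` → `crash_action=freeze` (freeze being the default action), and that a bare `systemd.crash_reboot` with no value counts as true, as systemd does for boolean cmdline options.

```python
# Added example (not Kairos project code): migrate a kernel command line that
# still uses the deprecated systemd.crash_reboot= option to systemd 256's
# systemd.crash_action=. Assumption: crash_reboot=yes maps to crash_action=reboot
# and crash_reboot=no maps to crash_action=freeze (the default action).
import shlex
from typing import List, Optional, Tuple

DEPRECATED = "systemd.crash_reboot"
REPLACEMENT = "systemd.crash_action"

# Spellings systemd accepts for boolean cmdline values.
TRUE_WORDS = {"1", "yes", "y", "true", "t", "on"}
FALSE_WORDS = {"0", "no", "n", "false", "f", "off"}


def _as_bool(value: Optional[str]) -> bool:
    """Interpret a boolean cmdline value; a bare key (no value) means true."""
    if value is None:
        return True
    v = value.lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"cannot parse boolean value {value!r}")


def migrate_cmdline(cmdline: str) -> Tuple[str, List[str]]:
    """Return (migrated_cmdline, notes).

    Every systemd.crash_reboot[=bool] token is replaced by the equivalent
    systemd.crash_action= token; all other parameters are kept in order.
    If systemd.crash_action= is already present it wins and the deprecated
    token is dropped. Unparseable values are left in place and reported.
    """
    tokens = shlex.split(cmdline)
    has_action = any(t.partition("=")[0] == REPLACEMENT for t in tokens)
    notes: List[str] = []
    out: List[str] = []
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if key != DEPRECATED:
            out.append(tok)
            continue
        if has_action:
            notes.append(f"dropped deprecated {tok!r}; {REPLACEMENT}= already set")
            continue
        try:
            action = "reboot" if _as_bool(value if sep else None) else "freeze"
        except ValueError as err:
            notes.append(f"left {tok!r} in place: {err}")
            out.append(tok)
            continue
        notes.append(f"replaced {tok!r} with {REPLACEMENT}={action}")
        out.append(f"{REPLACEMENT}={action}")
    return " ".join(out), notes


if __name__ == "__main__":
    # Constructed sample cmdline, not taken from any Kairos image.
    migrated, notes = migrate_cmdline("console=ttyS0 quiet systemd.crash_reboot=1")
    print(migrated)
    for n in notes:
        print("note:", n)
```

Run it against the cmdline baked into a grub or UKI config before building against systemd 256; anything reported as "left in place" needs a manual look.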

networkd changes to VLAN :-1: :

* Previously, systemd-networkd did not explicitly remove any bridge VLAN IDs assigned on bridge master and ports. Since version 256, if a .network file for an interface has at least one valid setting in the [BridgeVLAN] section, then all assigned VLAN IDs on the interface that are not configured in the .network file are removed.

May affect UKI mounts and EFI non-uki mounts :-1: :

* systemd-gpt-auto-generator will stop generating units for ESP or XBOOTLDR partitions if it finds mount entries for or below the /boot/ or /efi/ hierarchies in /etc/fstab. This is to prevent the generator from interfering with systems where the ESP is explicitly configured to be mounted at some path, for example /boot/efi/ (this type of setup is obsolete, but still commonly found).
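The gpt-auto change above is easy to audit for. The following is an added example (not Kairos code and not part of systemd) that parses an fstab and lists the entries which, on systemd 256, cause systemd-gpt-auto-generator to skip ESP/XBOOTLDR units: any mount at or below /boot or /efi, including the obsolete /boot/efi layout. The sample fstab is constructed.

```python
# Added example (not Kairos project code): report /etc/fstab entries that make
# systemd-gpt-auto-generator (v256+) skip ESP/XBOOTLDR unit generation. The
# trigger condition follows the v256 NEWS item: any fstab mount entry at or
# below /boot/ or /efi/. The sample fstab at the bottom is constructed.
from typing import List, NamedTuple


class Entry(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: str


GPT_AUTO_ROOTS = ("/boot", "/efi")


def parse_fstab(text: str) -> List[Entry]:
    """Parse fstab text; comments, blank lines and malformed lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        # fstab encodes spaces in paths as \040; decode so prefix checks work.
        mnt = fields[1].replace("\\040", " ")
        opts = fields[3] if len(fields) > 3 else "defaults"
        entries.append(Entry(fields[0], mnt, fields[2], opts))
    return entries


def _under(path: str, root: str) -> bool:
    """True if path equals root or lies below it (/bootstrap is not under /boot)."""
    path = path.rstrip("/") or "/"
    return path == root or path.startswith(root + "/")


def gpt_auto_blockers(fstab_text: str) -> List[Entry]:
    """Entries that stop gpt-auto from generating ESP/XBOOTLDR units.

    Swap and other non-path mount points are ignored; anything mounted at or
    below /boot or /efi is returned, in fstab order.
    """
    return [
        e
        for e in parse_fstab(fstab_text)
        if e.mountpoint.startswith("/")
        and any(_under(e.mountpoint, root) for root in GPT_AUTO_ROOTS)
    ]


# Constructed sample: a legacy layout with the ESP mounted on /boot/efi.
SAMPLE_FSTAB = """\
# <device>      <mountpoint>  <type>  <options>   <dump> <pass>
LABEL=ROOT      /             ext4    defaults    0 1
LABEL=EFI       /boot/efi     vfat    umask=0077  0 2
/dev/sdb1       /bootstrap    ext4    noauto      0 0
none            swap          swap    defaults    0 0
"""

if __name__ == "__main__":
    for e in gpt_auto_blockers(SAMPLE_FSTAB):
        print(f"gpt-auto will skip ESP/XBOOTLDR units because of: {e.device} on {e.mountpoint}")
```

If the check reports an entry, the ESP/XBOOTLDR mounts on that system come from fstab only, so a UKI or EFI image that relied on the generator to mount /efi or /boot needs either an explicit fstab entry or a mount unit of its own.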

dracut/immucore may be affected :-1: :

* New system manager setting ProtectSystem= has been added. It is analogous to the unit setting, but applies to the whole system. It is enabled by default in the initrd.

  Note that this means that code executed in the initrd cannot naively expect to be able to write to /usr/ during boot. This affects dracut <= 101, which wrote "hooks" to /lib/dracut/hooks/. See

systemd-boot/stub/UKI :+1: :

* systemd-stub will now measure its payload via the new EFI Confidential Computing APIs (CC), in addition to the pre-existing measurements to TPM.

dbx auto enrollment support :+1: :

* systemd-boot's automatic SecureBoot enrollment support gained support for enrolling "dbx" too (previously, only db/KEK/PK enrollment was supported). It also now supports UEFI "Custom" and "Audit" modes.

pcrlock policy from ESP :+1: :

* The pcrlock policy is saved in an unencrypted credential file "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the /loader/credentials/ directory. It will be picked up at boot by systemd-stub and passed t

ucode in UKI files :+1: :

* sd-stub gained support for the new ".ucode" PE section in UKIs, that may contain CPU microcode data. When control is handed over to the Linux kernel this data is prepended to the set of initrds passed.

pcrlock stable in 257 :+1: :

* systemd-pcrlock's TPM nvindex access policy has been modified, this means that previous pcrlock policies stored in nvindexes are invalidated. They must be removed (systemd-pcrlock remove-policy) and recreated (systemd-pcrlock make-policy). For the time being systemd-pcrlock remains an experimental feature, but it is expected to become stable in the next release, i.e. v257.

cryptenroll disables dictionary attack protection for non-PIN enrollments (possibly not locking the TPM as easily?) :+1: :

* systemd-cryptenroll will no longer enable Dictionary Attack Protection (i.e. turn on NO_DA) for TPM enrollments that do not involve a PIN. DA should not be necessary in that case (since key entropy is high enough to make this unnecessary), but risks accidental lock-out in case of unexpected PCR changes.

cryptenroll supports enrolling a TPM2 slot via an existing TPM2 slot, instead of requiring a password slot in the LUKS device :+1: :

* systemd-cryptenroll now supports enrolling a new slot while unlocking the old slot via TPM2 (previously unlocking only worked via password or FIDO2).

debug tty for boot :+1: :

* A new kernel command-line option systemd.default_debug_tty= can be used to specify the TTY for the debug shell, independently of enabling or disabling it.

Itxaka · May 27 '24 10:05