Skip to content

systemd: Fix systemd-cryptenroll TPM2 + fix systemd-tmpfiles-setup-dev.service#171242

Closed
dasJ wants to merge 3 commits intoNixOS:stagingfrom
helsinki-systems:fix/systemd-cryptenroll-tpm2
Closed

systemd: Fix systemd-cryptenroll TPM2 + fix systemd-tmpfiles-setup-dev.service#171242
dasJ wants to merge 3 commits intoNixOS:stagingfrom
helsinki-systems:fix/systemd-cryptenroll-tpm2

Conversation

@dasJ
Copy link
Member

@dasJ dasJ commented May 2, 2022

Description of changes
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@dasJ dasJ added the 6.topic: systemd Software suite that provides an array of system components for Linux operating systems. label May 2, 2022
@dasJ dasJ requested review from K900 and ymatsiuk May 2, 2022 11:34
@dasJ dasJ requested a review from a team as a code owner May 2, 2022 11:34
@dasJ dasJ linked an issue May 2, 2022 that may be closed by this pull request
systemd-cryptsetup is broken when used with tpm2 #167994
Closed
@dasJ dasJ mentioned this pull request May 2, 2022
Closed
K900
K900 approved these changes May 2, 2022
View reviewed changes
Copy link
Contributor

@K900 K900 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, this (partially) fixes systemd-in-stage1 on my setup

@ofborg ofborg bot requested review from Mic92, flokli and kloenk May 2, 2022 11:51
@ofborg ofborg bot added 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels May 2, 2022
flokli
flokli reviewed May 2, 2022
View reviewed changes
flokli
flokli reviewed May 2, 2022
View reviewed changes
pkgs/os-specific/linux/systemd/default.nix
Comment on lines +675 to +676
# Wrap in the correct path for LUKS2 tokens. Must be after the fixup phase
# or the rpath cleanup removes the directories again.
Copy link
Member

@flokli flokli May 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment doesn't look right. Down there, we set LD_LIBRARY_PATH, not set rpath. Also, I'd propose moving the comment above postFixup, so iterating on the comment itself doesn't trigger rebuilds.

pkgs/os-specific/linux/systemd/default.nix
# Wrap in the correct path for LUKS2 tokens. Must be after the fixup phase
# or the rpath cleanup removes the directories again.
for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
Copy link
Member

@flokli flokli May 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need to set LD_LIBRARY_PATH? I was under the assumption that ${systemd}/lib being in rpath of all systemd binaries calling out libcryptsetup code is sufficient…

Copy link
Member Author

@dasJ dasJ May 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, ${systemd}/lib is not the same thing as ${systemd}/lib/cryptsetup

Copy link
Member

@flokli flokli May 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So patchelf --add-rpath, and disable the rpath trimming?

Copy link
Contributor

@ElvishJerricco ElvishJerricco May 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. LD_LIBRARY_PATH is not the solution.

Also, in systemdMinimal, these executables don't exist, so the build fails.

@Artturin Artturin added the 12.approvals: 1 This PR was reviewed and approved by one person. label May 4, 2022
ElvishJerricco
ElvishJerricco requested changes May 4, 2022
View reviewed changes
pkgs/os-specific/linux/systemd/default.nix
# Wrap in the correct path for LUKS2 tokens. Must be after the fixup phase
# or the rpath cleanup removes the directories again.
for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
Copy link
Contributor

@ElvishJerricco ElvishJerricco May 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. LD_LIBRARY_PATH is not the solution.

Also, in systemdMinimal, these executables don't exist, so the build fails.

@dasJ dasJ closed this May 4, 2022
@flokli
Copy link
Member

flokli commented May 5, 2022

@dasJ is there a follow-up PR on this?

@dasJ
Copy link
Member Author

dasJ commented May 5, 2022

None planned

@K900
Copy link
Contributor

K900 commented May 5, 2022

e01a082 definitely needs to go in one way or another.

@lovesegfault lovesegfault mentioned this pull request May 5, 2022
Merged
13 tasks
@dasJ dasJ deleted the fix/systemd-cryptenroll-tpm2 branch June 3, 2022 13:41
This was referenced Jul 1, 2022
Closed
Closed
@zhaofengli zhaofengli mentioned this pull request Sep 4, 2022
Merged
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flokli flokli flokli left review comments

@lovesegfault lovesegfault lovesegfault left review comments

@ElvishJerricco ElvishJerricco ElvishJerricco requested changes

@K900 K900 K900 approved these changes

@ymatsiuk ymatsiuk Awaiting requested review from ymatsiuk

@Mic92 Mic92 Awaiting requested review from Mic92

@kloenk kloenk Awaiting requested review from kloenk

Assignees

No one assigned

Labels

6.topic: systemd Software suite that provides an array of system components for Linux operating systems. 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

systemd in Stage 1
Status: Done
Staging
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

systemd-cryptsetup is broken when used with tpm2

6 participants

@dasJ @flokli @K900 @ElvishJerricco @lovesegfault @Artturin