similarity index 100%
rename from meta/recipes-core/systemd/systemd-boot-native_259.5.bb
rename to meta/recipes-core/systemd/systemd-boot-native_261.bb
similarity index 100%
rename from meta/recipes-core/systemd/systemd-boot_259.5.bb
rename to meta/recipes-core/systemd/systemd-boot_261.bb
similarity index 54%
rename from meta/recipes-core/systemd/systemd-systemctl-native_259.5.bb
rename to meta/recipes-core/systemd/systemd-systemctl-native_261.bb
@@ -10,19 +10,16 @@ inherit pkgconfig meson native
MESON_TARGET = "systemctl:executable"
MESON_INSTALL_TAGS = "systemctl"
+# Explicitly disable features that meson auto-detects from the native sysroot.
+# Only systemctl is built here; these prevent spurious dependencies and ensure
+# reproducible builds regardless of what is installed on the build host.
EXTRA_OEMESON += "-Dlink-systemctl-shared=false"
-EXTRA_OEMESON += "-Dsysvinit-path= -Dsysvrcnd-path="
+EXTRA_OEMESON += "-Dpam=disabled -Daudit=disabled -Dselinux=disabled"
+EXTRA_OEMESON += "-Dacl=disabled -Dapparmor=disabled -Dseccomp=disabled"
+EXTRA_OEMESON += "-Dlibcryptsetup=disabled -Dlibcurl=disabled -Dlibfido2=disabled"
+EXTRA_OEMESON += "-Dpcre2=disabled -Dp11kit=disabled -Dopenssl=disabled"
# Systemctl is supposed to operate on target, but the target sysroot is not
# determined at run-time, but rather set during configure
# More details are here https://github.com/systemd/systemd/issues/35897#issuecomment-2665405887
EXTRA_OEMESON += "--sysconfdir ${sysconfdir_native}"
-
-do_install:append() {
- # Install systemd-sysv-install in /usr/bin rather than /usr/lib/systemd
- # (where it is normally installed) so systemctl can find it in $PATH.
- # It is expected that the use of systemd-sysv-install will be removed
- # with version 259 of systemd and then this, and everything that was
- # added along with it, should be reverted.
- install -Dm 0755 ${S}/src/systemctl/systemd-sysv-install.SKELETON ${D}${bindir}/systemd-sysv-install
-}
@@ -15,14 +15,10 @@ LICENSE:libsystemd = "LGPL-2.1-or-later"
LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=c09786363500a9acc29b147e6e72d2c6 \
file://LICENSE.LGPL2.1;md5=be0aaf4a380f73f7e00b420a007368f2"
-SRCREV = "b3d8fc43e9cb531d958c17ef2cd93b374bc14e8a"
-SRCBRANCH = "v259-stable"
-SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH};tag=v${PV}"
+SRCREV = "de9dbc37ad4aa637e200ac02a0545095997055df"
+SRCBRANCH = "v261-stable"
+SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH}"
CVE_PRODUCT = "systemd"
CVE_STATUS[CVE-2019-3815] = "not-applicable-platform: only applied to RHEL"
-CVE_STATUS[CVE-2026-40223] = "fixed-version: fixed in 259.2"
-CVE_STATUS[CVE-2026-40224] = "fixed-version: fixed in 259.3"
-CVE_STATUS[CVE-2026-40225] = "fixed-version: fixed in 259.5"
-CVE_STATUS[CVE-2026-40226] = "fixed-version: fixed in 259.4"
deleted file mode 100644
@@ -1,54 +0,0 @@
-From 97142fd1db4124de5d5bdd3f49cc5a390286e522 Mon Sep 17 00:00:00 2001
-From: Dan McGregor <danmcgr@protonmail.com>
-Date: Wed, 11 Mar 2026 18:26:05 -0600
-Subject: [PATCH] meson: use libfido2_cflags dependency
-
-Add the libfido2 dependency to cryptenroll and cryptsetup's
-meson files. If libfido2's not installed in the default path
-the build wasn't finding its headers correctly.
-
-Signed-off-by: Dan McGregor <danmcgr@protonmail.com>
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/9ce905e35f690e7a10cd286be2b50594d0857f5e]
----
- src/cryptenroll/meson.build | 1 +
- src/cryptsetup/cryptsetup-tokens/meson.build | 2 +-
- src/cryptsetup/meson.build | 1 +
- 3 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptenroll/meson.build b/src/cryptenroll/meson.build
-index 488ceea14d..11265c8b41 100644
---- a/src/cryptenroll/meson.build
-+++ b/src/cryptenroll/meson.build
-@@ -23,6 +23,7 @@ executables += [
- 'dependencies' : [
- libcryptsetup,
- libdl,
-+ libfido2_cflags,
- libopenssl,
- libp11kit_cflags,
- ],
-diff --git a/src/cryptsetup/cryptsetup-tokens/meson.build b/src/cryptsetup/cryptsetup-tokens/meson.build
-index 804e18bc67..0fd6309201 100644
---- a/src/cryptsetup/cryptsetup-tokens/meson.build
-+++ b/src/cryptsetup/cryptsetup-tokens/meson.build
-@@ -58,7 +58,7 @@ modules += [
- 'sources' : cryptsetup_token_systemd_fido2_sources,
- 'dependencies' : [
- libcryptsetup,
-- libfido2,
-+ libfido2_cflags,
- ],
- },
- template + {
-diff --git a/src/cryptsetup/meson.build b/src/cryptsetup/meson.build
-index d9778259c2..b36354fb0a 100644
---- a/src/cryptsetup/meson.build
-+++ b/src/cryptsetup/meson.build
-@@ -19,6 +19,7 @@ executables += [
- 'sources' : systemd_cryptsetup_sources,
- 'dependencies' : [
- libcryptsetup,
-+ libfido2_cflags,
- libmount_cflags,
- libopenssl,
- libp11kit_cflags,
@@ -1,7 +1,7 @@
From a7f6a296707642d05463aec22ea3dfce7d06c989 Mon Sep 17 00:00:00 2001
From: Peter Kjellerstedt <pkj@axis.com>
Date: Tue, 21 Jan 2025 05:02:00 +0100
-Subject: [PATCH 03/16] Do not create /var/log/README
+Subject: [PATCH] Do not create /var/log/README
/var/log/README is a link to /usr/share/doc/systemd/README.logs. The
latter is packaged in systemd-doc and likely not installed, which leaves
@@ -15,19 +15,15 @@ Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
1 file changed, 3 deletions(-)
diff --git a/tmpfiles.d/legacy.conf.in b/tmpfiles.d/legacy.conf.in
-index cdef21fa9b..03798c953e 100644
+index cdef21fa9b..7890abcdef 100644
--- a/tmpfiles.d/legacy.conf.in
+++ b/tmpfiles.d/legacy.conf.in
-@@ -13,9 +13,6 @@
+@@ -13,6 +13,3 @@
d /run/lock 0755 root root -
L /var/lock - - - - ../run/lock
-{% if CREATE_LOG_DIRS %}
-L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
-{% endif %}
-
- {% if HAVE_SYSV_COMPAT %}
- # /run/lock/subsys is used for serializing SysV service execution, and
--
2.34.1
-
deleted file mode 100644
@@ -1,62 +0,0 @@
-From 3cef11c710e95bb5f891181e9b2a6d8f174712c3 Mon Sep 17 00:00:00 2001
-From: Patrick Wicki <patrick.wicki@subset.ch>
-Date: Fri, 20 Mar 2026 15:56:56 +0100
-Subject: [PATCH] tpm2-util: fix PCR bank guessing without EFI
-
-Since 7643e4a89 efi_get_active_pcr_banks() is used to determine the
-active PCR banks. Without EFI support, this returns -EOPNOTSUPP. This in
-turns leads to cryptenroll and cryptsetup attach failures unless the PCR
-bank is explicitly set, i.e.
-
-$ systemd-cryptenroll $LUKS_PART --tpm2-device=auto --tpm2-pcrs='7'
-[...]
-Could not read pcr values: Operation not supported
-
-But it works fine with --tpm2-pcrs='7:sha256'.
-
-Similarly, unsealing during cryptsetup attach also fails if the bank
-needs to be determined:
-
-Failed to unseal secret using TPM2: Operation not supported
-
-Catch the -EOPNOTSUPP and fallback to the guessing strategy.
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/pull/41231]
-
-Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
----
- src/shared/tpm2-util.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
-index cf11b50695..c0590fe575 100644
---- a/src/shared/tpm2-util.c
-+++ b/src/shared/tpm2-util.c
-@@ -2702,11 +2702,11 @@ int tpm2_get_best_pcr_bank(
- uint32_t efi_banks;
- r = efi_get_active_pcr_banks(&efi_banks);
- if (r < 0) {
-- if (r != -ENOENT)
-+ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP))
- return r;
-
- /* If variable is not set use guesswork below */
-- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks.");
-+ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks.");
- } else if (efi_banks == UINT32_MAX)
- log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks.");
- else {
-@@ -2811,11 +2811,11 @@ int tpm2_get_good_pcr_banks(
- uint32_t efi_banks;
- r = efi_get_active_pcr_banks(&efi_banks);
- if (r < 0) {
-- if (r != -ENOENT)
-+ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP))
- return r;
-
- /* If the variable is not set we have to guess via the code below */
-- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks.");
-+ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks.");
- } else if (efi_banks == UINT32_MAX)
- log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks.");
- else {
deleted file mode 100644
@@ -1,97 +0,0 @@
-From 0565f9f27323a8f9e62d85f2add542af99cea06a Mon Sep 17 00:00:00 2001
-From: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
-Date: Wed, 21 Jan 2026 14:13:29 +0530
-Subject: [PATCH] systemd: Add detailed debug logging to fdset_new_fill()
-
-Currently, when fdset_new_fill() fails to open /proc/self/fd or
-encounters an error while processing individual file descriptors
-(such as fcntl or fstat failures), it returns a silent error code.
-
-For debugging rarely reproducible failures it becomes difficult to
-know the exact cause of failure
-This commit updates the function to use log_debug_errno() for all
-error paths and hence provides better visibility into why FD collection
-failed, including the path of the problematic FD (via fd_get_path)
-and its inode type.
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/pull/40385]
-
-Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
----
- src/shared/fdset.c | 35 ++++++++++++++++++++++++++---------
- 1 file changed, 26 insertions(+), 9 deletions(-)
-
-diff --git a/src/shared/fdset.c b/src/shared/fdset.c
-index 832e7fda60..f340f41b0e 100644
---- a/src/shared/fdset.c
-+++ b/src/shared/fdset.c
-@@ -8,6 +8,7 @@
- #include "alloc-util.h"
- #include "async.h"
- #include "dirent-util.h"
-+#include "errno-util.h"
- #include "fd-util.h"
- #include "fdset.h"
- #include "log.h"
-@@ -179,9 +180,10 @@ int fdset_new_fill(
- d = opendir("/proc/self/fd");
- if (!d) {
- if (errno == ENOENT && proc_mounted() == 0)
-- return -ENOSYS;
-+ return log_debug_errno(SYNTHETIC_ERRNO(ENOSYS),
-+ "Failed to open /proc/self/fd/, /proc/ is not mounted.");
-
-- return -errno;
-+ return log_debug_errno(errno, "Failed to open /proc/self/fd/: %m ");
- }
-
- s = fdset_new();
-@@ -210,9 +212,14 @@ int fdset_new_fill(
- * been passed in can be collected and fds which have been created locally can be
- * ignored, under the assumption that only the latter have O_CLOEXEC set. */
-
-- fl = fcntl(fd, F_GETFD);
-- if (fl < 0)
-- return -errno;
-+ fl = RET_NERRNO(fcntl(fd, F_GETFD));
-+ if (fl < 0) {
-+ _cleanup_free_ char *path = NULL;
-+ (void) fd_get_path(fd, &path);
-+ return log_debug_errno(fl,
-+ "Failed to get flag of fd=%d (%s): %m ",
-+ fd, strna(path));
-+ }
-
- if (FLAGS_SET(fl, FD_CLOEXEC) != !!filter_cloexec)
- continue;
-@@ -221,13 +228,23 @@ int fdset_new_fill(
- /* We need to set CLOEXEC manually only if we're collecting non-CLOEXEC fds. */
- if (filter_cloexec <= 0) {
- r = fd_cloexec(fd, true);
-- if (r < 0)
-- return r;
-+ if (r < 0) {
-+ _cleanup_free_ char *path = NULL;
-+ (void) fd_get_path(fd, &path);
-+ return log_debug_errno(r,
-+ "Failed to set CLOEXEC flag fd=%d (%s): %m ",
-+ fd, strna(path));
-+ }
- }
-
- r = fdset_put(s, fd);
-- if (r < 0)
-- return r;
-+ if (r < 0) {
-+ _cleanup_free_ char *path = NULL;
-+ (void) fd_get_path(fd, &path);
-+ return log_debug_errno(r,
-+ "Failed to put fd=%d (%s) into fdset: %m ",
-+ fd, strna(path));
-+ }
- }
-
- *ret = TAKE_PTR(s);
-2.34.1
-
similarity index 99%
rename from meta/recipes-core/systemd/systemd_259.5.bb
rename to meta/recipes-core/systemd/systemd_261.bb
@@ -32,9 +32,6 @@ SRC_URI += " \
file://systemd-pager.sh \
file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-Do-not-create-var-log-README.patch \
- file://0001-meson-use-libfido2_cflags-dependency.patch \
- file://0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch \
- file://0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch \
"
PAM_PLUGINS = " \
@@ -226,9 +223,6 @@ EXTRA_OEMESON += "-Dnobody-user=nobody \
-Ddbus=disabled \
-Dtests=false \
-Dlibc=${TCLIBC} \
- -Drc-local='' \
- -Dsysvinit-path='' \
- -Dsysvrcnd-path='' \
"
# Hardcode target binary paths to avoid using paths from sysroot or worse
@@ -582,6 +576,8 @@ FILES:${PN}-extra-utils = "\
${bindir}/systemd-cgtop \
${bindir}/systemd-stdio-bridge \
${base_sbindir}/mount.ddi \
+ ${base_sbindir}/mount.mstack \
+ ${base_sbindir}/mount.storage \
${systemd_system_unitdir}/initrd.target.wants/systemd-pcrphase-initrd.path \
${systemd_system_unitdir}/sysinit.target.wants/systemd-pcrphase.path \
${systemd_system_unitdir}/sysinit.target.wants/systemd-pcrphase-sysinit.path \
@@ -678,6 +674,7 @@ FILES:${PN} = " ${base_bindir}/* \
${datadir}/polkit-1 \
${datadir}/${BPN} \
${datadir}/factory \
+ ${datadir}/user-tmpfiles.d \
${sysconfdir}/credstore/ \
${sysconfdir}/credstore.encrypted/ \
${sysconfdir}/dbus-1/ \
@@ -687,6 +684,7 @@ FILES:${PN} = " ${base_bindir}/* \
${sysconfdir}/sysctl.d/ \
${sysconfdir}/systemd/ \
${sysconfdir}/tmpfiles.d/ \
+ ${sysconfdir}/user-tmpfiles.d/ \
${sysconfdir}/xdg/ \
${sysconfdir}/init.d/README \
${sysconfdir}/resolv-conf.systemd \
@@ -797,11 +795,13 @@ FILES:udev += "${base_sbindir}/udevd \
${nonarch_libdir}/udev/rules.d/60-persistent-storage.rules \
${nonarch_libdir}/udev/rules.d/60-persistent-storage-mtd.rules \
${nonarch_libdir}/udev/rules.d/60-persistent-storage-tape.rules \
+ ${nonarch_libdir}/udev/rules.d/60-tpm2-id.rules \
${nonarch_libdir}/udev/rules.d/60-persistent-v4l.rules \
${nonarch_libdir}/udev/rules.d/60-sensor.rules \
${nonarch_libdir}/udev/rules.d/60-serial.rules \
${nonarch_libdir}/udev/rules.d/61-autosuspend-manual.rules \
${nonarch_libdir}/udev/rules.d/64-btrfs.rules \
+ ${nonarch_libdir}/udev/rules.d/65-integration.rules \
${nonarch_libdir}/udev/rules.d/70-camera.rules \
${nonarch_libdir}/udev/rules.d/70-joystick.rules \
${nonarch_libdir}/udev/rules.d/70-memory.rules \