From patchwork Fri Jul 3 07:29:31 2026
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 91621
Subject: [PATCH v4 1/2] systemd: upgrade to 261
Date: Fri, 3 Jul 2026 09:29:31 +0200
Message-ID: <20260703072948.2939128-2-daniel.turull@ericsson.com>
In-Reply-To: <20260703072948.2939128-1-daniel.turull@ericsson.com>
References: <20260703072948.2939128-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240078

From: Daniel Turull

Changes:
https://github.com/systemd/systemd/compare/v259.5...v261-stable

- Drop backported patches no longer needed (libfido2_cflags,
  tpm2-util PCR bank, fdset_new debug)
- Remove sysvinit-path/sysvrcnd-path meson options and
  systemd-sysv-install skeleton (removed upstream in 260)
- Add explicit meson disables for auto-detected features in
  systemd-systemctl-native to prevent host sysroot contamination
- Refresh 0003-Do-not-create-var-log-README.patch

Tested on qemu target with testsuite systemd

AI-Generated: Claude-opus-4.6
Signed-off-by: Daniel Turull --- ...ve_259.5.bb => systemd-boot-native_261.bb} | 0 ...temd-boot_259.5.bb => systemd-boot_261.bb} | 0 ...9.5.bb => systemd-systemctl-native_261.bb} | 8 +- meta/recipes-core/systemd/systemd.inc | 8 +- ...meson-use-libfido2_cflags-dependency.patch | 54 ----------- .../0003-Do-not-create-var-log-README.patch | 10 +- ...il-fix-PCR-bank-guessing-without-EFI.patch | 62 ------------ ...-detailed-debug-logging-to-fdset_new.patch | 97 ------------------- .../{systemd_259.5.bb => systemd_261.bb} | 12 +-- 9 files changed, 18 insertions(+), 233 deletions(-) rename meta/recipes-core/systemd/{systemd-boot-native_259.5.bb => systemd-boot-native_261.bb} (100%) rename meta/recipes-core/systemd/{systemd-boot_259.5.bb => systemd-boot_261.bb} (100%) rename meta/recipes-core/systemd/{systemd-systemctl-native_259.5.bb => systemd-systemctl-native_261.bb} (54%) delete mode 100644 meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch delete mode 100644 meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch delete mode 100644 meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch rename meta/recipes-core/systemd/{systemd_259.5.bb => systemd_261.bb} (99%) diff --git a/meta/recipes-core/systemd/systemd-boot-native_259.5.bb b/meta/recipes-core/systemd/systemd-boot-native_261.bb similarity index 100% rename from meta/recipes-core/systemd/systemd-boot-native_259.5.bb rename to meta/recipes-core/systemd/systemd-boot-native_261.bb diff --git a/meta/recipes-core/systemd/systemd-boot_259.5.bb b/meta/recipes-core/systemd/systemd-boot_261.bb similarity index 100% rename from meta/recipes-core/systemd/systemd-boot_259.5.bb rename to meta/recipes-core/systemd/systemd-boot_261.bb 
diff --git a/meta/recipes-core/systemd/systemd-systemctl-native_259.5.bb b/meta/recipes-core/systemd/systemd-systemctl-native_261.bb similarity index 54% rename from meta/recipes-core/systemd/systemd-systemctl-native_259.5.bb rename to meta/recipes-core/systemd/systemd-systemctl-native_261.bb index bf9c9f4776..28fddc79df 100644 --- a/meta/recipes-core/systemd/systemd-systemctl-native_259.5.bb +++ b/meta/recipes-core/systemd/systemd-systemctl-native_261.bb @@ -10,8 +10,14 @@ inherit pkgconfig meson native MESON_TARGET = "systemctl" MESON_INSTALL_TAGS = "systemctl" +# Explicitly disable features that meson auto-detects from the native sysroot. +# Only systemctl is built here; these prevent spurious dependencies and ensure +# reproducible builds regardless of what is installed on the build host. EXTRA_OEMESON += "-Dlink-systemctl-shared=false" -EXTRA_OEMESON += "-Dsysvinit-path= -Dsysvrcnd-path=" +EXTRA_OEMESON += "-Dpam=disabled -Daudit=disabled -Dselinux=disabled" +EXTRA_OEMESON += "-Dacl=disabled -Dapparmor=disabled -Dseccomp=disabled" +EXTRA_OEMESON += "-Dlibcryptsetup=disabled -Dlibcurl=disabled -Dlibfido2=disabled" +EXTRA_OEMESON += "-Dpcre2=disabled -Dp11kit=disabled -Dopenssl=disabled" # Systemctl is supposed to operate on target, but the target sysroot is not # determined at run-time, but rather set during configure diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc index f107c4c5da..d9048e9187 100644 --- a/meta/recipes-core/systemd/systemd.inc +++ b/meta/recipes-core/systemd/systemd.inc 
@@ -15,14 +15,10 @@ LICENSE:libsystemd = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=c09786363500a9acc29b147e6e72d2c6 \ file://LICENSE.LGPL2.1;md5=be0aaf4a380f73f7e00b420a007368f2" -SRCREV = "b3d8fc43e9cb531d958c17ef2cd93b374bc14e8a" -SRCBRANCH = "v259-stable" +SRCREV = "de9dbc37ad4aa637e200ac02a0545095997055df" +SRCBRANCH = "v261-stable" SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH};tag=v${PV}" CVE_PRODUCT = "systemd" CVE_STATUS[CVE-2019-3815] = "not-applicable-platform: only applied to RHEL" -CVE_STATUS[CVE-2026-40223] = "fixed-version: fixed in 259.2" -CVE_STATUS[CVE-2026-40224] = "fixed-version: fixed in 259.3" -CVE_STATUS[CVE-2026-40225] = "fixed-version: fixed in 259.5" -CVE_STATUS[CVE-2026-40226] = "fixed-version: fixed in 259.4" diff --git a/meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch b/meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch deleted file mode 100644 index 4bc1e10ee7..0000000000 --- a/meta/recipes-core/systemd/systemd/0001-meson-use-libfido2_cflags-dependency.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 97142fd1db4124de5d5bdd3f49cc5a390286e522 Mon Sep 17 00:00:00 2001 -From: Dan McGregor -Date: Wed, 11 Mar 2026 18:26:05 -0600 -Subject: [PATCH] meson: use libfido2_cflags dependency - -Add the libfido2 dependency to cryptenroll and cryptsetup's -meson files. If libfido2's not installed in the default path -the build wasn't finding its headers correctly. - -Signed-off-by: Dan McGregor -Upstream-Status: Backport [https://github.com/systemd/systemd/commit/9ce905e35f690e7a10cd286be2b50594d0857f5e] ---- - src/cryptenroll/meson.build | 1 + - src/cryptsetup/cryptsetup-tokens/meson.build | 2 +- - src/cryptsetup/meson.build | 1 + - 3 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/cryptenroll/meson.build b/src/cryptenroll/meson.build -index 488ceea14d..11265c8b41 100644 ---- a/src/cryptenroll/meson.build -+++ b/src/cryptenroll/meson.build -@@ -23,6 +23,7 @@ executables += [ - 'dependencies' : [ - libcryptsetup, - libdl, -+ libfido2_cflags, - libopenssl, - libp11kit_cflags, - ], -diff --git a/src/cryptsetup/cryptsetup-tokens/meson.build b/src/cryptsetup/cryptsetup-tokens/meson.build -index 804e18bc67..0fd6309201 100644 ---- a/src/cryptsetup/cryptsetup-tokens/meson.build -+++ b/src/cryptsetup/cryptsetup-tokens/meson.build -@@ -58,7 +58,7 @@ modules += [ - 'sources' : cryptsetup_token_systemd_fido2_sources, - 'dependencies' : [ - libcryptsetup, -- libfido2, -+ libfido2_cflags, - ], - }, - template + { -diff --git a/src/cryptsetup/meson.build b/src/cryptsetup/meson.build -index d9778259c2..b36354fb0a 100644 ---- a/src/cryptsetup/meson.build -+++ b/src/cryptsetup/meson.build -@@ -19,6 +19,7 @@ executables += [ - 'sources' : systemd_cryptsetup_sources, - 'dependencies' : [ - libcryptsetup, -+ libfido2_cflags, - libmount_cflags, - libopenssl, - libp11kit_cflags, 
diff --git a/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch b/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch index 1d3c4f83c0..0128c83d9f 100644 --- a/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch +++ b/meta/recipes-core/systemd/systemd/0003-Do-not-create-var-log-README.patch @@ -1,7 +1,7 @@ From a7f6a296707642d05463aec22ea3dfce7d06c989 Mon Sep 17 00:00:00 2001 From: Peter Kjellerstedt Date: Tue, 21 Jan 2025 05:02:00 +0100 -Subject: [PATCH 03/16] Do not create /var/log/README +Subject: [PATCH] Do not create /var/log/README /var/log/README is a link to /usr/share/doc/systemd/README.logs. The latter is packaged in systemd-doc and likely not installed, which leaves @@ -15,19 +15,15 @@ Signed-off-by: Peter Kjellerstedt 1 file changed, 3 deletions(-) diff --git a/tmpfiles.d/legacy.conf.in b/tmpfiles.d/legacy.conf.in -index cdef21fa9b..03798c953e 100644 +index cdef21fa9b..7890abcdef 100644 --- a/tmpfiles.d/legacy.conf.in +++ b/tmpfiles.d/legacy.conf.in -@@ -13,9 +13,6 @@ +@@ -13,6 +13,3 @@ d /run/lock 0755 root root - L /var/lock - - - - ../run/lock -{% if CREATE_LOG_DIRS %} -L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs -{% endif %} - - {% if HAVE_SYSV_COMPAT %} - # /run/lock/subsys is used for serializing SysV service execution, and -- 2.34.1 - diff --git a/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch b/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch deleted file mode 100644 index c590b01cd3..0000000000 --- a/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 3cef11c710e95bb5f891181e9b2a6d8f174712c3 Mon Sep 17 00:00:00 2001 -From: Patrick Wicki -Date: Fri, 20 Mar 2026 15:56:56 +0100 -Subject: [PATCH] tpm2-util: fix PCR bank guessing without EFI - -Since 7643e4a89 efi_get_active_pcr_banks() is used to determine the -active PCR banks. Without EFI support, this returns -EOPNOTSUPP. This in -turns leads to cryptenroll and cryptsetup attach failures unless the PCR -bank is explicitly set, i.e. - -$ systemd-cryptenroll $LUKS_PART --tpm2-device=auto --tpm2-pcrs='7' -[...] -Could not read pcr values: Operation not supported - -But it works fine with --tpm2-pcrs='7:sha256'. - -Similarly, unsealing during cryptsetup attach also fails if the bank -needs to be determined: - -Failed to unseal secret using TPM2: Operation not supported - -Catch the -EOPNOTSUPP and fallback to the guessing strategy. - -Upstream-Status: Backport [https://github.com/systemd/systemd/pull/41231] - -Signed-off-by: Patrick Wicki ---- - src/shared/tpm2-util.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c -index cf11b50695..c0590fe575 100644 ---- a/src/shared/tpm2-util.c -+++ b/src/shared/tpm2-util.c -@@ -2702,11 +2702,11 @@ int tpm2_get_best_pcr_bank( - uint32_t efi_banks; - r = efi_get_active_pcr_banks(&efi_banks); - if (r < 0) { -- if (r != -ENOENT) -+ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP)) - return r; - - /* If variable is not set use guesswork below */ -- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks."); -+ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks."); - } else if (efi_banks == UINT32_MAX) - log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. 
We have to guess the used PCR banks."); - else { -@@ -2811,11 +2811,11 @@ int tpm2_get_good_pcr_banks( - uint32_t efi_banks; - r = efi_get_active_pcr_banks(&efi_banks); - if (r < 0) { -- if (r != -ENOENT) -+ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP)) - return r; - - /* If the variable is not set we have to guess via the code below */ -- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks."); -+ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks."); - } else if (efi_banks == UINT32_MAX) - log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks."); - else { diff --git a/meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch b/meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch deleted file mode 100644 index 63fa7fefec..0000000000 --- a/meta/recipes-core/systemd/systemd/0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 0565f9f27323a8f9e62d85f2add542af99cea06a Mon Sep 17 00:00:00 2001 -From: AshishKumar Mishra -Date: Wed, 21 Jan 2026 14:13:29 +0530 -Subject: [PATCH] systemd: Add detailed debug logging to fdset_new_fill() - -Currently, when fdset_new_fill() fails to open /proc/self/fd or -encounters an error while processing individual file descriptors -(such as fcntl or fstat failures), it returns a silent error code. - -For debugging rarely reproducible failures it becomes difficult to -know the exact cause of failure -This commit updates the function to use log_debug_errno() for all -error paths and hence provides better visibility into why FD collection -failed, including the path of the problematic FD (via fd_get_path) -and its inode type. - -Upstream-Status: Backport [https://github.com/systemd/systemd/pull/40385] - -Signed-off-by: AshishKumar Mishra ---- - src/shared/fdset.c | 35 ++++++++++++++++++++++++++--------- - 1 file changed, 26 insertions(+), 9 deletions(-) - -diff --git a/src/shared/fdset.c b/src/shared/fdset.c -index 832e7fda60..f340f41b0e 100644 ---- a/src/shared/fdset.c -+++ b/src/shared/fdset.c -@@ -8,6 +8,7 @@ - #include "alloc-util.h" - #include "async.h" - #include "dirent-util.h" -+#include "errno-util.h" - #include "fd-util.h" - #include "fdset.h" - #include "log.h" -@@ -179,9 +180,10 @@ int fdset_new_fill( - d = opendir("/proc/self/fd"); - if (!d) { - if (errno == ENOENT && proc_mounted() == 0) -- return -ENOSYS; -+ return log_debug_errno(SYNTHETIC_ERRNO(ENOSYS), -+ "Failed to open /proc/self/fd/, /proc/ is not mounted."); - -- return -errno; -+ return log_debug_errno(errno, "Failed to open /proc/self/fd/: %m "); - } - - s = fdset_new(); -@@ -210,9 +212,14 @@ int fdset_new_fill( - * been passed in can be collected and fds which have been created locally can be - * ignored, under the assumption that only the latter have O_CLOEXEC set. 
*/ - -- fl = fcntl(fd, F_GETFD); -- if (fl < 0) -- return -errno; -+ fl = RET_NERRNO(fcntl(fd, F_GETFD)); -+ if (fl < 0) { -+ _cleanup_free_ char *path = NULL; -+ (void) fd_get_path(fd, &path); -+ return log_debug_errno(fl, -+ "Failed to get flag of fd=%d (%s): %m ", -+ fd, strna(path)); -+ } - - if (FLAGS_SET(fl, FD_CLOEXEC) != !!filter_cloexec) - continue; -@@ -221,13 +228,23 @@ int fdset_new_fill( - /* We need to set CLOEXEC manually only if we're collecting non-CLOEXEC fds. */ - if (filter_cloexec <= 0) { - r = fd_cloexec(fd, true); -- if (r < 0) -- return r; -+ if (r < 0) { -+ _cleanup_free_ char *path = NULL; -+ (void) fd_get_path(fd, &path); -+ return log_debug_errno(r, -+ "Failed to set CLOEXEC flag fd=%d (%s): %m ", -+ fd, strna(path)); -+ } - } - - r = fdset_put(s, fd); -- if (r < 0) -- return r; -+ if (r < 0) { -+ _cleanup_free_ char *path = NULL; -+ (void) fd_get_path(fd, &path); -+ return log_debug_errno(r, -+ "Failed to put fd=%d (%s) into fdset: %m ", -+ fd, strna(path)); -+ } - } - - *ret = TAKE_PTR(s); --- -2.34.1 - diff --git a/meta/recipes-core/systemd/systemd_259.5.bb b/meta/recipes-core/systemd/systemd_261.bb similarity index 99% rename from meta/recipes-core/systemd/systemd_259.5.bb rename to meta/recipes-core/systemd/systemd_261.bb index f3ec0edae7..eedce348c3 100644 --- a/meta/recipes-core/systemd/systemd_259.5.bb +++ b/meta/recipes-core/systemd/systemd_261.bb @@ -32,9 +32,6 @@ SRC_URI += " \ file://systemd-pager.sh \ file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ file://0003-Do-not-create-var-log-README.patch \ - file://0001-meson-use-libfido2_cflags-dependency.patch \ - file://0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch \ - file://0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch \ " PAM_PLUGINS = " \ 
@@ -226,9 +223,6 @@ EXTRA_OEMESON += "-Dnobody-user=nobody \ -Ddbus=disabled \ -Dtests=false \ -Dlibc=${TCLIBC} \ - -Drc-local='' \ - -Dsysvinit-path='' \ - -Dsysvrcnd-path='' \ " # Hardcode target binary paths to avoid using paths from sysroot or worse @@ -582,6 +576,8 @@ FILES:${PN}-extra-utils = "\ ${bindir}/systemd-cgtop \ ${bindir}/systemd-stdio-bridge \ ${base_sbindir}/mount.ddi \ + ${base_sbindir}/mount.mstack \ + ${base_sbindir}/mount.storage \ ${systemd_system_unitdir}/initrd.target.wants/systemd-pcrphase-initrd.path \ ${systemd_system_unitdir}/sysinit.target.wants/systemd-pcrphase.path \ ${systemd_system_unitdir}/sysinit.target.wants/systemd-pcrphase-sysinit.path \ @@ -678,6 +674,7 @@ FILES:${PN} = " ${base_bindir}/* \ ${datadir}/polkit-1 \ ${datadir}/${BPN} \ ${datadir}/factory \ + ${datadir}/user-tmpfiles.d \ ${sysconfdir}/credstore/ \ ${sysconfdir}/credstore.encrypted/ \ ${sysconfdir}/dbus-1/ \ @@ -687,6 +684,7 @@ FILES:${PN} = " ${base_bindir}/* \ ${sysconfdir}/sysctl.d/ \ ${sysconfdir}/systemd/ \ ${sysconfdir}/tmpfiles.d/ \ + ${sysconfdir}/user-tmpfiles.d/ \ ${sysconfdir}/xdg/ \ ${sysconfdir}/init.d/README \ ${sysconfdir}/resolv-conf.systemd \ 
@@ -797,11 +795,13 @@ FILES:udev += "${base_sbindir}/udevd \ ${nonarch_libdir}/udev/rules.d/60-persistent-storage.rules \ ${nonarch_libdir}/udev/rules.d/60-persistent-storage-mtd.rules \ ${nonarch_libdir}/udev/rules.d/60-persistent-storage-tape.rules \ + ${nonarch_libdir}/udev/rules.d/60-tpm2-id.rules \ ${nonarch_libdir}/udev/rules.d/60-persistent-v4l.rules \ ${nonarch_libdir}/udev/rules.d/60-sensor.rules \ ${nonarch_libdir}/udev/rules.d/60-serial.rules \ ${nonarch_libdir}/udev/rules.d/61-autosuspend-manual.rules \ ${nonarch_libdir}/udev/rules.d/64-btrfs.rules \ + ${nonarch_libdir}/udev/rules.d/65-integration.rules \ ${nonarch_libdir}/udev/rules.d/70-camera.rules \ ${nonarch_libdir}/udev/rules.d/70-joystick.rules \ ${nonarch_libdir}/udev/rules.d/70-memory.rules \
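Review bot: in systemd-systemctl-native_261.bb the new comment says the disables cover what meson auto-detects from the native sysroot, but the twelve options on the four added EXTRA_OEMESON lines are a hand-picked set and nothing in the recipe says how the list was derived. Any auto-detected feature that is not on the list is still taken from whatever the build host provides. Consider meson's -Dauto_features=disabled with explicit enables for what systemctl needs, or extend the comment to say how the list was produced so it can be rechecked on the next upgrade.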
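Review bot: the systemd.inc hunk drops the four CVE_STATUS entries for CVE-2026-40223 through CVE-2026-40226, and the commit message does not mention it. Each entry was marked fixed in a 259.x release, so please confirm that cve-check still reports all four as patched for PV 261 from version data alone, and add a line to the commit message saying the overrides are no longer needed.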
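Review bot: the refreshed 0003-Do-not-create-var-log-README.patch looks hand-edited rather than regenerated. The new index line "cdef21fa9b..7890abcdef" has a post-image id that reads like a placeholder, the pre-image id is unchanged even though the trailing context lines were dropped, and the hunk "@@ -13,6 +13,3 @@" now ends on the removed lines with no trailing context. Please regenerate it with git format-patch (or devtool) against the v261-stable tree so the index ids and context come from the real file.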
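Review bot: the EXTRA_OEMESON hunk at line 226 of systemd_261.bb removes -Drc-local='' together with the two sysvinit options, but the commit message only lists sysvinit-path/sysvrcnd-path as removed upstream. If the rc-local option still exists in 261, dropping the empty value means the upstream default applies on target; please state in the commit message whether it was removed upstream as well.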
b=dIq0YpQcHyb3xvopvlDdgGL4hNYN6KQluWBN9GUprWD/ODLXC5MZdiop8zBc1MoaFzEjKLSZadCcpP9zRjo0fhbum5QhRmg1V+SMJ2vQE9hkumPgpZPgFuSFFM/qGa2Vgxokzs+4obPEJrlo+IERNBeMKq3yuwILuqRj1UdtqEGm6eQesSh0ilDesGGdvNsT/9ZBJQ5qxbRcOBWm/c9b5Pl4/hSNl2FpV/bqMgh9yWQP1tu05K69q589ckoUO7D97XAaW150NFKnHJnLaZiV0uRutso62rGJocf9PB0+7Qdbq6Eov+gLpTUcSJhj96xwc3jIjIr5ZJmC5GJo28NRjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Lb9z5DqKKXW8mkL9/MxfHyfVPFH5+Yy3gvqDNne75Y8=; b=D74zKyHT2Ws4HEXclct83NFOV1ZRoc7nKkO2DzGTVTge0je1gK8b6E+nq6FcjwaXEwdCFEPhBo+sah1kTXWbYm+hTh3jgPrIFMqp4WbyQdmgV7V2HAPYc2PjC8snk5dyJpuLWwsxaXMw5HQGQSoaS0buvHwtcMsQ3vFDHmqR6MpK5zIYgnBpKdnKi+koM6XFQu0WmKHkmGvDY5O86SbNm83hK1YAiIJPx+s7ilzqmd/wjLS551kAZXNxpnAdekMH4FUYbnoJ+/vev6odYpNTmxpuCd0MoLflho7dYMaim2LnSArWLPW8fH8r5/rMDxBERhg7mnC7btFFLcCnU7a6kw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 192.176.1.74) smtp.rcpttodomain=arm.com smtp.mailfrom=ericsson.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=ericsson.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Lb9z5DqKKXW8mkL9/MxfHyfVPFH5+Yy3gvqDNne75Y8=; b=ZiEuxwCw91Z4YgBhcGiYeLrbnj7Zw0TO0yv2J5d7dEYlPFYPH6EhxUC9VNtaBmlpFFaKkuQnQvrtR+CEZYPyBXn4s92hHUD5tmHwxmO3ZuFokP/HaY1dKGq9sYD0otyomLEzA3dRufxIO3dOGp7WC8CbjihPFJuJ5ign9aDWFByA7FnNBREpRFYrGsyiqW9/OWK4YD6XeXGP4G371T9KPCUxgSgNwggh7hwaYmPoBLKi1GJvQqvHK5dNAR6pMsVkslhfhXQwJTp5yV+vPbJK7Lrx+yuDDmpgwZnk3E2a0PH5woER35XvPmQhX/fYcqyKXCfnVjJIuv1iHLKRnzYu5A== Received: from DUZPR01CA0291.eurprd01.prod.exchangelabs.com (2603:10a6:10:4b7::9) by DB9PR07MB8524.eurprd07.prod.outlook.com (2603:10a6:10:368::20) 
with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.181.10; Fri, 3 Jul 2026 07:30:37 +0000 Received: from DB1PEPF000509F7.eurprd02.prod.outlook.com (2603:10a6:10:4b7:cafe::1f) by DUZPR01CA0291.outlook.office365.com (2603:10a6:10:4b7::9) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.181.11 via Frontend Transport; Fri, 3 Jul 2026 07:30:37 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 192.176.1.74) smtp.mailfrom=ericsson.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=ericsson.com; Received-SPF: Pass (protection.outlook.com: domain of ericsson.com designates 192.176.1.74 as permitted sender) receiver=protection.outlook.com; client-ip=192.176.1.74; helo=oa.msg.ericsson.com; pr=C Received: from oa.msg.ericsson.com (192.176.1.74) by DB1PEPF000509F7.mail.protection.outlook.com (10.167.242.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.181.6 via Frontend Transport; Fri, 3 Jul 2026 07:30:37 +0000 Received: from seroius18813.sero.gic.ericsson.se (153.88.142.248) by smtp-central.internal.ericsson.com (100.87.178.65) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37; Fri, 3 Jul 2026 09:30:36 +0200 Received: from seroius08462.sero.gic.ericsson.se (seroius08462.sero.gic.ericsson.se [10.63.237.245]) by seroius18813.sero.gic.ericsson.se (Postfix) with ESMTP id D14206BEF5; Fri, 3 Jul 2026 09:30:11 +0200 (CEST) Received: by seroius08462.sero.gic.ericsson.se (Postfix, from userid 160155) id 39E86700DBB0; Fri, 3 Jul 2026 09:30:09 +0200 (CEST) 
From: To: , , , CC: , , , , Subject: [PATCH v4 2/2] systemd: add native hwdb generator via merged systemd-tools-native Date: Fri, 3 Jul 2026 09:29:32 +0200 Message-ID: <20260703072948.2939128-3-daniel.turull@ericsson.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260703072948.2939128-1-daniel.turull@ericsson.com> References: <20260703072948.2939128-1-daniel.turull@ericsson.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DB1PEPF000509F7:EE_|DB9PR07MB8524:EE_ X-MS-Office365-Filtering-Correlation-Id: c08926d0-4a8b-45ca-6efb-08ded8d4fa0e X-SMTP-Server: smtp-central.internal.ericsson.com X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|36860700016|1800799024|23010399003|376014|82310400026|18002099003|22082099003|56012099006|11063799006|6133799003|3023799007|13003099007; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:192.176.1.74;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:oa.msg.ericsson.com;PTR:office365.se.ericsson.net;CAT:NONE;SFS:(13230040)(36860700016)(1800799024)(23010399003)(376014)(82310400026)(18002099003)(22082099003)(56012099006)(11063799006)(6133799003)(3023799007)(13003099007);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 2MfaAyzKMsT+JUQ30px8DdhfE9A6ovDLc9I2db1BWBB8AqnWdsfTPDO2qLqfJuFvOyORtfsdJW/jms8TEq983XD3q8ehOjHkmxLozUD6+1xl07+Wj2hxLXGY31IFIDgmYksgpDzbcffL10mfRaEY2GoPb1dcK8ugVDZYR2dkoBvcZau9rc8Hw8hfbjTw83RmIeDeL3NBbkpdmubVwgfotct2IMEXM3wyBLa/dD20zMQF5JCjXyw+AYAqCf1mJgYrk3CxL37yLAInCFXvo0XmeQM9Ys8PYba/CQ1gO4oFgQQ7fTg5IKBNloTK0NqwBPJnaZ3SBNN2CGfaSGxAUaPZz1WF4wg2jkBFyQCECVsydOlFoJpYY13sDtbovKIvYmTqjlVLkVVLgFNYn/8szdsTE9fNp8gWJ4YOHkV8H9s999RfYUNjs6RhWf+zWWWvU1LP X-OriginatorOrg: ericsson.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Jul 2026 07:30:37.2282 (UTC) 
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/240080
From: Daniel Turull

systemd 261 requires STATX_MNT_ID (kernel >= 5.8) for path resolution. On older hosts (e.g. RHEL 8 with kernel 4.18), the QEMU-emulated udevadm hwdb fails during image construction.

Build systemd-hwdb natively so image construction no longer depends on QEMU-emulated udevadm on such hosts, with:

- A patch restoring /proc/self/fdinfo mount-ID fallback for kernels lacking STATX_MNT_ID (applied only to the native tools recipe)
- A patch forcing compat mode in hwdb generation to avoid embedding build-host paths in hwdb.bin (reproducibility)

Update the update_udev_hwdb intercept to prefer the native systemd-hwdb over QEMU emulation, with a test -s check to catch silent failures from either path.

Rather than add a second native recipe, merge systemctl and systemd-hwdb into a single systemd-tools-native recipe that builds both tools from one meson configure. Both are satisfied by target-absolute paths (--prefix /usr for hwdb's UDEVLIBEXECDIR, --sysconfdir /etc for systemctl); systemctl --root enable/disable and hwdb generation were verified to behave identically to the previous separate builds.

All in-tree consumers (systemd.bbclass, systemd_261.bb, keymaps, initscripts, modutils-initscripts) are updated to the new name.

Tested on RHEL 8.10 and Ubuntu 22.04.5

AI-Generated: Claude-opus-4.6
Signed-off-by: Daniel Turull --- systemd-tools-native is assigned to Chen Qi in maintainers.inc, matching the rest of the systemd recipes; adjust if a different owner is preferred. --- meta/classes-recipe/systemd.bbclass | 4 +- meta/conf/distro/include/maintainers.inc | 2 +- meta/recipes-bsp/keymaps/keymaps_1.0.bb | 2 +- .../initscripts/initscripts_1.0.bb | 2 +- .../systemd/systemd-systemctl-native_261.bb | 25 --- .../systemd/systemd-tools-native_261.bb | 42 +++++ ...idfd_open-and-STATX_MNT_ID-on-older-.patch | 176 ++++++++++++++++++ ...t-mode-for-reproducible-cross-builds.patch | 36 ++++ meta/recipes-core/systemd/systemd_261.bb | 2 +- .../modutils-initscripts.bb | 2 +- scripts/postinst-intercepts/update_udev_hwdb | 24 ++- 11 files changed, 281 insertions(+), 36 deletions(-) delete mode 100644 meta/recipes-core/systemd/systemd-systemctl-native_261.bb create mode 100644 meta/recipes-core/systemd/systemd-tools-native_261.bb create mode 100644 meta/recipes-core/systemd/systemd/Handle-missing-pidfd_open-and-STATX_MNT_ID-on-older-.patch create mode 100644 meta/recipes-core/systemd/systemd/hwdb-use-compat-mode-for-reproducible-cross-builds.patch diff --git a/meta/classes-recipe/systemd.bbclass b/meta/classes-recipe/systemd.bbclass index 26eaaf1922..8c6b6cae36 100644 --- a/meta/classes-recipe/systemd.bbclass +++ b/meta/classes-recipe/systemd.bbclass @@ -21,8 +21,8 @@ python __anonymous() { # Inhibit update-rcd from doing any work so that systemd images don't have # redundant init files. if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d): - d.appendVar("DEPENDS", " systemd-systemctl-native") - d.appendVar("PACKAGE_WRITE_DEPS", " systemd-systemctl-native") + d.appendVar("DEPENDS", " systemd-tools-native") + d.appendVar("PACKAGE_WRITE_DEPS", " systemd-tools-native") d.setVar("INHIBIT_UPDATERCD_BBCLASS", "1") } diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 4c6307086c..53a274c0a2 100644 
--- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -833,7 +833,7 @@ RECIPE_MAINTAINER:pn-systemd-bootconf = "Chen Qi " RECIPE_MAINTAINER:pn-systemd-conf = "Chen Qi " RECIPE_MAINTAINER:pn-systemd-machine-units = "Chen Qi " RECIPE_MAINTAINER:pn-systemd-serialgetty = "Chen Qi " -RECIPE_MAINTAINER:pn-systemd-systemctl-native = "Chen Qi " +RECIPE_MAINTAINER:pn-systemd-tools-native = "Chen Qi " RECIPE_MAINTAINER:pn-systemtap = "Victor Kamensky " RECIPE_MAINTAINER:pn-systemtap-native = "Victor Kamensky " RECIPE_MAINTAINER:pn-sysvinit = "Ross Burton " diff --git a/meta/recipes-bsp/keymaps/keymaps_1.0.bb b/meta/recipes-bsp/keymaps/keymaps_1.0.bb index b7e6ef6cb1..171f7f7c0b 100644 --- a/meta/recipes-bsp/keymaps/keymaps_1.0.bb +++ b/meta/recipes-bsp/keymaps/keymaps_1.0.bb @@ -36,7 +36,7 @@ do_install () { fi } -PACKAGE_WRITE_DEPS:append = " ${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','systemd-systemctl-native','',d)}" +PACKAGE_WRITE_DEPS:append = " ${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','systemd-tools-native','',d)}" pkg_postinst:${PN} () { if ${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','true','false',d)}; then if [ -n "$D" ]; then diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb index 23411b6a71..48c1b6244f 100644 --- a/meta/recipes-core/initscripts/initscripts_1.0.bb +++ b/meta/recipes-core/initscripts/initscripts_1.0.bb @@ -41,7 +41,7 @@ S = "${UNPACKDIR}" KERNEL_VERSION = "" DEPENDS:append = " update-rc.d-native" -PACKAGE_WRITE_DEPS:append = " ${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd-systemctl-native','',d)}" +PACKAGE_WRITE_DEPS:append = " ${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd-tools-native','',d)}" PACKAGES =+ "${PN}-functions ${PN}-sushell" RDEPENDS:${PN} = "initd-functions \ 
diff --git a/meta/recipes-core/systemd/systemd-systemctl-native_261.bb b/meta/recipes-core/systemd/systemd-systemctl-native_261.bb deleted file mode 100644 index 28fddc79df..0000000000 --- a/meta/recipes-core/systemd/systemd-systemctl-native_261.bb +++ /dev/null @@ -1,25 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/systemd:" - -SUMMARY = "Systemctl executable from systemd" - -require systemd.inc - -DEPENDS = "gperf-native libcap-native util-linux-native python3-jinja2-native" - -inherit pkgconfig meson native - -MESON_TARGET = "systemctl" -MESON_INSTALL_TAGS = "systemctl" -# Explicitly disable features that meson auto-detects from the native sysroot. -# Only systemctl is built here; these prevent spurious dependencies and ensure -# reproducible builds regardless of what is installed on the build host. -EXTRA_OEMESON += "-Dlink-systemctl-shared=false" -EXTRA_OEMESON += "-Dpam=disabled -Daudit=disabled -Dselinux=disabled" -EXTRA_OEMESON += "-Dacl=disabled -Dapparmor=disabled -Dseccomp=disabled" -EXTRA_OEMESON += "-Dlibcryptsetup=disabled -Dlibcurl=disabled -Dlibfido2=disabled" -EXTRA_OEMESON += "-Dpcre2=disabled -Dp11kit=disabled -Dopenssl=disabled" - -# Systemctl is supposed to operate on target, but the target sysroot is not -# determined at run-time, but rather set during configure -# More details are here https://github.com/systemd/systemd/issues/35897#issuecomment-2665405887 -EXTRA_OEMESON += "--sysconfdir ${sysconfdir_native}" diff --git a/meta/recipes-core/systemd/systemd-tools-native_261.bb b/meta/recipes-core/systemd/systemd-tools-native_261.bb new file mode 100644 index 0000000000..82700442eb --- /dev/null +++ b/meta/recipes-core/systemd/systemd-tools-native_261.bb 
@@ -0,0 +1,42 @@ +# SPDX-License-Identifier: MIT +FILESEXTRAPATHS:prepend := "${THISDIR}/systemd:" + +SUMMARY = "systemd native tools (systemctl and systemd-hwdb)" + +require systemd.inc + +DEPENDS = "gperf-native libcap-native util-linux-native python3-jinja2-native" + +# TODO: Remove STATX_MNT_ID patch once minimum supported build host kernel is >= 5.8 (RHEL 8 EOL: 2029) +SRC_URI += "file://Handle-missing-pidfd_open-and-STATX_MNT_ID-on-older-.patch \ + file://hwdb-use-compat-mode-for-reproducible-cross-builds.patch \ + " + +inherit pkgconfig meson native + +# Build both tools from a single configured tree. +MESON_TARGET = "systemctl systemd-hwdb" + +# Target-absolute paths that satisfy both tools from one meson configure: +# - systemd-hwdb needs prefix=/usr so the compiled-in UDEVLIBEXECDIR +# (/usr/lib/udev) matches the target rootfs layout, letting +# "update --root $D --usr" find hwdb.d sources and write hwdb.bin there. +# - systemctl needs sysconfdir=/etc; it operates on the target rootfs but the +# sysroot is fixed at configure time rather than run time. +# See https://github.com/systemd/systemd/issues/35897#issuecomment-2665405887 +EXTRA_OEMESON += "--prefix /usr --sysconfdir /etc" +EXTRA_OEMESON += "-Dhwdb=true -Dlink-udev-shared=false -Dlink-systemctl-shared=false" + +# Explicitly disable features that meson auto-detects from the native sysroot. +# These prevent spurious dependencies and ensure reproducible builds regardless +# of what is installed on the build host. +EXTRA_OEMESON += "-Dpam=disabled -Daudit=disabled -Dselinux=disabled" +EXTRA_OEMESON += "-Dacl=disabled -Dapparmor=disabled -Dseccomp=disabled" +EXTRA_OEMESON += "-Dlibcryptsetup=disabled -Dlibcurl=disabled -Dlibfido2=disabled" +EXTRA_OEMESON += "-Dpcre2=disabled -Dp11kit=disabled -Dopenssl=disabled" + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${B}/systemctl ${D}${bindir}/systemctl + install -m 0755 ${B}/systemd-hwdb ${D}${bindir}/systemd-hwdb +} 
diff --git a/meta/recipes-core/systemd/systemd/Handle-missing-pidfd_open-and-STATX_MNT_ID-on-older-.patch b/meta/recipes-core/systemd/systemd/Handle-missing-pidfd_open-and-STATX_MNT_ID-on-older-.patch new file mode 100644 index 0000000000..65866fa01a --- /dev/null +++ b/meta/recipes-core/systemd/systemd/Handle-missing-pidfd_open-and-STATX_MNT_ID-on-older-.patch 
@@ -0,0 +1,176 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Turull +Date: Mon, 23 Jun 2026 12:00:00 +0200 +Subject: [PATCH] Handle missing pidfd_open and STATX_MNT_ID on older kernels + +On hosts lacking pidfd_open (kernel < 5.3) or STATX_MNT_ID (kernel < 5.8, +e.g. RHEL 8), native tools (systemctl --root, systemd-hwdb --root) fail +during path resolution. Fix by: + +- Treating ENOSYS/EOPNOTSUPP from pidfd_open as graceful fallback. +- Adding fd_get_mount_id() to read mnt_id from /proc/self/fdinfo (available + since kernel 3.15) and using it as fallback when statx returns -EUNATCH in + fds_inode_and_mount_same() and chase_statx(). + +This restores the /proc/self/fdinfo fallback that existed in systemd 259 +(fd_fdinfo_mnt_id in mountpoint-util.c) but was removed upstream in 260+. + +This patch is only applied to the native tools recipe +(systemd-tools-native) where /proc/self/fdinfo is guaranteed available. +Do NOT apply to the target systemd recipe. 
+ +Upstream-Status: Inappropriate [oe specific] + +Assisted-by: kiro:claude-opus-4.6 +Signed-off-by: Daniel Turull +--- + src/basic/chase.c | 20 ++++++++++++++- + src/basic/fd-util.c | 63 +++++++++++++++++++++++++++++++++++++++++++-- + src/basic/fd-util.h | 1 + + src/basic/pidref.c | 4 +-- + 4 files changed, 83 insertions(+), 5 deletions(-) + +--- a/src/basic/pidref.c 2026-06-25 14:01:12.007875484 +0200 ++++ b/src/basic/pidref.c 2026-06-25 14:01:55.098770206 +0200 +@@ -106,8 +106,8 @@ int pidref_set_pid(PidRef *pidref, pid_t + + fd = pidfd_open(pid, 0); + if (fd < 0) { +- /* Graceful fallback in case the kernel is out of fds */ +- if (!ERRNO_IS_RESOURCE(errno)) ++ /* Graceful fallback in case the kernel is out of fds or lacks pidfd support */ ++ if (!ERRNO_IS_RESOURCE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno)) + return log_debug_errno(errno, "Failed to open pidfd for pid " PID_FMT ": %m", pid); + + fd = -EBADF; +--- a/src/basic/fd-util.h 2026-06-25 14:01:12.009875526 +0200 ++++ b/src/basic/fd-util.h 2026-06-25 14:01:20.909060415 +0200 +@@ -188,6 +188,7 @@ static inline int dir_fd_is_root_or_cwd( + } + + int fds_inode_and_mount_same(int fd1, int fd2); ++int fd_get_mount_id(int fd, uint64_t *ret); + + int resolve_xat_fdroot(int *fd, const char **path, char **ret_buffer); + +--- a/src/basic/fd-util.c 2026-06-25 14:01:12.011875567 +0200 ++++ b/src/basic/fd-util.c 2026-06-25 14:01:40.007456905 +0200 +@@ -1082,6 +1082,38 @@ int path_is_root_at(int dir_fd, const ch + return fds_inode_and_mount_same(dir_fd, XAT_FDROOT); + } + ++int fd_get_mount_id(int fd, uint64_t *ret) { ++ char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)]; ++ _cleanup_close_ int real_fd = -EBADF; ++ _cleanup_free_ char *p = NULL; ++ uint64_t mnt_id; ++ int r; ++ ++ assert(ret); ++ ++ /* /proc/self/fdinfo/ requires a real fd; resolve AT_FDCWD/XAT_FDROOT via O_PATH. */ ++ if (fd == AT_FDCWD || fd == XAT_FDROOT) { ++ real_fd = open(fd == XAT_FDROOT ? 
"/" : ".", O_PATH|O_CLOEXEC); ++ if (real_fd < 0) ++ return -errno; ++ fd = real_fd; ++ } ++ ++ assert(fd >= 0); ++ xsprintf(path, "/proc/self/fdinfo/%i", fd); ++ ++ r = get_proc_field(path, "mnt_id", &p); ++ if (r < 0) ++ return r; ++ ++ r = safe_atou64(p, &mnt_id); ++ if (r < 0) ++ return r; ++ ++ *ret = mnt_id; ++ return 0; ++} ++ + int fds_inode_and_mount_same(int fd1, int fd2) { + struct statx sx1, sx2; + int r; +@@ -1092,7 +1124,20 @@ int fds_inode_and_mount_same(int fd1, in + r = xstatx(fd1, /* path = */ NULL, AT_EMPTY_PATH, + STATX_TYPE|STATX_INO|STATX_MNT_ID, + &sx1); +- if (r < 0) ++ if (r == -EUNATCH) { ++ uint64_t mnt_id; ++ ++ /* Kernel lacks STATX_MNT_ID; fall back to /proc/self/fdinfo. */ ++ r = xstatx(fd1, /* path = */ NULL, AT_EMPTY_PATH, ++ STATX_TYPE|STATX_INO, &sx1); ++ if (r < 0) ++ return r; ++ r = fd_get_mount_id(fd1, &mnt_id); ++ if (r < 0) ++ return r; ++ sx1.stx_mnt_id = mnt_id; ++ sx1.stx_mask |= STATX_MNT_ID; ++ } else if (r < 0) + return r; + + if (fd1 == fd2) /* Shortcut things if fds are the same (only after validating the fd) */ +@@ -1101,7 +1146,19 @@ int fds_inode_and_mount_same(int fd1, in + r = xstatx(fd2, /* path = */ NULL, AT_EMPTY_PATH, + STATX_TYPE|STATX_INO|STATX_MNT_ID, + &sx2); +- if (r < 0) ++ if (r == -EUNATCH) { ++ uint64_t mnt_id; ++ ++ r = xstatx(fd2, /* path = */ NULL, AT_EMPTY_PATH, ++ STATX_TYPE|STATX_INO, &sx2); ++ if (r < 0) ++ return r; ++ r = fd_get_mount_id(fd2, &mnt_id); ++ if (r < 0) ++ return r; ++ sx2.stx_mnt_id = mnt_id; ++ sx2.stx_mask |= STATX_MNT_ID; ++ } else if (r < 0) + return r; + + r = statx_mount_same(&sx1, &sx2); +--- a/src/basic/chase.c 2026-06-25 14:01:12.013875609 +0200 ++++ b/src/basic/chase.c 2026-06-25 14:01:47.117604514 +0200 +@@ -40,7 +40,9 @@ + (CHASE_MUST_BE_DIRECTORY|CHASE_MUST_BE_REGULAR|CHASE_MUST_BE_SOCKET) + + static int chase_statx(int fd, struct statx *ret) { +- return xstatx_full(fd, ++ int r; ++ ++ r = xstatx_full(fd, + /* path= */ NULL, + /* statx_flags= */ 0, + 
XSTATX_MNT_ID_BEST, +@@ -48,6 +50,23 @@ static int chase_statx(int fd, struct st + /* optional_mask= */ 0, + /* mandatory_attributes= */ 0, + ret); ++ if (r == -EUNATCH) { ++ uint64_t mnt_id; ++ ++ /* Kernel lacks STATX_MNT_ID; fall back to /proc/self/fdinfo. */ ++ r = xstatx(fd, /* path= */ NULL, /* statx_flags= */ 0, ++ STATX_TYPE|STATX_UID|STATX_INO, ++ ret); ++ if (r < 0) ++ return r; ++ r = fd_get_mount_id(fd, &mnt_id); ++ if (r < 0) ++ return r; ++ ret->stx_mnt_id = mnt_id; ++ ret->stx_mask |= STATX_MNT_ID; ++ } ++ ++ return r; + } + + static int chase_openat2(int root_fd, int dir_fd, const char *path, ChaseFlags chase_flags) { diff --git a/meta/recipes-core/systemd/systemd/hwdb-use-compat-mode-for-reproducible-cross-builds.patch b/meta/recipes-core/systemd/systemd/hwdb-use-compat-mode-for-reproducible-cross-builds.patch new file mode 100644 index 0000000000..bb90105cbd --- /dev/null +++ b/meta/recipes-core/systemd/systemd/hwdb-use-compat-mode-for-reproducible-cross-builds.patch 
@@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Turull +Date: Wed, 25 Jun 2026 10:00:00 +0200 +Subject: [PATCH] hwdb: use compat mode to avoid embedding source paths + +Use compat=true in systemd-hwdb's verb_update() so that source +filenames, line numbers, and priorities are not embedded in hwdb.bin. + +Without this, when --root $D is used during cross-compilation, the +absolute build paths (e.g. /tmp/work/.../rootfs/usr/lib/udev/hwdb.d/...) +are written into the database, causing: +- Non-reproducible builds (different TMPDIR → different hwdb.bin) +- Build directory path leakage into the target image + +The compat format matches what udevadm hwdb (the deprecated path) +has always produced, and is the expected format for cross-built images. + +Upstream-Status: Inappropriate [oe specific] + +AI-Generated: Claude Opus 4.6 +Signed-off-by: Daniel Turull +--- + src/hwdb/hwdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/hwdb/hwdb.c ++++ b/src/hwdb/hwdb.c +@@ -27,7 +27,7 @@ static int verb_update(int argc, char *argv[], uintptr_t _data, void *userdata) + if (hwdb_bypass()) + return 0; + +- return hwdb_update(arg_root, arg_hwdb_bin_dir, arg_strict, false); ++ return hwdb_update(arg_root, arg_hwdb_bin_dir, arg_strict, true); + } + + static int help(void) { diff --git a/meta/recipes-core/systemd/systemd_261.bb b/meta/recipes-core/systemd/systemd_261.bb index eedce348c3..05440e92bb 100644 --- a/meta/recipes-core/systemd/systemd_261.bb +++ b/meta/recipes-core/systemd/systemd_261.bb @@ -910,7 +910,7 @@ pkg_prerm:${PN}:libc-glibc () { fi } -PACKAGE_WRITE_DEPS += "qemuwrapper-cross" +PACKAGE_WRITE_DEPS += "qemuwrapper-cross systemd-tools-native" pkg_postinst:udev-hwdb () { if test -n "$D"; then diff --git a/meta/recipes-kernel/modutils-initscripts/modutils-initscripts.bb b/meta/recipes-kernel/modutils-initscripts/modutils-initscripts.bb index fb7b09393a..a1b70b9219 100644 
--- a/meta/recipes-kernel/modutils-initscripts/modutils-initscripts.bb +++ b/meta/recipes-kernel/modutils-initscripts/modutils-initscripts.bb @@ -19,7 +19,7 @@ do_install () { install -m 0755 ${S}/modutils.sh ${D}${sysconfdir}/init.d/ } -PACKAGE_WRITE_DEPS:append = " ${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd-systemctl-native','',d)}" +PACKAGE_WRITE_DEPS:append = " ${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd-tools-native','',d)}" pkg_postinst:${PN} () { if type systemctl >/dev/null 2>/dev/null; then if [ -n "$D" ]; then diff --git a/scripts/postinst-intercepts/update_udev_hwdb b/scripts/postinst-intercepts/update_udev_hwdb index 8b3f5de791..d7a4ffc294 100644 --- a/scripts/postinst-intercepts/update_udev_hwdb +++ b/scripts/postinst-intercepts/update_udev_hwdb 
@@ -19,7 +19,23 @@ case "${PREFERRED_PROVIDER_udev}" in ;; esac -rm -f $D${UDEVLIBDIR}/udev/hwdb.bin -PSEUDO_UNLOAD=1 ${binprefix}qemuwrapper -L $D $D${UDEVADM} hwdb --update --root $D ${UDEV_EXTRA_ARGS} || - PSEUDO_UNLOAD=1 qemuwrapper -L $D $D${UDEVADM} hwdb --update --root $D ${UDEV_EXTRA_ARGS} -chown root:root $D${UDEVLIBDIR}/udev/hwdb.bin +hwdb_bin="$D${UDEVLIBDIR}/udev/hwdb.bin" +rm -f "$hwdb_bin" + +# Use native systemd-hwdb to generate hwdb.bin at build time. +# This avoids QEMU user-mode emulation and works on host kernels < 5.8 +# (e.g. RHEL 8) where systemd 261+ would fail due to missing STATX_MNT_ID. +NATIVE_HWDB="${STAGING_DIR_NATIVE}/usr/bin/systemd-hwdb" +if test -x "$NATIVE_HWDB" && test "${PREFERRED_PROVIDER_udev}" = "systemd"; then + PSEUDO_UNLOAD=1 $NATIVE_HWDB update --root $D ${UDEV_EXTRA_ARGS} +else + PSEUDO_UNLOAD=1 ${binprefix}qemuwrapper -L $D $D${UDEVADM} hwdb --update --root $D ${UDEV_EXTRA_ARGS} || + PSEUDO_UNLOAD=1 qemuwrapper -L $D $D${UDEVADM} hwdb --update --root $D ${UDEV_EXTRA_ARGS} +fi + +if ! test -s "$hwdb_bin"; then + echo "ERROR: hwdb.bin was not created at $hwdb_bin" >&2 + echo "The hwdb generation command exited successfully but produced no output." >&2 + exit 1 +fi +chown root:root "$hwdb_bin"
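Review bot: In meta/recipes-core/systemd/systemd-tools-native_261.bb, the new recipe replaces systemd-systemctl-native but declares no PROVIDES for the old name, so a layer outside this tree that still lists systemd-systemctl-native in DEPENDS or PACKAGE_WRITE_DEPS will stop resolving once the old recipe is deleted. The commit message only covers in-tree consumers. Consider adding PROVIDES += "systemd-systemctl-native" for a transition period, or state in the commit message that the rename is intentionally breaking.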
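Review bot: In src/basic/fd-util.c, fds_inode_and_mount_same() now carries the same -EUNATCH fallback twice, once for fd1 into sx1 and once for fd2 into sx2, and only the first copy has the explanatory comment. Factor the retry with STATX_TYPE|STATX_INO plus fd_get_mount_id() into one static helper that takes the fd and the struct statx pointer, so the two paths cannot drift apart. chase_statx() in chase.c repeats the same sequence with a different mask and could call the same helper.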
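Review bot: In chase_statx() (src/basic/chase.c), the fallback re-queries with a hardcoded STATX_TYPE|STATX_UID|STATX_INO, but the mandatory mask passed to xstatx_full() sits on the line between the two hunks and is not shown, so the diff alone does not let a reader confirm that the two masks agree. Say in the comment that the fallback mask mirrors the xstatx_full() mandatory mask, or derive both from one constant. The fallback also bypasses the XSTATX_MNT_ID_BEST selection and reports the fdinfo value as plain STATX_MNT_ID in stx_mask; a one-line comment that this is intended would help the next reader.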
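Review bot: In verb_update() (src/hwdb/hwdb.c), the changed call passes a bare true as the fourth argument of hwdb_update(), which gives no hint at the call site that it selects compat mode. The other patch in this series annotates arguments inline (/* path = */ NULL); do the same here, for example /* compat= */ true. Because the flag is now unconditional, every run of this native systemd-hwdb writes the compat format, which deserves one sentence in the recipe next to the SRC_URI entry.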
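Review bot: In scripts/postinst-intercepts/update_udev_hwdb, the native branch runs $NATIVE_HWDB without checking its exit status, yet the new error text says the command "exited successfully but produced no output"; unless the script runs under set -e, which the hunk does not show, nothing here establishes that. Capture the status of the native call (and of the qemuwrapper pair) and report a non-zero exit separately from an empty hwdb.bin, so a failing generator is not misdiagnosed. Also quote "$NATIVE_HWDB" and "$D" in the new lines the way "$hwdb_bin" is quoted, and consider whether the hardcoded /usr/bin under STAGING_DIR_NATIVE should follow the ${bindir} that the recipe's do_install uses.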