kairos-io / kairos

:penguin: The immutable Linux meta-distribution for edge Kubernetes.
https://kairos.io
Apache License 2.0

systemd 256 changes #2595

Open Itxaka opened 3 months ago

Itxaka commented 3 months ago

This is a ticket to provide info about systemd 256 changes that may affect us

With :+1: things that bring improvements to our current state or add things that we want to use, and with :-1: things that may affect our current state and that we need to fix/improve/adapt.

Master Kairos is currently on 255 with Ubuntu 24.04 and Fedora 40, so 3.1.x is not affected.

Probably affects our cmdlines :-1: :

* systemd.crash_reboot and related settings are deprecated in favor of systemd.crash_action=.

networkd changes to VLAN :-1: :

* Previously, systemd-networkd did not explicitly remove any bridge VLAN IDs assigned on bridge master and ports. Since version 256, if a .network file for an interface has at least one valid setting in the [BridgeVLAN] section, then all assigned VLAN IDs on the interface that are not configured in the .network file are removed.

May affect UKI mounts and EFI non-UKI mounts :-1: :

* systemd-gpt-auto-generator will stop generating units for ESP or XBOOTLDR partitions if it finds mount entries for or below the /boot/ or /efi/ hierarchies in /etc/fstab. This is to prevent the generator from interfering with systems where the ESP is explicitly configured to be mounted at some path, for example /boot/efi/ (this type of setup is obsolete, but still commonly found).

dracut/immucore may be affected :-1: :

* New system manager setting ProtectSystem= has been added. It is analogous to the unit setting, but applies to the whole system. It is enabled by default in the initrd.

  Note that this means that code executed in the initrd cannot naively expect to be able to write to /usr/ during boot. This affects dracut <= 101, which wrote "hooks" to /lib/dracut/hooks/. See

systemd-boot/stub/UKI :+1: :

* systemd-stub will now measure its payload via the new EFI Confidential Computing APIs (CC), in addition to the pre-existing measurements to TPM.

dbx auto enrollment support :+1: :

* systemd-boot's automatic SecureBoot enrollment support gained support for enrolling "dbx" too (previously, only db/KEK/PK enrollment was supported). It also now supports UEFI "Custom" and "Audit" modes.

pcrlock policy from ESP :+1: :

* The pcrlock policy is saved in an unencrypted credential file "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the /loader/credentials/ directory. It will be picked up at boot by systemd-stub and passed t

ucode in UKI files :+1: :

* sd-stub gained support for the new ".ucode" PE section in UKIs, which may contain CPU microcode data. When control is handed over to the Linux kernel, this data is prepended to the set of initrds passed.

pcrlock stable in 257 :+1: :

* systemd-pcrlock's TPM nvindex access policy has been modified; this means that previous pcrlock policies stored in nvindexes are invalidated. They must be removed (systemd-pcrlock remove-policy) and recreated (systemd-pcrlock make-policy). For the time being systemd-pcrlock remains an experimental feature, but it is expected to become stable in the next release, i.e. v257.

cryptenroll disables dictionary attack protection for non-PIN enrollments (possibly not locking the TPM as easily?) :+1: :

* systemd-cryptenroll will no longer enable Dictionary Attack Protection (i.e. turn on NO_DA) for TPM enrollments that do not involve a PIN. DA should not be necessary in that case (since key entropy is high enough to make this unnecessary), but risks accidental lock-out in case of unexpected PCR changes.

cryptenroll support to enroll a TPM2 slot via a TPM2 slot, instead of requiring a password slot in the LUKS device :+1: :

* systemd-cryptenroll now supports enrolling a new slot while unlocking the old slot via TPM2 (previously unlocking only worked via password or FIDO2).

debug tty for boot :+1: :

* A new kernel command-line option systemd.default_debug_tty= can be used to specify the TTY for the debug shell, independently of enabling or disabling it.
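An added pre-upgrade check (written for this page, not part of the issue or of the Kairos code base) for two of the :-1: items above: it flags the deprecated systemd.crash_reboot switch on a kernel command line and lists fstab entries at or below /boot/ or /efi/ that make systemd-gpt-auto-generator skip its ESP/XBOOTLDR units. The crash_reboot to systemd.crash_action= value mapping and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added pre-upgrade check, not Kairos project code. Covers two systemd 256
# items from the issue: the deprecated systemd.crash_reboot switch and the
# fstab rule that makes systemd-gpt-auto-generator skip ESP/XBOOTLDR units.

# Scan a kernel command line for the deprecated crash_reboot switch.
# On a hit, prints the systemd.crash_action= replacement and returns 1.
# Mapping assumed: any true-ish crash_reboot -> reboot, anything else -> freeze.
check_crash_cmdline() {
    for tok in $1; do
        case "$tok" in
            systemd.crash_reboot|systemd.crash_reboot=1|systemd.crash_reboot=yes|systemd.crash_reboot=true|systemd.crash_reboot=on)
                echo "systemd.crash_action=reboot"; return 1 ;;
            systemd.crash_reboot=*)
                echo "systemd.crash_action=freeze"; return 1 ;;
        esac
    done
    return 0
}

# Read fstab content on stdin and print each mount point at or below
# /boot/ or /efi/. Any such entry suppresses the gpt-auto ESP/XBOOTLDR units.
fstab_boot_mounts() {
    while read -r src mnt rest; do
        case "$src" in ''|'#'*) continue ;; esac
        case "$mnt" in
            /boot|/boot/*|/efi|/efi/*) echo "$mnt" ;;
        esac
    done
}

# Constructed sample inputs (not taken from a real machine).
SAMPLE_CMDLINE="console=tty1 quiet systemd.crash_reboot=1"
SAMPLE_FSTAB='# constructed sample /etc/fstab
LABEL=ROOT      /           ext4  defaults        0 1
UUID=1234-ABCD  /boot/efi   vfat  umask=0077      0 2
tmpfs           /tmp        tmpfs defaults        0 0'

# Stand-alone report on the samples.
if repl=$(check_crash_cmdline "$SAMPLE_CMDLINE"); then
    echo "cmdline: no deprecated crash settings"
else
    echo "cmdline: systemd.crash_reboot is deprecated in 256; use $repl"
fi
printf '%s\n' "$SAMPLE_FSTAB" | fstab_boot_mounts | while read -r m; do
    echo "fstab: $m is under /boot/ or /efi/; gpt-auto will not generate ESP/XBOOTLDR units"
done
```

Run it against the real /proc/cmdline contents and /etc/fstab of an image before moving it to systemd 256 to see which of the two changes apply.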

ci-robbot commented 3 months ago

Hello Itxaka, thank you for opening this issue regarding the changes in systemd 256. I've carefully reviewed the provided information and it seems that the issue meets the project's requirements for a new ticket.

Firstly, there is a clear description of the issue, with an explanation of the changes that may affect the 'kairos' project. The issue also includes a breakdown of the potential impact on different parts of the project, such as cmdlines, UKI mounts, EFI non-UKI mounts, and more.

In accordance with the project's rules, the necessary steps to reproduce the issue are included, which will help the team in identifying and addressing any potential problems.

Additionally, the versions of the relevant artifacts being used are addressed within the issue.

Thus, I will now proceed to label this issue with 'triage' to indicate that it has been reviewed and meets the requirements set by the project.

Please be assured that I am a bot, an experiment created by @mudler and @jimmykarily to assist with ticket auditing in the 'kairos' project. If you have any further questions or need additional support, feel free to ask.