diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 886f0bc91d..9010b1fcb7 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -76,7 +76,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
- - uses: systemd/mkosi@c3103868cccc722ef45838fdd37fb462c21948f2
+ - uses: systemd/mkosi@e59f763872e4d5f96acb11b4a77995b986bb31cc
- name: Configure
run: |
@@ -87,7 +87,6 @@ jobs:
[Content]
Environment=CI_BUILD=1
- DEFAULT_TIMEOUT_SEC=180
SLOW_TESTS=true
[Output]
@@ -95,6 +94,8 @@ jobs:
systemd.journald.max_level_console=debug
# udev's debug log output is very verbose, so up it to info in CI.
udev.log_level=info
+ # Root device can take a long time to appear, so let's bump the timeout.
+ systemd.default_device_timeout_sec=180
[Host]
ExtraSearchPaths=!*
diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml
index 211ae5ac57..479b482a30 100644
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@@ -423,6 +423,16 @@
+
+ systemd.default_device_timeout_sec=
+
+
+ Overrides the default device timeout DefaultDeviceTimeoutSec= at boot. For
+ details, see
+ systemd-system.conf5.
+
+
+
systemd.watchdog_device=
diff --git a/meson.build b/meson.build
index 314cbcea89..51a5fc82e3 100644
--- a/meson.build
+++ b/meson.build
@@ -1527,7 +1527,7 @@ conf.set10('HAVE_LIBFIDO2', have)
want_tpm2 = get_option('tpm2')
if want_tpm2 != 'false' and not skip_deps
- tpm2 = dependency('tss2-esys tss2-rc tss2-mu',
+ tpm2 = dependency('tss2-esys tss2-rc tss2-mu tss2-tcti-device',
required : want_tpm2 == 'true')
have = tpm2.found()
have_esys3 = tpm2.version().version_compare('>= 3.0.0')
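Review bot: Folding `tss2-tcti-device` into the single `dependency()` call means a `tpm2=auto` build now drops all TPM2 support, without an error, on any host that has the other three tss2 libraries but lacks this development package. This commit adds the package to the CentOS/Fedora and openSUSE presets; the other distribution presets and the documented dependency list are not visible in this diff and would need the same addition. A one-line comment above the call naming the component that needs the device TCTI would help (presumably systemd-measure, going by the comment removed from mkosi.conf.d/10-systemd.conf). Builders who rely on TPM2-backed features should check the configure summary after this change. The `if` block continues outside the hunk.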
diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index 640214c8a3..78b438b5db 100644
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -11,11 +11,6 @@ OutputDirectory=mkosi.output
BuildDirectory=mkosi.builddir
CacheDirectory=mkosi.cache
-[Validation]
-SecureBoot=yes
-# Disabled until systemd-measure can operate without a TPM device.
-SignExpectedPcr=no
-
[Host]
QemuMem=2G
ExtraSearchPaths=build/
@@ -41,3 +36,6 @@ KernelCommandLineExtra=systemd.crash_shell
systemd.wants=network-online.target
# Make sure we don't load vmw_vmci which messes with virtio vsock.
module_blacklist=vmw_vmci
+ # Lower the default device timeout so we get a shell earlier if the root device does
+ # not appear for some reason.
+ systemd.default_device_timeout_sec=10
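Review bot: This hunk sets `systemd.default_device_timeout_sec=10`, while the CI workflow in the same commit sets `=180`, and neither comment says which value is meant to win when both configurations apply. The parser added in src/core/main.c appears to overwrite the setting on every occurrence, so the effective timeout would depend on the order in which the two `KernelCommandLineExtra=` lists are combined, which this diff does not show. Extend the comment with something like `# CI overrides this with a larger value in .github/workflows/mkosi.yml.` and confirm that the CI value really ends up last on the command line.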
diff --git a/mkosi.presets/00-base/mkosi.build b/mkosi.presets/00-base/mkosi.build
index 11e8b1c812..eb18d27577 100755
--- a/mkosi.presets/00-base/mkosi.build
+++ b/mkosi.presets/00-base/mkosi.build
@@ -51,8 +51,6 @@ if [ ! -f "$BUILDDIR"/build.ninja ]; then
CONFIGURE_OPTS=(
-D sysvinit-path="$sysvinit_path"
-D rootprefix="$rootprefix"
- -D default-timeout-sec="${DEFAULT_TIMEOUT_SEC:-10}"
- -D default-user-timeout-sec="${DEFAULT_TIMEOUT_SEC:-10}"
-D man=false
-D translations=false
-D version-tag="${VERSION_TAG}"
diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf b/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf
index ea31e4da74..ad44d46529 100644
--- a/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf
+++ b/mkosi.presets/00-base/mkosi.conf.d/10-centos-fedora.conf
@@ -61,6 +61,7 @@ BuildPackages=
pkgconfig(tss2-esys)
pkgconfig(tss2-mu)
pkgconfig(tss2-rc)
+ pkgconfig(tss2-tcti-device)
pkgconfig(valgrind)
pkgconfig(xkbcommon)
rpm
diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf b/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf
index d4cdef12a4..21f620092e 100644
--- a/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf
+++ b/mkosi.presets/00-base/mkosi.conf.d/10-opensuse.conf
@@ -28,8 +28,11 @@ Packages=
libxkbcommon0
libzstd1
pam
- python3-pytest-flakes
shadow
+ libtss2-esys0
+ libtss2-mu0
+ libtss2-rc0
+ libtss2-tcti-device0
tpm2-0-tss
xz
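Review bot: The four `libtss2-*` entries are inserted after `shadow`, which breaks the alphabetical order that the rest of this `Packages=` list and the `BuildPackages=` hunk below follow. They sort before `libxkbcommon0`, so they belong with the other `lib*` entries. The list starts above this hunk, so the exact position has to be checked against the full file.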
@@ -76,6 +79,7 @@ BuildPackages=
python3-pefile
python3-pyelftools
python3-pytest
+ python3-pytest-flakes
qrencode-devel
shadow
systemd-sysvinit
diff --git a/mkosi.presets/10-initrd/mkosi.postinst b/mkosi.presets/10-initrd/mkosi.postinst
new file mode 100755
index 0000000000..79cce30022
--- /dev/null
+++ b/mkosi.presets/10-initrd/mkosi.postinst
@@ -0,0 +1,7 @@
+#!/bin/sh
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# OpenSUSE insists on blacklisting erofs by default because its supposedly a legacy filesystem.
+# See https://github.com/openSUSE/suse-module-tools/pull/71
+rm -f /usr/lib/modprobe.d/60-blacklist_fs-erofs.conf
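Review bot: The comment says why openSUSE ships the blacklist but not why this image needs erofs, and the `rm -f` runs unconditionally for every distribution and every invocation of the script. A distribution blacklist like this stops a rarely used filesystem module from being auto-loaded, so removing it should be recorded as a deliberate choice limited to this test initrd. If the reason is that the image must mount erofs file systems, say so, for example `# We need erofs to be auto-loadable in the initrd, so drop the distribution's blacklist entry.` The same comment has a typo: `its supposedly` should read `it's supposedly`.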
diff --git a/mkosi.presets/20-final/mkosi.conf b/mkosi.presets/20-final/mkosi.conf
index ec0a90feff..bb158eb059 100644
--- a/mkosi.presets/20-final/mkosi.conf
+++ b/mkosi.presets/20-final/mkosi.conf
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Content]
+Autologin=yes
BaseTrees=../../mkosi.output/base
ExtraTrees=../../src:/root/src
Initrds=../../mkosi.output/initrd
@@ -35,4 +36,5 @@ Packages=
zsh
[Validation]
-Autologin=yes
+SecureBoot=yes
+SignExpectedPcr=yes
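Review bot: `SecureBoot=yes` and `SignExpectedPcr=yes` are enabled here without a comment saying which key signs the image, in a preset that also sets `Autologin=yes`. The comment removed from mkosi.conf.d/10-systemd.conf explained why PCR signing was off, so the reason it can now be turned on deserves a line here as well. Where the signing key comes from is not visible in this diff. Since the result is a signed image that logs in automatically, a note such as `# Test image only: signed with the local mkosi key; do not enroll its certificate on real machines.` would keep the key from being trusted outside development setups.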
diff --git a/mkosi.presets/20-final/mkosi.postinst b/mkosi.presets/20-final/mkosi.postinst
index 4339d7fd22..b9a26c3163 100755
--- a/mkosi.presets/20-final/mkosi.postinst
+++ b/mkosi.presets/20-final/mkosi.postinst
@@ -1,5 +1,6 @@
#!/bin/sh
# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
if [ "$1" = "build" ]; then
exit 0
diff --git a/src/core/main.c b/src/core/main.c
index c69f9b9afe..3eb53577eb 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -400,6 +400,18 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
if (arg_default_timeout_start_usec <= 0)
arg_default_timeout_start_usec = USEC_INFINITY;
+ } else if (proc_cmdline_key_streq(key, "systemd.default_device_timeout_sec")) {
+
+ if (proc_cmdline_value_missing(key, value))
+ return 0;
+
+ r = parse_sec(value, &arg_default_device_timeout_usec);
+ if (r < 0)
+ log_warning_errno(r, "Failed to parse default device timeout '%s', ignoring: %m", value);
+
+ if (arg_default_device_timeout_usec <= 0)
+ arg_default_device_timeout_usec = USEC_INFINITY;
+
} else if (proc_cmdline_key_streq(key, "systemd.cpu_affinity")) {
if (proc_cmdline_value_missing(key, value))
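Review bot: In the new `systemd.default_device_timeout_sec` branch the `<= 0` check runs even when `parse_sec()` has failed and the value is reported as ignored, and because `usec_t` is unsigned in systemd the comparison can only ever mean `== 0`. Chaining the two makes the intent explicit: `else if (arg_default_device_timeout_usec == 0)` followed by `arg_default_device_timeout_usec = USEC_INFINITY;`. The mapping of `0` to an unlimited wait is not mentioned in the man page text added by this commit, so a boot with `systemd.default_device_timeout_sec=0` waits for missing devices forever without that being documented. The branch mirrors the `arg_default_timeout_start_usec` code just above it, so the same remark may apply there. `parse_proc_cmdline_item` starts and ends outside the hunk.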