The systemd 261 release brings a software TPM, new OS installer
Linux distributions that ship systemd as their init system now have a new version to track. The systemd 261 update adds a cloud metadata subsystem, carries process state through kexec reboots, and continues a long-running effort to load external libraries on demand.

Cloud metadata gets a local interface
systemd 261 adds an IMDS subsystem for cloud instance metadata. A daemon, systemd-imdsd, provides a local Varlink API that gives programs access to instance metadata services. A hardware database file recognizes public clouds by their SMBIOS information and records how to reach metadata on each node. The recognized clouds include Amazon EC2, Microsoft Azure, Google Compute Engine, Hetzner, Oracle Cloud, Scaleway, Tencent Cloud, Alibaba ECS, and Vultr.
A companion tool, systemd-imds, acts as a client and imports metadata fields into system credentials for later services to consume. Acquired metadata is measured before import. Operators can lock down network access to cloud metadata services through a build option.
State survives a kexec reboot
PID1 now supports the kernel’s Live Update Orchestration and Kexec Handover mechanisms when they are present and enabled. System units’ file descriptor stores can persist through a kexec, and units receive their stashed file descriptors back afterward where the kernel supports the descriptor type. Units enable this by setting FileDescriptorStorePreserve=yes. User session managers and systemd-nspawn containers gained matching support, letting user units and container payloads carry state across session restarts and kexec reboots.
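The fd-store round trip described above, as an added illustration that is not systemd's own code: a service hands a descriptor to the manager with the sd_notify FDSTORE protocol and, after a restart or (with the unit setting above) a kexec, collects it back from the LISTEN_FDS environment. The unit fragment in the comment, the descriptor name and the fallback name "unknown" are assumptions; it requires Python 3.9+ on Linux.

```python
import os
import socket
from typing import Optional

# Unit fragment (constructed for this example) opting the service's fd store
# into preservation across a kexec; names and values are assumptions:
#   [Service]
#   FileDescriptorStoreMax=8
#   FileDescriptorStorePreserve=yes

SD_LISTEN_FDS_START = 3  # first descriptor number the manager hands back


def store_fd(fd: int, name: str, notify_socket: Optional[str] = None) -> bool:
    """Push one descriptor into the manager's fd store (sd_notify FDSTORE=1).

    Returns False when no notify socket is available, i.e. not run by systemd.
    """
    path = notify_socket or os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    if path.startswith("@"):  # abstract-namespace socket
        path = "\0" + path[1:]
    msg = f"FDSTORE=1\nFDNAME={name}\n".encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(path)
        socket.send_fds(s, [msg], [fd])  # fd travels as SCM_RIGHTS ancillary data
    return True


def reclaim_fds(environ=None) -> list:
    """Collect (name, fd) pairs the manager returned after a restart or kexec.

    Only trusts LISTEN_* when LISTEN_PID matches this process, so stale values
    inherited from a parent are ignored.
    """
    env = os.environ if environ is None else environ
    if env.get("LISTEN_PID") != str(os.getpid()):
        return []
    count = int(env.get("LISTEN_FDS", "0") or 0)
    names = env.get("LISTEN_FDNAMES", "")
    names = names.split(":") if names else []
    pairs = []
    for i in range(count):
        name = names[i] if i < len(names) else "unknown"
        pairs.append((name, SD_LISTEN_FDS_START + i))
    return pairs
```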
TPM and boot changes
A new service, systemd-tpm2-swtpm.service, can run IBM’s swtpm as a software TPM for systems that lack physical hardware, gated behind a kernel command line option. A new condition, ConditionSecurity=measured-os, checks whether a system booted with measured-boot semantics. systemd-stub maintains a boot secret derived from a persistent EFI variable and passes it to the OS, for fallback codepaths where a local TPM is absent. systemd-boot now stores the prior boot loader binary as a fallback when installing a new version.
Other additions
A new component, systemd-sysinstall, implements a textual OS installer built on Varlink calls to systemd-repart, bootctl, and systemd-creds. systemd-sysupdate left experimental status and moved to /usr/bin/. systemd-oomd gained support for OOM rulesets. The manager exposes a ReloadCount property over D-Bus and Varlink. systemd-networkd added a DHCP relay backend and a networkctl command to dump acquired DHCP leases.
Removals and dependency work
Most external library linking now happens through dlopen(), covering libgnutls, libcurl, libcrypto, libssl, libcryptsetup, and others, leaving libc as the remaining direct external link. Support for udev’s database version 0 was removed, which ends support for live upgrades from releases older than v247. systemd-nspawn’s --user= option was renamed to --uid=, with the old form deprecated. The required musl version rose to 1.2.6 for builds that use it. The project plans to remove the /run/boot-loader-entries/ directory support and the experimental systemd-sysupdated D-Bus API in the 262 release.

