Systemd 261 Adds Software TPM and New OS Installer

Summary
– Systemd 261 introduces a cloud metadata subsystem (IMDS) with a daemon and client tool that provides a local Varlink API and imports metadata into system credentials for recognized public clouds.
– Process state can now persist through kexec reboots, as PID1 supports kernel handover mechanisms and allows units to preserve file descriptor stores with FileDescriptorStorePreserve=yes.
– A new service, systemd-tpm2-swtpm, provides a software TPM for systems without hardware, and systemd-stub derives a boot secret from an EFI variable for fallback when a TPM is absent.
– A new component, systemd-sysinstall, implements a textual OS installer, while systemd-sysupdate has left experimental status and moved to /usr/bin/.
– Most external library linking has moved to dlopen(), support for udev database version 0 has been removed, and the required musl version for builds has risen to 1.2.6.
The latest iteration of the systemd init system, version 261, has arrived with a focus on cloud integration, process resilience, and modular dependencies. Linux distributions relying on systemd now have a significant update to incorporate, one that introduces a dedicated cloud metadata subsystem, preserves process state during kexec reboots, and advances the ongoing shift toward on-demand library loading.
Cloud metadata gains a local interface. A new daemon, systemd-imdsd, provides a local Varlink API for accessing cloud instance metadata. A hardware database file identifies public clouds by their SMBIOS information and maps how to reach their metadata endpoints. Supported providers include Amazon EC2, Microsoft Azure, Google Compute Engine, Hetzner, Oracle Cloud, Scaleway, Tencent Cloud, Alibaba ECS, and Vultr. A companion client tool, systemd-imds, imports metadata fields into system credentials for downstream services, with acquired metadata measured before import. Operators can restrict network access to cloud metadata services via a build-time option.
State survives a kexec reboot. PID1 now supports the kernel’s Live Update Orchestration and Kexec Handover mechanisms when present. System units can persist their file descriptor stores through a kexec, and those descriptors are returned to units afterward where the kernel supports the type. Units enable this with the new FileDescriptorStorePreserve=yes setting. User session managers and systemd-nspawn containers have also been updated, allowing user units and container payloads to retain state across session restarts and kexec reboots.
TPM and boot changes. A new service, systemd-tpm2-swtpm.service, runs IBM’s swtpm as a software TPM for systems lacking physical hardware, gated behind a kernel command line option. A new condition, ConditionSecurity=measured-os, checks whether the system booted with measured-boot semantics. systemd-stub now maintains a boot secret derived from a persistent EFI variable, passing it to the OS as a fallback when no local TPM is available. systemd-boot stores the prior boot loader binary as a fallback when installing a new version.
Other additions. A new component, systemd-sysinstall, implements a textual OS installer built on Varlink calls to systemd-repart, bootctl, and systemd-creds. systemd-sysupdate has left experimental status and moved to `/usr/bin/`. systemd-oomd now supports OOM rulesets. The manager exposes a ReloadCount property over D-Bus and Varlink. systemd-networkd added a DHCP relay backend and a networkctl command to dump acquired DHCP leases.
Removals and dependency work. Most external library linking now happens through dlopen(), covering libgnutls, libcurl, libcrypto, libssl, libcryptsetup, and others, leaving libc as the sole direct external link. Support for udev’s database version 0 has been removed, ending live upgrades from releases older than v247. systemd-nspawn’s `--user=` option has been renamed to `--uid=`, with the old form deprecated. The required musl version has risen to 1.2.6 for builds using it. The project plans to remove the `/run/boot-loader-entries/` directory support and the experimental systemd-sysupdated D-Bus API in the 262 release.
(Source: Help Net Security)