81 lines
3.3 KiB
Diff
81 lines
3.3 KiB
Diff
From 91fa48c2d1aac250728379a0c0430f9f7a3c8351 Mon Sep 17 00:00:00 2001
|
|
From: Franck Bui <fbui@suse.com>
|
|
Date: Fri, 22 Mar 2024 12:07:34 +0100
|
|
Subject: [PATCH 1/1] Drop support for efivar SystemdOptions
|
|
|
|
Upstream deprecated it and plan to drop it in the future.
|
|
|
|
Let's get ahead and drop it now as this feature might be used to gain access to
|
|
encrypted SLEM systems with unattended disk unlock and with secure boot
|
|
disabled.
|
|
|
|
[fbui: fixes bsc#1220338]
|
|
---
|
|
src/basic/efivars.c | 27 +++++------------------
|
|
src/bootctl/bootctl-systemd-efi-options.c | 4 ++++
|
|
2 files changed, 10 insertions(+), 21 deletions(-)
|
|
|
|
diff --git a/src/basic/efivars.c b/src/basic/efivars.c
|
|
index 5e04c32212..78bdd28263 100644
|
|
--- a/src/basic/efivars.c
|
|
+++ b/src/basic/efivars.c
|
|
@@ -368,29 +368,14 @@ SecureBootMode efi_get_secure_boot_mode(void) {
|
|
}
|
|
|
|
static int read_efi_options_variable(char **ret) {
|
|
- int r;
|
|
|
|
- /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
|
|
- * like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification)
|
|
- * The user's intention is then that the cmdline should not be modified. You want to make sure that
|
|
- * the system starts up as exactly specified in the signed artifact.
|
|
- *
|
|
- * (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this
|
|
- * cache, even when in SecureBoot mode.) */
|
|
- if (is_efi_secure_boot()) {
|
|
- /* Let's be helpful with the returned error and check if the variable exists at all. If it
|
|
- * does, let's return a recognizable error (EPERM), and if not ENODATA. */
|
|
-
|
|
- if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE_STR("SystemdOptions")), F_OK) < 0)
|
|
- return errno == ENOENT ? -ENODATA : -errno;
|
|
-
|
|
- return -EPERM;
|
|
- }
|
|
+ /* For SUSE distros, support for SystemdOptions has already been dropped as it might be a security
|
|
+ * concern for systems with unattended disk unlock and with disabled secure boot. */
|
|
|
|
- r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE_STR("SystemdOptions"), ret);
|
|
- if (r == -ENOENT)
|
|
- return -ENODATA;
|
|
- return r;
|
|
+ if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE_STR("SystemdOptions")), F_OK) < 0)
|
|
+ return errno == ENOENT ? -ENODATA : -errno;
|
|
+
|
|
+ return log_warning_errno(SYNTHETIC_ERRNO(EPERM), "Boot options passed via SystemdOptions EFI variable is no more supported, ignoring: %m");
|
|
}
|
|
|
|
int cache_efi_options_variable(void) {
|
|
diff --git a/src/bootctl/bootctl-systemd-efi-options.c b/src/bootctl/bootctl-systemd-efi-options.c
|
|
index d626d87abc..32b79bd1e1 100644
|
|
--- a/src/bootctl/bootctl-systemd-efi-options.c
|
|
+++ b/src/bootctl/bootctl-systemd-efi-options.c
|
|
@@ -6,6 +6,7 @@
|
|
#include "efi-loader.h"
|
|
|
|
int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
|
|
+#if 0
|
|
int r;
|
|
|
|
/* This is obsolete and subject to removal */
|
|
@@ -40,4 +41,7 @@ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
|
|
}
|
|
|
|
return 0;
|
|
+#else
|
|
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for the SystemdOptions EFI variable has been dropped.");
|
|
+#endif
|
|
}
|
|
--
|
|
2.43.0
|
|
|