update 0001-Drop-support-for-efivar-SystemdOptions.patch in order to log when SystemdOptions exists

OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1509
Franck Bui 2024-03-22 17:19:11 +00:00 committed by Git OBS Bridge
parent 835a4faaf0
commit 26fa9133ac


@ -1,4 +1,4 @@
From e8a3781b91560b2242770cf90d382fe094db6d96 Mon Sep 17 00:00:00 2001
From 72d766c5a17fc31902b367e949c4d90193f823b9 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Fri, 22 Mar 2024 12:07:34 +0100
Subject: [PATCH 1/1] Drop support for efivar SystemdOptions
@ -11,29 +11,47 @@ disabled.
[fbui: fixes bsc#1220338]
---
src/basic/efivars.c | 4 ++++
src/boot/bootctl-systemd-efi-options.c | 4 ++++
2 files changed, 8 insertions(+)
src/basic/efivars.c | 27 ++++++--------------------
src/boot/bootctl-systemd-efi-options.c | 4 ++++
2 files changed, 10 insertions(+), 21 deletions(-)
diff --git a/src/basic/efivars.c b/src/basic/efivars.c
index 9011ae29a3..67b0004576 100644
index 9011ae29a3..01ab7e5092 100644
--- a/src/basic/efivars.c
+++ b/src/basic/efivars.c
@@ -351,6 +351,7 @@ SecureBootMode efi_get_secure_boot_mode(void) {
@@ -351,29 +351,14 @@ SecureBootMode efi_get_secure_boot_mode(void) {
}
static int read_efi_options_variable(char **ret) {
+#if 0
int r;
- int r;
/* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
@@ -374,6 +375,9 @@ static int read_efi_options_variable(char **ret) {
if (r == -ENOENT)
return -ENODATA;
return r;
+#else
+ return -ENODATA;
+#endif
- /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
- * like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification)
- * The user's intention is then that the cmdline should not be modified. You want to make sure that
- * the system starts up as exactly specified in the signed artifact.
- *
- * (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this
- * cache, even when in SecureBoot mode.) */
- if (is_efi_secure_boot()) {
- /* Let's be helpful with the returned error and check if the variable exists at all. If it
- * does, let's return a recognizable error (EPERM), and if not ENODATA. */
-
- if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
- return errno == ENOENT ? -ENODATA : -errno;
-
- return -EPERM;
- }
+ /* For SUSE distros, support for SystemdOptions has already been dropped as it might be a security
+ * concern for systems with unattended disk unlock and with disabled secure boot. */
- r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(SystemdOptions), ret);
- if (r == -ENOENT)
- return -ENODATA;
- return r;
+ if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
+ return errno == ENOENT ? -ENODATA : -errno;
+
+ return log_warning_errno(SYNTHETIC_ERRNO(EPERM), "Boot options passed via SystemdOptions EFI variable is no more supported, ignoring: %m");
}
int cache_efi_options_variable(void) {
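Review bot: The new warning string in read_efi_options_variable ("Boot options passed via SystemdOptions EFI variable is no more supported, ignoring: %m") is ungrammatical for a message that lands in the journal; suggest `"Boot options passed via the SystemdOptions EFI variable are no longer supported, ignoring: %m"`. Because the error is SYNTHETIC_ERRNO(EPERM), `%m` presumably expands to "Operation not permitted", which an operator may read as a file-permission problem rather than a deliberate policy, so dropping the `: %m` suffix or naming the policy in the text would make the line self-explanatory. This warning is the only signal that a SystemdOptions variable is present but ignored, so keeping it at warning level rather than debug is reasonable. cache_efi_options_variable's body is outside the hunk, so whether its caller logs the returned -EPERM a second time cannot be confirmed here.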