diff --git a/0001-Drop-support-for-efivar-SystemdOptions.patch b/0001-Drop-support-for-efivar-SystemdOptions.patch
new file mode 100644
index 0000000..aed6b17
--- /dev/null
+++ b/0001-Drop-support-for-efivar-SystemdOptions.patch
@@ -0,0 +1,62 @@
+From e8a3781b91560b2242770cf90d382fe094db6d96 Mon Sep 17 00:00:00 2001
+From: Franck Bui
+Date: Fri, 22 Mar 2024 12:07:34 +0100
+Subject: [PATCH 1/1] Drop support for efivar SystemdOptions
+
+Upstream deprecated it and plan to drop it in the future.
+
+Let's get ahead and drop it now as this feature might be used to gain access to
+encrypted SLEM systems with unattended disk unlock and with secure boot
+disabled.
+
+[fbui: fixes bsc#1220338]
+---
+ src/basic/efivars.c | 4 ++++
+ src/boot/bootctl-systemd-efi-options.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/basic/efivars.c b/src/basic/efivars.c
+index 9011ae29a3..67b0004576 100644
+--- a/src/basic/efivars.c
++++ b/src/basic/efivars.c
+@@ -351,6 +351,7 @@ SecureBootMode efi_get_secure_boot_mode(void) {
+ }
+ 
+ static int read_efi_options_variable(char **ret) {
++#if 0
+ int r;
+ 
+ /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
+@@ -374,6 +375,9 @@ static int read_efi_options_variable(char **ret) {
+ if (r == -ENOENT)
+ return -ENODATA;
+ return r;
++#else
++ return -ENODATA;
++#endif
+ }
+ 
+ int cache_efi_options_variable(void) {
+diff --git a/src/boot/bootctl-systemd-efi-options.c b/src/boot/bootctl-systemd-efi-options.c
+index 7f8308fc3d..216b99546f 100644
+--- a/src/boot/bootctl-systemd-efi-options.c
++++ b/src/boot/bootctl-systemd-efi-options.c
+@@ -6,6 +6,7 @@
+ #include "efi-loader.h"
+ 
+ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
++#if 0
+ int r;
+ 
+ /* This is obsolete and subject to removal */
+@@ -40,4 +41,7 @@ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
+ }
+ 
+ return 0;
++#else
++ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for the SystemdOptions EFI variable has been dropped.");
++#endif
+ }
+--
+2.35.3
+
diff --git a/systemd.changes b/systemd.changes
index 4767ab3..4f511f2 100644
--- a/systemd.changes
+++ b/systemd.changes
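Review bot: The `#else` branch of read_efi_options_variable() returns -ENODATA without ever touching `*ret`, and the `#if 0` branch leaves `ret` (and `r`) unused; whether that is harmless depends on cache_efi_options_variable(), which begins right after the hunk and is not shown, so it is worth confirming that it treats -ENODATA as "no variable present" and stays silent rather than logging an error on every boot. The bootctl hunk makes the verb fail with EOPNOTSUPP but presumably leaves `systemd-efi-options` in the verb table and `--help` output, so the help text and the corresponding man page should also say the verb is no longer supported, or users will only discover it from the error. Keeping both bodies under `#if 0` instead of deleting them keeps this downstream patch easy to rebase, but a one-line comment above each block, e.g. `/* Disabled on purpose: SystemdOptions lets an unsigned EFI variable alter the kernel command line when Secure Boot is off (bsc#1220338) */`, would tell the next maintainer why dead code is being carried. Both enclosing functions extend beyond the hunks shown.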
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Mar 22 11:28:59 UTC 2024 - Franck Bui
+
+- Add 0001-Drop-support-for-efivar-SystemdOptions.patch (bsc#1220338)
+
+ Upstream deprecated it and plan to drop it in the future.
+
+ Let's get ahead and drop it now as this feature is unlikely to be used on SUSE
+ distros and it might be used to gain access to encrypted SLEM systems with
+ unattended disk unlock and with secure boot disabled.
+
 -------------------------------------------------------------------
 Thu Mar 21 13:37:16 UTC 2024 - Franck Bui
diff --git a/systemd.spec b/systemd.spec
index 6d5f10f..c7a1316 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -224,6 +224,7 @@ Source213: files.devel-doc
 # only relevant for SUSE distros. Special rewards for those who will manage to
 # get rid of one of them !
 #
+Patch: 0001-Drop-support-for-efivar-SystemdOptions.patch
 Patch: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
 %if %{with sysvcompat}
 Patch: 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch