2024-03-22 18:19:11 +01:00
|
|
|
From 72d766c5a17fc31902b367e949c4d90193f823b9 Mon Sep 17 00:00:00 2001
|
2024-03-22 14:10:00 +01:00
|
|
|
From: Franck Bui <fbui@suse.com>
|
|
|
|
Date: Fri, 22 Mar 2024 12:07:34 +0100
|
|
|
|
Subject: [PATCH 1/1] Drop support for efivar SystemdOptions
|
|
|
|
|
|
|
|
Upstream deprecated it and plan to drop it in the future.
|
|
|
|
|
|
|
|
Let's get ahead and drop it now as this feature might be used to gain access to
|
|
|
|
encrypted SLEM systems with unattended disk unlock and with secure boot
|
|
|
|
disabled.
|
|
|
|
|
|
|
|
[fbui: fixes bsc#1220338]
|
|
|
|
---
|
2024-03-22 18:19:11 +01:00
|
|
|
src/basic/efivars.c | 27 ++++++--------------------
|
|
|
|
src/boot/bootctl-systemd-efi-options.c | 4 ++++
|
|
|
|
2 files changed, 10 insertions(+), 21 deletions(-)
|
2024-03-22 14:10:00 +01:00
|
|
|
|
|
|
|
diff --git a/src/basic/efivars.c b/src/basic/efivars.c
|
2024-03-22 18:19:11 +01:00
|
|
|
index 9011ae29a3..01ab7e5092 100644
|
2024-03-22 14:10:00 +01:00
|
|
|
--- a/src/basic/efivars.c
|
|
|
|
+++ b/src/basic/efivars.c
|
2024-03-22 18:19:11 +01:00
|
|
|
@@ -351,29 +351,14 @@ SecureBootMode efi_get_secure_boot_mode(void) {
|
2024-03-22 14:10:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static int read_efi_options_variable(char **ret) {
|
2024-03-22 18:19:11 +01:00
|
|
|
- int r;
|
2024-03-22 14:10:00 +01:00
|
|
|
|
2024-03-22 18:19:11 +01:00
|
|
|
- /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
|
|
|
|
- * like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification)
|
|
|
|
- * The user's intention is then that the cmdline should not be modified. You want to make sure that
|
|
|
|
- * the system starts up as exactly specified in the signed artifact.
|
|
|
|
- *
|
|
|
|
- * (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this
|
|
|
|
- * cache, even when in SecureBoot mode.) */
|
|
|
|
- if (is_efi_secure_boot()) {
|
|
|
|
- /* Let's be helpful with the returned error and check if the variable exists at all. If it
|
|
|
|
- * does, let's return a recognizable error (EPERM), and if not ENODATA. */
|
|
|
|
-
|
|
|
|
- if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
|
|
|
|
- return errno == ENOENT ? -ENODATA : -errno;
|
|
|
|
-
|
|
|
|
- return -EPERM;
|
|
|
|
- }
|
|
|
|
+ /* For SUSE distros, support for SystemdOptions has already been dropped as it might be a security
|
|
|
|
+ * concern for systems with unattended disk unlock and with disabled secure boot. */
|
|
|
|
|
|
|
|
- r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(SystemdOptions), ret);
|
|
|
|
- if (r == -ENOENT)
|
|
|
|
- return -ENODATA;
|
|
|
|
- return r;
|
|
|
|
+ if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
|
|
|
|
+ return errno == ENOENT ? -ENODATA : -errno;
|
|
|
|
+
|
|
|
|
+ return log_warning_errno(SYNTHETIC_ERRNO(EPERM), "Boot options passed via SystemdOptions EFI variable is no more supported, ignoring: %m");
|
2024-03-22 14:10:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
int cache_efi_options_variable(void) {
|
|
|
|
diff --git a/src/boot/bootctl-systemd-efi-options.c b/src/boot/bootctl-systemd-efi-options.c
|
|
|
|
index 7f8308fc3d..216b99546f 100644
|
|
|
|
--- a/src/boot/bootctl-systemd-efi-options.c
|
|
|
|
+++ b/src/boot/bootctl-systemd-efi-options.c
|
|
|
|
@@ -6,6 +6,7 @@
|
|
|
|
#include "efi-loader.h"
|
|
|
|
|
|
|
|
int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
|
|
|
|
+#if 0
|
|
|
|
int r;
|
|
|
|
|
|
|
|
/* This is obsolete and subject to removal */
|
|
|
|
@@ -40,4 +41,7 @@ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
+#else
|
|
|
|
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for the SystemdOptions EFI variable has been dropped.");
|
|
|
|
+#endif
|
|
|
|
}
|
|
|
|
--
|
|
|
|
2.35.3
|
|
|
|
|