- Add 0001-Drop-support-for-efivar-SystemdOptions.patch (bsc#1220338)

Upstream deprecated it and plan to drop it in the future.
  Let's get ahead and drop it now as this feature is unlikely to be used on SUSE
  distros and it might be used to gain access to encrypted SLEM systems with
  unattended disk unlock and with secure boot disabled.

OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1508

0001-Drop-support-for-efivar-SystemdOptions.patch

@@ -0,0 +1,62 @@
+From e8a3781b91560b2242770cf90d382fe094db6d96 Mon Sep 17 00:00:00 2001
+From: Franck Bui <fbui@suse.com>
+Date: Fri, 22 Mar 2024 12:07:34 +0100
+Subject: [PATCH 1/1] Drop support for efivar SystemdOptions
+
+Upstream deprecated it and plan to drop it in the future.
+
+Let's get ahead and drop it now as this feature might be used to gain access to
+encrypted SLEM systems with unattended disk unlock and with secure boot
+disabled.
+
+[fbui: fixes bsc#1220338]
+---
+ src/basic/efivars.c                    | 4 ++++
+ src/boot/bootctl-systemd-efi-options.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/basic/efivars.c b/src/basic/efivars.c
+index 9011ae29a3..67b0004576 100644
+--- a/src/basic/efivars.c
++++ b/src/basic/efivars.c
+@@ -351,6 +351,7 @@ SecureBootMode efi_get_secure_boot_mode(void) {
+ }
+ 
+ static int read_efi_options_variable(char **ret) {
++#if 0
+         int r;
+ 
+         /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
+@@ -374,6 +375,9 @@ static int read_efi_options_variable(char **ret) {
+         if (r == -ENOENT)
+                 return -ENODATA;
+         return r;
++#else
++        return -ENODATA;
++#endif
+ }
+ 
+ int cache_efi_options_variable(void) {
+diff --git a/src/boot/bootctl-systemd-efi-options.c b/src/boot/bootctl-systemd-efi-options.c
+index 7f8308fc3d..216b99546f 100644
+--- a/src/boot/bootctl-systemd-efi-options.c
++++ b/src/boot/bootctl-systemd-efi-options.c
+@@ -6,6 +6,7 @@
+ #include "efi-loader.h"
+ 
+ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
++#if 0
+         int r;
+ 
+         /* This is obsolete and subject to removal */
+@@ -40,4 +41,7 @@ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
+         }
+ 
+         return 0;
++#else
++        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for the SystemdOptions EFI variable has been dropped.");
++#endif
+ }
+-- 
+2.35.3
+

systemd.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Mar 22 11:28:59 UTC 2024 - Franck Bui <fbui@suse.com>
+
+- Add 0001-Drop-support-for-efivar-SystemdOptions.patch (bsc#1220338)
+
+  Upstream deprecated it and plan to drop it in the future.
+
+  Let's get ahead and drop it now as this feature is unlikely to be used on SUSE
+  distros and it might be used to gain access to encrypted SLEM systems with
+  unattended disk unlock and with secure boot disabled.
+
 -------------------------------------------------------------------
 Thu Mar 21 13:37:16 UTC 2024 - Franck Bui <fbui@suse.com>
 

systemd.spec

@@ -224,6 +224,7 @@ Source213:      files.devel-doc
 # only relevant for SUSE distros. Special rewards for those who will manage to
 # get rid of one of them !
 #
+Patch:          0001-Drop-support-for-efivar-SystemdOptions.patch
 Patch:          0009-pid1-handle-console-specificities-weirdness-for-s390.patch
 %if %{with sysvcompat}
 Patch:          0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch