Subject: [PATCH] [BZ 184396] zipl: correct secure boot config handling From: Stefan Haberland Description: zipl: fix secure boot config handling Symptom: The config file parsing for secure boot worked not as it was expected to be. For example a config section setting was not evaluated properly. It is not possible to specify command line option -S without other options. Additionally the man page showed an invalid example. Problem: The config file parsing was not implemented properly. Solution: The hierarchy of the secure boot settings in the config file is: defaultboot > menu > section Allow that --secure or -S is specified on command line without the need to allow all options on the command line. Also ensure that the command line option overrules the config option and correctly ensure that secure boot is only set for SCSI devices. Fix man page example. Reproduction: Run zipl with a secure= setting in a configuration section or specify -S on command line. Upstream-ID: 6f9337d1016e00f360cf4a81d39a42df5184b3a2 Problem-ID: 184396 Upstream-Description: zipl: correct secure boot config handling The hierarchy of the secure boot settings in the config file should be: defaultboot > menu > section This patch implements this hierarchy and adds a check if a valid option is specified and prints an error message otherwise. Signed-off-by: Stefan Haberland Reviewed-by: Philipp Rudo Signed-off-by: Jan Hoeppner Signed-off-by: Stefan Haberland --- zipl/include/job.h | 1 + zipl/include/zipl.h | 1 + zipl/src/bootmap.c | 8 +++++++- zipl/src/job.c | 29 ++++++++++++++++++++++++++--- 4 files changed, 35 insertions(+), 4 deletions(-) --- a/zipl/include/job.h +++ b/zipl/include/job.h @@ -94,6 +94,7 @@ struct job_menu_entry { char* name; enum job_id id; union job_menu_entry_data data; + int is_secure; }; struct job_menu_data { --- a/zipl/include/zipl.h +++ b/zipl/include/zipl.h @@ -57,6 +57,7 @@ #define MAX_DUMP_VOLUMES 32 +#define SECURE_BOOT_UNDEFINED -1 #define SECURE_BOOT_DISABLED 0 #define SECURE_BOOT_ENABLED 1 #define SECURE_BOOT_AUTO 2 --- a/zipl/src/bootmap.c +++ b/zipl/src/bootmap.c @@ -945,6 +945,7 @@ build_program_table(int fd, struct job_d { disk_blockptr_t* table; int entries, component_header; + int is_secure; int i; int rc; @@ -1016,13 +1017,18 @@ build_program_table(int fd, struct job_d component_header_ipl; printf("\n"); } + if (job->is_secure != SECURE_BOOT_UNDEFINED) + is_secure = job->is_secure; + else + is_secure = + job->data.menu.entry[i].is_secure; rc = add_ipl_program(fd, &job->data.menu.entry[i].data.ipl, &table[job->data.menu.entry[i].pos], verbose || job->command_line, job->add_files, component_header, info, &job->target, - job->is_secure); + is_secure); break; case job_print_usage: case job_print_version: --- a/zipl/src/job.c +++ b/zipl/src/job.c @@ -119,6 +119,7 @@ get_command_line(int argc, char* argv[], memset((void *) &cmdline, 0, sizeof(struct command_line)); cmdline.type = section_invalid; is_keyword = 0; + cmdline.is_secure = SECURE_BOOT_UNDEFINED; /* Process options */ do { opt = getopt_long(argc, argv, option_string, options, NULL); @@ -1055,6 +1056,21 @@ check_job_mvdump_data(struct job_mvdump_ return 0; } +static int +check_secure_boot(struct job_data *job) +{ + switch (job->is_secure) { + case SECURE_BOOT_UNDEFINED: + case SECURE_BOOT_DISABLED: + case SECURE_BOOT_ENABLED: + case SECURE_BOOT_AUTO: + return 0; + default: + error_reason("Invalid secure boot setting '%d'", + job->is_secure); + return -1; + } +} static int check_job_data(struct job_data* job) @@ -1099,6 +1115,8 @@ check_job_data(struct job_data* job) case job_mvdump: rc = check_job_mvdump_data(&job->data.mvdump, job->name); } + if (!rc) + rc = check_secure_boot(job); return rc; } @@ -1594,6 +1612,7 @@ get_menu_job(struct scan_token* scan, ch sizeof(struct job_menu_entry) * job->data.menu.num); /* Fill in data */ current = 0; + job->data.menu.entry->is_secure = SECURE_BOOT_UNDEFINED; for (i=index+1; (scan[i].id != scan_id_empty) && (scan[i].id != scan_id_section_heading) && (scan[i].id != scan_id_menu_heading); i++) { @@ -1625,6 +1644,7 @@ get_menu_job(struct scan_token* scan, ch if (temp_job == NULL) return -1; memset((void *) temp_job, 0, sizeof(struct job_data)); + temp_job->is_secure = SECURE_BOOT_UNDEFINED; rc = get_job_from_section_data(data, temp_job, job->data.menu.entry[current].name); if (rc) { @@ -1637,6 +1657,8 @@ get_menu_job(struct scan_token* scan, ch job->data.menu.entry[current].id = job_ipl; job->data.menu.entry[current].data.ipl = temp_job->data.ipl; + job->data.menu.entry[current].is_secure = + temp_job->is_secure; memset((void *) &temp_job->data.ipl, 0, sizeof(struct job_ipl_data)); break; @@ -1874,6 +1896,7 @@ job_get(int argc, char* argv[], struct j job->add_files = cmdline.add_files; job->data.mvdump.force = cmdline.force; job->dry_run = cmdline.dry_run; + job->is_secure = SECURE_BOOT_UNDEFINED; /* Get job data from user input */ if (cmdline.help) { job->command_line = 1; @@ -1892,10 +1915,10 @@ job_get(int argc, char* argv[], struct j job_free(job); return rc; } - if (cmdline.is_secure) + if (cmdline.is_secure != SECURE_BOOT_UNDEFINED) job->is_secure = cmdline.is_secure; - else - job->is_secure = job->is_secure ? : SECURE_BOOT_AUTO; + else if (job->id != job_menu && job->is_secure == SECURE_BOOT_UNDEFINED) + job->is_secure = SECURE_BOOT_AUTO; /* Check job data for validity */ rc = check_job_data(job);