From 271b558d5b7b11aa2216cb0ea02f4874350a0defa4fa4f3e911ad6f70ddb7151 Mon Sep 17 00:00:00 2001
From: Franck Bui
Date: Fri, 22 Mar 2024 17:19:11 +0000
Subject: [PATCH] update 0001-Drop-support-for-efivar-SystemdOptions.patch in order to log when SystemdOptions exists
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1509
---
 ...op-support-for-efivar-SystemdOptions.patch | 50 +++++++++++++------
 1 file changed, 34 insertions(+), 16 deletions(-)
diff --git a/0001-Drop-support-for-efivar-SystemdOptions.patch b/0001-Drop-support-for-efivar-SystemdOptions.patch
index aed6b170..ce25da4a 100644
--- a/0001-Drop-support-for-efivar-SystemdOptions.patch
+++ b/0001-Drop-support-for-efivar-SystemdOptions.patch
@@ -1,4 +1,4 @@
-From e8a3781b91560b2242770cf90d382fe094db6d96 Mon Sep 17 00:00:00 2001
+From 72d766c5a17fc31902b367e949c4d90193f823b9 Mon Sep 17 00:00:00 2001
 From: Franck Bui
 Date: Fri, 22 Mar 2024 12:07:34 +0100
 Subject: [PATCH 1/1] Drop support for efivar SystemdOptions
@@ -11,29 +11,47 @@ disabled.
 [fbui: fixes bsc#1220338]
 ---
- src/basic/efivars.c | 4 ++++
- src/boot/bootctl-systemd-efi-options.c | 4 ++++
- 2 files changed, 8 insertions(+)
+ src/basic/efivars.c | 27 ++++++--------------------
+ src/boot/bootctl-systemd-efi-options.c | 4 ++++
+ 2 files changed, 10 insertions(+), 21 deletions(-)
 diff --git a/src/basic/efivars.c b/src/basic/efivars.c
-index 9011ae29a3..67b0004576 100644
+index 9011ae29a3..01ab7e5092 100644
 --- a/src/basic/efivars.c
+++ b/src/basic/efivars.c
-@@ -351,6 +351,7 @@ SecureBootMode efi_get_secure_boot_mode(void) {
+@@ -351,29 +351,14 @@ SecureBootMode efi_get_secure_boot_mode(void) {
 }
 static int read_efi_options_variable(char **ret) {
-+#if 0
- int r;
+- int r;
- /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
-@@ -374,6 +375,9 @@ static int read_efi_options_variable(char **ret) {
- if (r == -ENOENT)
- return -ENODATA;
- return r;
-+#else
-+ return -ENODATA;
-+#endif
+- /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
+- * like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification)
+- * The user's intention is then that the cmdline should not be modified. You want to make sure that
+- * the system starts up as exactly specified in the signed artifact.
+- *
+- * (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this
+- * cache, even when in SecureBoot mode.) */
+- if (is_efi_secure_boot()) {
+- /* Let's be helpful with the returned error and check if the variable exists at all. If it
+- * does, let's return a recognizable error (EPERM), and if not ENODATA. */
+-
+- if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
+- return errno == ENOENT ? -ENODATA : -errno;
+-
+- return -EPERM;
+- }
++ /* For SUSE distros, support for SystemdOptions has already been dropped as it might be a security
++ * concern for systems with unattended disk unlock and with disabled secure boot. */
+ -- r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(SystemdOptions), ret);
- if (r == -ENOENT)
- return -ENODATA;
- return r;
++ if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
++ return errno == ENOENT ?
-ENODATA : -errno;
++
++ return log_warning_errno(SYNTHETIC_ERRNO(EPERM), "Boot options passed via SystemdOptions EFI variable is no more supported, ignoring: %m");
 }
 int cache_efi_options_variable(void) {
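Review bot: The `log_warning_errno(SYNTHETIC_ERRNO(EPERM), ...)` call added at the end of `read_efi_options_variable` formats `%m` from a synthetic errno, so every warning ends in "Operation not permitted" although no syscall failed, and "is no more supported" is awkward English; suggest `return log_warning_errno(SYNTHETIC_ERRNO(EPERM), "Boot options passed via the SystemdOptions EFI variable are no longer supported, ignoring.");`. Returning -EPERM matches what the removed secure-boot branch returned when the variable existed, so callers that already handled that path should be fine, but it is worth confirming that none of them treats EPERM as fatal now that it is returned whenever the variable is present, secure boot or not. The new two-line comment states the policy but not the function's contract; adding `/* Never reads the variable: -ENODATA if absent, -EPERM (after a warning) if present; *ret is left untouched. */` would tell the next reader why `ret` is no longer written.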