Merge pull request #31706 from DaanDeMeyer/smbios

systemd-boot: Add support for reading extra kernel cmdline from SMBIOS
2024-07-21 18:24:38 +00:00 · 2024-03-11 10:44:11 +00:00 · 2024-03-11 10:44:11 +00:00 · 03292f9663
parent 3b5512b973 f710037984
commit 03292f9663
5 changed files with 47 additions and 2 deletions
--- a/man/smbios-type-11.xml
+++ b/man/smbios-type-11.xml
@ -64,6 +64,16 @@

        <xi:include href="version-info.xml" xpointer="v254"/></listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><varname>io.systemd.boot.kernel-cmdline-extra=</varname><replaceable>CMDLINE</replaceable></term>
+
+        <listitem><para>This allows configuration of additional kernel command line options for Boot Loader
+        Specification Type 1 entries, and is read by <command>systemd-boot</command>. For details see
+        <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/man/systemd-boot.xml
+++ b/man/systemd-boot.xml
@ -561,6 +561,27 @@
    url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>.</para>
  </refsect1>

+  <refsect1>
+    <title>SMBIOS Type 11 Strings</title>
+
+    <para><command>systemd-boot</command> can be configured using SMBIOS Type 11 strings. Applicable strings
+    consist of a name, followed by <literal>=</literal>, followed by the value. Unless
+    <command>systemd-boot</command> detects it is running inside a confidential computing environment,
+    <command>systemd-boot</command> will search the table for a string with a specific name, and if found,
+    use its value. The following strings are read:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><varname>io.systemd.boot.kernel-cmdline-extra</varname></term>
+        <listitem><para>If set, the value of this string is added to the list of kernel command line
+        arguments for Boot Loader Specification Type 1 entries that are measured in PCR12 and passed to the
+        kernel.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>Boot Counting</title>

--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@ -503,7 +503,8 @@
    <title>SMBIOS Type 11 Strings</title>

    <para><command>systemd-stub</command> can be configured using SMBIOS Type 11 strings. Applicable strings
-    consist of a name, followed by <literal>=</literal>, followed by the value.
+    consist of a name, followed by <literal>=</literal>, followed by the value. Unless
+    <command>systemd-stub</command> detects it is running inside a confidential computing environment,
    <command>systemd-stub</command> will search the table for a string with a specific name, and if found,
    use its value. The following strings are read:</para>

--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@ -2374,7 +2374,16 @@ static EFI_STATUS image_start(
        /* If we had to append an initrd= entry to the command line, we have to pass it, and measure it.
         * Otherwise, only pass/measure it if it is not implicit anyway (i.e. embedded into the UKI or
         * so). */
-        char16_t *options = options_initrd ?: entry->options_implied ? NULL : entry->options;
+        _cleanup_free_ char16_t *options = xstrdup16(options_initrd ?: entry->options_implied ? NULL : entry->options);
+
+        if (!is_confidential_vm()) {
+                const char *extra = smbios_find_oem_string("io.systemd.boot.kernel-cmdline-extra");
+                if (extra) {
+                        _cleanup_free_ char16_t *tmp = TAKE_PTR(options), *extra16 = xstr8_to_16(extra);
+                        options = xasprintf("%ls %ls", tmp, extra16);
+                }
+        }
+
        if (options) {
                loaded_image->LoadOptions = options;
                loaded_image->LoadOptionsSize = strsize16(options);
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@ -1570,6 +1570,10 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
                                r = strv_extendf(&cmdline, "type=11,value=io.systemd.stub.kernel-cmdline-extra=%s", escaped_kcl);
                                if (r < 0)
                                        return log_oom();
+
+                                r = strv_extendf(&cmdline, "type=11,value=io.systemd.boot.kernel-cmdline-extra=%s", escaped_kcl);
+                                if (r < 0)
+                                        return log_oom();
                        } else
                                log_warning("Cannot append extra args to kernel cmdline, native architecture doesn't support SMBIOS, ignoring");
                }