From 365e90b946250c5e1aa6b845592b35bab3553db6 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Sun, 10 Mar 2024 16:24:37 +0100 Subject: [PATCH 1/2] systemd-boot: Add support for reading extra kernel cmdline from SMBIOS Same as io.systemd.stub.kernel-cmdline-extra, but for type 1 entries booted by systemd-boot. --- man/smbios-type-11.xml | 10 ++++++++++ man/systemd-boot.xml | 20 ++++++++++++++++++++ src/boot/efi/boot.c | 11 ++++++++++- src/vmspawn/vmspawn.c | 4 ++++ 4 files changed, 44 insertions(+), 1 deletion(-) diff --git a/man/smbios-type-11.xml b/man/smbios-type-11.xml index 93252274da1..2fc215ecbd4 100644 --- a/man/smbios-type-11.xml +++ b/man/smbios-type-11.xml @@ -64,6 +64,16 @@ + + + io.systemd.boot.kernel-cmdline-extra=CMDLINE + + This allows configuration of additional kernel command line options for Boot Loader + Specification Type 1 entries, and is read by systemd-boot. For details see + systemd-boot1. + + + diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml index 74514fb5d06..9ada3f20916 100644 --- a/man/systemd-boot.xml +++ b/man/systemd-boot.xml @@ -561,6 +561,26 @@ url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface. + + SMBIOS Type 11 Strings + + systemd-boot can be configured using SMBIOS Type 11 strings. Applicable strings + consist of a name, followed by =, followed by the value. + systemd-boot will search the table for a string with a specific name, and if found, + use its value. The following strings are read: + + + + io.systemd.boot.kernel-cmdline-extra + If set, the value of this string is added to the list of kernel command line + arguments for Boot Loader Specification Type 1 entries that are measured in PCR12 and passed to the + kernel. + + + + + + Boot Counting diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c index eba8b40e2ff..d64e560a527 100644 --- a/src/boot/efi/boot.c +++ b/src/boot/efi/boot.c 
@@ -2374,7 +2374,16 @@ static EFI_STATUS image_start(
 /* If we had to append an initrd= entry to the command line, we have to pass it, and measure it.
 * Otherwise, only pass/measure it if it is not implicit anyway (i.e. embedded into the UKI or
 * so). */
- char16_t *options = options_initrd ?: entry->options_implied ? NULL : entry->options;
+ _cleanup_free_ char16_t *options = xstrdup16(options_initrd ?: entry->options_implied ? NULL : entry->options);
+
+ if (!is_confidential_vm()) {
+ const char *extra = smbios_find_oem_string("io.systemd.boot.kernel-cmdline-extra");
+ if (extra) {
+ _cleanup_free_ char16_t *tmp = TAKE_PTR(options), *extra16 = xstr8_to_16(extra);
+ options = xasprintf("%ls %ls", tmp, extra16);
+ }
+ }
+
 if (options) {
 loaded_image->LoadOptions = options;
 loaded_image->LoadOptionsSize = strsize16(options);
diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c
index 6197f00a3c1..967f701e05c 100644
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@@ -1570,6 +1570,10 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 r = strv_extendf(&cmdline, "type=11,value=io.systemd.stub.kernel-cmdline-extra=%s", escaped_kcl);
 if (r < 0)
 return log_oom();
+
+ r = strv_extendf(&cmdline, "type=11,value=io.systemd.boot.kernel-cmdline-extra=%s", escaped_kcl);
+ if (r < 0)
+ return log_oom();
 } else
 log_warning("Cannot append extra args to kernel cmdline, native architecture doesn't support SMBIOS, ignoring");
 }
From f71003798442442c57fd0282352dc217e4e36482 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Sun, 10 Mar 2024 21:24:52 +0100
Subject: [PATCH 2/2] man: Mention that SMBIOS type 11 strings are ignored inside CVM

---
 man/systemd-boot.xml | 3 ++-
 man/systemd-stub.xml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml
index 9ada3f20916..a4d1c003e0a 100644
--- a/man/systemd-boot.xml
+++ b/man/systemd-boot.xml
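Review bot: The new SMBIOS lookup runs for every entry that reaches this point, while the documentation added by this series limits `io.systemd.boot.kernel-cmdline-extra` to Boot Loader Specification Type 1 entries; nothing in the hunk checks the entry's type, so a UKI or any other EFI application started through this path would also receive the extra string in its LoadOptions unless a check earlier in image_start (outside the hunk) excludes them, and for a UKI that would presumably override its embedded command line rather than extend it. Separately, options is NULL when options_initrd is unset and the entry's options are implied, so `xasprintf("%ls %ls", tmp, extra16)` is reached with a NULL tmp; what the EFI printf does with a NULL `%ls` is not visible here, but a "(null)" token on the kernel command line or a fault are the two likely outcomes and neither is intended. I would gate the block on the entry being a Type 1 (Linux kernel) entry in addition to `!is_confidential_vm()`, and write `options = xasprintf("%ls %ls", tmp ?: u"", extra16);`. A one-line comment above the block stating why the lookup is skipped in a confidential VM (presumably because the SMBIOS table there is supplied by an untrusted host) would also help the next reader. image_start begins before the hunk and continues after it.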
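Review bot: Passing escaped_kcl under both the io.systemd.stub key and the new io.systemd.boot key means a guest that boots a UKI through systemd-boot may see the extra arguments applied twice, once by systemd-boot via LoadOptions and once by systemd-stub, unless systemd-boot restricts its key to Type 1 entries; the boot.c hunk in this patch shows no such check, so this is worth confirming before relying on it. A short comment above the two calls naming the intended consumer of each key would make the split explicit, e.g. `/* systemd-stub reads the stub.* key for UKIs, systemd-boot the boot.* key for Type #1 entries */`. run_virtual_machine begins and ends outside the hunk.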
@@ -565,7 +565,8 @@ SMBIOS Type 11 Strings systemd-boot can be configured using SMBIOS Type 11 strings. Applicable strings - consist of a name, followed by =, followed by the value. + consist of a name, followed by =, followed by the value. Unless + systemd-boot detects it is running inside a confidential computing environment, systemd-boot will search the table for a string with a specific name, and if found, use its value. The following strings are read: diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml index e489a138d64..756654854ee 100644 --- a/man/systemd-stub.xml +++ b/man/systemd-stub.xml @@ -503,7 +503,8 @@ SMBIOS Type 11 Strings systemd-stub can be configured using SMBIOS Type 11 strings. Applicable strings - consist of a name, followed by =, followed by the value. + consist of a name, followed by =, followed by the value. Unless + systemd-stub detects it is running inside a confidential computing environment, systemd-stub will search the table for a string with a specific name, and if found, use its value. The following strings are read: