system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-01 07:34:28 +00:00
Code Issues Projects Releases Wiki Activity

creds-util: add common helper for determinign global boot credentials path

Browse Source 
It's very useful being able to determine the directory where to write
global boot credentials to, that are picked up by all kernels.
This commit is contained in:
Lennart Poettering 2024-06-06 12:14:35 +02:00 committed by Luca Boccassi
parent c29778a100
commit 7d9a8cc4ac
3 changed files with 60 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
src/pcrlock/pcrlock.c
View File

@ -4293,34 +4293,12 @@ static int determine_boot_policy_file(char **ret) {
assert(ret);
r = find_xbootldr_and_warn(
/* root= */ NULL,
/* path= */ NULL,
/* unprivileged_mode= */ false,
&path,
/* ret_uuid= */ NULL,
/* ret_devid= */ NULL);
if (r < 0) {
if (r != -ENOKEY)
return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
r = find_esp_and_warn(
/* root= */ NULL,
/* path= */ NULL,
/* unprivileged_mode= */ false,
&path,
/* ret_part= */ NULL,
/* ret_pstart= */ NULL,
/* ret_psize= */ NULL,
/* ret_uuid= */ NULL,
/* ret_devid= */ NULL);
if (r < 0) {
if (r != -ENOKEY)
return log_error_errno(r, "Failed to find ESP partition: %m");
*ret = NULL;
return 0; /* not found! */
}
r = get_global_boot_credentials_path(&path);
if (r < 0)
return r;
if (r == 0) {
*ret = NULL;
return 0; /* not found! */
}
r = sd_id128_get_machine(&machine_id);
@ -4344,7 +4322,7 @@ static int determine_boot_policy_file(char **ret) {
if (!filename_is_valid(fn))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name '%s' would not be a valid file name, refusing.", fn);
joined = path_join(path, "loader/credentials", fn);
joined = path_join(path, fn);
if (!joined)
return log_oom();

51
src/shared/creds-util.c
View File

@ -19,6 +19,7 @@
#include "env-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "find-esp.h"
#include "format-util.h"
#include "fs-util.h"
#include "io-util.h"
@ -1657,6 +1658,56 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
return 0;
}
int get_global_boot_credentials_path(char **ret) {
_cleanup_free_ char *path = NULL;
int r;
assert(ret);
/* Determines where to put global boot credentials in. Returns the path to the "/loader/credentials/"
* directory below the XBOOTLDR or ESP partition. Any credentials placed in this directory can be
* picked up later in the initrd. */
r = find_xbootldr_and_warn(
/* root= */ NULL,
/* path= */ NULL,
/* unprivileged_mode= */ false,
&path,
/* ret_uuid= */ NULL,
/* ret_devid= */ NULL);
if (r < 0) {
if (r != -ENOKEY)
return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
r = find_esp_and_warn(
/* root= */ NULL,
/* path= */ NULL,
/* unprivileged_mode= */ false,
&path,
/* ret_part= */ NULL,
/* ret_pstart= */ NULL,
/* ret_psize= */ NULL,
/* ret_uuid= */ NULL,
/* ret_devid= */ NULL);
if (r < 0) {
if (r != -ENOKEY)
return log_error_errno(r, "Failed to find ESP partition: %m");
*ret = NULL;
return 0; /* not found! */
}
}
_cleanup_free_ char *joined = path_join(path, "loader/credentials");
if (!joined)
return log_oom();
log_debug("Determined global boot credentials path as: %s", joined);
*ret = TAKE_PTR(joined);
return 1; /* found! */
}
static int pick_up_credential_one(
int credential_dir_fd,
const char *credential_name,

2
src/shared/creds-util.h
View File

@ -94,6 +94,8 @@ int decrypt_credential_and_warn(const char *validate_name, usec_t validate_times
int ipc_encrypt_credential(const char *name, usec_t timestamp, usec_t not_after, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
int get_global_boot_credentials_path(char **ret);
typedef struct PickUpCredential {
const char *credential_prefix;
const char *target_dir;