diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c index 997ace5d3c3..935d60d3db7 100644 --- a/src/pcrlock/pcrlock.c +++ b/src/pcrlock/pcrlock.c @@ -4293,34 +4293,12 @@ static int determine_boot_policy_file(char **ret) { assert(ret); - r = find_xbootldr_and_warn( - /* root= */ NULL, - /* path= */ NULL, - /* unprivileged_mode= */ false, - &path, - /* ret_uuid= */ NULL, - /* ret_devid= */ NULL); - if (r < 0) { - if (r != -ENOKEY) - return log_error_errno(r, "Failed to find XBOOTLDR partition: %m"); - - r = find_esp_and_warn( - /* root= */ NULL, - /* path= */ NULL, - /* unprivileged_mode= */ false, - &path, - /* ret_part= */ NULL, - /* ret_pstart= */ NULL, - /* ret_psize= */ NULL, - /* ret_uuid= */ NULL, - /* ret_devid= */ NULL); - if (r < 0) { - if (r != -ENOKEY) - return log_error_errno(r, "Failed to find ESP partition: %m"); - - *ret = NULL; - return 0; /* not found! */ - } + r = get_global_boot_credentials_path(&path); + if (r < 0) + return r; + if (r == 0) { + *ret = NULL; + return 0; /* not found! */ } r = sd_id128_get_machine(&machine_id); @@ -4344,7 +4322,7 @@ static int determine_boot_policy_file(char **ret) { if (!filename_is_valid(fn)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name '%s' would not be a valid file name, refusing.", fn); - joined = path_join(path, "loader/credentials", fn); + joined = path_join(path, fn); if (!joined) return log_oom(); diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index eaf772bff2c..e99477997a0 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c @@ -19,6 +19,7 @@ #include "env-util.h" #include "fd-util.h" #include "fileio.h" +#include "find-esp.h" #include "format-util.h" #include "fs-util.h" #include "io-util.h" @@ -1657,6 +1658,56 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp, return 0; } +int get_global_boot_credentials_path(char **ret) { + _cleanup_free_ char *path = NULL; + int r; + + assert(ret); + + /* Determines where to put global boot credentials in. Returns the path to the "/loader/credentials/" + * directory below the XBOOTLDR or ESP partition. Any credentials placed in this directory can be + * picked up later in the initrd. */ + + r = find_xbootldr_and_warn( + /* root= */ NULL, + /* path= */ NULL, + /* unprivileged_mode= */ false, + &path, + /* ret_uuid= */ NULL, + /* ret_devid= */ NULL); + if (r < 0) { + if (r != -ENOKEY) + return log_error_errno(r, "Failed to find XBOOTLDR partition: %m"); + + r = find_esp_and_warn( + /* root= */ NULL, + /* path= */ NULL, + /* unprivileged_mode= */ false, + &path, + /* ret_part= */ NULL, + /* ret_pstart= */ NULL, + /* ret_psize= */ NULL, + /* ret_uuid= */ NULL, + /* ret_devid= */ NULL); + if (r < 0) { + if (r != -ENOKEY) + return log_error_errno(r, "Failed to find ESP partition: %m"); + + *ret = NULL; + return 0; /* not found! */ + } + } + + _cleanup_free_ char *joined = path_join(path, "loader/credentials"); + if (!joined) + return log_oom(); + + log_debug("Determined global boot credentials path as: %s", joined); + + *ret = TAKE_PTR(joined); + return 1; /* found! */ +} + static int pick_up_credential_one( int credential_dir_fd, const char *credential_name, diff --git a/src/shared/creds-util.h b/src/shared/creds-util.h index b80755b7d7b..e096b6d4d41 100644 --- a/src/shared/creds-util.h +++ b/src/shared/creds-util.h @@ -94,6 +94,8 @@ int decrypt_credential_and_warn(const char *validate_name, usec_t validate_times int ipc_encrypt_credential(const char *name, usec_t timestamp, usec_t not_after, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret); int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret); +int get_global_boot_credentials_path(char **ret); + typedef struct PickUpCredential { const char *credential_prefix; const char *target_dir;