From 7d9a8cc4acabb1ebd957c2879971d0c7a01387f1 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 6 Jun 2024 12:14:35 +0200
Subject: [PATCH] creds-util: add common helper for determinign global boot
 credentials path

It's very useful being able to determine the directory where to write
global boot credentials to, that are picked up by all kernels.
---
 src/pcrlock/pcrlock.c   | 36 ++++++-----------------------
 src/shared/creds-util.c | 51 +++++++++++++++++++++++++++++++++++++++++
 src/shared/creds-util.h |  2 ++
 3 files changed, 60 insertions(+), 29 deletions(-)

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 997ace5d3c3..935d60d3db7 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4293,34 +4293,12 @@ static int determine_boot_policy_file(char **ret) {
 
         assert(ret);
 
-        r = find_xbootldr_and_warn(
-                        /* root= */ NULL,
-                        /* path= */ NULL,
-                        /* unprivileged_mode= */ false,
-                        &path,
-                        /* ret_uuid= */ NULL,
-                        /* ret_devid= */ NULL);
-        if (r < 0) {
-                if (r != -ENOKEY)
-                        return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
-
-                r = find_esp_and_warn(
-                                /* root= */ NULL,
-                                /* path= */ NULL,
-                                /* unprivileged_mode= */ false,
-                                &path,
-                                /* ret_part= */ NULL,
-                                /* ret_pstart= */ NULL,
-                                /* ret_psize= */ NULL,
-                                /* ret_uuid= */ NULL,
-                                /* ret_devid= */ NULL);
-                if (r < 0) {
-                        if (r != -ENOKEY)
-                                return log_error_errno(r, "Failed to find ESP partition: %m");
-
-                        *ret = NULL;
-                        return 0; /* not found! */
-                }
+        r = get_global_boot_credentials_path(&path);
+        if (r < 0)
+                return r;
+        if (r == 0) {
+                *ret = NULL;
+                return 0; /* not found! */
         }
 
         r = sd_id128_get_machine(&machine_id);
@@ -4344,7 +4322,7 @@ static int determine_boot_policy_file(char **ret) {
         if (!filename_is_valid(fn))
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name '%s' would not be a valid file name, refusing.", fn);
 
-        joined = path_join(path, "loader/credentials", fn);
+        joined = path_join(path, fn);
         if (!joined)
                 return log_oom();
 
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index eaf772bff2c..e99477997a0 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -19,6 +19,7 @@
 #include "env-util.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "find-esp.h"
 #include "format-util.h"
 #include "fs-util.h"
 #include "io-util.h"
@@ -1657,6 +1658,56 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
         return 0;
 }
 
+int get_global_boot_credentials_path(char **ret) {
+        _cleanup_free_ char *path = NULL;
+        int r;
+
+        assert(ret);
+
+        /* Determines where to put global boot credentials in. Returns the path to the "/loader/credentials/"
+         * directory below the XBOOTLDR or ESP partition. Any credentials placed in this directory can be
+         * picked up later in the initrd. */
+
+        r = find_xbootldr_and_warn(
+                        /* root= */ NULL,
+                        /* path= */ NULL,
+                        /* unprivileged_mode= */ false,
+                        &path,
+                        /* ret_uuid= */ NULL,
+                        /* ret_devid= */ NULL);
+        if (r < 0) {
+                if (r != -ENOKEY)
+                        return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
+
+                r = find_esp_and_warn(
+                                /* root= */ NULL,
+                                /* path= */ NULL,
+                                /* unprivileged_mode= */ false,
+                                &path,
+                                /* ret_part= */ NULL,
+                                /* ret_pstart= */ NULL,
+                                /* ret_psize= */ NULL,
+                                /* ret_uuid= */ NULL,
+                                /* ret_devid= */ NULL);
+                if (r < 0) {
+                        if (r != -ENOKEY)
+                                return log_error_errno(r, "Failed to find ESP partition: %m");
+
+                        *ret = NULL;
+                        return 0; /* not found! */
+                }
+        }
+
+        _cleanup_free_ char *joined = path_join(path, "loader/credentials");
+        if (!joined)
+                return log_oom();
+
+        log_debug("Determined global boot credentials path as: %s", joined);
+
+        *ret = TAKE_PTR(joined);
+        return 1; /* found! */
+}
+
 static int pick_up_credential_one(
                 int credential_dir_fd,
                 const char *credential_name,
diff --git a/src/shared/creds-util.h b/src/shared/creds-util.h
index b80755b7d7b..e096b6d4d41 100644
--- a/src/shared/creds-util.h
+++ b/src/shared/creds-util.h
@@ -94,6 +94,8 @@ int decrypt_credential_and_warn(const char *validate_name, usec_t validate_times
 int ipc_encrypt_credential(const char *name, usec_t timestamp, usec_t not_after, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
 int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
 
+int get_global_boot_credentials_path(char **ret);
+
 typedef struct PickUpCredential {
         const char *credential_prefix;
         const char *target_dir;