mirror of
https://github.com/systemd/systemd
synced 2024-10-01 13:55:20 +00:00
creds-util: add common helper for determinign global boot credentials path
It's very useful being able to determine the directory where to write global boot credentials to, that are picked up by all kernels.
This commit is contained in:
parent
c29778a100
commit
7d9a8cc4ac
|
@ -4293,34 +4293,12 @@ static int determine_boot_policy_file(char **ret) {
|
|||
|
||||
assert(ret);
|
||||
|
||||
r = find_xbootldr_and_warn(
|
||||
/* root= */ NULL,
|
||||
/* path= */ NULL,
|
||||
/* unprivileged_mode= */ false,
|
||||
&path,
|
||||
/* ret_uuid= */ NULL,
|
||||
/* ret_devid= */ NULL);
|
||||
if (r < 0) {
|
||||
if (r != -ENOKEY)
|
||||
return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
|
||||
|
||||
r = find_esp_and_warn(
|
||||
/* root= */ NULL,
|
||||
/* path= */ NULL,
|
||||
/* unprivileged_mode= */ false,
|
||||
&path,
|
||||
/* ret_part= */ NULL,
|
||||
/* ret_pstart= */ NULL,
|
||||
/* ret_psize= */ NULL,
|
||||
/* ret_uuid= */ NULL,
|
||||
/* ret_devid= */ NULL);
|
||||
if (r < 0) {
|
||||
if (r != -ENOKEY)
|
||||
return log_error_errno(r, "Failed to find ESP partition: %m");
|
||||
|
||||
*ret = NULL;
|
||||
return 0; /* not found! */
|
||||
}
|
||||
r = get_global_boot_credentials_path(&path);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0) {
|
||||
*ret = NULL;
|
||||
return 0; /* not found! */
|
||||
}
|
||||
|
||||
r = sd_id128_get_machine(&machine_id);
|
||||
|
@ -4344,7 +4322,7 @@ static int determine_boot_policy_file(char **ret) {
|
|||
if (!filename_is_valid(fn))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name '%s' would not be a valid file name, refusing.", fn);
|
||||
|
||||
joined = path_join(path, "loader/credentials", fn);
|
||||
joined = path_join(path, fn);
|
||||
if (!joined)
|
||||
return log_oom();
|
||||
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
#include "env-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
#include "find-esp.h"
|
||||
#include "format-util.h"
|
||||
#include "fs-util.h"
|
||||
#include "io-util.h"
|
||||
|
@ -1657,6 +1658,56 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
|
|||
return 0;
|
||||
}
|
||||
|
||||
int get_global_boot_credentials_path(char **ret) {
|
||||
_cleanup_free_ char *path = NULL;
|
||||
int r;
|
||||
|
||||
assert(ret);
|
||||
|
||||
/* Determines where to put global boot credentials in. Returns the path to the "/loader/credentials/"
|
||||
* directory below the XBOOTLDR or ESP partition. Any credentials placed in this directory can be
|
||||
* picked up later in the initrd. */
|
||||
|
||||
r = find_xbootldr_and_warn(
|
||||
/* root= */ NULL,
|
||||
/* path= */ NULL,
|
||||
/* unprivileged_mode= */ false,
|
||||
&path,
|
||||
/* ret_uuid= */ NULL,
|
||||
/* ret_devid= */ NULL);
|
||||
if (r < 0) {
|
||||
if (r != -ENOKEY)
|
||||
return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
|
||||
|
||||
r = find_esp_and_warn(
|
||||
/* root= */ NULL,
|
||||
/* path= */ NULL,
|
||||
/* unprivileged_mode= */ false,
|
||||
&path,
|
||||
/* ret_part= */ NULL,
|
||||
/* ret_pstart= */ NULL,
|
||||
/* ret_psize= */ NULL,
|
||||
/* ret_uuid= */ NULL,
|
||||
/* ret_devid= */ NULL);
|
||||
if (r < 0) {
|
||||
if (r != -ENOKEY)
|
||||
return log_error_errno(r, "Failed to find ESP partition: %m");
|
||||
|
||||
*ret = NULL;
|
||||
return 0; /* not found! */
|
||||
}
|
||||
}
|
||||
|
||||
_cleanup_free_ char *joined = path_join(path, "loader/credentials");
|
||||
if (!joined)
|
||||
return log_oom();
|
||||
|
||||
log_debug("Determined global boot credentials path as: %s", joined);
|
||||
|
||||
*ret = TAKE_PTR(joined);
|
||||
return 1; /* found! */
|
||||
}
|
||||
|
||||
static int pick_up_credential_one(
|
||||
int credential_dir_fd,
|
||||
const char *credential_name,
|
||||
|
|
|
@ -94,6 +94,8 @@ int decrypt_credential_and_warn(const char *validate_name, usec_t validate_times
|
|||
int ipc_encrypt_credential(const char *name, usec_t timestamp, usec_t not_after, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
|
||||
int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
|
||||
|
||||
int get_global_boot_credentials_path(char **ret);
|
||||
|
||||
typedef struct PickUpCredential {
|
||||
const char *credential_prefix;
|
||||
const char *target_dir;
|
||||
|
|
Loading…
Reference in a new issue