author | Nikita Dubrovskii <nikita@linux.ibm.com> | 2022-05-23 17:28:54 +0200 |
---|---|---|
committer | Nikita Dubrovskii <nikita@linux.ibm.com> | 2022-05-23 18:24:43 +0200 |
commit | d0005698596ff3e434a3e4ddd4aea8d4c618079f (patch) | |
tree | c89c08cf228f56ca9be3485690c4a449d9681f87 /src/libostree/ostree-bootloader-zipl.c | |
parent | fe4ca42760a34b8fbb834eaa97b4ca065a05c809 (diff) | |
download | ostree-d0005698596ff3e434a3e4ddd4aea8d4c618079f.tar.gz |
s390x: ensure SecureExecution is enabled before sd-boot generation
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
Diffstat (limited to 'src/libostree/ostree-bootloader-zipl.c')
-rw-r--r-- | src/libostree/ostree-bootloader-zipl.c | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
index fe024d80..348dfe03 100644
--- a/src/libostree/ostree-bootloader-zipl.c
+++ b/src/libostree/ostree-bootloader-zipl.c
@@ -25,6 +25,7 @@
 #include <sys/stat.h>
 #include <string.h>
+#define SECURE_EXECUTION_SYSFS_FLAG "/sys/firmware/uv/prot_virt_guest"
 #define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
 #define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
 #define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
@@ -109,6 +110,14 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
 return TRUE;
 }
+static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
+ gsize len = 0;
+ g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
+ if (!data)
+ return FALSE;
+ return strstr (data, "1") != NULL;
+}
+
 static gboolean
 _ostree_secure_execution_get_keys (GPtrArray **keys,
 GCancellable *cancellable,
@@ -329,12 +338,15 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
 return TRUE;
 /* Try with Secure Execution */
- g_autoptr(GPtrArray) keys = NULL;
- if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
- return FALSE;
- if (keys && keys->len)
- return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
-
+ if ( _ostree_secure_execution_is_enabled (cancellable) )
+ {
+ g_autoptr(GPtrArray) keys = NULL;
+ if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+ return FALSE;
+ if (!keys || keys->len == 0)
+ return glnx_throw (error, "s390x SE: no keys");
+ return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
+ }
 /* Fallback to non-SE setup */
 const char *const zipl_argv[] = {"zipl", NULL};
 int estatus; |
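Review bot: `_ostree_secure_execution_is_enabled` passes `NULL` as the error argument, so any failure to read `SECURE_EXECUTION_SYSFS_FLAG` (including cancellation) is reported as "not a protected guest", and the caller in the last hunk then writes the non-SE zipl setup. Only a missing flag file should mean disabled; other errors are better propagated through a `GError **error` parameter, with the caller updated to match. The test `strstr (data, "1") != NULL` also accepts any content that merely contains a 1, so compare the stripped value instead. The definition also departs from the file's layout, which puts the return type and the opening brace on their own lines.

```c
static gboolean
_ostree_secure_execution_is_enabled (gboolean *out_enabled,
                                     GCancellable *cancellable,
                                     GError **error)
{
  g_autoptr(GError) local_error = NULL;
  gsize len = 0;
  g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, &local_error);
  *out_enabled = FALSE;
  if (!data)
    {
      /* A missing flag file means this is not a protected guest; anything else is a real error. */
      if (g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND))
        return TRUE;
      g_propagate_error (error, g_steal_pointer (&local_error));
      return FALSE;
    }
  *out_enabled = g_str_equal (g_strstrip (data), "1");
  return TRUE;
}
```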
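Review bot: When the sysfs flag is not set, the new branch is skipped before `_ostree_secure_execution_get_keys` is ever called, so keys that are present are ignored without any message and the plain zipl path runs. If that is intended, say so where it happens, e.g. replace the context comment with `/* Secure Execution guest: keys are mandatory, no fallback to plain zipl */` and add a `g_debug` line on the fallback path. `if ( _ostree_secure_execution_is_enabled (cancellable) )` has padding inside the parentheses that the surrounding lines do not use. The body of `_ostree_bootloader_zipl_post_bls_sync` starts and ends outside this hunk.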