Skip to content

Commit

Permalink
lib/bootloader-zipl: Check for Secure Boot before zipl
Browse files Browse the repository at this point in the history
  • Loading branch information
nikita-dubrovskii committed Oct 24, 2023
1 parent 4085eee commit 305ee04
Showing 1 changed file with 47 additions and 1 deletion.
48 changes: 47 additions & 1 deletion src/libostree/ostree-bootloader-zipl.c
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
#define SECURE_EXECUTION_LUKS_BOOT_KEY "/etc/luks/boot"
#define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab"
#define SECURE_BOOT_SYSFS_FLAG "/sys/firmware/ipl/secure"

#if !(defined HAVE_LIBARCHIVE) && defined(__s390x__)
#error libarchive is required for s390x
Expand Down Expand Up @@ -112,6 +113,48 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader, int bootvers
return TRUE;
}

static gboolean
_ostree_secure_boot_is_enabled (gboolean *out_enabled, GCancellable *cancellable,
GError **error)
{
*out_enabled = FALSE;
glnx_autofd int fd = -1;
if (!ot_openat_ignore_enoent (AT_FDCWD, SECURE_BOOT_SYSFS_FLAG, &fd, error))
return FALSE;
if (fd != -1)
{
g_autofree char *data = glnx_fd_readall_utf8 (fd, NULL, cancellable, error);
if (!data)
return FALSE;
*out_enabled = strstr (data, "1") != NULL;
ot_journal_print (LOG_INFO, "s390x: sysfs: Secure Boot enabled: %d", *out_enabled);
return TRUE;
}

// Fallback, RHEL 9 kernel is buggy and doesn't have sysfs flag.
// Let's check dmesg, with Secure Boot enabled kernel prints smth like:
// [ 0.023193] setup: Linux is running as a z/VM guest operating system in 64-bit mode
// [ 0.023193] setup: Linux is running with Secure-IPL enabled
// [ 0.023194] setup: The IPL report contains the following components:
// [ 0.023194] setup: 0000000000009000 - 000000000000a000 (not signed)
// [ 0.023196] setup: 000000000000a000 - 000000000000e000 (signed, verified)
// [ 0.023197] setup: 0000000000010000 - 0000000000866000 (signed, verified)
// [ 0.023198] setup: 0000000000867000 - 0000000000868000 (not signed)
// [ 0.023199] setup: 0000000000877000 - 0000000000878000 (not signed)
// [ 0.023200] setup: 0000000000880000 - 0000000003f98000 (not signed)
int status = 0;
const char *const cmd[] = {"dmesg", "--kernel", NULL};
g_autofree gchar *output = NULL;
if (!g_spawn_sync (NULL, (char **)cmd, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, &output, NULL,
&status, error))
return glnx_prefix_error (error, "spawning dmesg");
if (!g_spawn_check_exit_status (status, error))
return glnx_prefix_error (error, "`dmesg` failed");
*out_enabled = (output != NULL && strstr (output, "Secure-IPL enabled") != NULL);
ot_journal_print (LOG_INFO, "s390x: dmesg: Secure Boot enabled: %d", *out_enabled);
return TRUE;
}

static gboolean
_ostree_secure_execution_is_enabled (gboolean *out_enabled, GCancellable *cancellable,
GError **error)
Expand Down Expand Up @@ -408,7 +451,10 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, int bootver
return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
}
/* Fallback to non-SE setup */
const char *const zipl_argv[] = { "zipl", NULL };
gboolean sb_enabled = FALSE;
if (!_ostree_secure_boot_is_enabled (&sb_enabled, cancellable, error))
return FALSE;
const char *const zipl_argv[] = {"zipl", "--secure", (sb_enabled == TRUE)? "1": "auto", "-V", NULL};
int estatus;
if (!g_spawn_sync (NULL, (char **)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL, NULL, NULL,
&estatus, error))
Expand Down

0 comments on commit 305ee04

Please sign in to comment.