s390x: add "IBM Secure Execution for Linux" support
authorNikita Dubrovskii <nikita@linux.ibm.com>
Wed, 17 Nov 2021 12:10:20 +0000 (13:10 +0100)
committerNikita Dubrovskii <nikita@linux.ibm.com>
Fri, 11 Feb 2022 08:00:38 +0000 (09:00 +0100)
If the system contains an ibm-z-hostkey (fetched during ignition), then
ostree generates an 'sd-boot' image and reboots into Secure Execution

Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
src/libostree/ostree-bootloader-zipl.c
src/libostree/ostree-bootloader-zipl.h
src/libostree/ostree-bootloader.c
src/libostree/ostree-bootloader.h
src/libostree/ostree-sysroot-deploy.c

index a7078aeaff07391f81e1d395129703404569eb1b..7358671bfb079dc37071cb1093e26b1eceb1ffc4 100644 (file)
 
 #include "ostree-sysroot-private.h"
 #include "ostree-bootloader-zipl.h"
+#include "ostree-deployment-private.h"
 #include "otutil.h"
-
+#include <systemd/sd-journal.h>
 #include <string.h>
 
+#define SECURE_EXECUTION_BOOT_IMAGE     "/boot/sd-boot"
+#define SECURE_EXECUTION_HOSTKEY_PATH   "/etc/se-hostkeys/"
+#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
+
 /* This is specific to zipl today, but in the future we could also
  * use it for the grub2-mkconfig case.
  */
@@ -78,8 +83,163 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader  *bootloader,
   return TRUE;
 }
 
+static gboolean
+_ostree_secure_execution_get_keys (GPtrArray **keys,
+                                   GCancellable *cancellable,
+                                   GError **error)
+{
+  g_auto (GLnxDirFdIterator) it = { 0,};
+  if ( !glnx_dirfd_iterator_init_at (-1, SECURE_EXECUTION_HOSTKEY_PATH, TRUE, &it, error))
+    return glnx_prefix_error (error, "s390x SE: looking for SE keys");
+
+  g_autoptr(GPtrArray) ret_keys = g_ptr_array_new_with_free_func (g_free);
+  while (TRUE)
+    {
+      struct dirent *dent = NULL;
+      if (!glnx_dirfd_iterator_next_dent (&it, &dent, cancellable, error))
+        return FALSE;
+
+      if (!dent)
+        break;
+
+      if (g_str_has_prefix (dent->d_name, SECURE_EXECUTION_HOSTKEY_PREFIX))
+        g_ptr_array_add (ret_keys, g_build_filename (SECURE_EXECUTION_HOSTKEY_PATH, dent->d_name, NULL));
+    }
+
+  *keys = g_steal_pointer (&ret_keys);
+  return TRUE;
+}
+
+static gboolean
+_ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
+                                         int bootversion,
+                                         gchar **vmlinuz,
+                                         gchar **initramfs,
+                                         gchar **options,
+                                         GCancellable *cancellable,
+                                         GError **error)
+{
+  g_autoptr (GPtrArray) configs = NULL;
+  if ( !_ostree_sysroot_read_boot_loader_configs (self->sysroot, bootversion, &configs, cancellable, error))
+    return glnx_prefix_error (error, "s390x SE: loading bls configs");
+
+  if (!configs || configs->len == 0)
+    return glnx_throw (error, "s390x SE: no bls config");
+
+  OstreeBootconfigParser *parser = (OstreeBootconfigParser *) g_ptr_array_index (configs, 0);
+  const gchar *val = NULL;
+
+  val = ostree_bootconfig_parser_get (parser, "linux");
+  if (!val)
+    return glnx_throw (error, "s390x SE: no \"linux\" key in bootloader config");
+  *vmlinuz = g_build_filename ("/boot", val, NULL);
+
+  val = ostree_bootconfig_parser_get (parser, "initrd");
+  if (!val)
+    return glnx_throw (error, "s390x SE: no \"initrd\" key in bootloader config");
+  *initramfs = g_build_filename ("/boot", val, NULL);
+
+  val = ostree_bootconfig_parser_get (parser, "options");
+  if (!val)
+    return glnx_throw (error, "s390x SE: no \"options\" key in bootloader config");
+  *options = g_strdup(val);
+
+  return TRUE;
+}
+
+static gboolean
+_ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
+                                          gchar *initramfs,
+                                          gchar *options,
+                                          GPtrArray *keys,
+                                          GError **error)
+{
+  g_assert (vmlinuz && initramfs && options && keys && keys->len);
+  sd_journal_print(LOG_INFO, "s390x SE: kernel: %s", vmlinuz);
+  sd_journal_print(LOG_INFO, "s390x SE: initrd: %s", initramfs);
+  sd_journal_print(LOG_INFO, "s390x SE: kargs: %s", options);
+
+  pid_t self = getpid();
+
+  // Store kernel options to temp file, so `genprotimg` can later embed it
+  g_auto(GLnxTmpfile) cmdline = { 0, };
+  if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &cmdline, error))
+    return glnx_prefix_error(error, "s390x SE: opening cmdline file");
+  if (glnx_loop_write (cmdline.fd, options, strlen (options)) < 0)
+    return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file");
+  g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", self, cmdline.fd);
+
+  g_autoptr(GPtrArray) argv = g_ptr_array_new ();
+  g_ptr_array_add (argv, "genprotimg");
+  g_ptr_array_add (argv, "-i");
+  g_ptr_array_add (argv, vmlinuz);
+  g_ptr_array_add (argv, "-r");
+  g_ptr_array_add (argv, initramfs);
+  g_ptr_array_add (argv, "-p");
+  g_ptr_array_add (argv, cmdline_filename);
+  for (guint i = 0; i < keys->len; ++i)
+    {
+      gchar *key = g_ptr_array_index (keys, i);
+      g_ptr_array_add (argv, "-k");
+      g_ptr_array_add (argv, key);
+      sd_journal_print(LOG_INFO, "s390x SE: key[%d]: %s", i + 1, key);
+    }
+  g_ptr_array_add (argv, "--no-verify");
+  g_ptr_array_add (argv, "-o");
+  g_ptr_array_add (argv, SECURE_EXECUTION_BOOT_IMAGE);
+  g_ptr_array_add (argv, NULL);
+
+  gint status = 0;
+  if (!g_spawn_sync (NULL, (char**)argv->pdata, NULL, G_SPAWN_SEARCH_PATH,
+                       NULL, NULL, NULL, NULL, &status, error))
+    return glnx_prefix_error(error, "s390x SE: spawning genprotimg");
+
+  if (!g_spawn_check_exit_status (status, error))
+    return glnx_prefix_error(error, "s390x SE: `genprotimg` failed");
+
+  sd_journal_print(LOG_INFO, "s390x SE: `%s` generated", SECURE_EXECUTION_BOOT_IMAGE);
+  return TRUE;
+}
+
+static gboolean
+_ostree_secure_execution_call_zipl (GError **error)
+{
+  int status = 0;
+  const char *const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
+  if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
+                       NULL, NULL, NULL, NULL, &status, error))
+    return glnx_prefix_error(error, "s390x SE: spawning zipl");
+
+  if (!g_spawn_check_exit_status (status, error))
+    return glnx_prefix_error(error, "s390x SE: `zipl` failed");
+
+  sd_journal_print(LOG_INFO, "s390x SE: `sd-boot` zipled");
+  return TRUE;
+}
+
+static gboolean
+_ostree_secure_execution_enable (OstreeBootloaderZipl *self,
+                                 int bootversion,
+                                 GPtrArray *keys,
+                                 GCancellable *cancellable,
+                                 GError **error)
+{
+  g_autofree gchar* vmlinuz = NULL;
+  g_autofree gchar* initramfs = NULL;
+  g_autofree gchar* options = NULL;
+
+  gboolean rc =
+      _ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
+      _ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
+      _ostree_secure_execution_call_zipl (error);
+
+  return rc;
+}
+
+
 static gboolean
 _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader  *bootloader,
+                                       int bootversion,
                                        GCancellable  *cancellable,
                                        GError       **error)
 {
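Review bot: In `_ostree_secure_execution_generate_sdboot`, `genprotimg` is always run with `--no-verify`, so the host-key documents are never validated, and `_ostree_secure_execution_get_keys` selects them purely by the `ibm-z-hostkey` filename prefix without checking the entry type. The image is therefore encrypted for whatever files sit in `/etc/se-hostkeys/`, and its confidentiality rests entirely on how that directory was provisioned. Consider passing the certificate chain to genprotimg (its `--cert` option) instead of `--no-verify` when one is available, and skipping directory entries that are not regular files. If verification has to stay off, state the trust assumption next to the flag, e.g. `/* --no-verify: host keys are trusted as provisioned by ignition; they are not validated here */`.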
@@ -97,6 +257,14 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader  *bootloader,
   if (errno == ENOENT)
     return TRUE;
 
+  /* Try with Secure Execution */
+  g_autoptr(GPtrArray) keys = NULL;
+  if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+    return FALSE;
+  if (keys && keys->len)
+    return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
+
+  /* Fallback to non-SE setup */
   const char *const zipl_argv[] = {"zipl", NULL};
   int estatus;
   if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
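Review bot: The new call to `_ostree_secure_execution_get_keys` returns `FALSE` whenever `/etc/se-hostkeys/` cannot be opened, so a system without that directory appears to fail here and never reaches the "Fallback to non-SE setup" `zipl` call. As far as the visible code shows, `glnx_dirfd_iterator_init_at` is the only existence check and its error is propagated unchanged with a prefix. In `_ostree_secure_execution_get_keys`, treat a not-found error from that call as "no keys" (clear the error and return `TRUE` with an empty array) and keep every other error fatal. `_ostree_bootloader_zipl_post_bls_sync` starts before this hunk and continues after it.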
index 3584feb228f5bd00c9f127a522f31817734c33cc..e3f0b2b32c5c000e361d5637e685a4757138b8bf 100644 (file)
@@ -30,5 +30,4 @@ typedef struct _OstreeBootloaderZipl OstreeBootloaderZipl;
 GType _ostree_bootloader_zipl_get_type (void) G_GNUC_CONST;
 
 OstreeBootloaderZipl * _ostree_bootloader_zipl_new (OstreeSysroot *sysroot);
-
 G_END_DECLS
index f221b6081c6b0a035845c5137f32d2e7c4658bf5..785fd233965fda2c2be28622546cfc4cd66a52a4 100644 (file)
@@ -65,13 +65,14 @@ _ostree_bootloader_write_config (OstreeBootloader  *self,
 
 gboolean
 _ostree_bootloader_post_bls_sync (OstreeBootloader  *self,
+                                  int bootversion,
                                   GCancellable  *cancellable,
                                   GError       **error)
 {
   g_return_val_if_fail (OSTREE_IS_BOOTLOADER (self), FALSE);
 
   if (OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync)
-    return OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync (self, cancellable, error);
+    return OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync (self, bootversion, cancellable, error);
 
   return TRUE;
 }
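Review bot: The new `bootversion` parameter of `_ostree_bootloader_post_bls_sync` is undocumented, and neither this wrapper nor the `post_bls_sync` vfunc in the interface header says which version it means. From the visible code it is the version being switched to (`swap_bootloader` passes `new_bootversion`), and the zipl backend uses it to load the BLS configs. A short comment above the function would make that contract explicit for other backends, e.g. `/* @bootversion: boot version being switched to; backends may read its loader configs */`.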
index 6e0f6f88ecdc547e0f6b2fadb9650a7bd661ed8a..ca1b453eba9fd324b2e0652a1d8e791496b48486 100644 (file)
@@ -46,6 +46,7 @@ struct _OstreeBootloaderInterface
                                                    GCancellable  *cancellable,
                                                    GError       **error);
   gboolean             (* post_bls_sync)          (OstreeBootloader  *self,
+                                                   int bootversion,
                                                    GCancellable  *cancellable,
                                                    GError       **error);
   gboolean             (* is_atomic)              (OstreeBootloader  *self);
@@ -68,6 +69,7 @@ gboolean _ostree_bootloader_write_config (OstreeBootloader  *self,
                                           GError       **error);
 
 gboolean _ostree_bootloader_post_bls_sync (OstreeBootloader  *self,
+                                           int bootversion,
                                            GCancellable  *cancellable,
                                            GError       **error);
 
index c4ae86d545d34f9111d709f3224964ef67f45ebc..c1e19db3c22a680de22f83807e85485f01991799 100644 (file)
@@ -2097,7 +2097,7 @@ swap_bootloader (OstreeSysroot  *sysroot,
    **/
   if (bootloader)
     {
-      if (!_ostree_bootloader_post_bls_sync (bootloader, cancellable, error))
+      if (!_ostree_bootloader_post_bls_sync (bootloader, new_bootversion, cancellable, error))
         return FALSE;
     }