projects / ostree.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fe4ca42)
s390x: ensure SecureExecution is enabled before sd-boot generation
authorNikita Dubrovskii <nikita@linux.ibm.com>
Mon, 23 May 2022 15:28:54 +0000 (17:28 +0200)
committerNikita Dubrovskii <nikita@linux.ibm.com>
Mon, 23 May 2022 16:24:43 +0000 (18:24 +0200)
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
src/libostree/ostree-bootloader-zipl.c patch | blob | history

diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
index fe024d80460991d9ac00875f0a41a9470886c907..348dfe036de71fc74cb00e2c4ac384c0c70dda06 100644 (file)
--- a/src/libostree/ostree-bootloader-zipl.c
+++ b/src/libostree/ostree-bootloader-zipl.c
@@ -25,6 +25,7 @@
 #include <sys/stat.h>
 #include <string.h>
 
+#define SECURE_EXECUTION_SYSFS_FLAG     "/sys/firmware/uv/prot_virt_guest"
 #define SECURE_EXECUTION_PARTITION      "/dev/disk/by-label/se"
 #define SECURE_EXECUTION_MOUNTPOINT     "/sysroot/se"
 #define SECURE_EXECUTION_BOOT_IMAGE     SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
@@ -109,6 +110,14 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader  *bootloader,
   return TRUE;
 }
 
+static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
+  gsize len = 0;
+  g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
+  if (!data)
+    return FALSE;
+  return strstr (data, "1") != NULL;
+}
+
 static gboolean
 _ostree_secure_execution_get_keys (GPtrArray **keys,
                                    GCancellable *cancellable,
@@ -329,12 +338,15 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader  *bootloader,
     return TRUE;
 
   /* Try with Secure Execution */
-  g_autoptr(GPtrArray) keys = NULL;
-  if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
-    return FALSE;
-  if (keys && keys->len)
-    return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
-
+  if ( _ostree_secure_execution_is_enabled (cancellable) )
+    {
+      g_autoptr(GPtrArray) keys = NULL;
+      if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+        return FALSE;
+      if (!keys || keys->len == 0)
+          return glnx_throw (error, "s390x SE: no keys");
+      return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
+    }
   /* Fallback to non-SE setup */
   const char *const zipl_argv[] = {"zipl", NULL};
   int estatus;
Unnamed repository; edit this file 'description' to name the repository.