Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
s390-tools.18357
s390-tools-sles15sp2-02-zipl-allow-stand-alone-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File s390-tools-sles15sp2-02-zipl-allow-stand-alone-secure-option-on-command-l.patch of Package s390-tools.18357
Subject: [PATCH] [BZ 184396] zipl: allow stand alone secure option on command line From: Stefan Haberland <sth@linux.ibm.com> Description: zipl: fix secure boot config handling Symptom: The config file parsing for secure boot worked not as it was expected to be. For example a config section setting was not evaluated properly. It is not possible to specify command line option -S without other options. Additionally the man page showed an invalid example. Problem: The config file parsing was not implemented properly. Solution: The hierarchy of the secure boot settings in the config file is: defaultboot > menu > section Allow that --secure or -S is specified on command line without the need to allow all options on the command line. Also ensure that the command line option overrules the config option and correctly ensure that secure boot is only set for SCSI devices. Fix man page example. Reproduction: Run zipl with a secure= setting in a configuration section or specify -S on command line. Upstream-ID: 27f6c0a167da8d08f7f3343360528528f85d661f Problem-ID: 184396 Upstream-Description: zipl: allow stand alone secure option on command line Allow that --secure or -S is specified on command line without the need to allow all options on the command line. Also ensure that the command line option overrules the config option and correctly ensure that secure boot is only set for SCSI devices. Signed-off-by: Stefan Haberland <sth@linux.ibm.com> Reviewed-by: Philipp Rudo <prudo@linux.ibm.com> Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com> Signed-off-by: Stefan Haberland <sth@linux.ibm.com> --- zipl/src/bootmap.c | 6 ++++++ zipl/src/job.c | 52 +++++++++++++++++++++++++--------------------------- 2 files changed, 31 insertions(+), 27 deletions(-) --- a/zipl/src/bootmap.c +++ b/zipl/src/bootmap.c @@ -1133,6 +1133,12 @@ bootmap_create(struct job_data *job, dis disk_get_type_name(info->type)); goto out_disk_free_info; } + /* Check if secure boot was enabled only for SCSI */ + if (job->is_secure == SECURE_BOOT_ENABLED && + info->type != disk_type_scsi) { + error_reason("Secure boot forced for non-SCSI disk type"); + goto out_disk_free_info; + } if (verbose) { printf("Target device information\n"); disk_print_info(info); --- a/zipl/src/job.c +++ b/zipl/src/job.c @@ -72,6 +72,7 @@ struct command_line { int add_files; int dry_run; int force; + int is_secure; enum scan_section_type type; }; @@ -89,6 +90,22 @@ store_option(struct command_line* cmdlin return 0; } +static int +set_secure_ipl(char *keyword, int *is_secure) +{ + if (strcmp(keyword, "auto") == 0) { + *is_secure = SECURE_BOOT_AUTO; + } else if (strcmp(keyword, "0") == 0) { + *is_secure = SECURE_BOOT_DISABLED; + } else if (strcmp(keyword, "1") == 0) { + *is_secure = SECURE_BOOT_ENABLED; + } else { + error_reason("Invalid secure boot setting '%s'", + keyword); + return -1; + } + return 0; +} static int get_command_line(int argc, char* argv[], struct command_line* line) @@ -217,9 +234,7 @@ get_command_line(int argc, char* argv[], cmdline.menu = optarg; break; case 'S': - is_keyword = 1; - rc = store_option(&cmdline, scan_keyword_secure, - optarg); + rc = set_secure_ipl(optarg, &cmdline.is_secure); break; case 'h': cmdline.help = 1; @@ -1270,27 +1285,6 @@ type_from_target(char *target, disk_type } static int -set_secure_ipl(char *keyword, struct job_data *job) -{ - if (strcmp(keyword, "auto") == 0) { - job->is_secure = SECURE_BOOT_AUTO; - } else if (strcmp(keyword, "0") == 0) { - job->is_secure = SECURE_BOOT_DISABLED; - } else if (strcmp(keyword, "1") == 0) { - if (job->target.targettype != disk_type_scsi) { - error_reason("Secure boot forced for non-SCSI disk type"); - return -1; - } - job->is_secure = SECURE_BOOT_ENABLED; - } else { - error_reason("Invalid secure boot setting '%s'", - keyword); - return -1; - } - return 0; -} - -static int get_job_from_section_data(char* data[], struct job_data* job, char* section) { int rc; @@ -1374,7 +1368,7 @@ get_job_from_section_data(char* data[], /* Fill in secure boot */ if (data[(int) scan_keyword_secure] != NULL) { rc = set_secure_ipl(data[(int) scan_keyword_secure], - job); + &job->is_secure); if (rc) return rc; } @@ -1538,7 +1532,7 @@ get_menu_job(struct scan_token* scan, ch case scan_keyword_secure: rc = set_secure_ipl( scan[i].content.keyword.value, - job); + &job->is_secure); if (rc) return rc; break; @@ -1880,7 +1874,6 @@ job_get(int argc, char* argv[], struct j job->add_files = cmdline.add_files; job->data.mvdump.force = cmdline.force; job->dry_run = cmdline.dry_run; - job->is_secure = SECURE_BOOT_AUTO; /* Get job data from user input */ if (cmdline.help) { job->command_line = 1; @@ -1899,6 +1892,11 @@ job_get(int argc, char* argv[], struct j job_free(job); return rc; } + if (cmdline.is_secure) + job->is_secure = cmdline.is_secure; + else + job->is_secure = job->is_secure ? : SECURE_BOOT_AUTO; + /* Check job data for validity */ rc = check_job_data(job); if (rc) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor