From 769ac686f158197103f42b01a1e3b3a97d84ebc7 Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii
Date: Mon, 5 Sep 2022 12:08:35 +0200
Subject: [PATCH] s390x: simplify 's390x-se-luks-gencpio' script
---
 src/libostree/ostree-bootloader-zipl.c | 43 ++++++++++++++++----------
 src/libostree/s390x-se-luks-gencpio | 18 ++++-------
 2 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
index f2c8063e..fc0614c0 100644
--- a/src/libostree/ostree-bootloader-zipl.c
+++ b/src/libostree/ostree-bootloader-zipl.c
@@ -200,11 +200,28 @@ _ostree_secure_execution_luks_key_exists (void)
 }
 
 static gboolean
-_ostree_secure_execution_enable_luks(const gchar *oldramfs,
- const gchar *newramfs,
- GError **error)
+_ostree_secure_execution_generate_initrd (const gchar *initrd,
+ GLnxTmpfile *out_initrd,
+ gchar **out_initrdname,
+ GError **error)
 {
- const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, oldramfs, newramfs, NULL};
+ if (!_ostree_secure_execution_luks_key_exists ())
+ return glnx_throw (error, "s390x SE: missing luks keys and config");
+
+
+ if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, out_initrd, error))
+ return glnx_prefix_error (error, "s390x SE: opening new ramdisk");
+ {
+ glnx_autofd int fd = -1;
+ glnx_openat_rdonly (AT_FDCWD, initrd, TRUE, &fd, error);
+ if (glnx_regfile_copy_bytes (fd, out_initrd->fd, (off_t) -1) < 0)
+ return glnx_throw_errno_prefix (error, "s390x SE: copying ramdisk");
+ }
+
+ g_autofree gchar *tmpdir = g_mkdtemp (g_strdup ("/var/tmp/se-initramfs-XXXXXX"));
+
+ *out_initrdname = g_strdup_printf ("/proc/%d/fd/%d", getpid (), out_initrd->fd);
+ const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, *out_initrdname, tmpdir, NULL};
 g_autofree gchar *out = NULL;
 g_autofree gchar *err = NULL;
 int status = 0;
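Review bot: The result of `glnx_openat_rdonly (AT_FDCWD, initrd, TRUE, &fd, error)` inside the copy block is never tested, so when the source initrd cannot be opened `error` is already set, `fd` is still -1, and `glnx_regfile_copy_bytes` fails on the bad descriptor and tries to set a second error on top of the first; check it like the neighbouring `glnx_open_anonymous_tmpfile` call. The `g_mkdtemp` result is unchecked as well: on failure `tmpdir` is NULL, the duplicated template string leaks, and the NULL silently truncates `argv` so the tool is spawned without its directory argument. Keeping the template in the autofree variable and checking `g_mkdtemp` in place handles both, as in the excerpt below. Nothing visible removes the directory created under /var/tmp afterwards, and the script side of this patch only deletes `etc/` inside it, so either this function should call `glnx_shutil_rm_rf_at (AT_FDCWD, tmpdir, NULL, NULL)` once the tool has run or the script must remove its own working directory; the rest of this function's body is outside the hunk.
```c
  {
    glnx_autofd int fd = -1;
    if (!glnx_openat_rdonly (AT_FDCWD, initrd, TRUE, &fd, error))
      return glnx_prefix_error (error, "s390x SE: opening ramdisk");
    if (glnx_regfile_copy_bytes (fd, out_initrd->fd, (off_t) -1) < 0)
      return glnx_throw_errno_prefix (error, "s390x SE: copying ramdisk");
  }

  g_autofree gchar *tmpdir = g_strdup ("/var/tmp/se-initramfs-XXXXXX");
  if (g_mkdtemp (tmpdir) == NULL)
    return glnx_throw (error, "s390x SE: creating temp directory");
  /* … unchanged: out_initrdname and argv setup … */
```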
@@ -219,7 +236,7 @@ _ostree_secure_execution_enable_luks(const gchar *oldramfs,
 return glnx_prefix_error(error, "s390x SE: `%s` failed", SECURE_EXECUTION_RAMDISK_TOOL);
 }
 
- ot_journal_print(LOG_INFO, "s390x SE: luks key added to initrd");
+ ot_journal_print(LOG_INFO, "s390x SE: luks keys added to initrd");
 return TRUE;
 }
 
@@ -235,24 +252,18 @@ _ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
 ot_journal_print(LOG_INFO, "s390x SE: initrd: %s", initramfs);
 ot_journal_print(LOG_INFO, "s390x SE: kargs: %s", options);
 
- pid_t self = getpid();
-
 // Store kernel options to temp file, so `genprotimg` can later embed it
 g_auto(GLnxTmpfile) cmdline = { 0, };
 if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &cmdline, error))
- return glnx_prefix_error(error, "s390x SE: opening cmdline file");
+ return glnx_prefix_error (error, "s390x SE: opening cmdline file");
 if (glnx_loop_write (cmdline.fd, options, strlen (options)) < 0)
 return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file");
- g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", self, cmdline.fd);
+ g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", getpid (), cmdline.fd);
 
- // Copy initramfs to temp file and embed LUKS key and config into it
- if (!_ostree_secure_execution_luks_key_exists ())
- return glnx_throw(error, "s390x SE: missing luks keys and config");
+ // Copy initramfs to temp file and embed LUKS keys & config into it
 g_auto(GLnxTmpfile) ramdisk = { 0, };
- if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &ramdisk, error))
- return glnx_prefix_error(error, "s390x SE: creating new ramdisk");
- g_autofree gchar *ramdisk_filename = g_strdup_printf ("/proc/%d/fd/%d", self, ramdisk.fd);
- if (!_ostree_secure_execution_enable_luks (initramfs, ramdisk_filename, error))
+ g_autofree gchar *ramdisk_filename = NULL;
+ if (!_ostree_secure_execution_generate_initrd (initramfs, &ramdisk, &ramdisk_filename, error))
 return FALSE;
 
 g_autoptr(GPtrArray) argv = g_ptr_array_new ();
diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
index e821e2fe..4e5d7ad8 100755
--- a/src/libostree/s390x-se-luks-gencpio
+++ b/src/libostree/s390x-se-luks-gencpio
@@ -1,22 +1,16 @@
 #!/bin/bash
-# This script creates new initramdisk with LUKS config within
+# This script appends LUKS keys and config to initrd
 set -euo pipefail
 
-old_initrd=$1
-new_initrd=$2
-currdir=$PWD
-
-# Copying existing initramdisk
-cp ${old_initrd} ${new_initrd}
+initrd=$1
+tmpdir=$2
 
 # Appending LUKS root keys and crypttab config to the end of initrd
-workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
-cd ${workdir}
+cd ${tmpdir}
 mkdir -p etc/luks
 cp -f /etc/luks/* etc/luks/
 cp -f /etc/crypttab etc/
-find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
+find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${initrd}
 
 # Cleanup
-cd ${currdir}
-rm -rf ${workdir}
+rm -rf etc/
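Review bot: With `set -e`, a failure in either `cp` or the `find | cpio | gzip` pipeline exits the script before the final `rm -rf etc/`, so the LUKS keys just copied into `${tmpdir}/etc/luks/` stay on disk under /var/tmp; register the cleanup as a trap right after `tmpdir=$2`, `trap 'rm -rf -- "${tmpdir}"' EXIT`, so it runs on every exit path, and drop the trailing `rm -rf etc/`. That also removes the working directory itself, which the old `rm -rf ${workdir}` did and the new `rm -rf etc/` no longer does. The unquoted expansions (`cd ${tmpdir}`, `>> ${initrd}`) work only because the C caller passes whitespace-free paths; `cd "${tmpdir}"` and `>> "${initrd}"` remove that dependence.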