packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2580 from nikita-dubrovskii/sdboot_partition 

s390x: generate sd-boot at its own partition
This commit is contained in:
Colin Walters 2022-05-23 08:41:35 -04:00 committed by GitHub
parent e632e5f1f1 7a5c604ca3
commit fe4ca42760
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
src/libostree/ostree-bootloader-zipl.c
View File

@ -21,12 +21,17 @@
#include "ostree-bootloader-zipl.h" #include "ostree-bootloader-zipl.h"
#include "ostree-deployment-private.h" #include "ostree-deployment-private.h"
#include "otutil.h" #include "otutil.h"
#include <sys/mount.h>
#include <sys/stat.h>
#include <string.h> #include <string.h>
#define SECURE_EXECUTION_BOOT_IMAGE "/boot/sd-boot" #define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
#define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/" #define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey" #define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root" #define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
#define SECURE_EXECUTION_LUKS_BOOT_KEY "/etc/luks/boot"
#define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab" #define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab"
#define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio" #define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio"
@ -67,6 +72,25 @@ _ostree_bootloader_zipl_get_name (OstreeBootloader *bootloader)
return "zipl"; return "zipl";
} }
static gboolean
_ostree_secure_execution_mount(GError **error)
{
const char *device = realpath (SECURE_EXECUTION_PARTITION, NULL);
if (device == NULL)
return glnx_throw_errno_prefix(error, "s390x SE: resolving %s", SECURE_EXECUTION_PARTITION);
if (mount (device, SECURE_EXECUTION_MOUNTPOINT, "ext4", 0, NULL) < 0)
return glnx_throw_errno_prefix (error, "s390x SE: Mounting %s", device);
return TRUE;
}
static gboolean
_ostree_secure_execution_umount(GError **error)
{
if (umount (SECURE_EXECUTION_MOUNTPOINT) < 0)
return glnx_throw_errno_prefix (error, "s390x SE: Unmounting %s", SECURE_EXECUTION_MOUNTPOINT);
return TRUE;
}
static gboolean static gboolean
_ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader, _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
int bootversion, int bootversion,
@ -152,8 +176,8 @@ _ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
static gboolean static gboolean
_ostree_secure_execution_luks_key_exists (void) _ostree_secure_execution_luks_key_exists (void)
{ {
return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 && return (access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0 &&
access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0); (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 || access(SECURE_EXECUTION_LUKS_BOOT_KEY, F_OK) == 0));
} }
static gboolean static gboolean
@ -250,7 +274,7 @@ static gboolean
_ostree_secure_execution_call_zipl (GError **error) _ostree_secure_execution_call_zipl (GError **error)
{ {
int status = 0; int status = 0;
const char *const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL}; const char *const zipl_argv[] = {"zipl", "-V", "-t", SECURE_EXECUTION_MOUNTPOINT, "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
NULL, NULL, NULL, NULL, &status, error)) NULL, NULL, NULL, NULL, &status, error))
return glnx_prefix_error(error, "s390x SE: spawning zipl"); return glnx_prefix_error(error, "s390x SE: spawning zipl");
@ -274,9 +298,11 @@ _ostree_secure_execution_enable (OstreeBootloaderZipl *self,
g_autofree gchar* options = NULL; g_autofree gchar* options = NULL;
gboolean rc = gboolean rc =
_ostree_secure_execution_mount (error) &&
_ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) && _ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
_ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) && _ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
_ostree_secure_execution_call_zipl (error); _ostree_secure_execution_call_zipl (error) &&
_ostree_secure_execution_umount (error);
return rc; return rc;
} }

4
src/libostree/s390x-se-luks-gencpio
View File

@ -12,11 +12,11 @@ gzip -cd ${old_initrd} | cpio -imd --quiet
# Adding LUKS root key and crypttab config # Adding LUKS root key and crypttab config
mkdir -p etc/luks mkdir -p etc/luks
cp -f /etc/luks/root etc/luks/ cp -f /etc/luks/* etc/luks/
cp -f /etc/crypttab etc/ cp -f /etc/crypttab etc/
# Creating new initramdisk image # Creating new initramdisk image
find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd} find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
# Cleanup # Cleanup
rm -rf ${workdir} rm -rf ${workdir}