bootctl: optionally install .signed efi file
If /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed exists, install that instead of /usr/lib/systemd/boot/efi/systemd-bootx64.efi. The idea is that SecureBoot tooling can create the .efi.signed file whenever /usr/lib/systemd/boot/efi/systemd-bootx64.efi from the package is updated.
parent
0264c60d44
commit
12caf72716
@ -286,6 +286,14 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Signed .efi files</title>
|
||||||
|
<para><command>bootctl</command> <option>install</option> and <option>update</option> will look for a
|
||||||
|
<command>systemd-boot</command> file ending with the <literal>.efi.signed</literal> suffix first, and copy
|
||||||
|
that instead of the normal <literal>.efi</literal> file. This allows distributions or end-users to provide
|
||||||
|
signed images for UEFI SecureBoot.</para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Exit status</title>
|
<title>Exit status</title>
|
||||||
<para>On success, 0 is returned, a non-zero failure code otherwise.</para>
|
<para>On success, 0 is returned, a non-zero failure code otherwise.</para>
|
||||||
|
@ -628,14 +628,19 @@ static int create_subdirs(const char *root, const char * const *subdirs) {
|
|||||||
|
|
||||||
static int copy_one_file(const char *esp_path, const char *name, bool force) {
|
static int copy_one_file(const char *esp_path, const char *name, bool force) {
|
||||||
const char *e;
|
const char *e;
|
||||||
char *p, *q;
|
char *p, *q, *dest_name, *s;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
dest_name = strdupa_safe(name);
|
||||||
|
s = endswith_no_case(dest_name, ".signed");
|
||||||
|
if (s)
|
||||||
|
*s = 0;
|
||||||
|
|
||||||
p = strjoina(BOOTLIBDIR "/", name);
|
p = strjoina(BOOTLIBDIR "/", name);
|
||||||
q = strjoina(esp_path, "/EFI/systemd/", name);
|
q = strjoina(esp_path, "/EFI/systemd/", dest_name);
|
||||||
r = copy_file_with_version_check(p, q, force);
|
r = copy_file_with_version_check(p, q, force);
|
||||||
|
|
||||||
e = startswith(name, "systemd-boot");
|
e = startswith(dest_name, "systemd-boot");
|
||||||
if (e) {
|
if (e) {
|
||||||
int k;
|
int k;
|
||||||
char *v;
|
char *v;
|
||||||
@ -664,9 +669,18 @@ static int install_binaries(const char *esp_path, bool force) {
|
|||||||
FOREACH_DIRENT(de, d, return log_error_errno(errno, "Failed to read \""BOOTLIBDIR"\": %m")) {
|
FOREACH_DIRENT(de, d, return log_error_errno(errno, "Failed to read \""BOOTLIBDIR"\": %m")) {
|
||||||
int k;
|
int k;
|
||||||
|
|
||||||
if (!endswith_no_case(de->d_name, ".efi"))
|
if (!endswith_no_case(de->d_name, ".efi") && !endswith_no_case(de->d_name, ".efi.signed"))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
/* skip the .efi file, if there's a .signed version of it */
|
||||||
|
if (endswith_no_case(de->d_name, ".efi")) {
|
||||||
|
_cleanup_free_ const char *s = strjoin(BOOTLIBDIR, "/", de->d_name, ".signed");
|
||||||
|
if (!s)
|
||||||
|
return log_oom();
|
||||||
|
if (access(s, F_OK) >= 0)
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
k = copy_one_file(esp_path, de->d_name, force);
|
k = copy_one_file(esp_path, de->d_name, force);
|
||||||
/* Don't propagate an error code if no update necessary, installed version already equal or
|
/* Don't propagate an error code if no update necessary, installed version already equal or
|
||||||
* newer version, or other boot loader in place. */
|
* newer version, or other boot loader in place. */
|
||||||
|
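Review bot: The directory filter and the sibling probe in install_binaries disagree on case: the filter accepts `.efi.signed` case-insensitively, but the skip check builds the sibling path with the literal `.signed` suffix, so for a pair like `foo.efi` / `foo.efi.SIGNED` the `access()` probe misses, the unsigned `foo.efi` is not skipped, and both entries are copied to the same ESP destination `foo.efi` in readdir order, with the version check deciding which one wins. Making the signed suffix exact-case keeps filter and probe consistent: `if (!endswith_no_case(de->d_name, ".efi") && !endswith(de->d_name, ".efi.signed"))`. The probe is also only `F_OK`, so a `.signed` entry that exists but is unreadable or a dangling symlink causes the readable `.efi` to be skipped and the later copy of the `.signed` entry to fail, with no hint that an unsigned fallback was available; a `log_debug()` before the `continue` naming the preferred `.signed` path would make that diagnosable. Since the commit message describes the `.signed` file as being regenerated after the package `.efi` is updated, a stale `.efi.signed` presumably wins over a newer `.efi` during that window; a warning when both exist and the signed copy is older would help operators notice the boot loader update did not reach the ESP. install_binaries' body continues outside the hunk.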