[thirdparty/systemd.git] / src / basic / efivars.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/fs.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#include "sd-id128.h"

#include "alloc-util.h"
#include "chattr-util.h"
#include "efivars.h"
#include "fd-util.h"
#include "fileio.h"
#include "io-util.h"
#include "macro.h"
#include "memory-util.h"
#include "stdio-util.h"
#include "strv.h"
#include "time-util.h"
#include "utf8.h"
#include "virt.h"

#if ENABLE_EFI

/* Reads from efivarfs sometimes fail with EINTR. Retry that many times. */
#define EFI_N_RETRIES_NO_DELAY 20
#define EFI_N_RETRIES_TOTAL 25
#define EFI_RETRY_DELAY (50 * USEC_PER_MSEC)

int efi_get_variable(
                const char *variable,
                uint32_t *ret_attribute,
                void **ret_value,
                size_t *ret_size) {

        _cleanup_close_ int fd = -EBADF;
        _cleanup_free_ void *buf = NULL;
        struct stat st;
        usec_t begin = 0; /* Unnecessary initialization to appease gcc */
        uint32_t a;
        ssize_t n;

        assert(variable);

        const char *p = strjoina("/sys/firmware/efi/efivars/", variable);

        if (!ret_value && !ret_size && !ret_attribute) {
                /* If caller is not interested in anything, just check if the variable exists and is
                 * readable. */
                if (access(p, R_OK) < 0)
                        return -errno;

                return 0;
        }

        if (DEBUG_LOGGING) {
                log_debug("Reading EFI variable %s.", p);
                begin = now(CLOCK_MONOTONIC);
        }

        fd = open(p, O_RDONLY|O_NOCTTY|O_CLOEXEC);
        if (fd < 0)
                return log_debug_errno(errno, "open(\"%s\") failed: %m", p);

        if (fstat(fd, &st) < 0)
                return log_debug_errno(errno, "fstat(\"%s\") failed: %m", p);
        if (st.st_size < 4)
                return log_debug_errno(SYNTHETIC_ERRNO(ENODATA), "EFI variable %s is shorter than 4 bytes, refusing.", p);
        if (st.st_size > 4*1024*1024 + 4)
                return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "EFI variable %s is ridiculously large, refusing.", p);

        if (ret_value || ret_attribute) {
                /* The kernel ratelimits reads from the efivarfs because EFI is inefficient, and we'll
                 * occasionally fail with EINTR here. A slowdown is better than a failure for us, so
                 * retry a few times and eventually fail with -EBUSY.
                 *
                 * See https://github.com/torvalds/linux/blob/master/fs/efivarfs/file.c#L75
                 * and
                 * https://github.com/torvalds/linux/commit/bef3efbeb897b56867e271cdbc5f8adaacaeb9cd.
                 */
                for (unsigned try = 0;; try++) {
                        n = read(fd, &a, sizeof(a));
                        if (n >= 0)
                                break;
                        log_debug_errno(errno, "Reading from \"%s\" failed: %m", p);
                        if (errno != EINTR)
                                return -errno;
                        if (try >= EFI_N_RETRIES_TOTAL)
                                return -EBUSY;

                        if (try >= EFI_N_RETRIES_NO_DELAY)
                                (void) usleep(EFI_RETRY_DELAY);
                }

                if (n != sizeof(a))
                        return log_debug_errno(SYNTHETIC_ERRNO(EIO),
                                               "Read %zi bytes from EFI variable %s, expected %zu.",  n, p, sizeof(a));
        }

        if (ret_value) {
                buf = malloc(st.st_size - 4 + 3);
                if (!buf)
                        return -ENOMEM;

                n = read(fd, buf, (size_t) st.st_size - 4);
                if (n < 0)
                        return log_debug_errno(errno, "Failed to read value of EFI variable %s: %m", p);
                assert(n <= st.st_size - 4);

                /* Always NUL-terminate (3 bytes, to properly protect UTF-16, even if truncated in the middle
                 * of a character) */
                ((char*) buf)[n] = 0;
                ((char*) buf)[n + 1] = 0;
                ((char*) buf)[n + 2] = 0;
        } else
                /* Assume that the reported size is accurate */
                n = st.st_size - 4;

        if (DEBUG_LOGGING) {
                usec_t end = now(CLOCK_MONOTONIC);
                if (end > begin + EFI_RETRY_DELAY)
                        log_debug("Detected slow EFI variable read access on %s: %s",
                                  variable, FORMAT_TIMESPAN(end - begin, 1));
        }

        /* Note that efivarfs interestingly doesn't require ftruncate() to update an existing EFI variable
         * with a smaller value. */

        if (ret_attribute)
                *ret_attribute = a;

        if (ret_value)
                *ret_value = TAKE_PTR(buf);

        if (ret_size)
                *ret_size = n;

        return 0;
}

int efi_get_variable_string(const char *variable, char **ret) {
        _cleanup_free_ void *s = NULL;
        size_t ss = 0;
        int r;
        char *x;

        r = efi_get_variable(variable, NULL, &s, &ss);
        if (r < 0)
                return r;

        x = utf16_to_utf8(s, ss);
        if (!x)
                return -ENOMEM;

        *ret = x;
        return 0;
}

static int efi_verify_variable(const char *variable, uint32_t attr, const void *value, size_t size) {
        _cleanup_free_ void *buf = NULL;
        size_t n;
        uint32_t a;
        int r;

        assert(variable);
        assert(value || size == 0);

        r = efi_get_variable(variable, &a, &buf, &n);
        if (r < 0)
                return r;

        return a == attr && memcmp_nn(buf, n, value, size) == 0;
}

int efi_set_variable(const char *variable, const void *value, size_t size) {
        struct var {
                uint32_t attr;
                char buf[];
        } _packed_ * _cleanup_free_ buf = NULL;
        _cleanup_close_ int fd = -EBADF;
        uint32_t attr = EFI_VARIABLE_NON_VOLATILE|EFI_VARIABLE_BOOTSERVICE_ACCESS|EFI_VARIABLE_RUNTIME_ACCESS;
        bool saved_flags_valid = false;
        unsigned saved_flags;
        int r;

        assert(variable);
        assert(value || size == 0);

        const char *p = strjoina("/sys/firmware/efi/efivars/", variable);

        /* size 0 means removal, empty variable would not be enough for that */
        if (size > 0 && efi_verify_variable(variable, attr, value, size) > 0) {
                log_debug("Variable '%s' is already in wanted state, skipping write.", variable);
                return 0;
        }

        /* Newer efivarfs protects variables that are not in an allow list with FS_IMMUTABLE_FL by default,
         * to protect them for accidental removal and modification. We are not changing these variables
         * accidentally however, hence let's unset the bit first. */

        r = chattr_path(p, 0, FS_IMMUTABLE_FL, &saved_flags);
        if (r < 0 && r != -ENOENT)
                log_debug_errno(r, "Failed to drop FS_IMMUTABLE_FL flag from '%s', ignoring: %m", p);

        saved_flags_valid = r >= 0;

        if (size == 0) {
                if (unlink(p) < 0) {
                        r = -errno;
                        goto finish;
                }

                return 0;
        }

        fd = open(p, O_WRONLY|O_CREAT|O_NOCTTY|O_CLOEXEC, 0644);
        if (fd < 0) {
                r = -errno;
                goto finish;
        }

        buf = malloc(sizeof(uint32_t) + size);
        if (!buf) {
                r = -ENOMEM;
                goto finish;
        }

        buf->attr = attr;
        memcpy(buf->buf, value, size);

        r = loop_write(fd, buf, sizeof(uint32_t) + size, false);
        if (r < 0)
                goto finish;

        /* For some reason efivarfs doesn't update mtime automatically. Let's do it manually then. This is
         * useful for processes that cache EFI variables to detect when changes occurred. */
        if (futimens(fd, (struct timespec[2]) {
                                { .tv_nsec = UTIME_NOW },
                                { .tv_nsec = UTIME_NOW }
                        }) < 0)
                log_debug_errno(errno, "Failed to update mtime/atime on %s, ignoring: %m", p);

        r = 0;

finish:
        if (saved_flags_valid) {
                int q;

                /* Restore the original flags field, just in case */
                if (fd < 0)
                        q = chattr_path(p, saved_flags, FS_IMMUTABLE_FL, NULL);
                else
                        q = chattr_fd(fd, saved_flags, FS_IMMUTABLE_FL, NULL);
                if (q < 0)
                        log_debug_errno(q, "Failed to restore FS_IMMUTABLE_FL on '%s', ignoring: %m", p);
        }

        return r;
}

int efi_set_variable_string(const char *variable, const char *value) {
        _cleanup_free_ char16_t *u16 = NULL;

        u16 = utf8_to_utf16(value, strlen(value));
        if (!u16)
                return -ENOMEM;

        return efi_set_variable(variable, u16, (char16_strlen(u16) + 1) * sizeof(char16_t));
}

bool is_efi_boot(void) {
        static int cache = -1;

        if (cache < 0) {
                if (detect_container() > 0)
                        cache = false;
                else {
                        cache = access("/sys/firmware/efi/", F_OK) >= 0;
                        if (!cache && errno != ENOENT)
                                log_debug_errno(errno, "Unable to test whether /sys/firmware/efi/ exists, assuming EFI not available: %m");
                }
        }

        return cache;
}

static int read_flag(const char *variable) {
        _cleanup_free_ void *v = NULL;
        uint8_t b;
        size_t s;
        int r;

        if (!is_efi_boot()) /* If this is not an EFI boot, assume the queried flags are zero */
                return 0;

        r = efi_get_variable(variable, NULL, &v, &s);
        if (r < 0)
                return r;

        if (s != 1)
                return -EINVAL;

        b = *(uint8_t *)v;
        return !!b;
}

bool is_efi_secure_boot(void) {
        static int cache = -1;
        int r;

        if (cache < 0) {
                r = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
                if (r == -ENOENT)
                        cache = false;
                else if (r < 0)
                        log_debug_errno(r, "Error reading SecureBoot EFI variable, assuming not in SecureBoot mode: %m");
                else
                        cache = r;
        }

        return cache > 0;
}

SecureBootMode efi_get_secure_boot_mode(void) {
        static SecureBootMode cache = _SECURE_BOOT_INVALID;

        if (cache != _SECURE_BOOT_INVALID)
                return cache;

        int secure = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
        if (secure < 0) {
                if (secure != -ENOENT)
                        log_debug_errno(secure, "Error reading SecureBoot EFI variable, assuming not in SecureBoot mode: %m");

                return (cache = SECURE_BOOT_UNSUPPORTED);
        }

        /* We can assume false for all these if they are abscent (AuditMode and
         * DeployedMode may not exist on older firmware). */
        int audit    = read_flag(EFI_GLOBAL_VARIABLE(AuditMode));
        int deployed = read_flag(EFI_GLOBAL_VARIABLE(DeployedMode));
        int setup    = read_flag(EFI_GLOBAL_VARIABLE(SetupMode));
        log_debug("Secure boot variables: SecureBoot=%d AuditMode=%d DeployedMode=%d SetupMode=%d",
                  secure, audit, deployed, setup);

        return (cache = decode_secure_boot_mode(secure, audit > 0, deployed > 0, setup > 0));
}

static int read_efi_options_variable(char **ret) {
        int r;

        /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
         * like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification)
         * The user's intention is then that the cmdline should not be modified. You want to make sure that
         * the system starts up as exactly specified in the signed artifact.
         *
         * (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this
         * cache, even when in SecureBoot mode.) */
        if (is_efi_secure_boot()) {
                /* Let's be helpful with the returned error and check if the variable exists at all. If it
                 * does, let's return a recognizable error (EPERM), and if not ENODATA. */

                if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
                        return errno == ENOENT ? -ENODATA : -errno;

                return -EPERM;
        }

        r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(SystemdOptions), ret);
        if (r == -ENOENT)
                return -ENODATA;
        return r;
}

int cache_efi_options_variable(void) {
        _cleanup_free_ char *line = NULL;
        int r;

        r = read_efi_options_variable(&line);
        if (r < 0)
                return r;

        return write_string_file(EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), line,
                                 WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755);
}

int systemd_efi_options_variable(char **ret) {
        const char *e;
        int r;

        /* Returns the contents of the variable for current boot from the cache. */

        assert(ret);

        /* For testing purposes it is sometimes useful to be able to override this */
        e = secure_getenv("SYSTEMD_EFI_OPTIONS");
        if (e) {
                char *m;

                m = strdup(e);
                if (!m)
                        return -ENOMEM;

                *ret = m;
                return 0;
        }

        r = read_one_line_file(EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), ret);
        if (r == -ENOENT)
                return -ENODATA;
        return r;
}

static inline int compare_stat_mtime(const struct stat *a, const struct stat *b) {
        return CMP(timespec_load(&a->st_mtim), timespec_load(&b->st_mtim));
}

int systemd_efi_options_efivarfs_if_newer(char **ret) {
        struct stat a = {}, b;
        int r;

        if (stat(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), &a) < 0 && errno != ENOENT)
                return log_debug_errno(errno, "Failed to stat EFI variable SystemdOptions: %m");

        if (stat(EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), &b) < 0) {
                if (errno != ENOENT)
                        log_debug_errno(errno, "Failed to stat "EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions))": %m");
        } else if (compare_stat_mtime(&a, &b) > 0)
                log_debug("Variable SystemdOptions in evifarfs is newer than in cache.");
        else {
                log_debug("Variable SystemdOptions in cache is up to date.");
                *ret = NULL;
                return 0;
        }

        r = read_efi_options_variable(ret);
        if (r < 0)
                return log_debug_errno(r, "Failed to read SystemdOptions EFI variable: %m");

        return 0;
}
#endif
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
0bb2f0f1 ZJS	2
	3	#include <errno.h>
	4	#include <fcntl.h>
	5	#include <limits.h>
	6	#include <linux/fs.h>
0bb2f0f1	7	#include <stdlib.h>
0bb2f0f1 ZJS	8	#include <sys/stat.h>
	9	#include <unistd.h>
	10
	11	#include "sd-id128.h"
	12
	13	#include "alloc-util.h"
	14	#include "chattr-util.h"
	15	#include "efivars.h"
	16	#include "fd-util.h"
209b2592	17	#include "fileio.h"
0bb2f0f1 ZJS	18	#include "io-util.h"
0bb2f0f1 ZJS	19	#include "macro.h"
37e4637a	20	#include "memory-util.h"
0bb2f0f1 ZJS	21	#include "stdio-util.h"
	22	#include "strv.h"
	23	#include "time-util.h"
	24	#include "utf8.h"
c7d26acc	25	#include "virt.h"
0bb2f0f1 ZJS	26
	27	#if ENABLE_EFI
	28
7229ec02	29	/* Reads from efivarfs sometimes fail with EINTR. Retry that many times. */
eee9b30a ZJS	30	#define EFI_N_RETRIES_NO_DELAY 20
eee9b30a ZJS	31	#define EFI_N_RETRIES_TOTAL 25
7229ec02 ZJS	32	#define EFI_RETRY_DELAY (50 * USEC_PER_MSEC)
7229ec02 ZJS	33
0bb2f0f1	34	int efi_get_variable(
e6f055cb	35	const char *variable,
0bb2f0f1 ZJS	36	uint32_t *ret_attribute,
	37	void **ret_value,
	38	size_t *ret_size) {
	39
254d1313	40	_cleanup_close_ int fd = -EBADF;
0bb2f0f1 ZJS	41	_cleanup_free_ void *buf = NULL;
0bb2f0f1 ZJS	42	struct stat st;
aff81b18	43	usec_t begin = 0; /* Unnecessary initialization to appease gcc */
0bb2f0f1 ZJS	44	uint32_t a;
	45	ssize_t n;
	46
e6f055cb	47	assert(variable);
0bb2f0f1	48
e6f055cb	49	const char *p = strjoina("/sys/firmware/efi/efivars/", variable);
0bb2f0f1 ZJS	50
0bb2f0f1 ZJS	51	if (!ret_value && !ret_size && !ret_attribute) {
7229ec02 ZJS	52	/* If caller is not interested in anything, just check if the variable exists and is
7229ec02 ZJS	53	* readable. */
0bb2f0f1 ZJS	54	if (access(p, R_OK) < 0)
	55	return -errno;
	56
	57	return 0;
	58	}
	59
84190644 LP	60	if (DEBUG_LOGGING) {
84190644 LP	61	log_debug("Reading EFI variable %s.", p);
698564d1	62	begin = now(CLOCK_MONOTONIC);
84190644	63	}
698564d1	64
0bb2f0f1 ZJS	65	fd = open(p, O_RDONLY\|O_NOCTTY\|O_CLOEXEC);
0bb2f0f1 ZJS	66	if (fd < 0)
7229ec02	67	return log_debug_errno(errno, "open(\"%s\") failed: %m", p);
0bb2f0f1 ZJS	68
0bb2f0f1 ZJS	69	if (fstat(fd, &st) < 0)
84190644	70	return log_debug_errno(errno, "fstat(\"%s\") failed: %m", p);
0bb2f0f1	71	if (st.st_size < 4)
84190644	72	return log_debug_errno(SYNTHETIC_ERRNO(ENODATA), "EFI variable %s is shorter than 4 bytes, refusing.", p);
0bb2f0f1	73	if (st.st_size > 410241024 + 4)
84190644	74	return log_debug_errno(SYNTHETIC_ERRNO(E2BIG), "EFI variable %s is ridiculously large, refusing.", p);
0bb2f0f1 ZJS	75
0bb2f0f1 ZJS	76	if (ret_value \|\| ret_attribute) {
7229ec02 ZJS	77	/* The kernel ratelimits reads from the efivarfs because EFI is inefficient, and we'll
	78	* occasionally fail with EINTR here. A slowdown is better than a failure for us, so
	79	* retry a few times and eventually fail with -EBUSY.
	80	*
	81	* See https://github.com/torvalds/linux/blob/master/fs/efivarfs/file.c#L75
	82	* and
	83	* https://github.com/torvalds/linux/commit/bef3efbeb897b56867e271cdbc5f8adaacaeb9cd.
	84	*/
	85	for (unsigned try = 0;; try++) {
	86	n = read(fd, &a, sizeof(a));
	87	if (n >= 0)
	88	break;
84190644	89	log_debug_errno(errno, "Reading from \"%s\" failed: %m", p);
7229ec02 ZJS	90	if (errno != EINTR)
7229ec02 ZJS	91	return -errno;
eee9b30a	92	if (try >= EFI_N_RETRIES_TOTAL)
7229ec02	93	return -EBUSY;
c75e7da0	94
eee9b30a ZJS	95	if (try >= EFI_N_RETRIES_NO_DELAY)
eee9b30a ZJS	96	(void) usleep(EFI_RETRY_DELAY);
7229ec02 ZJS	97	}
7229ec02 ZJS	98
0bb2f0f1	99	if (n != sizeof(a))
84190644 LP	100	return log_debug_errno(SYNTHETIC_ERRNO(EIO),
84190644 LP	101	"Read %zi bytes from EFI variable %s, expected %zu.", n, p, sizeof(a));
0bb2f0f1 ZJS	102	}
	103
	104	if (ret_value) {
c75e7da0	105	buf = malloc(st.st_size - 4 + 3);
0bb2f0f1 ZJS	106	if (!buf)
	107	return -ENOMEM;
	108
	109	n = read(fd, buf, (size_t) st.st_size - 4);
	110	if (n < 0)
84190644	111	return log_debug_errno(errno, "Failed to read value of EFI variable %s: %m", p);
35b9eb0a	112	assert(n <= st.st_size - 4);
0bb2f0f1	113
e6f055cb ZJS	114	/* Always NUL-terminate (3 bytes, to properly protect UTF-16, even if truncated in the middle
e6f055cb ZJS	115	* of a character) */
861f1789 LP	116	((char*) buf)[n] = 0;
861f1789 LP	117	((char*) buf)[n + 1] = 0;
c75e7da0	118	((char*) buf)[n + 2] = 0;
35b9eb0a ZJS	119	} else
	120	/* Assume that the reported size is accurate */
	121	n = st.st_size - 4;
0bb2f0f1	122
698564d1	123	if (DEBUG_LOGGING) {
5291f26d	124	usec_t end = now(CLOCK_MONOTONIC);
698564d1	125	if (end > begin + EFI_RETRY_DELAY)
e6f055cb	126	log_debug("Detected slow EFI variable read access on %s: %s",
5291f26d	127	variable, FORMAT_TIMESPAN(end - begin, 1));
698564d1 LP	128	}
698564d1 LP	129
0bb2f0f1 ZJS	130	/* Note that efivarfs interestingly doesn't require ftruncate() to update an existing EFI variable
	131	* with a smaller value. */
	132
	133	if (ret_attribute)
	134	*ret_attribute = a;
	135
	136	if (ret_value)
	137	*ret_value = TAKE_PTR(buf);
	138
	139	if (ret_size)
35b9eb0a	140	*ret_size = n;
0bb2f0f1 ZJS	141
	142	return 0;
	143	}
	144
187513fd	145	int efi_get_variable_string(const char variable, char *ret) {
0bb2f0f1 ZJS	146	_cleanup_free_ void *s = NULL;
	147	size_t ss = 0;
	148	int r;
	149	char *x;
	150
e6f055cb	151	r = efi_get_variable(variable, NULL, &s, &ss);
0bb2f0f1 ZJS	152	if (r < 0)
	153	return r;
	154
	155	x = utf16_to_utf8(s, ss);
	156	if (!x)
	157	return -ENOMEM;
	158
187513fd	159	*ret = x;
0bb2f0f1 ZJS	160	return 0;
	161	}
	162
37e4637a AH	163	static int efi_verify_variable(const char variable, uint32_t attr, const void value, size_t size) {
	164	_cleanup_free_ void *buf = NULL;
	165	size_t n;
	166	uint32_t a;
	167	int r;
	168
	169	assert(variable);
	170	assert(value \|\| size == 0);
	171
	172	r = efi_get_variable(variable, &a, &buf, &n);
	173	if (r < 0)
	174	return r;
	175
	176	return a == attr && memcmp_nn(buf, n, value, size) == 0;
	177	}
	178
e6f055cb	179	int efi_set_variable(const char variable, const void value, size_t size) {
0bb2f0f1 ZJS	180	struct var {
	181	uint32_t attr;
	182	char buf[];
	183	} _packed_ * _cleanup_free_ buf = NULL;
254d1313	184	_cleanup_close_ int fd = -EBADF;
37e4637a	185	uint32_t attr = EFI_VARIABLE_NON_VOLATILE\|EFI_VARIABLE_BOOTSERVICE_ACCESS\|EFI_VARIABLE_RUNTIME_ACCESS;
0bb2f0f1 ZJS	186	bool saved_flags_valid = false;
	187	unsigned saved_flags;
	188	int r;
	189
e6f055cb	190	assert(variable);
0bb2f0f1 ZJS	191	assert(value \|\| size == 0);
0bb2f0f1 ZJS	192
e6f055cb	193	const char *p = strjoina("/sys/firmware/efi/efivars/", variable);
0bb2f0f1	194
37e4637a AH	195	/* size 0 means removal, empty variable would not be enough for that */
	196	if (size > 0 && efi_verify_variable(variable, attr, value, size) > 0) {
	197	log_debug("Variable '%s' is already in wanted state, skipping write.", variable);
	198	return 0;
	199	}
	200
6b000af4 LP	201	/* Newer efivarfs protects variables that are not in an allow list with FS_IMMUTABLE_FL by default,
	202	* to protect them for accidental removal and modification. We are not changing these variables
	203	* accidentally however, hence let's unset the bit first. */
0bb2f0f1 ZJS	204
	205	r = chattr_path(p, 0, FS_IMMUTABLE_FL, &saved_flags);
	206	if (r < 0 && r != -ENOENT)
	207	log_debug_errno(r, "Failed to drop FS_IMMUTABLE_FL flag from '%s', ignoring: %m", p);
	208
	209	saved_flags_valid = r >= 0;
	210
	211	if (size == 0) {
	212	if (unlink(p) < 0) {
	213	r = -errno;
	214	goto finish;
	215	}
	216
	217	return 0;
	218	}
	219
	220	fd = open(p, O_WRONLY\|O_CREAT\|O_NOCTTY\|O_CLOEXEC, 0644);
	221	if (fd < 0) {
	222	r = -errno;
	223	goto finish;
	224	}
	225
	226	buf = malloc(sizeof(uint32_t) + size);
	227	if (!buf) {
	228	r = -ENOMEM;
	229	goto finish;
	230	}
	231
37e4637a	232	buf->attr = attr;
0bb2f0f1 ZJS	233	memcpy(buf->buf, value, size);
	234
	235	r = loop_write(fd, buf, sizeof(uint32_t) + size, false);
	236	if (r < 0)
	237	goto finish;
	238
d197c403 LP	239	/* For some reason efivarfs doesn't update mtime automatically. Let's do it manually then. This is
	240	* useful for processes that cache EFI variables to detect when changes occurred. */
	241	if (futimens(fd, (struct timespec[2]) {
	242	{ .tv_nsec = UTIME_NOW },
	243	{ .tv_nsec = UTIME_NOW }
	244	}) < 0)
	245	log_debug_errno(errno, "Failed to update mtime/atime on %s, ignoring: %m", p);
	246
0bb2f0f1 ZJS	247	r = 0;
	248
	249	finish:
	250	if (saved_flags_valid) {
	251	int q;
	252
	253	/* Restore the original flags field, just in case */
	254	if (fd < 0)
	255	q = chattr_path(p, saved_flags, FS_IMMUTABLE_FL, NULL);
	256	else
	257	q = chattr_fd(fd, saved_flags, FS_IMMUTABLE_FL, NULL);
	258	if (q < 0)
	259	log_debug_errno(q, "Failed to restore FS_IMMUTABLE_FL on '%s', ignoring: %m", p);
	260	}
	261
	262	return r;
	263	}
	264
e6f055cb	265	int efi_set_variable_string(const char variable, const char value) {
0bb2f0f1 ZJS	266	_cleanup_free_ char16_t *u16 = NULL;
0bb2f0f1 ZJS	267
e6f055cb	268	u16 = utf8_to_utf16(value, strlen(value));
0bb2f0f1 ZJS	269	if (!u16)
	270	return -ENOMEM;
	271
e6f055cb	272	return efi_set_variable(variable, u16, (char16_strlen(u16) + 1) * sizeof(char16_t));
0bb2f0f1 ZJS	273	}
0bb2f0f1 ZJS	274
c7d26acc	275	bool is_efi_boot(void) {
f46ba939	276	static int cache = -1;
c7d26acc	277
f46ba939 LP	278	if (cache < 0) {
	279	if (detect_container() > 0)
	280	cache = false;
5b4c1630	281	else {
f46ba939	282	cache = access("/sys/firmware/efi/", F_OK) >= 0;
5b4c1630 LP	283	if (!cache && errno != ENOENT)
	284	log_debug_errno(errno, "Unable to test whether /sys/firmware/efi/ exists, assuming EFI not available: %m");
	285	}
f46ba939 LP	286	}
	287
	288	return cache;
c7d26acc AP	289	}
c7d26acc AP	290
e6f055cb	291	static int read_flag(const char *variable) {
c7d26acc AP	292	_cleanup_free_ void *v = NULL;
	293	uint8_t b;
	294	size_t s;
	295	int r;
	296
	297	if (!is_efi_boot()) /* If this is not an EFI boot, assume the queried flags are zero */
	298	return 0;
	299
e6f055cb	300	r = efi_get_variable(variable, NULL, &v, &s);
c7d26acc AP	301	if (r < 0)
	302	return r;
	303
	304	if (s != 1)
	305	return -EINVAL;
	306
	307	b = (uint8_t )v;
	308	return !!b;
	309	}
	310
	311	bool is_efi_secure_boot(void) {
f46ba939	312	static int cache = -1;
3e09ad57	313	int r;
f46ba939	314
3e09ad57 LP	315	if (cache < 0) {
	316	r = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
	317	if (r == -ENOENT)
	318	cache = false;
	319	else if (r < 0)
	320	log_debug_errno(r, "Error reading SecureBoot EFI variable, assuming not in SecureBoot mode: %m");
	321	else
	322	cache = r;
	323	}
f46ba939 LP	324
f46ba939 LP	325	return cache > 0;
c7d26acc AP	326	}
c7d26acc AP	327
c4964512 JJ	328	SecureBootMode efi_get_secure_boot_mode(void) {
c4964512 JJ	329	static SecureBootMode cache = _SECURE_BOOT_INVALID;
f46ba939	330
c4964512 JJ	331	if (cache != _SECURE_BOOT_INVALID)
c4964512 JJ	332	return cache;
f46ba939	333
c4964512 JJ	334	int secure = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
	335	if (secure < 0) {
	336	if (secure != -ENOENT)
bc5eb900 LP	337	log_debug_errno(secure, "Error reading SecureBoot EFI variable, assuming not in SecureBoot mode: %m");
bc5eb900 LP	338
c4964512 JJ	339	return (cache = SECURE_BOOT_UNSUPPORTED);
	340	}
	341
	342	/* We can assume false for all these if they are abscent (AuditMode and
	343	* DeployedMode may not exist on older firmware). */
	344	int audit = read_flag(EFI_GLOBAL_VARIABLE(AuditMode));
	345	int deployed = read_flag(EFI_GLOBAL_VARIABLE(DeployedMode));
	346	int setup = read_flag(EFI_GLOBAL_VARIABLE(SetupMode));
	347	log_debug("Secure boot variables: SecureBoot=%d AuditMode=%d DeployedMode=%d SetupMode=%d",
	348	secure, audit, deployed, setup);
	349
	350	return (cache = decode_secure_boot_mode(secure, audit > 0, deployed > 0, setup > 0));
c7d26acc AP	351	}
c7d26acc AP	352
187513fd	353	static int read_efi_options_variable(char **ret) {
53aa0d02 ZJS	354	int r;
53aa0d02 ZJS	355
484f4e5b	356	/* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed
db811444	357	* like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification)
484f4e5b LP	358	* The user's intention is then that the cmdline should not be modified. You want to make sure that
	359	* the system starts up as exactly specified in the signed artifact.
	360	*
209b2592 FB	361	* (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this
209b2592 FB	362	* cache, even when in SecureBoot mode.) */
484f4e5b	363	if (is_efi_secure_boot()) {
484f4e5b LP	364	/* Let's be helpful with the returned error and check if the variable exists at all. If it
	365	* does, let's return a recognizable error (EPERM), and if not ENODATA. */
	366
e6f055cb	367	if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0)
a0fa2683	368	return errno == ENOENT ? -ENODATA : -errno;
484f4e5b LP	369
	370	return -EPERM;
	371	}
	372
187513fd	373	r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(SystemdOptions), ret);
53aa0d02 ZJS	374	if (r == -ENOENT)
53aa0d02 ZJS	375	return -ENODATA;
ad2d6880 ZJS	376	return r;
	377	}
	378
	379	int cache_efi_options_variable(void) {
	380	_cleanup_free_ char *line = NULL;
	381	int r;
	382
	383	r = read_efi_options_variable(&line);
209b2592 FB	384	if (r < 0)
209b2592 FB	385	return r;
53aa0d02	386
e6f055cb ZJS	387	return write_string_file(EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), line,
e6f055cb ZJS	388	WRITE_STRING_FILE_ATOMIC\|WRITE_STRING_FILE_CREATE\|WRITE_STRING_FILE_MKDIR_0755);
209b2592 FB	389	}
209b2592 FB	390
187513fd	391	int systemd_efi_options_variable(char **ret) {
209b2592	392	const char *e;
209b2592 FB	393	int r;
209b2592 FB	394
ad2d6880 ZJS	395	/* Returns the contents of the variable for current boot from the cache. */
ad2d6880 ZJS	396
187513fd	397	assert(ret);
209b2592 FB	398
	399	/* For testing purposes it is sometimes useful to be able to override this */
	400	e = secure_getenv("SYSTEMD_EFI_OPTIONS");
	401	if (e) {
	402	char *m;
	403
	404	m = strdup(e);
	405	if (!m)
	406	return -ENOMEM;
	407
187513fd	408	*ret = m;
209b2592 FB	409	return 0;
	410	}
	411
187513fd	412	r = read_one_line_file(EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), ret);
209b2592 FB	413	if (r == -ENOENT)
209b2592 FB	414	return -ENODATA;
53aa0d02 ZJS	415	return r;
53aa0d02 ZJS	416	}
ad2d6880 ZJS	417
	418	static inline int compare_stat_mtime(const struct stat a, const struct stat b) {
	419	return CMP(timespec_load(&a->st_mtim), timespec_load(&b->st_mtim));
	420	}
	421
187513fd	422	int systemd_efi_options_efivarfs_if_newer(char **ret) {
ad2d6880 ZJS	423	struct stat a = {}, b;
	424	int r;
	425
	426	if (stat(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), &a) < 0 && errno != ENOENT)
	427	return log_debug_errno(errno, "Failed to stat EFI variable SystemdOptions: %m");
	428
	429	if (stat(EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), &b) < 0) {
2f092762	430	if (errno != ENOENT)
ad2d6880 ZJS	431	log_debug_errno(errno, "Failed to stat "EFIVAR_CACHE_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions))": %m");
	432	} else if (compare_stat_mtime(&a, &b) > 0)
	433	log_debug("Variable SystemdOptions in evifarfs is newer than in cache.");
	434	else {
	435	log_debug("Variable SystemdOptions in cache is up to date.");
187513fd	436	*ret = NULL;
ad2d6880 ZJS	437	return 0;
	438	}
	439
187513fd	440	r = read_efi_options_variable(ret);
ad2d6880	441	if (r < 0)
afd1a45a LP	442	return log_debug_errno(r, "Failed to read SystemdOptions EFI variable: %m");
afd1a45a LP	443
83fe0be1	444	return 0;
ad2d6880	445	}
0bb2f0f1	446	#endif