src/core/efi-random.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include <fcntl.h>
   4 #include <unistd.h>
   5
   6 #include "alloc-util.h"
   7 #include "chattr-util.h"
   8 #include "efi-random.h"
   9 #include "efivars.h"
  10 #include "fd-util.h"
  11 #include "fs-util.h"
  12 #include "random-util.h"
  13 #include "strv.h"
  14
  15 void lock_down_efi_variables(void) {
  16         _cleanup_close_ int fd = -1;
  17         int r;
  18
  19         fd = open(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), O_RDONLY|O_CLOEXEC);
  20         if (fd < 0) {
  21                 if (errno != ENOENT)
  22                         log_warning_errno(errno, "Unable to open LoaderSystemToken EFI variable, ignoring: %m");
  23                 return;
  24         }
  25
  26         /* Paranoia: let's restrict access modes of these a bit, so that unprivileged users can't use them to
  27          * identify the system or gain too much insight into what we might have credited to the entropy
  28          * pool. */
  29         r = chattr_fd(fd, 0, FS_IMMUTABLE_FL, NULL);
  30         if (r < 0)
  31                 log_warning_errno(r, "Failed to drop FS_IMMUTABLE_FL from LoaderSystemToken EFI variable, ignoring: %m");
  32         if (fchmod(fd, 0600) < 0)
  33                 log_warning_errno(errno, "Failed to reduce access mode of LoaderSystemToken EFI variable, ignoring: %m");
  34 }