git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/efi-random.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include "alloc-util.h"
7 #include "chattr-util.h"
8 #include "efi-random.h"
12 #include "random-util.h"
15 void lock_down_efi_variables(void) {
16 _cleanup_close_
int fd
= -EBADF
;
19 fd
= open(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken
)), O_RDONLY
|O_CLOEXEC
);
22 log_warning_errno(errno
, "Unable to open LoaderSystemToken EFI variable, ignoring: %m");
26 /* Paranoia: let's restrict access modes of these a bit, so that unprivileged users can't use them to
27 * identify the system or gain too much insight into what we might have credited to the entropy
29 r
= chattr_fd(fd
, 0, FS_IMMUTABLE_FL
, NULL
);
31 log_warning_errno(r
, "Failed to drop FS_IMMUTABLE_FL from LoaderSystemToken EFI variable, ignoring: %m");
32 if (fchmod(fd
, 0600) < 0)
33 log_warning_errno(errno
, "Failed to reduce access mode of LoaderSystemToken EFI variable, ignoring: %m");