systemd-stub: ignore EFI shell unauthenticated kernel command line if we are in confi...
authorEmanuele Giuseppe Esposito <eesposit@redhat.com>
Thu, 10 Aug 2023 13:21:41 +0000 (09:21 -0400)
committerLennart Poettering <lennart@poettering.net>
Thu, 17 Aug 2023 09:31:43 +0000 (11:31 +0200)
src/boot/efi/stub.c

index 8fac41258e9f6a4b09ce36e41142f4fa728b83b1..183106b91feaa5d414bc8f77abdb57c50a21d709 100644 (file)
@@ -147,8 +147,9 @@ static bool use_load_options(
         assert(ret);
 
         /* We only allow custom command lines if we aren't in secure boot or if no cmdline was baked into
-         * the stub image. */
-        if (secure_boot_enabled() && have_cmdline)
+         * the stub image.
+         * We also don't allow it if we are in confidential vms and secureboot is on. */
+        if (secure_boot_enabled() && (have_cmdline || is_confidential_vm()))
                 return false;
 
         /* We also do a superficial check whether first character of passed command line
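Review bot: The rewritten comment above the new condition states the rule but not the reason, so a later reader cannot tell whether refusing load options in a confidential VM is hardening or a correctness requirement, nor that the restriction is deliberately gated on secure_boot_enabled(). The commit title gives the rationale (the command line arriving via load options, e.g. from the EFI shell, is unauthenticated), and the condition shows that a confidential VM without secure boot still honours it; both belong in the comment rather than only in the commit message. I would replace the two sentences with `/* We only allow custom command lines if we aren't in secure boot or if no cmdline was baked into the stub image. The command line passed via load options is unauthenticated, so with secure boot on we also ignore it in a confidential VM; without secure boot it is still honoured there. */`. Whether is_confidential_vm() is already declared for this file cannot be seen from the hunk, and use_load_options() both starts and ends outside it.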