From: Yu Watanabe
Date: Sun, 26 Oct 2025 07:58:09 +0000 (+0900)
Subject: bootctl: return earlier when secure boot auto-enrollment is requested but OpenSSL...
X-Git-Tag: v259-rc1~186^2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=219a67c131156d6b3844af54b89d1934e6dd0a9c;p=thirdparty%2Fsystemd.git
bootctl: return earlier when secure boot auto-enrollment is requested but OpenSSL support is disabled
---
diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c
index a0a2ba49081..0a2fb1888ba 100644
--- a/src/bootctl/bootctl-install.c
+++ b/src/bootctl/bootctl-install.c
@@ -623,15 +623,13 @@ static int efi_timestamp(EFI_TIME *ret) {
 
 return 0;
 }
-#endif
 
 static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, EVP_PKEY *private_key) {
+ int r;
+
 if (!arg_secure_boot_auto_enroll)
 return 0;
 
-#if HAVE_OPENSSL
- int r;
-
 _cleanup_free_ uint8_t *dercert = NULL;
 int dercertsz;
 dercertsz = i2d_X509(certificate, &dercert);
@@ -755,10 +753,8 @@ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, E
 }
 
 return 0;
-#else
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot set up secure boot auto-enrollment.");
-#endif
 }
+#endif
 
 static bool same_entry(uint16_t id, sd_id128_t uuid, const char *path) {
 _cleanup_free_ char *opath = NULL;
@@ -966,6 +962,7 @@ static int are_we_installed(const char *esp_path) {
 return r == 0;
 }
 
+#if HAVE_OPENSSL
 static int load_secure_boot_auto_enroll(
 X509 **ret_certificate,
 EVP_PKEY **ret_private_key) {
@@ -1025,6 +1022,7 @@ static int load_secure_boot_auto_enroll(
 
 return 0;
 }
+#endif
 
 int verb_install(int argc, char *argv[], void *userdata) {
 sd_id128_t uuid = SD_ID128_NULL;
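Review bot: After the early `return 0;`, `install_secure_boot_auto_enroll()` passes `certificate` straight into `i2d_X509()` with no check of its own, and nothing in the hunk shows `private_key` being checked either; the only guarantee that both are non-NULL when `arg_secure_boot_auto_enroll` is set is the option validation in parse_argv() in bootctl.c, plus whatever load_secure_boot_auto_enroll() does, which is not visible here. Stating that precondition in the function itself, `assert(certificate);` and `assert(private_key);` directly after the early return, would make the contract explicit and catch any future caller that bypasses parse_argv(). The function body continues past the end of the hunk, so the later use of `private_key` could not be reviewed.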
@@ -1040,11 +1038,13 @@ int verb_install(int argc, char *argv[], void *userdata) {
 /* Support graceful mode only for updates, unless forcibly enabled in chroot environments */
 graceful = arg_graceful() == ARG_GRACEFUL_FORCE || (!install && arg_graceful() != ARG_GRACEFUL_NO);
 
+#if HAVE_OPENSSL
 _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
 _cleanup_(X509_freep) X509 *certificate = NULL;
 r = load_secure_boot_auto_enroll(&certificate, &private_key);
 if (r < 0)
 return r;
+#endif
 
 r = acquire_esp(/* unprivileged_mode= */ false, graceful, &part, &pstart, &psize, &uuid, NULL);
 if (graceful && r == -ENOKEY)
@@ -1108,9 +1108,11 @@ int verb_install(int argc, char *argv[], void *userdata) {
 if (r < 0)
 return r;
 
+#if HAVE_OPENSSL
 r = install_secure_boot_auto_enroll(arg_esp_path, certificate, private_key);
 if (r < 0)
 return r;
+#endif
 }
 
 r = install_loader_specification(arg_dollar_boot_path());
diff --git a/src/bootctl/bootctl.c b/src/bootctl/bootctl.c
index 1341036cede..dc321a07ca8 100644
--- a/src/bootctl/bootctl.c
+++ b/src/bootctl/bootctl.c
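Review bot: The new `#if HAVE_OPENSSL` block around load_secure_boot_auto_enroll() has no `#else` arm, so on a build without OpenSSL verb_install() would carry on and install the loader if `arg_secure_boot_auto_enroll` were ever set, and the only thing preventing that silent skip today is the `EOPNOTSUPP` check in parse_argv() in a different file. Pinning the invariant where the install decision is made is cheap: `#else` / `assert(!arg_secure_boot_auto_enroll);` / `#endif`, which compiles to nothing on OpenSSL builds. `arg_secure_boot_auto_enroll` is already referenced from this file in install_secure_boot_auto_enroll(), so no new declaration is needed. verb_install() starts and ends outside the hunk.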
@@ -654,11 +654,17 @@ static int parse_argv(int argc, char *argv[]) {
 if (arg_dry_run && argv[optind] && !STR_IN_SET(argv[optind], "unlink", "cleanup"))
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--dry-run is only supported with --unlink or --cleanup");
 
- if (arg_secure_boot_auto_enroll && !arg_certificate)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided");
-
- if (arg_secure_boot_auto_enroll && !arg_private_key)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided");
+ if (arg_secure_boot_auto_enroll) {
+#if HAVE_OPENSSL
+ if (!arg_certificate)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided.");
+
+ if (!arg_private_key)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided.");
+#else
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Secure boot auto-enrollment requested but OpenSSL support is disabled.");
+#endif
+ }
 
 r = sd_varlink_invocation(SD_VARLINK_ALLOW_ACCEPT);
 if (r < 0)
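Review bot: The new `#else` arm is the one place a non-OpenSSL build refuses `--secure-boot-auto-enroll`, yet nothing in parse_argv() says why the request has to be rejected here rather than where enrollment happens; a reader has to reconstruct that from the `#if HAVE_OPENSSL` guards in bootctl-install.c. A one-line comment above the new `if` would make the block self-contained: `/* Auto-enrollment is compiled out entirely without OpenSSL (see bootctl-install.c); refuse it up front so the request cannot be silently skipped. */`. Using `EOPNOTSUPP` rather than `EINVAL` for that arm is the right distinction, since the request is well-formed but unsupported by this build. parse_argv() starts and ends outside the hunk.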