From 8d07a8d6b10b88464f7c4b1c245b1f07f3f9ad3d Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov
Date: Mon, 7 Jul 2025 15:03:55 +0200
Subject: [PATCH] sysext: Support global sysext/confext
Load global sysext/confext from /.extra/global_{sysext,confext} which systemd-stub puts there from ESP/loader/credentials/*.{sysext,confext}.raw. Global extensions are handled the exact same way as per-UKI ones.
---
src/shared/discover-image.c | 10 ++++++----
src/sysext/sysext.c | 6 +++++-
units/systemd-confext-initrd.service | 1 +
units/systemd-sysext-initrd.service | 1 +
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 089d656f400..d39c3a13563 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -76,20 +76,22 @@ const char* const image_search_path[_IMAGE_CLASS_MAX] = {
         "/usr/lib/confexts\0",
 };
-/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/ and
- * .extra/confext/ in extension search dir) */
+/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/,
+ * /.extra/global_sysext, .extra/confext/, and /.extra/global_confext in extension search dir) */
 static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
         /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
         [IMAGE_SYSEXT] =
                 "/etc/extensions\0"            /* only place symlinks here */
                 "/run/extensions\0"            /* and here too */
                 "/var/lib/extensions\0"        /* the main place for images */
-                "/.extra/sysext\0",            /* put sysext picked up by systemd-stub last, since not trusted */
+                "/.extra/sysext\0"             /* put sysext (per-UKI and global) picked up by systemd-stub */
+                "/.extra/global_sysext\0",     /* last, since not trusted */
         [IMAGE_CONFEXT] =
                 "/run/confexts\0"              /* only place symlinks here */
                 "/var/lib/confexts\0"          /* the main place for images */
                 "/usr/local/lib/confexts\0"
-                "/.extra/confext\0",           /* put confext picked up by systemd-stub last, since not trusted */
+                "/.extra/confext\0"            /* put confext (per-UKI and global) picked up by systemd-stub */
+                "/.extra/global_confext\0",    /* last, since not trusted. */
 };
 static const char* image_class_suffix_table[_IMAGE_CLASS_MAX] = {
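Review bot: The relative precedence of the two stub-provided directories is left implicit in the new `image_search_path_initrd` entries: `/.extra/sysext` is listed before `/.extra/global_sysext` (and likewise for confext), so if lookup is first-match-wins, as the "last, since not trusted" remark suggests, a per-UKI image shadows a global image of the same name, and both are shadowed by the same name in `/var/lib/extensions` or `/run/extensions`. That ordering is presumably intended, but since the two directories are populated from different ESP locations it deserves to be stated rather than inferred from the split trailing comments, e.g. `/* per-UKI /.extra/sysext first, then global /.extra/global_sysext; both come from the untrusted ESP via systemd-stub, hence last */`. The two trailing comments also disagree on punctuation (`not trusted */` vs `not trusted. */`), and the header comment mixes `.extra/sysext/` with `/.extra/global_sysext` — the four paths should be spelled the same way.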
@@ -1660,15 +1660,19 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
         if (arg_image_policy)
                 return arg_image_policy;
-        /* If located in /.extra/sysext/ in the initrd, then it was placed there by systemd-stub, and was
+        /* If located in /.extra/ in the initrd, then it was placed there by systemd-stub, and was
          * picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
          * other directories we assume the appropriate level of trust was already established already. */
         if (in_initrd()) {
                 if (path_startswith(img->path, "/.extra/sysext/"))
                         return &image_policy_sysext_strict;
+                if (path_startswith(img->path, "/.extra/global_sysext/"))
+                        return &image_policy_sysext_strict;
                 if (path_startswith(img->path, "/.extra/confext/"))
                         return &image_policy_confext_strict;
+                if (path_startswith(img->path, "/.extra/global_confext/"))
+                        return &image_policy_confext_strict;
                 /* Better safe than sorry, refuse everything else passed in via the untrusted /.extra/ dir */
                 if (path_startswith(img->path, "/.extra/"))
diff --git a/units/systemd-confext-initrd.service b/units/systemd-confext-initrd.service
index 22461fa7120..073307edcce 100644
--- a/units/systemd-confext-initrd.service
+++ b/units/systemd-confext-initrd.service
@@ -17,6 +17,7 @@ ConditionDirectoryNotEmpty=|/var/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/lib/confexts
 ConditionDirectoryNotEmpty=|/.extra/confext
+ConditionDirectoryNotEmpty=|/.extra/global_confext
 ConditionPathExists=/etc/initrd-release
 DefaultDependencies=no
diff --git a/units/systemd-sysext-initrd.service b/units/systemd-sysext-initrd.service
index f21990aad01..4a411bb65e0 100644
--- a/units/systemd-sysext-initrd.service
+++ b/units/systemd-sysext-initrd.service
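Review bot: The strict-policy mapping in `pick_image_policy()` is now spelled out twice per image class, with the per-UKI and global directory each getting its own `path_startswith()`/`return` pair; if path-util.h's `PATH_STARTSWITH_SET()` is in scope here, the two directories of a class can share one check: `if (PATH_STARTSWITH_SET(img->path, "/.extra/sysext/", "/.extra/global_sysext/")) return &image_policy_sysext_strict;` and the same for confext. That keeps the policy choice in one place per class, and the trailing catch-all refusal of anything else under `/.extra/` remains the safety net for a directory that gets added to `image_search_path_initrd` but not here. The rewritten comment says "located in /.extra/" but the strict policies are granted only to four named subdirectories while everything else under `/.extra/` is refused; it would read better as `/* Images under /.extra/{sysext,global_sysext,confext,global_confext}/ in the initrd were placed there by systemd-stub from the untrusted ESP; apply the strict policy to those and refuse anything else under /.extra/. */`. Note these defaults apply only when `arg_image_policy` is unset, per the early return at the top of the hunk; pick_image_policy()'s body continues past the end of the hunk.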
@@ -16,6 +16,7 @@ ConditionDirectoryNotEmpty=|/etc/extensions
 ConditionDirectoryNotEmpty=|/run/extensions
 ConditionDirectoryNotEmpty=|/var/lib/extensions
 ConditionDirectoryNotEmpty=|/.extra/sysext
+ConditionDirectoryNotEmpty=|/.extra/global_sysext
 ConditionPathExists=/etc/initrd-release
 DefaultDependencies=no
-- 
2.47.3
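Review bot: The new `ConditionDirectoryNotEmpty=|/.extra/global_sysext` line (and its confext twin in systemd-confext-initrd.service) duplicates the directory list that `image_search_path_initrd[]` in src/shared/discover-image.c now carries, with nothing tying the two together; a directory added to the C table but not to the unit would leave the service skipped when only that directory is populated, and the reverse would make the unit start for a directory the search path never looks at. A one-line comment above the condition block, `# Keep in sync with image_search_path_initrd[] in src/shared/discover-image.c`, would make the coupling visible to whoever edits either side next. The same comment belongs in systemd-confext-initrd.service.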