]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
1a14a53c | 2 | |
1a14a53c | 3 | #include <stdlib.h> |
41bc4849 | 4 | #include <sys/file.h> |
cf0fbc49 | 5 | #include <unistd.h> |
1a14a53c | 6 | |
85624f01 | 7 | #include "sd-device.h" |
07630cea LP |
8 | #include "sd-id128.h" |
9 | ||
b5efdb8a | 10 | #include "alloc-util.h" |
07630cea | 11 | #include "blkid-util.h" |
18c528e9 | 12 | #include "blockdev-util.h" |
07630cea | 13 | #include "btrfs-util.h" |
133432cc | 14 | #include "device-util.h" |
7176f06c | 15 | #include "devnum-util.h" |
a0956174 | 16 | #include "dirent-util.h" |
72e18a98 | 17 | #include "dissect-image.h" |
1fac34b9 | 18 | #include "dropin.h" |
0bb2f0f1 | 19 | #include "efi-loader.h" |
3ffd4af2 | 20 | #include "fd-util.h" |
07630cea | 21 | #include "fileio.h" |
2bef2582 | 22 | #include "fs-util.h" |
07630cea LP |
23 | #include "fstab-util.h" |
24 | #include "generator.h" | |
25 | #include "gpt.h" | |
84be0c71 | 26 | #include "image-policy.h" |
baa6a42d | 27 | #include "initrd-util.h" |
049af8ad | 28 | #include "mountpoint-util.h" |
6bedfcbb | 29 | #include "parse-util.h" |
07630cea | 30 | #include "path-util.h" |
4e731273 | 31 | #include "proc-cmdline.h" |
1a14a53c | 32 | #include "special.h" |
98bad05e | 33 | #include "specifier.h" |
8fcde012 | 34 | #include "stat-util.h" |
07630cea | 35 | #include "string-util.h" |
85624f01 | 36 | #include "strv.h" |
1a14a53c | 37 | #include "unit-name.h" |
9a5cb137 | 38 | #include "virt.h" |
1a14a53c | 39 | |
ec6e9597 | 40 | static const char *arg_dest = NULL; |
73b80ec2 LP |
41 | static bool arg_enabled = true; |
42 | static bool arg_root_enabled = true; | |
9a2982b6 | 43 | static bool arg_swap_enabled = true; |
cf451f38 LP |
44 | static char *arg_root_fstype = NULL; |
45 | static char *arg_root_options = NULL; | |
c94b2417 | 46 | static int arg_root_rw = -1; |
84be0c71 LP |
47 | static ImagePolicy *arg_image_policy = NULL; |
48 | ||
49 | STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); | |
1a14a53c | 50 | |
cf451f38 LP |
51 | STATIC_DESTRUCTOR_REGISTER(arg_root_fstype, freep); |
52 | STATIC_DESTRUCTOR_REGISTER(arg_root_options, freep); | |
53 | ||
06648fa9 LP |
54 | static int add_cryptsetup( |
55 | const char *id, | |
56 | const char *what, | |
57 | bool rw, | |
58 | bool require, | |
ff386f98 | 59 | bool measure, |
06648fa9 LP |
60 | char **ret_device) { |
61 | ||
5b137503 | 62 | #if HAVE_LIBCRYPTSETUP |
ff386f98 | 63 | _cleanup_free_ char *e = NULL, *n = NULL, *d = NULL, *options = NULL; |
1af72119 | 64 | _cleanup_fclose_ FILE *f = NULL; |
1af72119 LP |
65 | int r; |
66 | ||
67 | assert(id); | |
68 | assert(what); | |
1af72119 | 69 | |
7410616c LP |
70 | r = unit_name_from_path(what, ".device", &d); |
71 | if (r < 0) | |
72 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
1af72119 LP |
73 | |
74 | e = unit_name_escape(id); | |
75 | if (!e) | |
76 | return log_oom(); | |
77 | ||
7410616c LP |
78 | r = unit_name_build("systemd-cryptsetup", e, ".service", &n); |
79 | if (r < 0) | |
80 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
1af72119 | 81 | |
121ce4a6 | 82 | r = generator_open_unit_file(arg_dest, /* source = */ NULL, n, &f); |
a7e88558 LP |
83 | if (r < 0) |
84 | return r; | |
98bad05e | 85 | |
a7e88558 LP |
86 | r = generator_write_cryptsetup_unit_section(f, NULL); |
87 | if (r < 0) | |
88 | return r; | |
1af72119 LP |
89 | |
90 | fprintf(f, | |
1af72119 | 91 | "Before=umount.target cryptsetup.target\n" |
a7e88558 LP |
92 | "Conflicts=umount.target\n" |
93 | "BindsTo=%s\n" | |
94 | "After=%s\n", | |
95 | d, d); | |
96 | ||
ff386f98 LP |
97 | if (!rw) { |
98 | options = strdup("read-only"); | |
99 | if (!options) | |
100 | return log_oom(); | |
101 | } | |
102 | ||
0d5f59a2 LP |
103 | r = efi_measured_uki(LOG_WARNING); |
104 | if (r > 0) | |
105 | /* Enable TPM2 based unlocking automatically, if we have a TPM. See #30176. */ | |
106 | if (!strextend_with_separator(&options, ",", "tpm2-device=auto")) | |
107 | return log_oom(); | |
108 | ||
ff386f98 LP |
109 | if (measure) { |
110 | /* We only measure the root volume key into PCR 15 if we are booted with sd-stub (i.e. in a | |
111 | * UKI), and sd-stub measured the UKI. We do this in order not to step into people's own PCR | |
112 | * assignment, under the assumption that people who are fine to use sd-stub with its PCR | |
113 | * assignments are also OK with our PCR 15 use here. */ | |
0d5f59a2 | 114 | if (r > 0) |
2f6c52b9 ZJS |
115 | if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes")) |
116 | return log_oom(); | |
0d5f59a2 LP |
117 | if (r == 0) |
118 | log_debug("Will not measure volume key of volume '%s', not booted via systemd-stub with measurements enabled.", id); | |
ff386f98 LP |
119 | } |
120 | ||
121 | r = generator_write_cryptsetup_service_section(f, id, what, NULL, options); | |
a7e88558 LP |
122 | if (r < 0) |
123 | return r; | |
1af72119 | 124 | |
dacd6cee LP |
125 | r = fflush_and_check(f); |
126 | if (r < 0) | |
a7e88558 | 127 | return log_error_errno(r, "Failed to write file %s: %m", n); |
1af72119 | 128 | |
9cdcf368 ZJS |
129 | r = generator_add_symlink(arg_dest, d, "wants", n); |
130 | if (r < 0) | |
131 | return r; | |
1af72119 | 132 | |
6a488fa7 | 133 | const char *dmname = strjoina("dev-mapper-", e, ".device"); |
1af72119 | 134 | |
1fac34b9 | 135 | if (require) { |
9cdcf368 ZJS |
136 | r = generator_add_symlink(arg_dest, "cryptsetup.target", "requires", n); |
137 | if (r < 0) | |
138 | return r; | |
01af8c01 | 139 | |
9cdcf368 ZJS |
140 | r = generator_add_symlink(arg_dest, dmname, "requires", n); |
141 | if (r < 0) | |
142 | return r; | |
01af8c01 | 143 | } |
1af72119 | 144 | |
1fac34b9 ZJS |
145 | r = write_drop_in_format(arg_dest, dmname, 50, "job-timeout", |
146 | "# Automatically generated by systemd-gpt-auto-generator\n\n" | |
147 | "[Unit]\n" | |
a9b837aa | 148 | "JobTimeoutSec=infinity"); /* the binary handles timeouts anyway */ |
23bbb0de | 149 | if (r < 0) |
1fac34b9 | 150 | log_warning_errno(r, "Failed to write device timeout drop-in, ignoring: %m"); |
1af72119 | 151 | |
06648fa9 LP |
152 | if (ret_device) { |
153 | char *s; | |
2aa2860b | 154 | |
06648fa9 LP |
155 | s = path_join("/dev/mapper", id); |
156 | if (!s) | |
2aa2860b | 157 | return log_oom(); |
1af72119 | 158 | |
06648fa9 | 159 | *ret_device = s; |
2aa2860b ZJS |
160 | } |
161 | ||
1af72119 | 162 | return 0; |
5b137503 | 163 | #else |
6a488fa7 | 164 | return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), |
4e494e6a | 165 | "Partition is encrypted, but systemd-gpt-auto-generator was compiled without libcryptsetup support."); |
5b137503 | 166 | #endif |
1af72119 LP |
167 | } |
168 | ||
73b80ec2 LP |
169 | static int add_mount( |
170 | const char *id, | |
171 | const char *what, | |
172 | const char *where, | |
173 | const char *fstype, | |
cca1dfdd | 174 | bool rw, |
400c1e8f | 175 | bool growfs, |
ff386f98 | 176 | bool measure, |
59512f21 | 177 | const char *options, |
73b80ec2 LP |
178 | const char *description, |
179 | const char *post) { | |
180 | ||
121ce4a6 | 181 | _cleanup_free_ char *unit = NULL, *crypto_what = NULL; |
1a14a53c | 182 | _cleanup_fclose_ FILE *f = NULL; |
e48fdd84 | 183 | int r; |
1a14a53c | 184 | |
98bad05e LP |
185 | /* Note that we don't apply specifier escaping on the input strings here, since we know they are not configured |
186 | * externally, but all originate from our own sources here, and hence we know they contain no % characters that | |
187 | * could potentially be understood as specifiers. */ | |
188 | ||
1af72119 LP |
189 | assert(id); |
190 | assert(what); | |
191 | assert(where); | |
1af72119 LP |
192 | assert(description); |
193 | ||
074cdb95 | 194 | log_debug("Adding %s: %s fstype=%s", where, what, fstype ?: "(any)"); |
1a14a53c | 195 | |
73b80ec2 | 196 | if (streq_ptr(fstype, "crypto_LUKS")) { |
ff386f98 | 197 | r = add_cryptsetup(id, what, rw, /* require= */ true, measure, &crypto_what); |
1af72119 LP |
198 | if (r < 0) |
199 | return r; | |
200 | ||
201 | what = crypto_what; | |
202 | fstype = NULL; | |
80ce8580 LP |
203 | } else if (fstype) { |
204 | r = dissect_fstype_ok(fstype); | |
205 | if (r < 0) | |
206 | return log_error_errno(r, "Unable to determine of dissected file system type '%s' is permitted: %m", fstype); | |
207 | if (!r) | |
208 | return log_error_errno( | |
209 | SYNTHETIC_ERRNO(EIDRM), | |
210 | "Refusing to automatically mount uncommon file system '%s' to '%s'.", | |
211 | fstype, where); | |
1af72119 LP |
212 | } |
213 | ||
7410616c LP |
214 | r = unit_name_from_path(where, ".mount", &unit); |
215 | if (r < 0) | |
216 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
1a14a53c | 217 | |
121ce4a6 MY |
218 | r = generator_open_unit_file(arg_dest, /* source = */ NULL, unit, &f); |
219 | if (r < 0) | |
220 | return r; | |
1a14a53c LP |
221 | |
222 | fprintf(f, | |
1a14a53c | 223 | "[Unit]\n" |
c3834f9b LP |
224 | "Description=%s\n" |
225 | "Documentation=man:systemd-gpt-auto-generator(8)\n", | |
e48fdd84 LP |
226 | description); |
227 | ||
73b80ec2 LP |
228 | if (post) |
229 | fprintf(f, "Before=%s\n", post); | |
230 | ||
e48fdd84 LP |
231 | r = generator_write_fsck_deps(f, arg_dest, what, where, fstype); |
232 | if (r < 0) | |
233 | return r; | |
234 | ||
a7e88558 LP |
235 | r = generator_write_blockdev_dependency(f, what); |
236 | if (r < 0) | |
237 | return r; | |
238 | ||
e48fdd84 LP |
239 | fprintf(f, |
240 | "\n" | |
1a14a53c LP |
241 | "[Mount]\n" |
242 | "What=%s\n" | |
1af72119 LP |
243 | "Where=%s\n", |
244 | what, where); | |
245 | ||
73b80ec2 LP |
246 | if (fstype) |
247 | fprintf(f, "Type=%s\n", fstype); | |
248 | ||
59512f21 | 249 | if (options) |
de1461ac | 250 | fprintf(f, "Options=%s\n", options); |
1a14a53c | 251 | |
dacd6cee LP |
252 | r = fflush_and_check(f); |
253 | if (r < 0) | |
121ce4a6 | 254 | return log_error_errno(r, "Failed to write unit %s: %m", unit); |
1a14a53c | 255 | |
400c1e8f LP |
256 | if (growfs) { |
257 | r = generator_hook_up_growfs(arg_dest, where, post); | |
258 | if (r < 0) | |
259 | return r; | |
260 | } | |
261 | ||
04959faa LP |
262 | if (measure) { |
263 | r = generator_hook_up_pcrfs(arg_dest, where, post); | |
264 | if (r < 0) | |
265 | return r; | |
266 | } | |
267 | ||
400c1e8f LP |
268 | if (post) { |
269 | r = generator_add_symlink(arg_dest, post, "requires", unit); | |
270 | if (r < 0) | |
271 | return r; | |
272 | } | |
273 | ||
1a14a53c LP |
274 | return 0; |
275 | } | |
276 | ||
e137880b | 277 | static int path_is_busy(const char *where) { |
59512f21 KS |
278 | int r; |
279 | ||
6a488fa7 ZJS |
280 | assert(where); |
281 | ||
59512f21 | 282 | /* already a mountpoint; generators run during reload */ |
b409aacb | 283 | r = path_is_mount_point_full(where, /* root = */ NULL, AT_SYMLINK_FOLLOW); |
59512f21 KS |
284 | if (r > 0) |
285 | return false; | |
6a488fa7 | 286 | /* The directory will be created by the mount or automount unit when it is started. */ |
59512f21 KS |
287 | if (r == -ENOENT) |
288 | return false; | |
289 | ||
290 | if (r < 0) | |
e137880b | 291 | return log_warning_errno(r, "Cannot check if \"%s\" is a mount point: %m", where); |
59512f21 KS |
292 | |
293 | /* not a mountpoint but it contains files */ | |
db55bbf2 | 294 | r = dir_is_empty(where, /* ignore_hidden_or_backup= */ false); |
6a488fa7 ZJS |
295 | if (r == -ENOTDIR) { |
296 | log_debug("\"%s\" is not a directory, ignoring.", where); | |
297 | return true; | |
298 | } else if (r < 0) | |
e137880b | 299 | return log_warning_errno(r, "Cannot check if \"%s\" is empty: %m", where); |
6a488fa7 ZJS |
300 | else if (r == 0) { |
301 | log_debug("\"%s\" already populated, ignoring.", where); | |
302 | return true; | |
303 | } | |
59512f21 | 304 | |
6a488fa7 | 305 | return false; |
59512f21 KS |
306 | } |
307 | ||
72e18a98 | 308 | static int add_partition_mount( |
de1461ac | 309 | PartitionDesignator d, |
72e18a98 | 310 | DissectedPartition *p, |
61331eab | 311 | const char *id, |
61331eab | 312 | const char *where, |
72e18a98 | 313 | const char *description) { |
61331eab | 314 | |
de1461ac | 315 | _cleanup_free_ char *options = NULL; |
e137880b | 316 | int r; |
de1461ac | 317 | |
72e18a98 | 318 | assert(p); |
61331eab | 319 | |
e137880b ZJS |
320 | r = path_is_busy(where); |
321 | if (r != 0) | |
322 | return r < 0 ? r : 0; | |
61331eab | 323 | |
de1461ac LP |
324 | r = partition_pick_mount_options( |
325 | d, | |
326 | dissected_partition_fstype(p), | |
327 | p->rw, | |
328 | /* discard= */ true, | |
329 | &options, | |
330 | /* ret_ms_flags= */ NULL); | |
331 | if (r < 0) | |
332 | return r; | |
333 | ||
61331eab LP |
334 | return add_mount( |
335 | id, | |
72e18a98 | 336 | p->node, |
61331eab | 337 | where, |
72e18a98 LP |
338 | p->fstype, |
339 | p->rw, | |
400c1e8f | 340 | p->growfs, |
ff386f98 | 341 | /* measure= */ STR_IN_SET(id, "root", "var"), /* by default measure rootfs and /var, since they contain the "identity" of the system */ |
de1461ac | 342 | options, |
61331eab | 343 | description, |
72e18a98 | 344 | SPECIAL_LOCAL_FS_TARGET); |
61331eab LP |
345 | } |
346 | ||
235ae69c | 347 | static int add_partition_swap(DissectedPartition *p) { |
8859b8f7 | 348 | const char *what; |
121ce4a6 | 349 | _cleanup_free_ char *name = NULL, *crypto_what = NULL; |
59512f21 KS |
350 | _cleanup_fclose_ FILE *f = NULL; |
351 | int r; | |
352 | ||
8859b8f7 HOB |
353 | assert(p); |
354 | assert(p->node); | |
59512f21 | 355 | |
9a2982b6 DT |
356 | if (!arg_swap_enabled) |
357 | return 0; | |
358 | ||
fc5bc384 FB |
359 | /* Disable the swap auto logic if at least one swap is defined in /etc/fstab, see #6192. */ |
360 | r = fstab_has_fstype("swap"); | |
361 | if (r < 0) | |
362 | return log_error_errno(r, "Failed to parse fstab: %m"); | |
1a680ae3 | 363 | if (r > 0) { |
fc5bc384 FB |
364 | log_debug("swap specified in fstab, ignoring."); |
365 | return 0; | |
366 | } | |
367 | ||
8859b8f7 | 368 | if (streq_ptr(p->fstype, "crypto_LUKS")) { |
ff386f98 | 369 | r = add_cryptsetup("swap", p->node, /* rw= */ true, /* require= */ true, /* measure= */ false, &crypto_what); |
8859b8f7 HOB |
370 | if (r < 0) |
371 | return r; | |
372 | what = crypto_what; | |
373 | } else | |
374 | what = p->node; | |
375 | ||
376 | log_debug("Adding swap: %s", what); | |
59512f21 | 377 | |
8859b8f7 | 378 | r = unit_name_from_path(what, ".swap", &name); |
59512f21 KS |
379 | if (r < 0) |
380 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
381 | ||
121ce4a6 MY |
382 | r = generator_open_unit_file(arg_dest, /* source = */ NULL, name, &f); |
383 | if (r < 0) | |
384 | return r; | |
59512f21 KS |
385 | |
386 | fprintf(f, | |
59512f21 KS |
387 | "[Unit]\n" |
388 | "Description=Swap Partition\n" | |
a7e88558 LP |
389 | "Documentation=man:systemd-gpt-auto-generator(8)\n"); |
390 | ||
8859b8f7 | 391 | r = generator_write_blockdev_dependency(f, what); |
a7e88558 LP |
392 | if (r < 0) |
393 | return r; | |
394 | ||
395 | fprintf(f, | |
396 | "\n" | |
59512f21 KS |
397 | "[Swap]\n" |
398 | "What=%s\n", | |
8859b8f7 | 399 | what); |
59512f21 | 400 | |
dacd6cee LP |
401 | r = fflush_and_check(f); |
402 | if (r < 0) | |
121ce4a6 | 403 | return log_error_errno(r, "Failed to write unit %s: %m", name); |
59512f21 | 404 | |
9cdcf368 | 405 | return generator_add_symlink(arg_dest, SPECIAL_SWAP_TARGET, "wants", name); |
59512f21 KS |
406 | } |
407 | ||
7a1494aa TG |
408 | static int add_automount( |
409 | const char *id, | |
410 | const char *what, | |
411 | const char *where, | |
412 | const char *fstype, | |
413 | bool rw, | |
400c1e8f | 414 | bool growfs, |
7a1494aa TG |
415 | const char *options, |
416 | const char *description, | |
417 | usec_t timeout) { | |
418 | ||
121ce4a6 | 419 | _cleanup_free_ char *unit = NULL; |
7a1494aa TG |
420 | _cleanup_fclose_ FILE *f = NULL; |
421 | int r; | |
422 | ||
423 | assert(id); | |
424 | assert(where); | |
425 | assert(description); | |
426 | ||
7a1494aa TG |
427 | r = add_mount(id, |
428 | what, | |
429 | where, | |
430 | fstype, | |
431 | rw, | |
400c1e8f | 432 | growfs, |
ff386f98 | 433 | /* measure= */ false, |
d22771fc | 434 | options, |
7a1494aa TG |
435 | description, |
436 | NULL); | |
437 | if (r < 0) | |
438 | return r; | |
439 | ||
440 | r = unit_name_from_path(where, ".automount", &unit); | |
441 | if (r < 0) | |
442 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
443 | ||
121ce4a6 MY |
444 | r = generator_open_unit_file(arg_dest, /* source = */ NULL, unit, &f); |
445 | if (r < 0) | |
446 | return r; | |
7a1494aa TG |
447 | |
448 | fprintf(f, | |
7a1494aa TG |
449 | "[Unit]\n" |
450 | "Description=%s\n" | |
451 | "Documentation=man:systemd-gpt-auto-generator(8)\n" | |
452 | "[Automount]\n" | |
453 | "Where=%s\n" | |
70887c5f | 454 | "TimeoutIdleSec="USEC_FMT"\n", |
7a1494aa TG |
455 | description, |
456 | where, | |
70887c5f | 457 | timeout / USEC_PER_SEC); |
7a1494aa TG |
458 | |
459 | r = fflush_and_check(f); | |
460 | if (r < 0) | |
121ce4a6 | 461 | return log_error_errno(r, "Failed to write unit %s: %m", unit); |
7a1494aa | 462 | |
9cdcf368 | 463 | return generator_add_symlink(arg_dest, SPECIAL_LOCAL_FS_TARGET, "wants", unit); |
7a1494aa TG |
464 | } |
465 | ||
235ae69c | 466 | static int add_partition_xbootldr(DissectedPartition *p) { |
de1461ac | 467 | _cleanup_free_ char *options = NULL; |
9f1cb0c1 LP |
468 | int r; |
469 | ||
470 | assert(p); | |
471 | ||
472 | if (in_initrd()) { | |
473 | log_debug("In initrd, ignoring the XBOOTLDR partition."); | |
474 | return 0; | |
475 | } | |
476 | ||
9f1cb0c1 LP |
477 | r = path_is_busy("/boot"); |
478 | if (r < 0) | |
479 | return r; | |
480 | if (r > 0) | |
481 | return 0; | |
482 | ||
de1461ac LP |
483 | r = partition_pick_mount_options( |
484 | PARTITION_XBOOTLDR, | |
485 | dissected_partition_fstype(p), | |
486 | /* rw= */ true, | |
487 | /* discard= */ false, | |
488 | &options, | |
489 | /* ret_ms_flags= */ NULL); | |
490 | if (r < 0) | |
6a488fa7 ZJS |
491 | return log_error_errno(r, "Failed to determine default mount options for /boot/: %m"); |
492 | ||
493 | return add_automount( | |
494 | "boot", | |
495 | p->node, | |
496 | "/boot", | |
497 | p->fstype, | |
498 | /* rw= */ true, | |
499 | /* growfs= */ false, | |
500 | options, | |
501 | "Boot Loader Partition", | |
502 | 120 * USEC_PER_SEC); | |
9f1cb0c1 LP |
503 | } |
504 | ||
505 | #if ENABLE_EFI | |
7f4b3dc0 ZJS |
506 | static bool slash_boot_exists(void) { |
507 | static int cache = -1; | |
508 | ||
509 | if (cache >= 0) | |
510 | return cache; | |
511 | ||
512 | if (access("/boot", F_OK) >= 0) | |
513 | return (cache = true); | |
514 | if (errno != ENOENT) | |
515 | log_error_errno(errno, "Failed to determine whether /boot/ exists, assuming no: %m"); | |
516 | else | |
517 | log_debug_errno(errno, "/boot/: %m"); | |
518 | return (cache = false); | |
519 | } | |
520 | ||
235ae69c | 521 | static int add_partition_esp(DissectedPartition *p, bool has_xbootldr) { |
9f1cb0c1 | 522 | const char *esp_path = NULL, *id = NULL; |
de1461ac | 523 | _cleanup_free_ char *options = NULL; |
59512f21 KS |
524 | int r; |
525 | ||
72e18a98 | 526 | assert(p); |
59512f21 | 527 | |
59512f21 | 528 | if (in_initrd()) { |
b52a109a | 529 | log_debug("In initrd, ignoring the ESP."); |
59512f21 KS |
530 | return 0; |
531 | } | |
532 | ||
7893a547 MY |
533 | /* Check if there's an existing fstab entry for ESP. If so, we just skip the gpt-auto logic. */ |
534 | r = fstab_has_node(p->node); | |
535 | if (r < 0) | |
622f2dcc MY |
536 | log_warning_errno(r, "Failed to check if fstab entry for device '%s' exists, ignoring: %m", |
537 | p->node); | |
7893a547 MY |
538 | if (r > 0) |
539 | return 0; | |
540 | ||
6a488fa7 ZJS |
541 | /* If /boot/ is present, unused, and empty, we'll take that. |
542 | * Otherwise, if /efi/ is unused and empty (or missing), we'll take that. | |
7893a547 | 543 | * Otherwise, we do nothing. */ |
6a488fa7 | 544 | if (!has_xbootldr && slash_boot_exists()) { |
8a132658 | 545 | r = path_is_busy("/boot"); |
6a488fa7 ZJS |
546 | if (r < 0) |
547 | return r; | |
548 | if (r == 0) { | |
8a132658 FB |
549 | esp_path = "/boot"; |
550 | id = "boot"; | |
9f1cb0c1 LP |
551 | } |
552 | } | |
6a488fa7 ZJS |
553 | |
554 | if (!esp_path) { | |
6a488fa7 ZJS |
555 | r = path_is_busy("/efi"); |
556 | if (r < 0) | |
557 | return r; | |
558 | if (r > 0) | |
559 | return 0; | |
560 | ||
9f1cb0c1 | 561 | esp_path = "/efi"; |
9f1cb0c1 | 562 | id = "efi"; |
59512f21 KS |
563 | } |
564 | ||
de1461ac LP |
565 | r = partition_pick_mount_options( |
566 | PARTITION_ESP, | |
567 | dissected_partition_fstype(p), | |
568 | /* rw= */ true, | |
569 | /* discard= */ false, | |
570 | &options, | |
571 | /* ret_ms_flags= */ NULL); | |
572 | if (r < 0) | |
6a488fa7 ZJS |
573 | return log_error_errno(r, "Failed to determine default mount options for %s: %m", esp_path); |
574 | ||
575 | return add_automount( | |
576 | id, | |
577 | p->node, | |
578 | esp_path, | |
579 | p->fstype, | |
580 | /* rw= */ true, | |
581 | /* growfs= */ false, | |
582 | options, | |
583 | "EFI System Partition Automount", | |
584 | 120 * USEC_PER_SEC); | |
7a1494aa | 585 | } |
59512f21 | 586 | #else |
235ae69c | 587 | static int add_partition_esp(DissectedPartition *p, bool has_xbootldr) { |
59512f21 | 588 | return 0; |
59512f21 | 589 | } |
7a1494aa | 590 | #endif |
59512f21 | 591 | |
235ae69c | 592 | static int add_partition_root_rw(DissectedPartition *p) { |
fd89051e LP |
593 | const char *path; |
594 | int r; | |
595 | ||
596 | assert(p); | |
5253b4a9 | 597 | assert(!in_initrd()); |
fd89051e | 598 | |
5253b4a9 | 599 | /* Invoked on the main system (not initrd), to honour GPT flag 60 on the root fs (ro) */ |
fd89051e LP |
600 | |
601 | if (arg_root_rw >= 0) { | |
602 | log_debug("Parameter ro/rw specified on kernel command line, not generating drop-in for systemd-remount-fs.service."); | |
603 | return 0; | |
604 | } | |
605 | ||
606 | if (!p->rw) { | |
607 | log_debug("Root partition marked read-only in GPT partition table, not generating drop-in for systemd-remount-fs.service."); | |
608 | return 0; | |
609 | } | |
610 | ||
40b1224e LP |
611 | r = generator_enable_remount_fs_service(arg_dest); |
612 | if (r < 0) | |
613 | return r; | |
9b69569d | 614 | |
fd89051e | 615 | path = strjoina(arg_dest, "/systemd-remount-fs.service.d/50-remount-rw.conf"); |
fd89051e LP |
616 | |
617 | r = write_string_file(path, | |
dd23292c | 618 | "# Automatically generated by systemd-gpt-auto-generator\n\n" |
fd89051e LP |
619 | "[Service]\n" |
620 | "Environment=SYSTEMD_REMOUNT_ROOT_RW=1\n", | |
e82e549f | 621 | WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_NOFOLLOW|WRITE_STRING_FILE_MKDIR_0755); |
fd89051e LP |
622 | if (r < 0) |
623 | return log_error_errno(r, "Failed to write drop-in file %s: %m", path); | |
624 | ||
625 | return 0; | |
626 | } | |
627 | ||
6b5fe5d7 LP |
628 | static int add_partition_root_growfs(DissectedPartition *p) { |
629 | ||
630 | assert(p); | |
631 | assert(!in_initrd()); | |
632 | ||
633 | /* Invoked on the main system (not initrd), to honour GPT flag 59 on the root fs (growfs) */ | |
634 | ||
635 | if (!p->growfs) { | |
636 | log_debug("Root partition not marked for growing the file system in the GPT partition table, not generating drop-in for systemd-growfs-root.service."); | |
637 | return 0; | |
638 | } | |
639 | ||
640 | return generator_hook_up_growfs(arg_dest, "/", SPECIAL_LOCAL_FS_TARGET); | |
641 | } | |
642 | ||
643 | static int add_partition_root_flags(DissectedPartition *p) { | |
644 | int r = 0; | |
645 | ||
646 | assert(p); | |
647 | assert(!in_initrd()); | |
648 | ||
649 | RET_GATHER(r, add_partition_root_growfs(p)); | |
650 | RET_GATHER(r, add_partition_root_rw(p)); | |
651 | ||
652 | return r; | |
653 | } | |
654 | ||
9fe6f5cc ZJS |
655 | #if ENABLE_EFI |
656 | static int add_root_cryptsetup(void) { | |
d0523bb0 | 657 | #if HAVE_LIBCRYPTSETUP |
1a14a53c | 658 | |
9fe6f5cc ZJS |
659 | /* If a device /dev/gpt-auto-root-luks appears, then make it pull in systemd-cryptsetup-root.service, which |
660 | * sets it up, and causes /dev/gpt-auto-root to appear which is all we are looking for. */ | |
1a14a53c | 661 | |
ff386f98 | 662 | return add_cryptsetup("root", "/dev/gpt-auto-root-luks", /* rw= */ true, /* require= */ false, /* measure= */ true, NULL); |
d0523bb0 DS |
663 | #else |
664 | return 0; | |
665 | #endif | |
9fe6f5cc ZJS |
666 | } |
667 | #endif | |
d2a62382 | 668 | |
9fe6f5cc ZJS |
669 | static int add_root_mount(void) { |
670 | #if ENABLE_EFI | |
de1461ac | 671 | _cleanup_free_ char *options = NULL; |
9fe6f5cc | 672 | int r; |
1a14a53c | 673 | |
9fe6f5cc | 674 | if (!is_efi_boot()) { |
387f6955 | 675 | log_debug("Not an EFI boot, not creating root mount."); |
8090b41e | 676 | return 0; |
fa041593 | 677 | } |
61331eab | 678 | |
9fe6f5cc ZJS |
679 | r = efi_loader_get_device_part_uuid(NULL); |
680 | if (r == -ENOENT) { | |
b50a3a15 ZJS |
681 | log_notice("EFI loader partition unknown, exiting.\n" |
682 | "(The boot loader did not set EFI variable LoaderDevicePartUUID.)"); | |
8090b41e | 683 | return 0; |
9fe6f5cc | 684 | } else if (r < 0) |
68f8a86a | 685 | return log_error_errno(r, "Failed to read loader partition UUID: %m"); |
61331eab | 686 | |
68f8a86a MY |
687 | /* OK, we have an ESP/XBOOTLDR partition, this is fantastic, so let's wait for a root device to show up. |
688 | * A udev rule will create the link for us under the right name. */ | |
61331eab | 689 | |
9fe6f5cc ZJS |
690 | if (in_initrd()) { |
691 | r = generator_write_initrd_root_device_deps(arg_dest, "/dev/gpt-auto-root"); | |
692 | if (r < 0) | |
693 | return 0; | |
61331eab | 694 | |
9fe6f5cc ZJS |
695 | r = add_root_cryptsetup(); |
696 | if (r < 0) | |
697 | return r; | |
61331eab LP |
698 | } |
699 | ||
6b5fe5d7 LP |
700 | /* Note that we do not need to enable systemd-remount-fs.service here. If /etc/fstab exists, |
701 | * systemd-fstab-generator will pull it in for us, and otherwise add_partition_root_flags() will do | |
702 | * it, after the initrd transition. */ | |
61331eab | 703 | |
de1461ac LP |
704 | r = partition_pick_mount_options( |
705 | PARTITION_ROOT, | |
706 | arg_root_fstype, | |
707 | arg_root_rw > 0, | |
708 | /* discard= */ true, | |
709 | &options, | |
710 | /* ret_ms_flags= */ NULL); | |
711 | if (r < 0) | |
712 | return log_error_errno(r, "Failed to pick root mount options: %m"); | |
713 | ||
714 | if (arg_root_options) | |
715 | if (!strextend_with_separator(&options, ",", arg_root_options)) | |
716 | return log_oom(); | |
717 | ||
9fe6f5cc ZJS |
718 | return add_mount( |
719 | "root", | |
720 | "/dev/gpt-auto-root", | |
721 | in_initrd() ? "/sysroot" : "/", | |
cf451f38 | 722 | arg_root_fstype, |
400c1e8f LP |
723 | /* rw= */ arg_root_rw > 0, |
724 | /* growfs= */ false, | |
ff386f98 | 725 | /* measure= */ true, |
de1461ac | 726 | options, |
9fe6f5cc ZJS |
727 | "Root Partition", |
728 | in_initrd() ? SPECIAL_INITRD_ROOT_FS_TARGET : SPECIAL_LOCAL_FS_TARGET); | |
729 | #else | |
730 | return 0; | |
731 | #endif | |
72e18a98 | 732 | } |
cb971249 | 733 | |
68f8a86a MY |
734 | static int process_loader_partitions(DissectedPartition *esp, DissectedPartition *xbootldr) { |
735 | sd_id128_t loader_uuid; | |
fa989c74 | 736 | int r; |
68f8a86a MY |
737 | |
738 | assert(esp); | |
739 | assert(xbootldr); | |
740 | ||
8a132658 FB |
741 | /* If any paths in fstab look similar to our favorite paths for ESP or XBOOTLDR, we just exit |
742 | * early. We also don't bother with cases where one is configured explicitly and the other shall be | |
743 | * mounted automatically. */ | |
744 | ||
745 | r = fstab_has_mount_point_prefix_strv(STRV_MAKE("/boot", "/efi")); | |
746 | if (r > 0) { | |
747 | log_debug("Found mount entries in the /boot/ or /efi/ hierarchies in fstab, not generating ESP or XBOOTLDR mounts."); | |
748 | return 0; | |
749 | } | |
750 | if (r < 0) | |
751 | log_debug_errno(r, "Failed to check fstab existing paths, ignoring: %m"); | |
752 | ||
68f8a86a MY |
753 | if (!is_efi_boot()) { |
754 | log_debug("Not an EFI boot, skipping loader partition UUID check."); | |
755 | goto mount; | |
756 | } | |
757 | ||
758 | /* Let's check if LoaderDevicePartUUID points to either ESP or XBOOTLDR. We prefer it pointing | |
759 | * to the ESP, but we accept XBOOTLDR too. If it points to neither of them, don't mount any | |
760 | * loader partitions, since they are not the ones used for booting. */ | |
761 | ||
762 | r = efi_loader_get_device_part_uuid(&loader_uuid); | |
763 | if (r == -ENOENT) { | |
764 | log_debug_errno(r, "EFI loader partition unknown, skipping ESP and XBOOTLDR mounts."); | |
765 | return 0; | |
766 | } | |
767 | if (r < 0) | |
768 | return log_debug_errno(r, "Failed to read loader partition UUID, ignoring: %m"); | |
769 | ||
770 | if (esp->found && sd_id128_equal(esp->uuid, loader_uuid)) | |
771 | goto mount; | |
772 | ||
773 | if (xbootldr->found && sd_id128_equal(xbootldr->uuid, loader_uuid)) { | |
774 | log_debug("LoaderDevicePartUUID points to XBOOTLDR partition."); | |
775 | goto mount; | |
776 | } | |
777 | ||
778 | log_debug("LoaderDevicePartUUID points to neither ESP nor XBOOTLDR, ignoring."); | |
779 | return 0; | |
780 | ||
781 | mount: | |
fa989c74 | 782 | r = 0; |
68f8a86a | 783 | |
fa989c74 ZJS |
784 | if (xbootldr->found) |
785 | RET_GATHER(r, add_partition_xbootldr(xbootldr)); | |
786 | if (esp->found) | |
787 | RET_GATHER(r, add_partition_esp(esp, xbootldr->found)); | |
68f8a86a | 788 | |
fa989c74 | 789 | return r; |
68f8a86a MY |
790 | } |
791 | ||
72e18a98 | 792 | static int enumerate_partitions(dev_t devnum) { |
72e18a98 | 793 | _cleanup_(dissected_image_unrefp) DissectedImage *m = NULL; |
55a065cd YW |
794 | _cleanup_(loop_device_unrefp) LoopDevice *loop = NULL; |
795 | _cleanup_free_ char *devname = NULL; | |
fa989c74 | 796 | int r; |
61331eab | 797 | |
ca8ac0f9 LP |
798 | assert(!in_initrd()); |
799 | ||
800 | /* Run on the final root fs (not in the initrd), to mount auxiliary partitions, and hook in rw | |
801 | * remount and growfs of the root partition */ | |
802 | ||
55a065cd YW |
803 | r = block_get_whole_disk(devnum, &devnum); |
804 | if (r < 0) | |
805 | return log_debug_errno(r, "Failed to get whole block device for " DEVNUM_FORMAT_STR ": %m", | |
806 | DEVNUM_FORMAT_VAL(devnum)); | |
807 | ||
808 | r = devname_from_devnum(S_IFBLK, devnum, &devname); | |
809 | if (r < 0) | |
810 | return log_debug_errno(r, "Failed to get device node of " DEVNUM_FORMAT_STR ": %m", | |
811 | DEVNUM_FORMAT_VAL(devnum)); | |
61331eab | 812 | |
41bc4849 LP |
813 | /* Let's take a LOCK_SH lock on the block device, in case udevd is already running. If we don't take |
814 | * the lock, udevd might end up issuing BLKRRPART in the middle, and we don't want that, since that | |
815 | * might remove all partitions while we are operating on them. */ | |
de3b7f16 | 816 | r = loop_device_open_from_path(devname, O_RDONLY, LOCK_SH, &loop); |
55a065cd | 817 | if (r < 0) |
af3d3873 | 818 | return log_debug_errno(r, "Failed to open %s: %m", devname); |
41bc4849 | 819 | |
55a065cd YW |
820 | r = dissect_loop_device( |
821 | loop, | |
84be0c71 LP |
822 | /* verity= */ NULL, |
823 | /* mount_options= */ NULL, | |
824 | arg_image_policy ?: &image_policy_host, | |
d04faa4e | 825 | DISSECT_IMAGE_GPT_ONLY| |
8716a76c | 826 | DISSECT_IMAGE_USR_NO_ROOT| |
ee0e6e47 YW |
827 | DISSECT_IMAGE_DISKSEQ_DEVNODE| |
828 | DISSECT_IMAGE_ALLOW_EMPTY, | |
73d88b80 LP |
829 | /* NB! Unlike most other places where we dissect block devices we do not use |
830 | * DISSECT_IMAGE_ADD_PARTITION_DEVICES here: we want that the kernel finds the | |
831 | * devices, and udev probes them before we mount them via .mount units much later | |
832 | * on. And thus we also don't set DISSECT_IMAGE_PIN_PARTITION_DEVICES here, because | |
833 | * we don't actually mount anything immediately. */ | |
d04faa4e | 834 | &m); |
4953e39c ZJS |
835 | if (r < 0) { |
836 | bool ok = r == -ENOPKG; | |
837 | dissect_log_error(ok ? LOG_DEBUG : LOG_ERR, r, devname, NULL); | |
838 | return ok ? 0 : r; | |
61331eab | 839 | } |
0238d4c6 | 840 | |
fa989c74 ZJS |
841 | if (m->partitions[PARTITION_SWAP].found) |
842 | RET_GATHER(r, add_partition_swap(m->partitions + PARTITION_SWAP)); | |
1a14a53c | 843 | |
fa989c74 | 844 | RET_GATHER(r, process_loader_partitions(m->partitions + PARTITION_ESP, m->partitions + PARTITION_XBOOTLDR)); |
59512f21 | 845 | |
fa989c74 ZJS |
846 | if (m->partitions[PARTITION_HOME].found) |
847 | RET_GATHER(r, add_partition_mount(PARTITION_HOME, m->partitions + PARTITION_HOME, | |
848 | "home", "/home", "Home Partition")); | |
e48fdd84 | 849 | |
fa989c74 ZJS |
850 | if (m->partitions[PARTITION_SRV].found) |
851 | RET_GATHER(r, add_partition_mount(PARTITION_SRV, m->partitions + PARTITION_SRV, | |
852 | "srv", "/srv", "Server Data Partition")); | |
1a14a53c | 853 | |
fa989c74 ZJS |
854 | if (m->partitions[PARTITION_VAR].found) |
855 | RET_GATHER(r, add_partition_mount(PARTITION_VAR, m->partitions + PARTITION_VAR, | |
856 | "var", "/var", "Variable Data Partition")); | |
d4dffb85 | 857 | |
fa989c74 ZJS |
858 | if (m->partitions[PARTITION_TMP].found) |
859 | RET_GATHER(r, add_partition_mount(PARTITION_TMP, m->partitions + PARTITION_TMP, | |
860 | "var-tmp", "/var/tmp", "Temporary Data Partition")); | |
d4dffb85 | 861 | |
fa989c74 | 862 | if (m->partitions[PARTITION_ROOT].found) |
6b5fe5d7 | 863 | RET_GATHER(r, add_partition_root_flags(m->partitions + PARTITION_ROOT)); |
fd89051e | 864 | |
1a14a53c LP |
865 | return r; |
866 | } | |
867 | ||
9fe6f5cc | 868 | static int add_mounts(void) { |
b00651cf | 869 | dev_t devno; |
c56be2c2 | 870 | int r; |
9fe6f5cc | 871 | |
c56be2c2 LP |
872 | r = blockdev_get_root(LOG_ERR, &devno); |
873 | if (r < 0) | |
874 | return r; | |
875 | if (r == 0) { | |
876 | log_debug("Skipping automatic GPT dissection logic, root file system not backed by a (single) whole block device."); | |
877 | return 0; | |
9fe6f5cc ZJS |
878 | } |
879 | ||
880 | return enumerate_partitions(devno); | |
881 | } | |
882 | ||
96287a49 | 883 | static int parse_proc_cmdline_item(const char *key, const char *value, void *data) { |
73b80ec2 | 884 | int r; |
1a14a53c | 885 | |
73b80ec2 | 886 | assert(key); |
1a14a53c | 887 | |
8a9c44ed LP |
888 | if (proc_cmdline_key_streq(key, "systemd.gpt_auto") || |
889 | proc_cmdline_key_streq(key, "rd.systemd.gpt_auto")) { | |
1a14a53c | 890 | |
1d84ad94 | 891 | r = value ? parse_boolean(value) : 1; |
73b80ec2 | 892 | if (r < 0) |
0a1b9449 | 893 | log_warning_errno(r, "Failed to parse gpt-auto switch \"%s\", ignoring: %m", value); |
8086ffac ZJS |
894 | else |
895 | arg_enabled = r; | |
1a14a53c | 896 | |
a8d3315b | 897 | } else if (streq(key, "root")) { |
1d84ad94 LP |
898 | |
899 | if (proc_cmdline_value_missing(key, value)) | |
900 | return 0; | |
73b80ec2 LP |
901 | |
902 | /* Disable root disk logic if there's a root= value | |
903 | * specified (unless it happens to be "gpt-auto") */ | |
904 | ||
074cdb95 ZJS |
905 | if (!streq(value, "gpt-auto")) { |
906 | arg_root_enabled = false; | |
907 | log_debug("Disabling root partition auto-detection, root= is defined."); | |
908 | } | |
73b80ec2 | 909 | |
a8d3315b | 910 | } else if (streq(key, "roothash")) { |
2f3dfc6f LP |
911 | |
912 | if (proc_cmdline_value_missing(key, value)) | |
913 | return 0; | |
914 | ||
915 | /* Disable root disk logic if there's roothash= defined (i.e. verity enabled) */ | |
916 | ||
917 | arg_root_enabled = false; | |
918 | ||
cf451f38 LP |
919 | } else if (streq(key, "rootfstype")) { |
920 | ||
921 | if (proc_cmdline_value_missing(key, value)) | |
922 | return 0; | |
923 | ||
924 | return free_and_strdup_warn(&arg_root_fstype, value); | |
925 | ||
926 | } else if (streq(key, "rootflags")) { | |
927 | ||
928 | if (proc_cmdline_value_missing(key, value)) | |
929 | return 0; | |
930 | ||
931 | if (!strextend_with_separator(&arg_root_options, ",", value)) | |
932 | return log_oom(); | |
933 | ||
a8d3315b | 934 | } else if (streq(key, "rw") && !value) |
73b80ec2 | 935 | arg_root_rw = true; |
a8d3315b | 936 | else if (streq(key, "ro") && !value) |
73b80ec2 | 937 | arg_root_rw = false; |
06e78680 | 938 | else if (proc_cmdline_key_streq(key, "systemd.image_policy")) |
d0a0059c | 939 | return parse_image_policy_argument(value, &arg_image_policy); |
73b80ec2 | 940 | |
a8d3315b | 941 | else if (streq(key, "systemd.swap")) { |
9a2982b6 DT |
942 | |
943 | r = value ? parse_boolean(value) : 1; | |
944 | if (r < 0) | |
945 | log_warning_errno(r, "Failed to parse swap switch \"%s\", ignoring: %m", value); | |
946 | else | |
947 | arg_swap_enabled = r; | |
948 | ||
949 | if (!arg_swap_enabled) | |
950 | log_debug("Disabling swap partitions auto-detection, systemd.swap=no is defined."); | |
951 | ||
952 | } | |
953 | ||
73b80ec2 LP |
954 | return 0; |
955 | } | |
956 | ||
ec6e9597 | 957 | static int run(const char *dest, const char *dest_early, const char *dest_late) { |
8f50e86a | 958 | int r, k; |
73b80ec2 | 959 | |
ec6e9597 | 960 | assert_se(arg_dest = dest_late); |
73b80ec2 | 961 | |
75f86906 | 962 | if (detect_container() > 0) { |
73b80ec2 | 963 | log_debug("In a container, exiting."); |
ec6e9597 | 964 | return 0; |
1a14a53c | 965 | } |
3db604b9 | 966 | |
1d84ad94 | 967 | r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, 0); |
b5884878 | 968 | if (r < 0) |
da927ba9 | 969 | log_warning_errno(r, "Failed to parse kernel command line, ignoring: %m"); |
1a14a53c | 970 | |
73b80ec2 LP |
971 | if (!arg_enabled) { |
972 | log_debug("Disabled, exiting."); | |
ec6e9597 | 973 | return 0; |
73b80ec2 LP |
974 | } |
975 | ||
976 | if (arg_root_enabled) | |
977 | r = add_root_mount(); | |
978 | ||
979 | if (!in_initrd()) { | |
73b80ec2 | 980 | k = add_mounts(); |
ec6e9597 | 981 | if (r >= 0) |
73b80ec2 LP |
982 | r = k; |
983 | } | |
984 | ||
ec6e9597 | 985 | return r; |
1a14a53c | 986 | } |
ec6e9597 ZJS |
987 | |
988 | DEFINE_MAIN_GENERATOR_FUNCTION(run); |