creds-util: add common helper for determinign global boot credentials path

It's very useful being able to determine the directory where to write
global boot credentials to, that are picked up by all kernels.

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 997ace5d3c3aa8c3fb3a13d6053b87eb70091911..935d60d3db71ea64a593e5a8b203149284090c61 100644 (file)
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4293,34 +4293,12 @@ static int determine_boot_policy_file(char **ret) {
 
         assert(ret);
 
-        r = find_xbootldr_and_warn(
-                        /* root= */ NULL,
-                        /* path= */ NULL,
-                        /* unprivileged_mode= */ false,
-                        &path,
-                        /* ret_uuid= */ NULL,
-                        /* ret_devid= */ NULL);
-        if (r < 0) {
-                if (r != -ENOKEY)
-                        return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
-
-                r = find_esp_and_warn(
-                                /* root= */ NULL,
-                                /* path= */ NULL,
-                                /* unprivileged_mode= */ false,
-                                &path,
-                                /* ret_part= */ NULL,
-                                /* ret_pstart= */ NULL,
-                                /* ret_psize= */ NULL,
-                                /* ret_uuid= */ NULL,
-                                /* ret_devid= */ NULL);
-                if (r < 0) {
-                        if (r != -ENOKEY)
-                                return log_error_errno(r, "Failed to find ESP partition: %m");
-
-                        *ret = NULL;
-                        return 0; /* not found! */
-                }
+        r = get_global_boot_credentials_path(&path);
+        if (r < 0)
+                return r;
+        if (r == 0) {
+                *ret = NULL;
+                return 0; /* not found! */
         }
 
         r = sd_id128_get_machine(&machine_id);
@@ -4344,7 +4322,7 @@ static int determine_boot_policy_file(char **ret) {
         if (!filename_is_valid(fn))
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name '%s' would not be a valid file name, refusing.", fn);
 
-        joined = path_join(path, "loader/credentials", fn);
+        joined = path_join(path, fn);
         if (!joined)
                 return log_oom();
 

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index eaf772bff2c5035f7e0954c9e7812a2e4acae08c..e99477997a054ecf44b4f78f89d6036b602a06fd 100644 (file)
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -19,6 +19,7 @@
 #include "env-util.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "find-esp.h"
 #include "format-util.h"
 #include "fs-util.h"
 #include "io-util.h"
@@ -1657,6 +1658,56 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
         return 0;
 }
 
+int get_global_boot_credentials_path(char **ret) {
+        _cleanup_free_ char *path = NULL;
+        int r;
+
+        assert(ret);
+
+        /* Determines where to put global boot credentials in. Returns the path to the "/loader/credentials/"
+         * directory below the XBOOTLDR or ESP partition. Any credentials placed in this directory can be
+         * picked up later in the initrd. */
+
+        r = find_xbootldr_and_warn(
+                        /* root= */ NULL,
+                        /* path= */ NULL,
+                        /* unprivileged_mode= */ false,
+                        &path,
+                        /* ret_uuid= */ NULL,
+                        /* ret_devid= */ NULL);
+        if (r < 0) {
+                if (r != -ENOKEY)
+                        return log_error_errno(r, "Failed to find XBOOTLDR partition: %m");
+
+                r = find_esp_and_warn(
+                                /* root= */ NULL,
+                                /* path= */ NULL,
+                                /* unprivileged_mode= */ false,
+                                &path,
+                                /* ret_part= */ NULL,
+                                /* ret_pstart= */ NULL,
+                                /* ret_psize= */ NULL,
+                                /* ret_uuid= */ NULL,
+                                /* ret_devid= */ NULL);
+                if (r < 0) {
+                        if (r != -ENOKEY)
+                                return log_error_errno(r, "Failed to find ESP partition: %m");
+
+                        *ret = NULL;
+                        return 0; /* not found! */
+                }
+        }
+
+        _cleanup_free_ char *joined = path_join(path, "loader/credentials");
+        if (!joined)
+                return log_oom();
+
+        log_debug("Determined global boot credentials path as: %s", joined);
+
+        *ret = TAKE_PTR(joined);
+        return 1; /* found! */
+}
+
 static int pick_up_credential_one(
                 int credential_dir_fd,
                 const char *credential_name,

diff --git a/src/shared/creds-util.h b/src/shared/creds-util.h
index b80755b7d7b04a01ef2e4335d63e08fdb703bbb1..e096b6d4d41bebc4b7f59feed6dbef184df5bf83 100644 (file)
--- a/src/shared/creds-util.h
+++ b/src/shared/creds-util.h
@@ -94,6 +94,8 @@ int decrypt_credential_and_warn(const char *validate_name, usec_t validate_times
 int ipc_encrypt_credential(const char *name, usec_t timestamp, usec_t not_after, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
 int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
 
+int get_global_boot_credentials_path(char **ret);
+
 typedef struct PickUpCredential {
         const char *credential_prefix;
         const char *target_dir;