From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 7 May 2025 13:24:06 +0000 (+0200)
Subject: bless-boot: in "status" output report bad state from prev boot as "dirty"
X-Git-Tag: v258-rc1~647^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9420a0e6cb832d6035c8cf634f11c4b2da0097bd;p=thirdparty%2Fsystemd.git

bless-boot: in "status" output report bad state from prev boot as "dirty"

The bless-boot logic currently assumes that if the name of the boot
entry reported via the EFI var matches the name on disk that the state
is "indeterminate", as we haven't counted down the counter (to mark it
bad) or drop the counter (to mark it good) yet. But there's one corner
case we so far didn't care about: what if the entry already reached 0
left tries in a previous boot, i.e. if the user invoked an entry already
known to be completely bad. In that case we'd still return
"indeterminate", but that's kinda misleading, because we *know* the
currently booted entry is bad, however we inherited that fact from a
previous boot, we didn't determine it on the current.

hence, let's introduce a new status we report in this case, that is both
distinct from "bad" (which indicates whether the *current* boot is bad)
and "indirect" (which indicates the current boot has not been decided on
yet): "dirty".

Why "dirty"? To mirror "clean" which we already have, which indicates a
boot already marked good in a previous boot, which is a relatively
symmetric state.

This is a really weak api break of sorts, because it introduces a new
state we never reported before, but I think it's fine, because the old
reporting was just wrong, and in a way this is bugfix, that we now
report correctly something where previously returned kind of rubbish
(though systematic rubbish).

Replaces:  #37350
---

diff --git a/man/systemd-bless-boot.service.xml b/man/systemd-bless-boot.service.xml
index 86a3fac799f..eb1d345fb82 100644
--- a/man/systemd-bless-boot.service.xml
+++ b/man/systemd-bless-boot.service.xml
@@ -57,13 +57,17 @@
       <varlistentry>
         <term><option>status</option></term>
 
-        <listitem><para>The current status of the boot loader entry file or unified kernel image file is shown. This
-        outputs one of <literal>good</literal>, <literal>bad</literal>, <literal>indeterminate</literal>,
-        <literal>clean</literal>, depending on the state and previous invocations of the command. The string
-        <literal>indeterminate</literal> is shown initially after boot, before it has been marked as "good" or
-        "bad". The string <literal>good</literal> is shown after the boot was marked as "good" with the
-        <option>good</option> command below, and "bad" conversely after the <option>bad</option> command was
-        invoked. The string <literal>clean</literal> is returned when boot counting is currently not in effect.</para>
+        <listitem><para>The current status of the boot loader entry file or unified kernel image file is
+        shown. This outputs one of <literal>good</literal>, <literal>bad</literal>,
+        <literal>indeterminate</literal>, <literal>clean</literal>, <literal>dirty</literal>, depending on
+        the state and previous invocations of the command. The string <literal>indeterminate</literal> is
+        shown initially after boot, before it has been marked as "good" or "bad". The string
+        <literal>good</literal> is shown after the boot was marked as "good" with the <option>good</option>
+        command below, and "bad" conversely after the <option>bad</option> command was invoked. The string
+        <literal>clean</literal> is returned when boot counting is currently not in effect (which includes
+        the case where the current entry was already marked as persistently good). The string
+        <literal>dirty</literal> is returned when the system is booted up with a known-bad kernel (i.e. one
+        where the tries left counter has previously reached zero already).</para>
 
         <para>This command is implied if no command argument is specified.</para>
 
@@ -96,9 +100,13 @@
       <varlistentry>
         <term><option>indeterminate</option></term>
 
-        <listitem><para>This command undoes any marking of the current boot loader entry file or unified kernel image
-        file as good or bad. This is implemented by renaming the boot loader entry file or unified kernel image file
-        back to the path encoded in the <varname>LoaderBootCountPath</varname> EFI variable.</para>
+        <listitem><para>This command undoes any marking of the current boot loader entry file or unified
+        kernel image file as good or bad. This is implemented by renaming the boot loader entry file or
+        unified kernel image file back to the path encoded in the <varname>LoaderBootCountPath</varname> EFI
+        variable. Note that operation will fail if the current kernel is not booted with boot counting
+        enabled (i.e. if the EFI variable is not set). If the boot counter already reached zero tries left on
+        a previous boot this operation will fail too: once an entry is marked <option>bad</option> it can
+        only be reset to <option>good</option> again, but not to <option>indeterminate</option>.</para>
 
         <xi:include href="version-info.xml" xpointer="v240"/></listitem>
       </varlistentry>
diff --git a/src/bless-boot/bless-boot.c b/src/bless-boot/bless-boot.c
index c41a948549b..e0143d97347 100644
--- a/src/bless-boot/bless-boot.c
+++ b/src/bless-boot/bless-boot.c
@@ -372,7 +372,14 @@ static int verb_status(int argc, char *argv[], void *userdata) {
                 }
 
                 if (faccessat(fd, skip_leading_slash(path), F_OK, 0) >= 0) {
-                        puts("indeterminate");
+                        /* If the item we booted with still exists under its name, it means we have not
+                         * change the current boot's marking so far. This may have two reasons: because we
+                         * simply didn't do that yet but still plan to, or because the left tries counter is
+                         * already at zero, hence we cannot further decrease it to mark it even
+                         * "worse"... Here we check the current counter to detect the latter case and return
+                         * "dirty", since the item is already marked bad from a previous boot, but otherwise
+                         * report "indeterminate" since we just didn't make a decision yet. */
+                        puts(left == 0 ? "dirty" : "indeterminate");
                         return 0;
                 }
                 if (errno != ENOENT)
@@ -402,10 +409,10 @@ static int verb_status(int argc, char *argv[], void *userdata) {
 static int verb_set(int argc, char *argv[], void *userdata) {
         _cleanup_free_ char *path = NULL, *prefix = NULL, *suffix = NULL, *good = NULL, *bad = NULL;
         const char *target, *source1, *source2;
-        uint64_t done;
+        uint64_t left, done;
         int r;
 
-        r = acquire_boot_count_path(&path, &prefix, NULL, &done, &suffix);
+        r = acquire_boot_count_path(&path, &prefix, &left, &done, &suffix);
         if (r == -EUNATCH) /* acquire_boot_count_path() won't log on its own for this specific error */
                 return log_error_errno(r, "Not booted with boot counting in effect.");
         if (r < 0)
@@ -434,6 +441,10 @@ static int verb_set(int argc, char *argv[], void *userdata) {
                 source2 = good;     /* Maybe this boot was previously marked as 'good'? */
         } else {
                 assert(streq(argv[0], "indeterminate"));
+
+                if (left == 0)
+                        return log_error_errno(r, "Current boot entry was already marked bad in a previous boot, cannot reset to indeterminate.");
+
                 target = path;
                 source1 = good;
                 source2 = bad;