From: Emanuele Giuseppe Esposito
Date: Thu, 10 Aug 2023 13:21:41 +0000 (-0400)
Subject: systemd-stub: ignore EFI shell unauthenticated kernel command line if we are in confi...
X-Git-Tag: v255-rc1~703
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fab0eeb72bb5e1fdf3304cc6e01ebf5d7677c124;p=thirdparty%2Fsystemd.git

systemd-stub: ignore EFI shell unauthenticated kernel command line if we are in confidential vms
---
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 8fac41258e9..183106b91fe 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -147,8 +147,9 @@ static bool use_load_options(
 assert(ret);
 /* We only allow custom command lines if we aren't in secure boot or if no cmdline was baked into
- * the stub image. */
- if (secure_boot_enabled() && have_cmdline)
+ * the stub image.
+ * We also don't allow it if we are in confidential vms and secureboot is on. */
+ if (secure_boot_enabled() && (have_cmdline || is_confidential_vm()))
 return false;
 /* We also do a superficial check whether first character of passed command line
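Review bot: The new condition in use_load_options() still accepts the load-options command line inside a confidential VM whenever Secure Boot is off, while the commit subject reads as an unconditional ignore; the added comment states the Secure Boot coupling but gives no reason for it. I would put the trust reasoning in the comment, for example `* In a confidential VM the load options are supplied by the (untrusted) host, so with Secure Boot on we ignore them even if no cmdline is baked in; with Secure Boot off nothing is authenticated anyway.`, so a later reader does not "simplify" the expression and silently change the policy. is_confidential_vm() is defined outside this hunk; if its detection can return false on a platform that is in fact confidential, this check fails open, which deserves a sentence in that helper's documentation. The body of use_load_options() starts and ends outside the hunk, so whether the ignored command line is logged cannot be judged from here.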