return 0;
}
-#endif
static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, EVP_PKEY *private_key) {
+ int r;
+
if (!arg_secure_boot_auto_enroll)
return 0;
-#if HAVE_OPENSSL
- int r;
-
_cleanup_free_ uint8_t *dercert = NULL;
int dercertsz;
dercertsz = i2d_X509(certificate, &dercert);
}
return 0;
-#else
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot set up secure boot auto-enrollment.");
-#endif
}
+#endif
static bool same_entry(uint16_t id, sd_id128_t uuid, const char *path) {
_cleanup_free_ char *opath = NULL;
return r == 0;
}
+#if HAVE_OPENSSL
static int load_secure_boot_auto_enroll(
X509 **ret_certificate,
EVP_PKEY **ret_private_key) {
return 0;
}
+#endif
int verb_install(int argc, char *argv[], void *userdata) {
sd_id128_t uuid = SD_ID128_NULL;
/* Support graceful mode only for updates, unless forcibly enabled in chroot environments */
graceful = arg_graceful() == ARG_GRACEFUL_FORCE || (!install && arg_graceful() != ARG_GRACEFUL_NO);
+#if HAVE_OPENSSL
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
_cleanup_(X509_freep) X509 *certificate = NULL;
r = load_secure_boot_auto_enroll(&certificate, &private_key);
if (r < 0)
return r;
+#endif
r = acquire_esp(/* unprivileged_mode= */ false, graceful, &part, &pstart, &psize, &uuid, NULL);
if (graceful && r == -ENOKEY)
if (r < 0)
return r;
+#if HAVE_OPENSSL
r = install_secure_boot_auto_enroll(arg_esp_path, certificate, private_key);
if (r < 0)
return r;
+#endif
}
r = install_loader_specification(arg_dollar_boot_path());
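Review bot: On a build without OpenSSL, both the `load_secure_boot_auto_enroll()` call and the `install_secure_boot_auto_enroll()` call in verb_install() are now compiled out with nothing in their place, so the install would finish without enrolling and without logging anything if `arg_secure_boot_auto_enroll` were ever true at this point. The removed `#else` branch at least returned EOPNOTSUPP. The only remaining rejection is the argument check added further down in this commit, and these hunks do not show whether every path that sets the flag passes through that check. Making the dependency explicit would keep a secure-boot step from being skipped silently, for example by adding `#else` followed by `assert(!arg_secure_boot_auto_enroll);` before the second `#endif`. verb_install() starts and ends outside this hunk.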
if (arg_dry_run && argv[optind] && !STR_IN_SET(argv[optind], "unlink", "cleanup"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--dry-run is only supported with --unlink or --cleanup");
- if (arg_secure_boot_auto_enroll && !arg_certificate)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided");
-
- if (arg_secure_boot_auto_enroll && !arg_private_key)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided");
+ if (arg_secure_boot_auto_enroll) {
+#if HAVE_OPENSSL
+ if (!arg_certificate)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided.");
+
+ if (!arg_private_key)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no private key provided.");
+#else
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Secure boot auto-enrollment requested but OpenSSL support is disabled.");
+#endif
+ }
r = sd_varlink_invocation(SD_VARLINK_ALLOW_ACCEPT);
if (r < 0)