shared/efi-loader: fix compilation with !ENABLE_EFI, improve messages

When compiled without ENABLE_EFI, efi_stub_measured() was not defined, so
compilation would fail. But it's not enough to add a stub that returns
-EOPNOTSUPP. We call this function in various places and usually print the error
at warning or error level, so we'd print a confusing message. We also can't add
a stub that always returns 0, because then we'd print a message like "Kernel
stub did not measure", which would be confusing too. Adding special handling for
-EOPNOTSUPP in every caller is also unattractive. So instead efi_stub_measured()
is reworked to log the warning or error internally, and such logging is removed
from the callers, and a stub is added that logs a custom message.

diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c
index 003e0b8ad8d9dcffb9b6de66726ba421d32657bf..2add7f1f894bf7797f7541833f2f1f663f11b98c 100644 (file)
--- a/src/boot/pcrphase.c
+++ b/src/boot/pcrphase.c
@@ -334,9 +334,9 @@ static int run(int argc, char *argv[]) {
         length = strlen(word);
 
         /* Skip logic if sd-stub is not used, after all PCR 11 might have a very different purpose then. */
-        r = efi_stub_measured();
+        r = efi_stub_measured(LOG_ERR);
         if (r < 0)
-                return log_error_errno(r, "Failed to detect if we are running on a kernel image with TPM measurement enabled: %m");
+                return r;
         if (r == 0) {
                 log_info("Kernel stub did not measure kernel image into PCR %u, skipping userspace measurement, too.", TPM_PCR_INDEX_KERNEL_IMAGE);
                 return EXIT_SUCCESS;

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 38ee7f8935300294bbcd1a23454dc3c4deb5863f..819d5bbb978217c0e6d4cd6e89f0c83f3068f26f 100644 (file)
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -828,9 +828,9 @@ static int measure_volume_key(
                 return 0;
         }
 
-        r = efi_stub_measured();
+        r = efi_stub_measured(LOG_WARNING);
         if (r < 0)
-                return log_warning_errno(r, "Failed to detect if we are running on a kernel image with TPM measurement enabled: %m");
+                return r;
         if (r == 0) {
                 log_debug("Kernel stub did not measure kernel image into the expected PCR, skipping userspace measurement, too.");
                 return 0;

diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
index ed34e0a32fc5ea4294e8a868f2f794adaaaa72a2..efc553b698923e1a526632a4a9daf26aae1193c3 100644 (file)
--- a/src/fstab-generator/fstab-generator.c
+++ b/src/fstab-generator/fstab-generator.c
@@ -530,12 +530,10 @@ static int add_mount(
         }
 
         if (flags & MOUNT_PCRFS) {
-                r = efi_stub_measured();
-                if (r < 0)
-                        log_warning_errno(r, "Failed to detect if we are running on a kernel image with TPM measurement enabled, assuming not: %m");
-                else if (r == 0)
+                r = efi_stub_measured(LOG_WARNING);
+                if (r == 0)
                         log_debug("Kernel stub did not measure kernel image into PCR, skipping userspace measurement, too.");
-                else {
+                else if (r > 0) {
                         r = generator_hook_up_pcrfs(dest, where, target_unit);
                         if (r < 0)
                                 return r;

diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index dcf95a3ee1e27edfcda35ad1239792204f8bdca6..21b9284f8a729d18386091784435681f711ac022 100644 (file)
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -102,13 +102,13 @@ static int add_cryptsetup(
                  * assignment, under the assumption that people who are fine to use sd-stub with its PCR
                  * assignments are also OK with our PCR 15 use here. */
 
-                r = efi_stub_measured();
-                if (r < 0)
-                        log_warning_errno(r, "Failed to determine whether booted via systemd-stub with measurements enabled, ignoring: %m");
-                else if (r == 0)
+                r = efi_stub_measured(LOG_WARNING);
+                if (r == 0)
                         log_debug("Will not measure volume key of volume '%s', because not booted via systemd-stub with measurements enabled.", id);
-                else if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes"))
-                        return log_oom();
+                else if (r > 0) {
+                        if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes"))
+                                return log_oom();
+                }
         }
 
         r = generator_write_cryptsetup_service_section(f, id, what, NULL, options);

diff --git a/src/shared/efi-loader.c b/src/shared/efi-loader.c
index 621fa082baae29defe8dfd5b16d406f558fb6492..f77f8351cf95dff4f1f5307ce3a7f5b7eee45ca1 100644 (file)
--- a/src/shared/efi-loader.c
+++ b/src/shared/efi-loader.c
@@ -238,7 +238,7 @@ int efi_stub_get_features(uint64_t *ret) {
         return 0;
 }
 
-int efi_stub_measured(void) {
+int efi_stub_measured(int log_level) {
         _cleanup_free_ char *pcr_string = NULL;
         unsigned pcr_nr;
         int r;
@@ -264,13 +264,17 @@ int efi_stub_measured(void) {
         if (r == -ENOENT)
                 return 0;
         if (r < 0)
-                return r;
+                return log_full_errno(log_level, r,
+                                      "Failed to get StubPcrKernelImage EFI variable: %m");
 
         r = safe_atou(pcr_string, &pcr_nr);
         if (r < 0)
-                return log_debug_errno(r, "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
+                return log_full_errno(log_level, r,
+                                      "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
         if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE)
-                return log_debug_errno(SYNTHETIC_ERRNO(EREMOTE), "Kernel stub measured kernel image into PCR %u, which is different than expected %u.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
+                return log_full_errno(log_level, SYNTHETIC_ERRNO(EREMOTE),
+                                      "Kernel stub measured kernel image into PCR %u, which is different than expected %u.",
+                                      pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
 
         return 1;
 }

diff --git a/src/shared/efi-loader.h b/src/shared/efi-loader.h
index 56ccdee9c1e14c500552c70ed4e3a11d649a4c97..834362292a88a18a5ffe3545b9fbfe1448b54431 100644 (file)
--- a/src/shared/efi-loader.h
+++ b/src/shared/efi-loader.h
@@ -18,7 +18,7 @@ int efi_loader_get_entries(char ***ret);
 int efi_loader_get_features(uint64_t *ret);
 int efi_stub_get_features(uint64_t *ret);
 
-int efi_stub_measured(void);
+int efi_stub_measured(int log_level);
 
 int efi_loader_get_config_timeout_one_shot(usec_t *ret);
 int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat);
@@ -45,6 +45,11 @@ static inline int efi_stub_get_features(uint64_t *ret) {
         return -EOPNOTSUPP;
 }
 
+static inline int efi_stub_measured(int log_level) {
+        return log_full_errno(log_level, SYNTHETIC_ERRNO(EOPNOTSUPP),
+                              "Compiled without support for EFI");
+}
+
 static inline int efi_loader_get_config_timeout_one_shot(usec_t *ret) {
         return -EOPNOTSUPP;
 }