base: initramfs: check for secure boot #1527

Open
wants to merge 1 commit into
base: main

Conversation

ldts
Contributor

@ldts ldts commented Oct 29, 2024

Using efivar --print-decimal returns an integer.

Using efivar --print-decimal returns an integer.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
@ldts
Contributor Author

ldts commented Oct 30, 2024

@ricardosalveti please could we merge this. I have noticed errors on qemu with the previous validation code. thx.

@ldts ldts requested a review from a team October 30, 2024 07:20
@@ -7,7 +7,7 @@ cryptfs_check_tpm2() {
# Check for SecureBoot support as PCR 7 differs based on its state
efi_secure=`efivar --name=8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot --print-decimal`
efi_mode=`efivar --name=8be4df61-93ca-11d2-aa0d-00e098032b8c-SetupMode --print-decimal`
if [ "${efi_secure}" != "1" ] || [ "${efi_mode}" != "0" ]; then
if [ "${efi_secure}" -ne 1 ] || [ "${efi_mode}" -ne 0 ]; then
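Review bot: on the changed `if` line, `-ne` makes the check fail open when efivar prints nothing or a non-integer (for example when the variable cannot be read). `[ "" -ne 1 ]` exits with an error status, which `if` treats as false, so both tests are false and the `then` branch is skipped, whereas the old `!=` comparison rejected an empty value. Suggest checking that `efi_secure` and `efi_mode` are non-empty digit strings before the numeric comparison (or trimming the output and keeping the string comparison) and treating anything else as not enabled. The commit message should also state what was wrong with the previous comparison, since "returns an integer" does not describe the failure being fixed.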
Contributor

I think you should drop quotation marks for the first operand, same in meta-lmp-base/recipes-core/initrdscripts/initramfs-module-install-efi/init-install-efi.sh

Contributor Author

It doesn't really matter in this particular case - all bash variables are strings anyway. It is safer and good practice to keep the quotes in case there are spaces and so on...

@ricardosalveti
Member

> @ricardosalveti please could we merge this. I have noticed errors on qemu with the previous validation code. thx.

Which errors? Looks like this won't change the actual functionality of the code.

@ricardosalveti ricardosalveti requested a review from a team October 30, 2024 22:56
@ldts
Contributor Author

ldts commented Oct 31, 2024

I added some traces for you so you can see how bash works. Notice the delimiters around the variable:

if [ "${efi_secure}" != "1" ] || [ "${efi_mode}" != "0" ]; then
        echo "UEFI SecureBoot not enabled (required due PCR 7) ==>  ${efi_secure} ${efi_mode}"
        echo "efi_secure=[$efi_secure]"
        echo "efi_mode=[$efi_mode]"
        exit 1
fi

This generates the following error on output even though secure boot was enabled (secure = 1, mode = 0):

UEFI SecureBoot not enabled (required due PCR 7) ==>  1  0 
efi_secure=[1 ]
efi_mode=[0 ]

Basically the trailing space makes the difference.

The sooner we merge, the better :)

@igoropaniuk
Contributor

@ldts

just cross-checked on my laptop, you're right, --print-decimal actually prints a value with an additional trailing space:

# testvar=`efivar --name=8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot --print-decimal` && echo "%$testvar%"
%0 %

imo, why not trim it with xargs, for example (so it looks much more obvious what kind of an issue the commit addresses + add that information in the commit message):

# testvar=`efivar --name=8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot --print-decimal | xargs` && echo "%$testvar%"
%0%
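
An added example (not code from this pull request or the project) comparing the two tests from the diff with a variant that trims and validates the value first. The function names are hypothetical, efivar is not invoked, and the inputs are constructed to mimic the trailing space shown above plus an empty value standing in for a failed read.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, inputs are constructed.
# "1 " and "0 " mimic the trailing space efivar --print-decimal emits.

# trim_ws VALUE: strip surrounding whitespace. Runs in a subshell, so
# set -f (no globbing during word splitting) does not leak to the caller.
trim_ws() (
    set -f
    set -- $1
    printf '%s' "$*"
)

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# secure_boot_enforced RAW_SECUREBOOT RAW_SETUPMODE
# Succeeds only for SecureBoot=1 and SetupMode=0; empty or unparsable
# input fails closed instead of reaching a numeric test.
secure_boot_enforced() {
    sb=$(trim_ws "$1")
    sm=$(trim_ws "$2")
    is_uint "$sb" && is_uint "$sm" || return 1
    [ "$sb" -eq 1 ] && [ "$sm" -eq 0 ]
}

# The two comparisons from the diff, returning success when they would
# take the "not enabled" branch.
string_check_rejects()  { [ "$1" != "1" ] || [ "$2" != "0" ]; }
integer_check_rejects() {
    { [ "$1" -ne 1 ] || [ "$2" -ne 0 ]; } 2>/dev/null
}

# Demo: enabled with trailing space, disabled, and empty (read failed).
for pair in "1 :0 " "0 :0 " ":"; do
    s=${pair%%:*}; m=${pair#*:}
    string_check_rejects "$s" "$m"  && a=reject || a=accept
    integer_check_rejects "$s" "$m" && b=reject || b=accept
    secure_boot_enforced "$s" "$m"  && c=accept || c=reject
    printf '[%s][%s] string=%s integer=%s validated=%s\n' "$s" "$m" "$a" "$b" "$c"
done
```

The empty-input row is the one to watch: the `-ne` form accepts there because `[` exits with an error status that the condition treats as false.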

@ldts
Contributor Author

ldts commented Nov 1, 2024

> @ldts
>
> imo, why not trim it with xargs, for example (so it looks much more obvious what kind of an issue the commit addresses + add that information in the commit message):
>
> # testvar=`efivar --name=8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot --print-decimal | xargs` && echo "%$testvar%"
> %0%

Using standard solutions to standard problems is usually the better thing.

Contributor

@MrCry0 MrCry0 left a comment

It seems to be a fix for another commit. Could you please add a "Fixed:" field?

4 participants