X-Git-Url: https://git.ozlabs.org/?a=blobdiff_plain;f=discover%2Fboot.c;h=dc6da7d5254d9a3b420cd01ed698f2a0af1053ee;hb=d0c069b5acfacd853873bb6623ede94d4d1fe10e;hp=c4ddfef591ebf5c76bf483ac0d5fa2fd13c9dc15;hpb=86c9d34380b0074dab1ba89a569a94280d6999c4;p=petitboot

diff --git a/discover/boot.c b/discover/boot.c
index c4ddfef..dc6da7d 100644
--- a/discover/boot.c
+++ b/discover/boot.c
@@ -51,9 +51,14 @@ static int kexec_load(struct boot_task *boot_task)
 	boot_task->local_image_override = NULL;
 
 	if ((result = gpg_validate_boot_files(boot_task))) {
-		if (result == KEXEC_LOAD_SIGNATURE_FAILURE) {
+		if (result == KEXEC_LOAD_DECRYPTION_FALURE) {
 			pb_log("%s: Aborting kexec due to"
-				" signature verification failure\n", __func__);
+				" decryption failure\n", __func__);
+			goto abort_kexec;
+		}
+		if (result == KEXEC_LOAD_SIGNATURE_FAILURE) {
+			pb_log("%s: Aborting kexec due to signature"
+				" verification failure\n", __func__);
 			goto abort_kexec;
 		}
 	}
@@ -215,7 +220,7 @@ static void boot_hook_setenv(struct boot_task *task)
 	unsetenv("boot_initrd");
 	unsetenv("boot_dtb");
 	unsetenv("boot_args");
-	unsetenv("boot_tty");
+	unsetenv("boot_console");
 
 	setenv("boot_image", task->local_image, 1);
 	if (task->local_initrd)
@@ -224,8 +229,8 @@ static void boot_hook_setenv(struct boot_task *task)
 		setenv("boot_dtb", task->local_dtb, 1);
 	if (task->args)
 		setenv("boot_args", task->args, 1);
-	if (task->boot_tty)
-		setenv("boot_tty", task->boot_tty, 1);
+	if (task->boot_console)
+		setenv("boot_console", task->boot_console, 1);
 }
 
 static int hook_filter(const struct dirent *dirent)
@@ -391,7 +396,13 @@ static void boot_process(struct load_url_result *result, void *data)
 				load_pending(task->dtb_signature) ||
 				load_pending(task->cmdline_signature))
 			return;
+	}
+	if (task->decrypt_files) {
+		if (load_pending(task->cmdline_signature))
+			return;
+	}
 
+	if (task->verify_signature) {
 		if (check_load(task, "kernel image signature",
 					task->image_signature) ||
 				check_load(task, "initrd signature",
@@ -402,6 +413,14 @@ static void boot_process(struct load_url_result *result, void *data)
 					task->cmdline_signature))
 			goto no_sig_load;
 	}
+	if (task->decrypt_files) {
+		if (load_pending(task->cmdline_signature))
+			return;
+
+		if (check_load(task, "command line signature",
+					task->cmdline_signature))
+			goto no_decrypt_sig_load;
+	}
 
 	/* we make a copy of the local paths, as the boot hooks might update
 	 * and/or create these */
@@ -416,6 +435,8 @@ static void boot_process(struct load_url_result *result, void *data)
 			task->initrd_signature->local : NULL;
 		task->local_dtb_signature = task->dtb_signature ?
 			task->dtb_signature->local : NULL;
+	}
+	if (task->verify_signature || task->decrypt_files) {
 		task->local_cmdline_signature = task->cmdline_signature ?
 			task->cmdline_signature->local : NULL;
 	}
@@ -426,7 +447,11 @@ static void boot_process(struct load_url_result *result, void *data)
 			_("performing kexec_load"));
 
 	rc = kexec_load(task);
-	if (rc == KEXEC_LOAD_SIGNATURE_FAILURE) {
+	if (rc == KEXEC_LOAD_DECRYPTION_FALURE) {
+		update_status(task->status_fn, task->status_arg,
+				BOOT_STATUS_ERROR, _("decryption failed"));
+	}
+	else if (rc == KEXEC_LOAD_SIGNATURE_FAILURE) {
 		update_status(task->status_fn, task->status_arg,
 				BOOT_STATUS_ERROR,
 				_("signature verification failed"));
@@ -446,6 +471,8 @@ no_sig_load:
 	cleanup_load(task->image_signature);
 	cleanup_load(task->initrd_signature);
 	cleanup_load(task->dtb_signature);
+
+no_decrypt_sig_load:
 	cleanup_load(task->cmdline_signature);
 
 no_load:
@@ -490,10 +517,11 @@ struct boot_task *boot(void *ctx, struct discover_boot_option *opt,
 	struct pb_url *image = NULL, *initrd = NULL, *dtb = NULL;
 	struct pb_url *image_sig = NULL, *initrd_sig = NULL, *dtb_sig = NULL,
 		*cmdline_sig = NULL;
-	const struct config *config;
+	const struct config *config = config_get();
 	struct boot_task *boot_task;
 	const char *boot_desc;
 	int rc;
+	int lockdown_type;
 
 	if (opt && opt->option->name)
 		boot_desc = opt->option->name;
@@ -533,7 +561,9 @@ struct boot_task *boot(void *ctx, struct discover_boot_option *opt,
 	boot_task->status_fn = status_fn;
 	boot_task->status_arg = status_arg;
 
-	boot_task->verify_signature = (lockdown_status() == PB_LOCKDOWN_SIGN);
+	lockdown_type = lockdown_status();
+	boot_task->verify_signature = (lockdown_type == PB_LOCKDOWN_SIGN);
+	boot_task->decrypt_files = (lockdown_type == PB_LOCKDOWN_DECRYPT);
 
 	if (cmd && cmd->boot_args) {
 		boot_task->args = talloc_strdup(boot_task, cmd->boot_args);
@@ -544,14 +574,12 @@ struct boot_task *boot(void *ctx, struct discover_boot_option *opt,
 		boot_task->args = NULL;
 	}
 
-	if (cmd && cmd->tty)
-		boot_task->boot_tty = talloc_strdup(boot_task, cmd->tty);
-	else {
-		config = config_get();
-		boot_task->boot_tty = config ? config->boot_tty : NULL;
-	}
+	if (cmd && cmd->console && !config->manual_console)
+		boot_task->boot_console = talloc_strdup(boot_task, cmd->console);
+	else
+		boot_task->boot_console = config ? config->boot_console : NULL;
 
-	if (boot_task->verify_signature) {
+	if (boot_task->verify_signature || boot_task->decrypt_files) {
 		if (cmd && cmd->args_sig_file) {
 			cmdline_sig = pb_url_parse(opt, cmd->args_sig_file);
 		} else if (opt && opt->args_sig_file) {
@@ -590,7 +618,9 @@ struct boot_task *boot(void *ctx, struct discover_boot_option *opt,
 			rc |= start_url_load(boot_task, "dtb signature",
 				dtb_sig, &boot_task->dtb_signature);
 		}
+	}
 
+	if (boot_task->verify_signature || boot_task->decrypt_files) {
 		rc |= start_url_load(boot_task,
 			"kernel command line signature", cmdline_sig,
 			&boot_task->cmdline_signature);