author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-11-06 18:08:26 +0100 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-11-07 20:30:47 +0100 |
commit | a1d46e3078a67b128a2eb93da7ae51d253b326f7 (patch) | |
tree | 7b1a4994fae1b5367e84e3766f27cd4b034c0a3d /src/bootctl | |
parent | openssl-util: Set expected object type to private keys (diff) | |
tree-wide: Introduce --certificate-source= option
This allows loading the X.509 certificate from an OpenSSL provider
instead of a file system path. This allows loading certificates directly
from hardware tokens instead of having to export them to a file on
disk first.
Diffstat (limited to 'src/bootctl')
-rw-r--r-- | src/bootctl/bootctl-install.c | 12 | ||||
-rw-r--r-- | src/bootctl/bootctl.c | 30 | ||||
-rw-r--r-- | src/bootctl/bootctl.h | 2 |
3 files changed, 37 insertions, 7 deletions
diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c
index ebbdab0ce8..26ee2865b2 100644
--- a/src/bootctl/bootctl-install.c
+++ b/src/bootctl/bootctl-install.c
@@ -956,7 +956,17 @@ int verb_install(int argc, char *argv[], void *userdata) {
 graceful = !install && arg_graceful; /* support graceful mode for updates */
 if (arg_secure_boot_auto_enroll) {
- r = openssl_load_x509_certificate(arg_certificate, &certificate);
+ if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
+ r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
+ if (r < 0)
+ return r;
+ }
+
+ r = openssl_load_x509_certificate(
+ arg_certificate_source_type,
+ arg_certificate_source,
+ arg_certificate,
+ &certificate);
 if (r < 0)
 return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
diff --git a/src/bootctl/bootctl.c b/src/bootctl/bootctl.c
index 23a3d2f922..98721347f4 100644
--- a/src/bootctl/bootctl.c
+++ b/src/bootctl/bootctl.c
@@ -64,6 +64,8 @@ ImagePolicy *arg_image_policy = NULL;
 bool arg_varlink = false;
 bool arg_secure_boot_auto_enroll = false;
 char *arg_certificate = NULL;
+CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
+char *arg_certificate_source = NULL;
 char *arg_private_key = NULL;
 KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
 char *arg_private_key_source = NULL;
@@ -77,6 +79,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_efi_boot_option_description, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
 STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
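Review bot: In verb_install() the new `parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate)` call passes the same global as both the input string and the output slot, so it is only safe if the helper has finished reading `path` before it frees and replaces `*arg`; the helper's body is not part of this diff. Because this string selects the certificate used for Secure Boot auto-enrollment, I would make that dependency explicit with a comment above the call, such as `/* In-place normalization: relies on parse_path_argument() building the new string before freeing *arg */`, or normalize into a local `_cleanup_free_ char *` and swap it in afterwards. verb_install() starts and ends outside this hunk.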
@@ -295,9 +298,14 @@ static int help(int argc, char *argv[], void *userdata) {
 " Specify how to use KEY for --private-key=. Allows\n"
 " an OpenSSL engine/provider to be used when setting\n"
 " up secure boot auto-enrollment\n"
- " --certificate=PATH\n"
- " PEM certificate to use when setting up secure boot\n"
- " auto-enrollment\n"
+ " --certificate=PATH|URI\n"
+ " PEM certificate to use when setting up Secure Boot\n"
+ " auto-enrollment, or a provider specific designation\n"
+ " if --certificate-source= is used\n"
+ " --certificate-source=file|provider:PROVIDER\n"
+ " Specify how to interpret the certificate from\n"
+ " --certificate=. Allows the certificate to be loaded\n"
+ " from an OpenSSL provider\n"
 "\nSee the %2$s for details.\n",
 program_invocation_short_name,
 link,
@@ -332,6 +340,7 @@ static int parse_argv(int argc, char *argv[]) {
 ARG_PRINT_STUB_PATH,
 ARG_SECURE_BOOT_AUTO_ENROLL,
 ARG_CERTIFICATE,
+ ARG_CERTIFICATE_SOURCE,
 ARG_PRIVATE_KEY,
 ARG_PRIVATE_KEY_SOURCE,
 };
@@ -366,6 +375,7 @@ static int parse_argv(int argc, char *argv[]) {
 { "dry-run", no_argument, NULL, ARG_DRY_RUN },
 { "secure-boot-auto-enroll", required_argument, NULL, ARG_SECURE_BOOT_AUTO_ENROLL },
 { "certificate", required_argument, NULL, ARG_CERTIFICATE },
+ { "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
 { "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
 { "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
 {}
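Review bot: The new help entry for `--certificate-source=` in help() does not say which interpretation applies when the option is omitted. The default set in this commit is `OPENSSL_CERTIFICATE_SOURCE_FILE`, so a provider designation passed to `--certificate=` on its own would presumably be treated as a file system path and fail with a path-related error. I would state the default in the help string, for example by ending the entry with `"from an OpenSSL provider (default: file)\n"`. help() continues outside this hunk.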
@@ -526,12 +536,20 @@ static int parse_argv(int argc, char *argv[]) {
 return r;
 break;
- case ARG_CERTIFICATE: {
- r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_certificate);
+ case ARG_CERTIFICATE:
+ r = free_and_strdup_warn(&arg_certificate, optarg);
+ if (r < 0)
+ return r;
+ break;
+
+ case ARG_CERTIFICATE_SOURCE:
+ r = parse_openssl_certificate_source_argument(
+ optarg,
+ &arg_certificate_source,
+ &arg_certificate_source_type);
 if (r < 0)
 return r;
 break;
- }
 case ARG_PRIVATE_KEY: {
 r = free_and_strdup_warn(&arg_private_key, optarg);
diff --git a/src/bootctl/bootctl.h b/src/bootctl/bootctl.h
index 8a67f5d8f8..6d0dfec47f 100644
--- a/src/bootctl/bootctl.h
+++ b/src/bootctl/bootctl.h
@@ -41,6 +41,8 @@ extern ImagePolicy *arg_image_policy;
 extern bool arg_varlink;
 extern bool arg_secure_boot_auto_enroll;
 extern char *arg_certificate;
+extern CertificateSourceType arg_certificate_source_type;
+extern char *arg_certificate_source;
 extern char *arg_private_key;
 extern KeySourceType arg_private_key_source_type;
 extern char *arg_private_key_source; |
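Review bot: `case ARG_CERTIFICATE:` in parse_argv() now stores the option value verbatim, and nothing at that spot explains why the path normalization that used to happen here is gone. A short comment would keep a later cleanup from reintroducing it: `/* Stored as given: whether this is a path or a provider designation depends on --certificate-source=, which may appear later on the command line; paths are normalized in verb_install() */`. Any other reader of `arg_certificate` would need the same source-type check before treating the value as a path; this diffstat is limited to src/bootctl, so that cannot be confirmed from here. parse_argv() starts and ends outside this hunk.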