morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

import-creds: don't import creds from SMBIOS/qemu in confidential VMs

Browse Source
This commit is contained in:
Lennart Poettering
2023-07-07 16:00:09 +02:00
committed by Luca Boccassi
parent 26b682e816
commit 738e807e40
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/core/import-creds.c
View File

@@ -2,6 +2,7 @@
#include <sys/mount.h>
#include "confidential-virt.h"
#include "copy.h"
#include "creds-util.h"
#include "escape.h"
@@ -9,8 +10,8 @@
#include "format-util.h"
#include "fs-util.h"
#include "hexdecoct.h"
#include "initrd-util.h"
#include "import-creds.h"
#include "initrd-util.h"
#include "io-util.h"
#include "mkdir-label.h"
#include "mount-util.h"
@@ -376,6 +377,9 @@ static int import_credentials_qemu(ImportCredentialContext *c) {
if (detect_container() > 0) /* don't access /sys/ in a container */
return 0;
if (detect_confidential_virtualization() > 0) /* don't trust firmware if confidential VMs */
return 0;
source_dir_fd = open(QEMU_FWCFG_PATH, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
if (source_dir_fd < 0) {
if (errno == ENOENT) {
@@ -570,6 +574,9 @@ static int import_credentials_smbios(ImportCredentialContext *c) {
if (detect_container() > 0) /* don't access /sys/ in a container */
return 0;
if (detect_confidential_virtualization() > 0) /* don't trust firmware if confidential VMs */
return 0;
for (unsigned i = 0;; i++) {
struct dmi_field_header {
uint8_t type;