efi: allow ESP validity checks to be turned off
let's add an env var for this, as this really shouldn't be a top-level feature, as it turning off the validity checks certainly isn't advisable. Fixes: #4925
This commit is contained in:
parent
4eb5636b6c
commit
8cbb7d8783
|
@ -112,6 +112,13 @@ systemd-timedated:
|
||||||
first existing unit listed in the environment variable, and
|
first existing unit listed in the environment variable, and
|
||||||
`timedatectl set-ntp off` disables and stops all listed units.
|
`timedatectl set-ntp off` disables and stops all listed units.
|
||||||
|
|
||||||
|
bootctl and other tools that access the EFI System Partition (ESP):
|
||||||
|
|
||||||
|
* `$SYSTEMD_RELAX_ESP_CHECKS=1` — if set, the ESP validation checks are
|
||||||
|
relaxed. Specifically, validation checks that ensure the specified ESP path
|
||||||
|
is a FAT file system are turned off, as are checks that the path is located
|
||||||
|
on a GPT partition with the correct type UUID.
|
||||||
|
|
||||||
systemd itself:
|
systemd itself:
|
||||||
|
|
||||||
* `$SYSTEMD_ACTIVATION_UNIT` — set for all NSS and PAM module invocations that
|
* `$SYSTEMD_ACTIVATION_UNIT` — set for all NSS and PAM module invocations that
|
||||||
|
|
|
@ -126,6 +126,13 @@
|
||||||
<para>On success, 0 is returned, a non-zero failure code otherwise.</para>
|
<para>On success, 0 is returned, a non-zero failure code otherwise.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Environment</title>
|
||||||
|
<para>If <varname>$SYSTEMD_RELAX_ESP_CHECKS=1</varname> is set the validation checks for the ESP are relaxed, and
|
||||||
|
the path specified with <option>--path=</option> may refer to any kind of file system on any kind of
|
||||||
|
partition.</para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>See Also</title>
|
<title>See Also</title>
|
||||||
<para>
|
<para>
|
||||||
|
|
|
@ -12,6 +12,7 @@
|
||||||
#include "def.h"
|
#include "def.h"
|
||||||
#include "device-nodes.h"
|
#include "device-nodes.h"
|
||||||
#include "efivars.h"
|
#include "efivars.h"
|
||||||
|
#include "env-util.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
#include "fileio.h"
|
#include "fileio.h"
|
||||||
#include "parse-util.h"
|
#include "parse-util.h"
|
||||||
|
@ -412,13 +413,17 @@ static int verify_esp(
|
||||||
struct statfs sfs;
|
struct statfs sfs;
|
||||||
sd_id128_t uuid = SD_ID128_NULL;
|
sd_id128_t uuid = SD_ID128_NULL;
|
||||||
uint32_t part = 0;
|
uint32_t part = 0;
|
||||||
|
bool relax_checks;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(p);
|
assert(p);
|
||||||
|
|
||||||
|
relax_checks = getenv_bool("SYSTEMD_RELAX_ESP_CHECKS") > 0;
|
||||||
|
|
||||||
/* Non-root user can only check the status, so if an error occured in the following, it does not cause any
|
/* Non-root user can only check the status, so if an error occured in the following, it does not cause any
|
||||||
* issues. Let's also, silence the error messages. */
|
* issues. Let's also, silence the error messages. */
|
||||||
|
|
||||||
|
if (!relax_checks) {
|
||||||
if (statfs(p, &sfs) < 0) {
|
if (statfs(p, &sfs) < 0) {
|
||||||
/* If we are searching for the mount point, don't generate a log message if we can't find the path */
|
/* If we are searching for the mount point, don't generate a log message if we can't find the path */
|
||||||
if (errno == ENOENT && searching)
|
if (errno == ENOENT && searching)
|
||||||
|
@ -435,6 +440,7 @@ static int verify_esp(
|
||||||
log_error("File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
|
log_error("File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
|
||||||
return -ENODEV;
|
return -ENODEV;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (stat(p, &st) < 0)
|
if (stat(p, &st) < 0)
|
||||||
return log_full_errno(unprivileged_mode && errno == EACCES ? LOG_DEBUG : LOG_ERR, errno,
|
return log_full_errno(unprivileged_mode && errno == EACCES ? LOG_DEBUG : LOG_ERR, errno,
|
||||||
|
@ -458,7 +464,7 @@ static int verify_esp(
|
||||||
|
|
||||||
/* In a container we don't have access to block devices, skip this part of the verification, we trust the
|
/* In a container we don't have access to block devices, skip this part of the verification, we trust the
|
||||||
* container manager set everything up correctly on its own. Also skip the following verification for non-root user. */
|
* container manager set everything up correctly on its own. Also skip the following verification for non-root user. */
|
||||||
if (detect_container() > 0 || unprivileged_mode)
|
if (detect_container() > 0 || unprivileged_mode || relax_checks)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
||||||
#if HAVE_BLKID
|
#if HAVE_BLKID
|
||||||
|
|
Loading…
Reference in a new issue