From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id D2C42B38CA for ; Wed, 29 Nov 2023 11:13:39 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id BAE173B03 for ; Wed, 29 Nov 2023 11:13:39 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 29 Nov 2023 11:13:39 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id CA9DD41AF8 for ; Wed, 29 Nov 2023 11:13:38 +0100 (CET) Date: Wed, 29 Nov 2023 11:13:37 +0100 From: Wolfgang Bumiller To: Gabriel Goller Cc: pbs-devel@lists.proxmox.com Message-ID: References: <20231129090746.38798-1-g.goller@proxmox.com> <20231129090746.38798-2-g.goller@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231129090746.38798-2-g.goller@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.097 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pbs-devel] [PATCH v4 proxmox 1/5] sys: add helper to get bootmode and secureboot status X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Nov 2023 10:13:39 -0000 On Wed, Nov 29, 2023 at 10:07:42AM +0100, Gabriel Goller wrote: > Helper that return the current boot_mode and secureboot status. > Detection works the same as in pve, we use `/sys/firmware/efi` and > the `efivars/SecureBoot-xxx..` file. > > Signed-off-by: Gabriel Goller > --- > proxmox-sys/src/boot_mode.rs | 72 ++++++++++++++++++++++++++++++++++++ > proxmox-sys/src/lib.rs | 1 + > 2 files changed, 73 insertions(+) > create mode 100644 proxmox-sys/src/boot_mode.rs > > diff --git a/proxmox-sys/src/boot_mode.rs b/proxmox-sys/src/boot_mode.rs > new file mode 100644 > index 0000000..dc9d4f5 > --- /dev/null > +++ b/proxmox-sys/src/boot_mode.rs > @@ -0,0 +1,72 @@ > +use std::{io::Read, sync::Mutex}; > + > +#[derive(Clone, Copy)] ^ Maybe also + Debug + Eq + PartialEq > +pub enum SecureBoot { > + /// SecureBoot is enabled > + Enabled, > + /// SecureBoot is disabled > + Disabled, > +} > + > +/// The possible BootModes > +#[derive(Clone, Copy)] ^ Maybe also + Debug + Eq + PartialEq > +pub enum BootMode { > + /// The BootMode is EFI/UEFI > + Efi, > + /// The BootMode is Legacy BIOS > + Bios, > +} > + > +impl BootMode { > + /// Returns the current bootmode (BIOS or EFI) > + pub fn query() -> BootMode { > + lazy_static::lazy_static!( > + static ref BOOT_MODE: Mutex> = Mutex::new(None); > + ); lazy_static + Mutex = overkill. Here we can just use std::sync::OnceLock. > + > + let mut last = BOOT_MODE.lock().unwrap(); > + let value = last.or_else(|| { > + if std::path::Path::new("/sys/firmware/efi").exists() { > + Some(BootMode::Efi) > + } else { > + Some(BootMode::Bios) > + } > + }); > + *last = value; > + value.unwrap() > + } > +} > + > +impl SecureBoot { > + /// Checks if secure boot is enabled > + pub fn query() -> SecureBoot { > + lazy_static::lazy_static!( > + static ref SECURE_BOOT: Mutex> = Mutex::new(None); > + ); ^ same > + > + let mut last = SECURE_BOOT.lock().unwrap(); > + let value = last.or_else(|| { > + // Check if SecureBoot is enabled > + // Attention: this file is not seekable! > + // Spec: https://uefi.org/specs/UEFI/2.10/03_Boot_Manager.html?highlight=8be4d#globally-defined-variables > + let efivar = std::fs::File::open( > + "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c", > + ); > + if let Ok(mut file) = efivar { > + let mut buf = [0; 5]; > + let Ok(_) = file.read_exact(&mut buf) else { Btw. we can probably shorten this chain to if File::open( "..." ).and_then(|file| file.read_exact(&mut buf)) .is_ok() && buf[4] == 1 { SecureBoot::Enabled } else { SecureBoot::Disabled } but, since in the API we need to do the same thing as in PVE, we might as well just have a From/Into and shorten this even further... > + return Some(SecureBoot::Disabled); > + }; > + if buf[4] == 1 { > + Some(SecureBoot::Enabled) > + } else { > + Some(SecureBoot::Disabled) > + } > + } else { > + Some(SecureBoot::Disabled) > + } > + }); > + *last = value; > + value.unwrap() > + } > +}