Hello, it seems that in insecure composefs mode with systemd-boot, bootc status fails to match the verity digest.
ComposefsCmdline::new() strips the ? prefix when parsing /proc/cmdline, but BLSConfig::get_verity() returns the raw value with ? intact, causing find_bls_entry to always fail the comparison.
Although I might be wrong in my conclusions, but the error is definitely present )
|
let value = value.to_owned(); |
bootc status
error: Status: Getting composefs deployment status: Getting composefs deployment status: Checking soft reboot capability: Setting soft reboot capability for Type1 entries: Booted BLS entry not found
cat /proc/cmdline
... composefs=?af81b5e18c0ff59aa955b3b0235cd3c15c26c490e9859e9553aa0567128cb7becd0b1ffa9f91942ec499aaf80323fc938f151c62529e5558746aa7e38d6d2433 ...
cat /boot/efi/loader/entries/*.conf
title ALT Atomic Onyx Nightly
...
options ... composefs=?af81b5e18c0ff59aa955b3b0235cd3c15c26c490e9859e9553aa0567128cb7becd0b1ffa9f91942ec499aaf80323fc938f151c62529e5558746aa7e38d6d2433 ...
Hello, it seems that in insecure composefs mode with systemd-boot, bootc status fails to match the verity digest.
ComposefsCmdline::new() strips the ? prefix when parsing /proc/cmdline, but BLSConfig::get_verity() returns the raw value with ? intact, causing find_bls_entry to always fail the comparison.
Although I might be wrong in my conclusions, but the error is definitely present )
bootc/crates/lib/src/bootc_composefs/status.rs
Line 73 in 6ac06b7
bootc/crates/lib/src/parsers/bls_config.rs
Line 198 in 6ac06b7