cleanup

Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>

Author: Gareth Widlansky

crates/lib/src/bootc_composefs/boot.rs

@@ -78,7 +78,6 @@ use cap_std_ext::{
 };
 use clap::ValueEnum;
 use composefs::fs::read_file;
-use composefs::generic_tree::{Directory, Inode, LeafContent};
 use composefs::tree::RegularFile;
 use composefs_boot::BootOps;
 use composefs_boot::{
@@ -133,6 +132,8 @@ const SYSTEMD_LOADER_CONF_PATH: &str = "loader/loader.conf";
 const INITRD: &str = "initrd";
 const VMLINUZ: &str = "vmlinuz";
 
+const BOOTC_AUTOENROLL_PATH: &str = "usr/lib/bootc/keys";
+
 /// We want to be able to control the ordering of UKIs so we put them in a directory that's not the
 /// directory specified by the BLS spec. We do this because we want systemd-boot to only look at
 /// our config files and not show the actual UKIs in the bootloader menu
@@ -1143,40 +1144,41 @@ pub(crate) fn setup_composefs_uki_boot(
     Ok(())
 }
 
-pub struct AuthFile {
-    pub filename: Utf8PathBuf,
-    pub file: RegularFile<Sha512HashValue>,
+pub enum AutoEnroll {
+    None,
+    Keys { dir: Dir, keys: Vec<Utf8PathBuf> },
 }
 
-fn get_autoenroll_keys(root: &Directory<RegularFile<Sha512HashValue>>) -> Result<Vec<AuthFile>> {
+fn get_systemd_boot_autoenroll(fs: &Dir, p: &str) -> Result<AutoEnroll> {
     let mut entries = vec![];
-    match root.get_directory("/usr/lib/bootc/keys".as_ref()) {
-        Ok(keys_dir) => {
-            for (filename, inode) in keys_dir.entries() {
-                if !filename.as_bytes().ends_with(b".auth") {
-                    continue;
-                }
 
-                let Inode::Leaf(leaf) = inode else {
-                    bail!("/usr/lib/bootc/keys/{filename:?} is a directory");
-                };
-
-                let LeafContent::Regular(file) = &leaf.content else {
-                    bail!("/usr/lib/bootc/keys/{filename:?} is not a regular file");
-                };
-                let path = match Utf8PathBuf::from_os_string(filename.into()) {
-                    Ok(p) => p,
-                    Err(_) => bail!("couldn't get pathbuf: /usr/lib/bootc/keys/{filename:?}"),
-                };
-                entries.push(AuthFile {
-                    filename: path,
-                    file: file.clone(),
-                });
-            }
+    let keys_dir = fs.open_dir(p)?;
+
+    for entry in keys_dir.entries()? {
+        let file = entry?;
+
+        let name = file.file_name();
+        if !file.file_type()?.is_file() {
+            bail!("/{p}/{name:?} is a not a regular file");
         }
-        Err(other) => Err(other)?,
-    };
-    Ok(entries)
+
+        if !name.as_bytes().ends_with(b".auth") {
+            continue;
+        }
+
+        let path = match Utf8PathBuf::from_os_string(name.clone()) {
+            Ok(p) => p,
+            Err(_) => bail!("couldn't get pathbuf: /{p}/{name:?}"),
+        };
+        entries.push(path);
+    }
+    if entries.len() > 0 {
+        return Ok(AutoEnroll::Keys {
+            dir: keys_dir,
+            keys: entries,
+        });
+    }
+    return Ok(AutoEnroll::None);
 }
 
 #[context("Setting up composefs boot")]
@@ -1197,8 +1199,6 @@ pub(crate) fn setup_composefs_boot(
 
     let postfetch = PostFetchState::new(state, &mounted_fs)?;
 
-    let keys = get_autoenroll_keys(&fs.root)?;
-
     let boot_uuid = root_setup
         .get_boot_uuid()?
         .or(root_setup.rootfs_uuid.as_deref())
@@ -1220,8 +1220,7 @@ pub(crate) fn setup_composefs_boot(
             &root_setup.physical_root_path,
             &state.config_opts,
             None,
-            keys,
-            &repo,
+            get_systemd_boot_autoenroll(&mounted_fs, BOOTC_AUTOENROLL_PATH)?,
         )?;
     }
 

crates/lib/src/bootloader.rs

@@ -7,13 +7,12 @@ use camino::Utf8Path;
 use cap_std_ext::cap_std::ambient_authority;
 use cap_std_ext::cap_std::fs::Dir;
 use cap_std_ext::dirext::CapStdExtDirExt;
-use composefs::fs::read_file;
 use fn_error_context::context;
 
 use bootc_blockdev::{Partition, PartitionTable};
 use bootc_mount as mount;
 
-use crate::bootc_composefs::boot::{mount_esp, AuthFile};
+use crate::bootc_composefs::boot::{mount_esp, AutoEnroll};
 use crate::{discoverable_partition_specification, utils};
 
 /// The name of the mountpoint for efi (as a subdirectory of /boot, or at the toplevel)
@@ -23,6 +22,8 @@ pub(crate) const EFI_DIR: &str = "efi";
 #[allow(dead_code)]
 const BOOTUPD_UPDATES: &str = "usr/lib/bootupd/updates";
 
+const SYSTEMD_AUTOENROLL: &str = "loader/keys/auto";
+
 #[allow(dead_code)]
 pub(crate) fn esp_in(device: &PartitionTable) -> Result<&Partition> {
     device
@@ -78,8 +79,9 @@ pub(crate) fn install_systemd_boot(
     _rootfs: &Utf8Path,
     _configopts: &crate::install::InstallConfigOpts,
     _deployment_path: Option<&str>,
-    autoenroll: Vec<AuthFile>,
-    repo: &crate::store::ComposefsRepository,
+    // autoenroll: Vec<Utf8PathBuf>,
+    // bootc_keys_dir: Option<Dir>,
+    autoenroll: AutoEnroll,
 ) -> Result<()> {
     let esp_part = device
         .find_partition_of_type(discoverable_partition_specification::ESP)
@@ -95,25 +97,23 @@ pub(crate) fn install_systemd_boot(
         .log_debug()
         .run_inherited_with_cmd_context()?;
 
-    if autoenroll.len() < 1 {
-        return Ok(());
-    }
-
-    println!("Autoenrolling keys");
-    let path = esp_path.join("loader/keys/auto");
-    create_dir_all(&path)?;
-
-    let keys_dir = Dir::open_ambient_dir(&path, ambient_authority())
-        .with_context(|| format!("Opening {path}"))?;
-    for a in autoenroll.iter() {
-        let p = path.join(a.filename.clone());
-        keys_dir
-            .atomic_write(
-                &a.filename,
-                read_file(&a.file, &repo).context("reading file")?,
-            )
-            .with_context(|| format!("Writing secure boot key: {p}"))?;
-        println!("Wrote secure boot key: {p}");
+    match autoenroll {
+        AutoEnroll::None => return Ok(()),
+        AutoEnroll::Keys { dir, keys } => {
+            println!("Autoenrolling keys");
+            let path = esp_path.join(SYSTEMD_AUTOENROLL);
+            create_dir_all(&path)?;
+
+            let keys_dir = Dir::open_ambient_dir(&path, ambient_authority())
+                .with_context(|| format!("Opening {path}"))?;
+            for filename in keys.iter() {
+                let p = path.join(filename.clone());
+                keys_dir
+                    .atomic_write(&filename, dir.read(&filename)?)
+                    .with_context(|| format!("Writing secure boot key: {p}"))?;
+                println!("Wrote secure boot key: {p}");
+            }
+        }
     }
     Ok(())
 }