From e4d9dff1976630a495d2168d77aa5d337fe2b7ff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 30 Jun 2020 15:00:14 -0400
Subject: [PATCH] Make dbxtool.service not run on live images

If an OS is temporarily being booted on a machine, such as may be the
case with a Live Image, it's undesirable to have that OS make permanent
changes to the system's configuration and policy.  In the case of
dbxtool, that kind of security policy change could potentially include
the de-authorization of the installed OS, the developers of which are
expecting to apply such a change during the regular OS updates.  This
results in a *horrible* user experience, and we shouldn't encourage it.

At the same time, many OS installations start with by booting a Live
Image and copying it to become the installed system's root file system,
and in such cases we still want dbxtool to be installed and for the
service to run during the next reboot.  In that case we still need
dbxtool to be installed in the live image, just not to run.

This patch adds a criterion to the systemd service's [unit] declaration
to inhibit running if the kernel command line option "rd.live.image" is
set, which is what Fedora-like systems set on the Live Image command
line.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 src/dbxtool.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/dbxtool.service b/src/dbxtool.service
index 1a2a8296329..ed613278428 100644
--- a/src/dbxtool.service
+++ b/src/dbxtool.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Secure Boot DBX (blacklist) updater
 ConditionPathExists=/sys/firmware/efi/efivars
+ConditionKernelCommandLine=!rd.live.image
 
 [Install]
 WantedBy=multi-user.target
-- 
2.26.2