fix: do not emit a temporary initrd location if it's not needed

RaitoBezarius · RaitoBezarius · commit 1020a0456c50 · 2024-01-25T03:15:25.000+01:00
We fabricated a lot of initrds which were exactly the same as the one in
our store when we had no initrd secrets. This ends this practice.
diff --git a/rust/tool/systemd/src/install.rs b/rust/tool/systemd/src/install.rs
@@ -210,17 +210,27 @@ impl<S: LanzabooteSigner> Installer<S> {
             .context("Failed to install the kernel.")?;
 
         // Assemble and install the initrd, and record its path on the ESP.
-        let initrd_location = tempdir
-            .write_secure_file(
-                fs::read(
-                    bootspec
-                        .initrd
-                        .as_ref()
-                        .context("Lanzaboote does not support missing initrd yet.")?,
+        // It is not needed to write the initrd in a temporary directory
+        // if we do not have any initrd secret.
+        let initrd_location = if bootspec.initrd_secrets.is_some() {
+            tempdir
+                .write_secure_file(
+                    fs::read(
+                        bootspec
+                            .initrd
+                            .as_ref()
+                            .context("Lanzaboote does not support missing initrd yet.")?,
+                    )
+                    .context("Failed to read the initrd.")?,
                 )
-                .context("Failed to read the initrd.")?,
-            )
-            .context("Failed to copy the initrd to the temporary directory.")?;
+                .context("Failed to copy the initrd to the temporary directory.")?
+        } else {
+            bootspec
+                .initrd
+                .clone()
+                .expect("Lanzaboote does not support missing initrd yet.")
+        };
+
         if let Some(initrd_secrets_script) = &bootspec.initrd_secrets {
             append_initrd_secrets(initrd_secrets_script, &initrd_location, generation.version)?;
         }
