From d3616496e01b5d4e122a31e01d9cc64a1a632a52 Mon Sep 17 00:00:00 2001 From: Nikita Dubrovskii Date: Fri, 19 Aug 2022 09:39:12 +0200 Subject: [PATCH 1/4] s390x: secex: remove the Ignition config before entering the emergency-shell --- .../modules.d/99emergency-shell-setup/emergency-shell.sh | 8 +++++++- .../ignition-virtio-dump-journal.service | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh b/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh index 8fa214e269..5623e60c70 100644 --- a/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh +++ b/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh @@ -32,7 +32,7 @@ _display_relevant_errors() { # Print Ignition logs if echo ${failed} | grep -qFe 'ignition-'; then - cat < Date: Thu, 15 Sep 2022 17:09:18 +0200 Subject: [PATCH 2/4] s390x: secex: disable login on serial console --- .../dracut/modules.d/35coreos-ignition/01-secex.ign | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/01-secex.ign b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/01-secex.ign index 637228d107..6848038632 100644 --- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/01-secex.ign +++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/01-secex.ign @@ -66,5 +66,17 @@ "wipeFilesystem": true } ] + }, + "systemd": { + "units": [ + { + "mask": true, + "name": "serial-getty@.service" + }, + { + "mask": true, + "name": "autovt@.service" + } + ] } } From 77295d35e3d7343be3ac242816375a7a7a05bec8 Mon Sep 17 00:00:00 2001 From: Nikita Dubrovskii Date: Thu, 18 Aug 2022 13:46:58 +0200 Subject: [PATCH 3/4] s390x: secex: disable Ignition's logs --- .../35coreos-ignition/coreos-diskful-generator | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
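Review bot: The two new `systemd.units` entries mask `serial-getty@.service` and `autovt@.service` but leave `getty@.service` and the real root's `emergency.service`/`rescue.service` untouched, so a boot failure after the initramfs can still reach a sulogin-style shell; whether that actually yields a shell presumably depends on the root account being locked, which this hunk cannot show. If the intent is "no interactive shell on any console", consider adding `{ "mask": true, "name": "getty@.service" }` beside the two existing entries and stating in the commit message why the emergency/rescue units are (or are not) in scope. Note also that this base config is merged with the user's Ignition config, which on Secure Execution is decrypted but (per the decrypt script later in this series) not signature-verified, so a user-supplied config could unmask these units; the masks are policy, not a hard boundary, and a comment to that effect in the commit would help the next reader.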
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator index f2d313dce7..c6cb313cea 100755 --- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator +++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator @@ -74,5 +74,17 @@ EOF mkdir -p /run/coreos/ touch /run/coreos/secure-execution cp /usr/lib/coreos/01-secex.ign /usr/lib/ignition/base.d/01-secex.ign + # Add dropins to disable Ignition logging for all stages + stages=("fetch-offline" "fetch" "kargs" "disks" "mount" "files") + for s in "${stages[@]}"; do + dropin="${UNIT_DIR}/ignition-${s}.service.d" + mkdir -p "${dropin}" + cat > "${dropin}/10-secex.conf" < Date: Mon, 22 Aug 2022 14:17:08 +0200 Subject: [PATCH 4/4] s390x: secex: decrypt ignition config on firstboot --- .../coreos-secex-ignition-decrypt.service | 17 ++++++++++++ .../coreos-secex-ignition-decrypt.sh | 26 +++++++++++++++++++ .../35coreos-ignition/module-setup.sh | 11 ++++++++ .../emergency-shell.sh | 3 ++- 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service new file mode 100644 index 0000000000..02283bc3d0 --- /dev/null +++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service 
@@ -0,0 +1,17 @@
+[Unit]
+Description=CoreOS Secex Ignition Config Decryptor
+ConditionPathExists=/etc/initrd-release
+ConditionPathExists=/run/coreos/secure-execution
+DefaultDependencies=false
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Run after virtio_blk and before Ignition
+After=coreos-gpt-setup.service
+Before=ignition-fetch-offline.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-secex-ignition-decrypt
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
new file mode 100755
index 0000000000..fcbf822529
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euo pipefail
+
+disk=/dev/disk/by-id/virtio-ignition_crypted
+conf=/usr/lib/ignition/user.ign
+pkey=/usr/lib/coreos/ignition.asc
+tmpd=
+
+cleanup() {
+ rm -f "${pkey}"
+ if [[ -n "${tmpd}" ]]; then
+ rm -rf "${tmpd}"
+ fi
+}
+
+trap cleanup EXIT
+
+tmpd=$(mktemp -d)
+
+if [ ! -e "${disk}" ]; then
+ echo "Ignition config must be encrypted"
+ exit 1
+fi
+
+gpg --homedir "${tmpd}" --import "${pkey}" && rm "${pkey}"
+gpg --homedir "${tmpd}" --skip-verify --output "${conf}" --decrypt "${disk}"
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
index f53564dd7c..d39da6fa08 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -26,6 +26,13 @@ install() { sgdisk \ uname + # For IBM SecureExecution + if [[ $(uname -m) = s390x ]]; then + inst_multiple \ + gpg \ + gpg-agent + fi + inst_simple "$moddir/coreos-diskful-generator" \ "$systemdutildir/system-generators/coreos-diskful-generator"
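Review bot: On the second-to-last line of coreos-secex-ignition-decrypt.sh, `gpg --homedir "${tmpd}" --import "${pkey}" && rm "${pkey}"` hides an import failure from `set -e` (a failing command that is not the last member of an `&&` list does not abort the script), so a missing or corrupt key file falls through to the `--decrypt` call and fails there with a misleading error instead of at the import. Split it into `gpg --batch --no-tty --homedir "${tmpd}" --import "${pkey}"` followed by `rm -f "${pkey}"` (the EXIT trap already removes the key, so the explicit `rm` is only defense in depth), and add `--batch --no-tty --yes` to the decrypt call as well, since the service runs without a terminal and a pre-existing `${conf}` or a passphrase-protected key would otherwise make gpg try to prompt. Separately, `--skip-verify` means the config is confidential but not authenticated: anyone holding the encryption public key can produce a ciphertext this script accepts as the Ignition config, which matters if the host is meant to be untrusted; if that is an accepted limitation it should be stated next to the call, e.g. `# NOTE: decrypt only - the config is not signature-verified; any holder of the public key can produce one`.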
@@ -76,4 +83,8 @@ install() { # IBM Secure Execution. Ignition config for reencryption of / and /boot inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign + install_ignition_unit "coreos-secex-ignition-decrypt.service" + inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \ + "/usr/sbin/coreos-secex-ignition-decrypt" + } diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh b/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh index 5623e60c70..b9b89e671a 100644 --- a/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh +++ b/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh @@ -70,10 +70,11 @@ EOF fi } -# in SE case drop config before entering shell +# in SE case drop everything before entering shell if [ -f /run/coreos/secure-execution ]; then rm -f /run/ignition.json rm -f /usr/lib/ignition/user.ign + rm -f /usr/lib/coreos/ignition.asc fi # Print warnings/informational messages to all configured consoles on the
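Review bot: The added `rm -f /usr/lib/coreos/ignition.asc` removes the key file, but not the temporary gpg homedir the decrypt script creates with `mktemp -d` and imports that same secret key into; that directory is normally removed by the script's EXIT trap, yet an EXIT trap does not run if the service is killed with SIGKILL, so a copy of the key can survive under /tmp when the emergency shell opens. Consider having the decrypt script use a fixed `--homedir` such as `/run/coreos/secex-gnupg` and adding `rm -rf /run/coreos/secex-gnupg` to this block, or at least record the assumption with a comment: `# the decrypt script's EXIT trap is expected to have removed its gpg homedir`. The `if` block itself is top-level script code; the `fi }` context above it closes `_display_relevant_errors`, whose body lies outside the hunk.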