Fixed copy of mok manager

The name and location of the mok manager is distribution specific in the same way as the shim loader. Thus we need to apply a similar concept for looking it up
OSInside · Jul 12, 2021 · 5a71d94 · 5a71d94
1 parent 4cbc733
commit 5a71d94
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 9 deletions.
diff --git a/kiwi/bootloader/config/grub2.py b/kiwi/bootloader/config/grub2.py
@@ -750,12 +750,11 @@ def _setup_secure_boot_efi_image(self, lookup_path, uuid=None, mbrid=None):
                     os.sep.join([self.efi_boot_path, grub_image.binaryname])
                 ]
             )
-            mok_manager = os.sep.join(
-                [os.path.dirname(shim_image), 'MokManager.efi']
-            )
-            Command.run(
-                ['cp', mok_manager, self.efi_boot_path]
-            )
+            mok_manager = Defaults.get_mok_manager(lookup_path)
+            if mok_manager:
+                Command.run(
+                    ['cp', mok_manager, self.efi_boot_path]
+                )
         else:
             # Without shim a self signed grub image is used that
             # gets loaded by the firmware

diff --git a/kiwi/defaults.py b/kiwi/defaults.py
@@ -709,6 +709,31 @@ def get_shim_loader(root_path):
             for shim_file in glob.iglob(root_path + shim_file_pattern):
                 return shim_file
 
+    @staticmethod
+    def get_mok_manager(root_path: str) -> Optional[str]:
+        """
+        Provides Mok Manager file path
+
+        Searches distribution specific locations to find
+        the Mok Manager EFI binary
+
+        :param str root_path: image root path
+
+        :return: file path or None
+
+        :rtype: str
+        """
+        mok_manager_file_patterns = [
+            '/usr/share/efi/*/MokManager.efi',
+            '/usr/lib64/efi/MokManager.efi',
+            '/boot/efi/EFI/*/mm*.efi',
+            '/usr/lib/shim/mm*.efi'
+        ]
+        for mok_manager_file_pattern in mok_manager_file_patterns:
+            for mm_file in glob.iglob(root_path + mok_manager_file_pattern):
+                return mm_file
+        return None
+
     @staticmethod
     def get_grub_efi_font_directory(root_path):
         """

diff --git a/test/unit/bootloader/config/grub2_test.py b/test/unit/bootloader/config/grub2_test.py
@@ -59,9 +59,10 @@ def setup(self, mock_theme, mock_firmware):
             'root_dir/usr/lib64/efi/shim.efi': True,
             'root_dir/usr/lib64/efi/grub.efi': True,
             'root_dir/usr/lib64/efi/does-not-exist': False,
-            'root_dir/boot/efi/': True
+            'root_dir/boot/efi/': True,
         }
         self.glob_iglob = [
+            ['root_dir/usr/lib64/efi/MokManager.efi'],
             ['root_dir/usr/lib64/efi/shim.efi'],
             ['root_dir/usr/lib64/efi/grub.efi'],
             ['root_dir/boot/efi/EFI/DIST/fonts']
@@ -1367,6 +1368,7 @@ def side_effect_glob(arg):
                     )
                 ]
 
+    @patch('kiwi.bootloader.config.grub2.Defaults.get_shim_loader')
     @patch('kiwi.bootloader.config.base.BootLoaderConfigBase.get_boot_path')
     @patch('kiwi.bootloader.config.grub2.Path.which')
     @patch('kiwi.bootloader.config.grub2.Command.run')
@@ -1376,11 +1378,12 @@ def side_effect_glob(arg):
     @patch('os.stat')
     def test_setup_disk_boot_images_bios_plus_efi_secure_boot_no_shim_at_all(
         self, mock_stat, mock_chmod, mock_glob,
-        mock_exists, mock_command, mock_which, mock_get_boot_path
+        mock_exists, mock_command, mock_which, mock_get_boot_path,
+        mock_get_shim_loader
     ):
         # we expect the copy of grub.efi from the fallback
         # code if no shim was found at all
-        self.glob_iglob[0] = [None]
+        mock_get_shim_loader.return_value = None
 
         Defaults.set_platform_name('x86_64')
         mock_get_boot_path.return_value = '/boot'

diff --git a/test/unit/defaults_test.py b/test/unit/defaults_test.py
@@ -147,3 +147,19 @@ def iglob_custom_binary_match(pattern):
             '/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed',
             binaryname='grubx64.efi'
         )
+
+    @patch('glob.iglob')
+    def test_get_mok_manager(self, mock_iglob):
+        mock_iglob.return_value = []
+        assert Defaults.get_mok_manager('root_path') is None
+
+        mock_iglob.return_value = ['some_glob_result']
+        assert Defaults.get_mok_manager('root_path') == 'some_glob_result'
+
+    @patch('glob.iglob')
+    def test_get_shim_loader(self, mock_iglob):
+        mock_iglob.return_value = []
+        assert Defaults.get_shim_loader('root_path') is None
+
+        mock_iglob.return_value = ['some_glob_result']
+        assert Defaults.get_shim_loader('root_path') == 'some_glob_result'