Merge be33461 into dfe082c

package/yast2-bootloader.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 23 12:01:59 UTC 2020 - Michal Suchanek <msuchanek@suse.com>
+
+- Add UPDATE_NVRAM in /etc/sysconfig/bootloader (bsc#1157550).
+- 4.3.10
+
 -------------------------------------------------------------------
 Mon Sep 14 12:07:31 UTC 2020 - Josef Reidinger <jreidinger@suse.com>
 - merge SLE15 SP2 changes:

package/yast2-bootloader.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-bootloader
-Version:        4.3.9
+Version:        4.3.10
 Release:        0
 Summary:        YaST2 - Bootloader Configuration
 License:        GPL-2.0-or-later

src/autoyast-rnc/bootloader.rnc

@@ -66,6 +66,7 @@ bl_global =
       element os_prober       { STRING_BOOL }? &
       element suse_btrfs      { STRING_BOOL }? &
       element secure_boot      { STRING_BOOL }? &
+      element update_nvram      { STRING_BOOL }? &
       element xen_append        { STRING }? &
       element xen_kernel_append { STRING }? &
 

src/lib/bootloader/autoinst_profile/global_section.rb

@@ -45,6 +45,7 @@ def self.attributes
           { name: :timeout },
           { name: :trusted_boot },
           { name: :trusted_grub },
+          { name: :update_nvram },
           { name: :vgamode },
           { name: :xen_append },
           { name: :xen_kernel_append }
@@ -111,6 +112,10 @@ def self.attributes
       #   @return [String,nil] use Trusted GRUB (only for `grub2` loader type). Valid values
       #     are "true" and "false".
 
+      # @!attribute update_nvram
+      #   @return [String,nil] Update NVRAM with entry for the installed bootloader. Valid values
+      #     are "true" and "false".
+
       # @!attribute vgamode
       #   @return [String,nil] `vga` kernel parameter (e.g., "0x317").
 

src/lib/bootloader/autoyast_converter.rb

@@ -222,7 +222,8 @@ def bootloader_from_data(data)
 
       # only for grub2, not for others
       GRUB2EFI_BOOLEAN_MAPPING = {
-        "secure_boot" => :secure_boot
+        "secure_boot"  => :secure_boot,
+        "update_nvram" => :update_nvram
       }.freeze
       private_constant :GRUB2EFI_BOOLEAN_MAPPING
       def export_grub2efi(res, bootloader)
@@ -235,7 +236,8 @@ def export_grub2efi(res, bootloader)
       # only for grub2, not for others
       GRUB2_BOOLEAN_MAPPING = {
         "secure_boot"  => :secure_boot,
-        "trusted_grub" => :trusted_boot
+        "trusted_grub" => :trusted_boot,
+        "update_nvram" => :update_nvram
       }.freeze
       private_constant :GRUB2_BOOLEAN_MAPPING
       def export_grub2(res, bootloader)

src/lib/bootloader/grub2.rb

@@ -66,7 +66,8 @@ def write
       # powernv must not call grub2-install (bnc#970582)
       unless Yast::Arch.board_powernv
         failed = @grub_install.execute(
-          devices: stage1.devices, secure_boot: secure_boot, trusted_boot: trusted_boot
+          devices: stage1.devices, secure_boot: secure_boot, trusted_boot: trusted_boot,
+          update_nvram: update_nvram
         )
         failed.each { |f| stage1.remove_device(f) }
         stage1.write
@@ -105,8 +106,7 @@ def summary(simple_mode: false)
         )
       ]
 
-      result << secure_boot_summary if Systeminfo.secure_boot_available?(name)
-      result << trusted_boot_summary if Systeminfo.trusted_boot_available?(name)
+      result.concat(boot_flags_summary)
 
       locations_val = locations
       if !locations_val.empty?
@@ -145,7 +145,8 @@ def packages
     # overwrite BootloaderBase version to save trusted boot
     def write_sysconfig(prewrite: false)
       sysconfig = Bootloader::Sysconfig.new(
-        bootloader: name, secure_boot: secure_boot, trusted_boot: trusted_boot
+        bootloader: name, secure_boot: secure_boot, trusted_boot: trusted_boot,
+        update_nvram: update_nvram
       )
       prewrite ? sysconfig.pre_write : sysconfig.write
     end
@@ -256,5 +257,15 @@ def url_location_summary
       # TRANSLATORS: title for list of location proposals
       _("Change Location: %s") % line
     end
+
+    # summary for various boot flags
+    def boot_flags_summary
+      result = []
+      result << secure_boot_summary if Systeminfo.secure_boot_available?(name)
+      result << trusted_boot_summary if Systeminfo.trusted_boot_available?(name)
+      result << update_nvram_summary if Systeminfo.nvram_available?(name)
+
+      result
+    end
   end
 end

src/lib/bootloader/grub2_widgets.rb

@@ -423,6 +423,35 @@ def validate
     end
   end
 
+  # Represents switcher for NVRAM update
+  class UpdateNvramWidget < CWM::CheckBox
+    include Grub2Widget
+
+    def initialize
+      textdomain "bootloader"
+    end
+
+    def label
+      _("Update &NVRAM Entry")
+    end
+
+    def help
+      res = _("<p><b>Update NVRAM Entry</b> will add nvram entry for the bootloader\n" \
+          "in the firmware.\n" \
+          "This is usually desirable unless you want to preserve specific settings\n" \
+          "or need to work around firmware issues.</p>\n")
+      res
+    end
+
+    def init
+      self.value = grub2.update_nvram
+    end
+
+    def store
+      grub2.update_nvram = value
+    end
+  end
+
   # Represents grub password protection widget
   class GrubPasswordWidget < CWM::CustomWidget
     include Grub2Widget
@@ -979,6 +1008,7 @@ def widgets
 
       w << SecureBootWidget.new if secure_boot_widget?
       w << TrustedBootWidget.new if trusted_boot_widget?
+      w << UpdateNvramWidget.new if update_nvram_widget?
 
       w.map do |widget|
         MarginBox(horizontal_margin, 0, Left(widget))
@@ -1017,6 +1047,10 @@ def trusted_boot_widget?
       Systeminfo.trusted_boot_available?(grub2.name)
     end
 
+    def update_nvram_widget?
+      Systeminfo.nvram_available?(grub2.name)
+    end
+
     def pmbr_widget?
       (Yast::Arch.x86_64 || Yast::Arch.i386) &&
         Yast::BootStorage.gpt_boot_disk?

src/lib/bootloader/grub2base.rb

@@ -53,6 +53,10 @@ class Grub2Base < BootloaderBase
     #   @return [Boolean] current secure boot setting
     attr_accessor :secure_boot
 
+    # @!attribute update_nvram
+    #   @return [Boolean] current update nvram setting
+    attr_accessor :update_nvram
+
     # @!attribute console
     #   @return [::Bootloader::SerialConsole] serial console or nil if none
     attr_reader :console
@@ -70,6 +74,7 @@ def initialize
       @sections = ::Bootloader::Sections.new
       @pmbr_action = :nothing
       @explicit_cpu_mitigations = false
+      @update_nvram = true
     end
 
     # general functions
@@ -125,6 +130,7 @@ def read
 
       self.trusted_boot = Systeminfo.trusted_boot_active?
       self.secure_boot = Systeminfo.secure_boot_active?
+      self.update_nvram = Systeminfo.update_nvram_active?
     end
 
     def write
@@ -162,6 +168,7 @@ def propose
 
       self.trusted_boot = false
       self.secure_boot = Systeminfo.secure_boot_active?
+      self.update_nvram = true
     end
 
     def merge(other)
@@ -174,6 +181,7 @@ def merge(other)
 
       self.trusted_boot = other.trusted_boot unless other.trusted_boot.nil?
       self.secure_boot = other.secure_boot unless other.secure_boot.nil?
+      self.update_nvram = other.update_nvram unless other.update_nvram.nil?
     end
 
     def enable_serial_console(console_arg_string)
@@ -400,6 +408,18 @@ def trusted_boot_summary
           "<a href=\"enable_trusted_boot\">(" + _("enable") + ")</a>"
         end
     end
+
+    # Update nvram shown in summary screen
+    #
+    # @return [String]
+    def update_nvram_summary
+      _("Update NVRAM:") + " " + (update_nvram ? _("enabled") : _("disabled")) + " " +
+        if update_nvram
+          "<a href=\"disable_update_nvram\">(" + _("disable") + ")</a>"
+        else
+          "<a href=\"enable_update_nvram\">(" + _("enable") + ")</a>"
+        end
+    end
   end
   # rubocop:enable Metrics/ClassLength
 end

src/lib/bootloader/grub2efi.rb

@@ -47,7 +47,8 @@ def write
         pmbr_setup(*disks.map(&:name))
       end
 
-      @grub_install.execute(secure_boot: secure_boot, trusted_boot: trusted_boot)
+      @grub_install.execute(secure_boot: secure_boot, trusted_boot: trusted_boot,
+                            update_nvram: update_nvram)
 
       true
     end
@@ -77,6 +78,7 @@ def summary(*)
 
       result << secure_boot_summary if Systeminfo.secure_boot_available?(name)
       result << trusted_boot_summary if Systeminfo.trusted_boot_available?(name)
+      result << update_nvram_summary if Systeminfo.nvram_available?(name)
 
       result
     end
@@ -108,7 +110,7 @@ def packages
     # overwrite BootloaderBase version to save secure boot
     def write_sysconfig(prewrite: false)
       sysconfig = Bootloader::Sysconfig.new(bootloader: name,
-        secure_boot: secure_boot, trusted_boot: trusted_boot)
+        secure_boot: secure_boot, trusted_boot: trusted_boot, update_nvram: true)
       prewrite ? sysconfig.pre_write : sysconfig.write
     end
 

src/lib/bootloader/grub_install.rb

@@ -25,8 +25,9 @@ def initialize(efi: false)
     #   Ignored when grub2 does not need device.
     # @param secure_boot [Boolean] if secure boot variant should be used
     # @param trusted_boot [Boolean] if trusted boot variant should be used
+    # @param update_nvram [Boolean] if bootloader entry should be added to nvram
     # @return [Array<String>] list of devices for which install failed
-    def execute(devices: [], secure_boot: false, trusted_boot: false)
+    def execute(devices: [], secure_boot: false, trusted_boot: false, update_nvram: true)
       if secure_boot && !Systeminfo.secure_boot_available?(@grub2_name)
         # There might be some secure boot setting left over when the
         # bootloader had been switched.
@@ -35,14 +36,13 @@ def execute(devices: [], secure_boot: false, trusted_boot: false)
         log.warn "Ignoring secure boot setting on this machine"
       end
 
-      cmd = basic_cmd(secure_boot, trusted_boot)
+      cmd = basic_cmd(secure_boot, trusted_boot, update_nvram)
 
       if no_device_install?
         Yast::Execute.on_target(cmd)
         # workaround for arm on SLE15 SP2 (bsc#1167015)
         # run grub2-install also non-removable if efi is there
         if Yast::Arch.aarch64 && !Dir.glob("/sys/firmware/efi/efivars/*").empty?
-          cmd.delete("--no-nvram")
           cmd.delete("--removable")
           Yast::Execute.on_target(cmd)
         end
@@ -85,7 +85,7 @@ def report_failure(exception)
 
     # creates basic command for grub2 install without specifying any stage1
     # locations
-    def basic_cmd(secure_boot, trusted_boot)
+    def basic_cmd(secure_boot, trusted_boot, update_nvram)
       if Systeminfo.shim_needed?(@grub2_name, secure_boot)
         cmd = ["/usr/sbin/shim-install", "--config-file=/boot/grub2/grub.cfg"]
       else
@@ -101,7 +101,8 @@ def basic_cmd(secure_boot, trusted_boot)
         cmd << (efi ? "--suse-enable-tpm" : "--directory=/usr/lib/trustedgrub2/#{target}")
       end
 
-      cmd << "--no-nvram" << "--removable" if removable_efi?
+      cmd << "--removable" if removable_efi?
+      cmd << "--no-nvram" if !update_nvram
 
       cmd
     end

src/lib/bootloader/sysconfig.rb

@@ -13,7 +13,8 @@ class Sysconfig
     ATTR_VALUE_MAPPING = {
       bootloader:   "LOADER_TYPE",
       secure_boot:  "SECURE_BOOT",
-      trusted_boot: "TRUSTED_BOOT"
+      trusted_boot: "TRUSTED_BOOT",
+      update_nvram: "UPDATE_NVRAM"
     }.freeze
 
     # specifies bootloader in sysconfig
@@ -22,12 +23,15 @@ class Sysconfig
     attr_accessor :secure_boot
     # @return [Boolean] if trusted boot should be used
     attr_accessor :trusted_boot
+    # @return [Boolean] if nvram should be updated
+    attr_accessor :update_nvram
 
-    def initialize(bootloader: nil, secure_boot: false, trusted_boot: false)
+    def initialize(bootloader: nil, secure_boot: false, trusted_boot: false, update_nvram: true)
       @sys_agent = AGENT_PATH
       @bootloader = bootloader
       @secure_boot = secure_boot
       @trusted_boot = trusted_boot
+      @update_nvram = update_nvram
     end
 
     def self.from_system
@@ -38,7 +42,10 @@ def self.from_system
 
       trusted_boot = Yast::SCR.Read(AGENT_PATH + "TRUSTED_BOOT") == "yes"
 
-      new(bootloader: bootloader, secure_boot: secure_boot, trusted_boot: trusted_boot)
+      update_nvram = Yast::SCR.Read(AGENT_PATH + "UPDATE_NVRAM") != "no"
+
+      new(bootloader: bootloader, secure_boot: secure_boot, trusted_boot: trusted_boot,
+          update_nvram: update_nvram)
     end
 
     # Specialized write before rpm install, that do not have switched SCR
@@ -82,6 +89,16 @@ def pre_write
         "#\n" \
         "# Enable Trusted Boot support\n" \
         "# Only available on hardware with a Trusted Platform Module.\n" \
+        "#\n",
+
+      update_nvram: "\n" \
+        "## Path:\tSystem/Bootloader\n" \
+        "## Description:\tBootloader configuration\n" \
+        "## Type:\tyesno\n" \
+        "## Default:\t\"yes\"\n" \
+        "#\n" \
+        "# Update nvram boot settings (UEFI, OF)\n" \
+        "# Unset to preserve specific settings or workaround firmware issues.\n" \
         "#\n"
     }.freeze
 
@@ -96,6 +113,9 @@ def write
       tb = trusted_boot ? "yes" : "no"
       write_option(:trusted_boot, tb)
 
+      un = update_nvram ? "yes" : "no"
+      write_option(:update_nvram, un)
+
       # flush write
       Yast::SCR.Write(sys_agent, nil)
 

src/lib/bootloader/systeminfo.rb

@@ -45,6 +45,15 @@ def trusted_boot_active?
         Sysconfig.from_system.trusted_boot
       end
 
+      # Check if the system is expected to have nvram - ie. update_nvram_active? makes a difference
+      def nvram_available?(bootloader_name = nil)
+        (bootloader_name ? efi_used?(bootloader_name) : efi_supported?) || Yast::Arch.ppc
+      end
+
+      def update_nvram_active?
+        Sysconfig.from_system.update_nvram
+      end
+
       # Check if trusted boot is configurable with a bootloader.
       #
       # param bootloader_name [String] bootloader name