Merge 23c2c0b into a555e29

package/yast2-bootloader.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 22 13:49:24 UTC 2018 - Josef Reidinger <jreidinger@suse.com>
+
+- enable secure boot on aarch64 (fate#326540)
+- 4.1.12
+
 -------------------------------------------------------------------
 Tue Oct 23 14:54:29 UTC 2018 - jreidinger@suse.com
 

package/yast2-bootloader.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-bootloader
-Version:        4.1.11
+Version:        4.1.12
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

src/lib/bootloader/grub2_widgets.rb

@@ -909,7 +909,7 @@ def generic_mbr_widget?
     end
 
     def secure_boot_widget?
-      (Yast::Arch.x86_64 || Yast::Arch.i386) && grub2.name == "grub2-efi"
+      (Yast::Arch.x86_64 || Yast::Arch.i386 || Yast::Arch.aarch64) && grub2.name == "grub2-efi"
     end
 
     def trusted_boot_widget?

src/lib/bootloader/grub2efi.rb

@@ -61,8 +61,8 @@ def propose
       # for UEFI always remove PMBR flag on disk (bnc#872054)
       self.pmbr_action = :remove
 
-      # non-x86_64 systems don't support secure boot yet (bsc#978157)
-      @secure_boot = Yast::Arch.x86_64 ? true : false
+      # non-x86_64 systems don't support secure boot yet (bsc#978157) except arm (fate#326540)
+      @secure_boot = (Yast::Arch.x86_64 || Yast::Arch.aarch64) ? true : false
       grub_default.generic_set("GRUB_USE_LINUXEFI", Yast::Arch.aarch64 ? "false" : "true")
     end
 
@@ -103,7 +103,6 @@ def packages
         res << "grub2-i386-efi"
       when "x86_64"
         res << "grub2-x86_64-efi"
-        res << "shim" << "mokutil" if @secure_boot
       when "arm"
         res << "grub2-arm-efi"
       when "aarch64"
@@ -112,6 +111,8 @@ def packages
         log.warn "Unknown architecture #{Yast::Arch.architecture} for EFI"
       end
 
+      res << "shim" << "mokutil" if @secure_boot
+
       res
     end
 

src/lib/bootloader/sysconfig.rb

@@ -30,8 +30,8 @@ def initialize(bootloader: nil, secure_boot: false, trusted_boot: false)
     def self.from_system
       bootloader = Yast::SCR.Read(AGENT_PATH + "LOADER_TYPE")
       # propose secure boot always to true (bnc#872054), otherwise respect user choice
-      # but only on architectures that support it (bnc#984895)
-      secure_boot = if Yast::Arch.x86_64 || Yast::Arch.i386
+      # but only on architectures that support it (bnc#984895),(fate#326540)
+      secure_boot = if Yast::Arch.x86_64 || Yast::Arch.i386 || Yast::Arch.aarch64
         Yast::SCR.Read(AGENT_PATH + "SECURE_BOOT") != "no"
       else
         false

test/grub2_efi_test.rb

@@ -84,11 +84,11 @@
       expect(subject.secure_boot).to eq true
     end
 
-    it "proposes to not use secure boot for aarch64" do
+    it "proposes to use secure boot for aarch64" do
       allow(Yast::Arch).to receive(:architecture).and_return("aarch64")
       subject.propose
 
-      expect(subject.secure_boot).to eq false
+      expect(subject.secure_boot).to eq true
     end
   end
 

test/sysconfig_test.rb

@@ -37,11 +37,26 @@
       end
     end
 
-    context "on other architectures" do
+    context "aarch64" do
       before do
         allow(Yast::Arch).to receive(:architecture).and_return("aarch64")
       end
 
+      it "defaults secure_boot to true if not set" do
+        allow(Yast::SCR).to receive(:Read).with(
+          Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
+        ).and_return(nil)
+
+        sysconfig = Bootloader::Sysconfig.from_system
+        expect(sysconfig.secure_boot).to be true
+      end
+    end
+
+    context "on other architectures" do
+      before do
+        allow(Yast::Arch).to receive(:architecture).and_return("ppc64")
+      end
+
       it "defaults secure_boot to false if not set" do
         allow(Yast::SCR).to receive(:Read).with(
           Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")