activating secure boot

yast · Apr 26, 2023 · 436317a · 436317a
1 parent a2e7740
commit 436317a
Showing 1 changed file with 55 additions and 24 deletions.
diff --git a/src/lib/bootloader/systemdboot.rb b/src/lib/bootloader/systemdboot.rb
@@ -1,9 +1,10 @@
 # frozen_string_literal: true
-
+require "fileutils"
 require "yast"
 require "bootloader/sysconfig"
 
 Yast.import "Report"
+Yast.import "Arch"
 
 module Bootloader
   # Represents systemd bootloader with efi target
@@ -30,7 +31,7 @@ def read
       super
 
       read_menue_timeout()
-      self.secure_boot = Systeminfo.secure_boot_active?      
+      self.secure_boot = Systeminfo.secure_boot_active?
     end
 
     # Write bootloader settings to disk
@@ -41,15 +42,8 @@ def write(etc_only: false)
 
       install_bootloader      
       create_menue_entries
-      # Set menue timeout
       write_menue_timeout
 
-      unless etc_only
-        # writing in none transactional systems
-#        @grub_install.execute(secure_boot: secure_boot, trusted_boot: trusted_boot,
-#          update_nvram: update_nvram)
-      end
-
       true
     end
 
@@ -67,11 +61,7 @@ def summary(*)
           "Systemd Boot"
         )
       ]
-
-#      result << secure_boot_summary if Systeminfo.secure_boot_available?(name)
-#      result << trusted_boot_summary if Systeminfo.trusted_boot_available?(name)
-#      result << update_nvram_summary if Systeminfo.nvram_available?(name)
-
+      result << secure_boot_summary if Systeminfo.secure_boot_available?(name)
       result
     end
 
@@ -84,12 +74,12 @@ def delete
     end
 
     # overwrite BootloaderBase version to save secure boot
-#    def write_sysconfig(prewrite: false)
-#      sysconfig = Bootloader::Sysconfig.new(bootloader: name,
-#        secure_boot: secure_boot, trusted_boot: trusted_boot,
-#        update_nvram: update_nvram)
-#      prewrite ? sysconfig.pre_write : sysconfig.write
-#    end
+    def write_sysconfig(prewrite: false)
+      sysconfig = Bootloader::Sysconfig.new(bootloader: name,
+        secure_boot: secure_boot, trusted_boot: false,
+        update_nvram: false)
+      prewrite ? sysconfig.pre_write : sysconfig.write
+    end
 
   private
 
@@ -98,6 +88,7 @@ def delete
     BOOTCTL = "/bin/bootctl".freeze
     CAT = "/bin/cat".freeze
     LOADERCONF = "/boot/efi/loader/loader.conf"
+    MOKUTIL = "/bin/mokutil".freeze
 
     def create_menue_entries
       Dir.foreach('/usr/lib/modules') do |kernel_name|
@@ -161,6 +152,27 @@ def bootloader_is_installed
       Yast::Execute.on_target(BOOTCTL, "is-installed", allowed_exitstatus: 1) == 0
     end
 
+    def remove_secure_boot_settings
+      del_files = ["/boot/efi/EFI/systemd/grub.efi",
+                   "/boot/efi/EFI/systemd/systemd-bootx64.efi",
+                   "/boot/efi/EFI/systemd/MokManager.efi"]
+      del_files.each do |f|
+        filename = File.join(Yast::Installation.destdir, f)
+        File.delete(filename) if File.exist?(filename)
+      end
+    end
+
+    def secure_boot_available
+      ret = false
+      begin
+        ret = Yast::Execute.on_target(MOKUTIL, "--sb-state", allowed_exitstatus: 1) == 0
+      rescue Cheetah::ExecutionFailed => e
+        log.info("Command `#{e.commands.inspect}`.\n" \
+                 "Error output: #{e.stderr}")
+      end
+      ret
+    end
+
     def delete_bootloader
       if bootloader_is_installed
         log.info("Removing already installed systemd bootmanager.");
@@ -172,14 +184,16 @@ def delete_bootloader
                  "Cannot remove systemd bootloader:\n" \
                  "Command `%{command}`.\n" \
                  "Error output: %{stderr}"
-               ), command: e.commands.inspect, stderr: e.stderr))
-        end      
+                 ), command: e.commands.inspect, stderr: e.stderr))
+          return
+        end
+        remove_secure_boot_settings
       end
     end
 
     def install_bootloader
       begin
-        delete_bootloader if bootloader_is_installed
+        delete_bootloader # if bootloader is already installed
         Yast::Execute.on_target!(BOOTCTL, "--make-entry-directory=yes",
                                  "install")
       rescue Cheetah::ExecutionFailed => e
@@ -191,6 +205,23 @@ def install_bootloader
                ), command: e.commands.inspect, stderr: e.stderr))
         return
       end
-     end
+
+      if secure_boot
+        if secure_boot_available
+          log.info("Enabling secure boot options")
+          src = File.join(Yast::Installation.destdir, "/boot/efi/EFI/systemd/systemd-bootx64.efi")
+          dest = File.join(Yast::Installation.destdir, "/boot/efi/EFI/systemd/grub.efi")
+          FileUtils.mv(src, dest) if File.exist?(src)
+          src = File.join(Yast::Installation.destdir, "/usr/share/efi/", Yast::Arch.architecture, "/shim.efi")
+          dest = File.join(Yast::Installation.destdir, "/boot/efi/EFI/systemd/systemd-bootx64.efi")
+          FileUtils.cp(src, dest) if File.exist?(src)
+          src = File.join(Yast::Installation.destdir, "/usr/share/efi/", Yast::Arch.architecture, "/MokManager.efi")
+          dest = File.join(Yast::Installation.destdir, "/boot/efi/EFI/systemd/MokManager.efi")
+          FileUtils.cp(src, dest) if File.exist?(src)
+        else
+          Yast::Report.Error(_("Cannot activate secure boot because it is not available on your system."))
+        end
+      end
+    end
   end
 end