Merge pull request #330 from agraf/bug_978157
Only use secure boot on x86_64 (bsc#978157)
wfeldt committed May 9, 2016
2 parents cba64ba + 0af2c3c commit 71a7d48
Showing 4 changed files with 66 additions and 3 deletions.
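--- a/src/lib/bootloader/grub2efi.rb
+++ b/src/lib/bootloader/grub2efi.rb
@@ -56,7 +56,8 @@ def propose
 # for UEFI always remove PMBR flag on disk (bnc#872054)
 self.pmbr_action = :remove
 
-@secure_boot = true
+# non-x86_64 systems don't support secure boot yet (bsc#978157)
+@secure_boot = Yast::Arch.x86_64 ? true : false
 grub_default.generic_set("GRUB_USE_LINUXEFI", Yast::Arch.aarch64 ? "false" : "true")
 end
 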
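Review bot: Secure Boot is now proposed off on every architecture other than x86_64, with no trace of the downgrade, at `@secure_boot = Yast::Arch.x86_64 ? true : false` in `propose`. That includes i386 EFI, which is more than the aarch64 case the specs exercise. Because this weakens boot-chain verification by default, a log entry or proposal-summary hint saying Secure Boot was disabled for the architecture would let an administrator notice it; whether a logger is in scope in this class is not visible in the hunk. The ternary is redundant if `Yast::Arch.x86_64` already returns a boolean: `@secure_boot = Yast::Arch.x86_64`. This only changes the proposed default, so the path that honours a user-selected Secure Boot setting on other architectures (outside this hunk) should be checked too.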
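--- a/src/lib/bootloader/grub_install.rb
+++ b/src/lib/bootloader/grub_install.rb
@@ -23,6 +23,28 @@ def execute(devices: nil, secure_boot: false)
 cmd << "--force" << "--skip-fs-probe"
 end
 
+# EFI has 2 boot paths. The default is that there is a target file listed
+# in the boot list. The boot list is stored in NVRAM and exposed as
+# efivars.
+#
+# If no entry in the boot list was bootable (or a removable media is in
+# the boot list), EFI falls back to removable media booting which loads
+# a default file from /efi/boot/boot.efi.
+#
+# On U-Boot EFI capable systems we do not have NVRAM because we would
+# have to store that on the same flash that Linux may be running on,
+# creating device ownership conflicts. So on those systems we instead have
+# to rely on the removable boot case.
+#
+# The easiest heuristic is that on "normal" EFI systems with working
+# NVRAM, there is at least one efi variable visible. On systems without
+# working NVRAM, we either see no efivars at all (booted via non-EFI entry
+# point) or there is no efi variable exposed. Install grub in the
+# removable location there.
+if Dir.glob("/sys/firmware/efi/efivars/*").empty?
+cmd << "--no-nvram" << "--removable"
+end
+
 if devices
 devices.each do |dev|
 Yast::Execute.on_target(cmd + [dev])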
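Review bot: The efivars check at `if Dir.glob("/sys/firmware/efi/efivars/*").empty?` does not appear to be limited to EFI installs: it follows the `end` that closes the command construction, and the `efi:false` specs in this commit all have to stub the glob as non-empty. On a legacy-BIOS or other non-EFI machine that directory does not exist, so the glob is empty and `--no-nvram --removable` would be appended to an `i386-pc` or `powerpc-ieee1275` install. The same holds for the `shim-install` command line when `secure_boot` is true. The condition should also require the instance's EFI flag (the value passed as `efi:` to the constructor; its internal name is outside this hunk), and it is worth confirming that `shim-install` accepts both options. The glob is also empty when efivarfs is simply not mounted in the installer environment, so the comment should state that assumption; `execute` starts and ends outside the hunk.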
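--- a/test/grub2_efi_test.rb
+++ b/test/grub2_efi_test.rb
@@ -69,11 +69,19 @@
 expect(subject.pmbr_action).to eq :remove
 end
 
-it "proposes to use secure boot" do
+it "proposes to use secure boot for x86_64" do
+allow(Yast::Arch).to receive(:architecture).and_return("x86_64")
 subject.propose
 
 expect(subject.secure_boot).to eq true
 end
+
+it "proposes to not use secure boot for aarch64" do
+allow(Yast::Arch).to receive(:architecture).and_return("aarch64")
+subject.propose
+
+expect(subject.secure_boot).to eq false
+end
 end
 
 describe "#packages" do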
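--- a/test/grub_install_test.rb
+++ b/test/grub_install_test.rb
@@ -10,8 +10,21 @@ def stub_arch(arch)
 allow(Yast::Arch).to receive(:architecture).and_return(arch)
 end
 
-def expect_grub2_install(target, device: nil)
+def stub_efivars(removable: false)
+if removable
+efivardirs = []
+else
+efivardirs = ["Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c",
+"BootCurrent-8be4df61-93ca-11d2-aa0d-00e098032b8c",
+"BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c"]
+end
+
+allow(Dir).to receive(:glob).and_return(efivardirs)
+end
+
+def expect_grub2_install(target, device: nil, removable: false)
 params = [/grub2-install/, "--target=#{target}", "--force", "--skip-fs-probe"]
+params << "--no-nvram" << "--removable" if removable
 params << device if device
 
 expect(Yast::Execute).to receive(:on_target)
@@ -22,6 +35,7 @@ def expect_grub2_install(target, device: nil)
 subject { Bootloader::GrubInstall.new(efi: true) }
 
 it "runs shim-install instead of grub2-install if secure_boot: true passed" do
+stub_efivars
 expect(Yast::Execute).to receive(:on_target)
 .with([/shim-install/, "--config-file=/boot/grub2/grub.cfg"])
 
@@ -30,32 +44,37 @@ def expect_grub2_install(target, device: nil)
 
 it "runs with target i386-efi on i386" do
 stub_arch("i386")
+stub_efivars
 expect_grub2_install("i386-efi")
 
 subject.execute
 end
 
 it "runs with target x86_64-efi on x86_64" do
 stub_arch("x86_64")
+stub_efivars
 expect_grub2_install("x86_64-efi")
 
 subject.execute
 end
 
 it "raise exception on ppc64" do
 stub_arch("ppc64")
+stub_efivars
 
 expect { subject.execute }.to raise_error(RuntimeError)
 end
 
 it "raise exception on s390" do
 stub_arch("s390_64")
+stub_efivars
 
 expect { subject.execute }.to raise_error(RuntimeError)
 end
 
 it "runs with target arm64-efi on aarch64" do
 stub_arch("aarch64")
+stub_efivars
 expect_grub2_install("arm64-efi")
 
 subject.execute
@@ -66,6 +85,14 @@ def expect_grub2_install(target, device: nil)
 
 expect { subject.execute }.to raise_error(RuntimeError)
 end
+
+it "creates a removable grub2 install on non-nvram systems" do
+stub_arch("aarch64")
+stub_efivars(removable: true)
+expect_grub2_install("arm64-efi", removable: true)
+
+subject.execute
+end
 end
 
 context "initialized with efi:false" do
@@ -77,6 +104,7 @@ def expect_grub2_install(target, device: nil)
 
 it "runs for each device passed in devices" do
 stub_arch("x86_64")
+stub_efivars
 expect_grub2_install("i386-pc", device: "/dev/sda")
 expect_grub2_install("i386-pc", device: "/dev/sdb")
 expect_grub2_install("i386-pc", device: "/dev/sdc")
@@ -86,27 +114,31 @@ def expect_grub2_install(target, device: nil)
 
 it "runs with target i386-pc on i386" do
 stub_arch("i386")
+stub_efivars
 expect_grub2_install("i386-pc", device: "/dev/sda")
 
 subject.execute(devices: ["/dev/sda"])
 end
 
 it "runs with target i386-pc on x86_64" do
 stub_arch("x86_64")
+stub_efivars
 expect_grub2_install("i386-pc", device: "/dev/sda")
 
 subject.execute(devices: ["/dev/sda"])
 end
 
 it "runs with target powerpc-ieee1275 on ppc64" do
 stub_arch("ppc64")
+stub_efivars
 expect_grub2_install("powerpc-ieee1275", device: "/dev/sda")
 
 subject.execute(devices: ["/dev/sda"])
 end
 
 it "runs with target s390x-emu on s390" do
 stub_arch("s390_64")
+stub_efivars
 
 expect_grub2_install("s390x-emu", device: "/dev/dasda1")
 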
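Review bot: `stub_efivars` stubs every `Dir.glob` call with `allow(Dir).to receive(:glob).and_return(efivardirs)`, so any other glob in the code under test would silently receive the fake efivar names; constrain it with `.with("/sys/firmware/efi/efivars/*")`. Every `efi:false` example calls `stub_efivars` with the populated list, which is not how a real non-EFI machine looks (no efivars directory at all), so the suite never checks what `execute` does there. An example in the `efi:false` context using `stub_efivars(removable: true)` with `expect_grub2_install("i386-pc", device: "/dev/sda")` would pin that `--no-nvram --removable` is not passed to a BIOS install. The `secure_boot: true` example likewise covers only the populated case.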
