Merge pull request #348 from yast/secure_boot_fix

Secure boot fix
yast · Jul 7, 2016 · 91222e4 · 91222e4
2 parents 938ec03 + e4679cf
commit 91222e4
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 3 deletions.
diff --git a/package/yast2-bootloader.changes b/package/yast2-bootloader.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jul  7 07:51:12 UTC 2016 - jreidinger@suse.com
+
+- set by default SECURE_BOOT to false on architectures that do not
+  support it to avoid call of shim there (bnc#984895)
+- 3.1.196
+
 -------------------------------------------------------------------
 Fri Jul  1 15:10:53 UTC 2016 - jreidinger@suse.com
 

diff --git a/package/yast2-bootloader.spec b/package/yast2-bootloader.spec
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-bootloader
-Version:        3.1.195
+Version:        3.1.196
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

diff --git a/src/lib/bootloader/sysconfig.rb b/src/lib/bootloader/sysconfig.rb
@@ -1,5 +1,7 @@
 require "yast"
 
+Yast.import "Arch"
+
 module Bootloader
   # Represents sysconfig file for bootloader usually located in /etc/sysconfig/bootloader
   class Sysconfig
@@ -28,7 +30,13 @@ def initialize(bootloader: nil, secure_boot: false, trusted_boot: false)
     def self.from_system
       bootloader = Yast::SCR.Read(AGENT_PATH + "LOADER_TYPE")
       # propose secure boot always to true (bnc#872054), otherwise respect user choice
-      secure_boot = Yast::SCR.Read(AGENT_PATH + "SECURE_BOOT") != "no"
+      # but only on architectures that support it (bnc#984895)
+      if Yast::Arch.x86_64 || Yast::Arch.i386
+        secure_boot = Yast::SCR.Read(AGENT_PATH + "SECURE_BOOT") != "no"
+      else
+        secure_boot = false
+      end
+
       trusted_boot = Yast::SCR.Read(AGENT_PATH + "TRUSTED_BOOT") == "yes"
 
       new(bootloader: bootloader, secure_boot: secure_boot, trusted_boot: trusted_boot)
@@ -63,7 +71,7 @@ def pre_write
         "## Default:\t\"no\"\n" \
         "#\n" \
         "# Enable UEFI Secure Boot support\n" \
-        "# This setting is only relevant to UEFI which supports UEFI. It won't\n" \
+        "# This setting is only relevant to UEFI which supports Secure Boot. It won't\n" \
         "# take effect on any other firmware type.\n" \
         "#\n" \
         "#\n",

diff --git a/test/sysconfig_test.rb b/test/sysconfig_test.rb
@@ -21,6 +21,36 @@
       expect(sysconfig.bootloader).to eq "grub2"
       expect(sysconfig.secure_boot).to be false
     end
+
+    context "x86_64" do
+      before do
+        allow(Yast::Arch).to receive(:architecture).and_return("x86_64")
+      end
+
+      it "defaults secure_boot to true if not set" do
+        allow(Yast::SCR).to receive(:Read).with(
+          Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
+        ).and_return(nil)
+
+        sysconfig = Bootloader::Sysconfig.from_system
+        expect(sysconfig.secure_boot).to be true
+      end
+    end
+
+    context "on other architectures" do
+      before do
+        allow(Yast::Arch).to receive(:architecture).and_return("aarch64")
+      end
+
+      it "defaults secure_boot to false if not set" do
+        allow(Yast::SCR).to receive(:Read).with(
+          Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
+        ).and_return(nil)
+
+        sysconfig = Bootloader::Sysconfig.from_system
+        expect(sysconfig.secure_boot).to be false
+      end
+    end
   end
 
   describe "#write" do