[RFC] Enable secureboot on aarch64 (boo#1136601)

package/yast2-bootloader.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jun  5 12:59:27 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Enable Secure Boot on AArch64 (boo#1136601)
+- 4.2.4
+
 -------------------------------------------------------------------
 Fri May 31 12:26:38 UTC 2019 - Stasiek Michalski <hellcp@mailbox.org>
 

package/yast2-bootloader.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-bootloader
-Version:        4.2.3
+Version:        4.2.4
 Release:        0
 Summary:        YaST2 - Bootloader Configuration
 License:        GPL-2.0-or-later

src/lib/bootloader/grub2_widgets.rb

@@ -977,7 +977,7 @@ def generic_mbr_widget?
     end
 
     def secure_boot_widget?
-      (Yast::Arch.x86_64 || Yast::Arch.i386) && grub2.name == "grub2-efi"
+      (Yast::Arch.x86_64 || Yast::Arch.i386 || Yast::Arch.aarch64) && grub2.name == "grub2-efi"
     end
 
     def trusted_boot_widget?

src/lib/bootloader/grub2efi.rb

@@ -61,8 +61,8 @@ def propose
       # for UEFI always remove PMBR flag on disk (bnc#872054)
       self.pmbr_action = :remove
 
-      # non-x86_64 systems don't support secure boot yet (bsc#978157)
-      @secure_boot = Yast::Arch.x86_64 ? true : false
+      # Only x86_64 and aarch64 systems support secure boot
+      @secure_boot = (Yast::Arch.x86_64 || Yast::Arch.aarch64) ? true : false
       grub_default.generic_set("GRUB_USE_LINUXEFI", Yast::Arch.aarch64 ? "false" : "true")
     end
 

src/lib/bootloader/grub_install.rb

@@ -72,10 +72,12 @@ def report_failure(exception)
     # creates basic command for grub2 install without specifying any stage1
     # locations
     def basic_cmd(secure_boot, trusted_boot)
-      if secure_boot
+      if secure_boot && !Yast::Arch.aarch64
         cmd = ["/usr/sbin/shim-install", "--config-file=/boot/grub2/grub.cfg"]
       else
         cmd = ["/usr/sbin/grub2-install", "--target=#{target}"]
+        # On aarch64, we do not use shim, but '--suse-signed-grub' option (bsc#1136601)
+        cmd << "--suse-signed-grub" if secure_boot && Yast::Arch.aarch64
         # Do skip-fs-probe to avoid error when embedding stage1
         # to extended partition
         cmd << "--force" << "--skip-fs-probe"

src/lib/bootloader/sysconfig.rb

@@ -30,8 +30,8 @@ def initialize(bootloader: nil, secure_boot: false, trusted_boot: false)
     def self.from_system
       bootloader = Yast::SCR.Read(AGENT_PATH + "LOADER_TYPE")
       # propose secure boot always to true (bnc#872054), otherwise respect user choice
-      # but only on architectures that support it (bnc#984895)
-      secure_boot = if Yast::Arch.x86_64 || Yast::Arch.i386
+      # but only on architectures that support it
+      secure_boot = if Yast::Arch.x86_64 || Yast::Arch.i386 || Yast::Arch.aarch64
         Yast::SCR.Read(AGENT_PATH + "SECURE_BOOT") != "no"
       else
         false

test/grub2_efi_test.rb

@@ -90,11 +90,11 @@
       expect(subject.secure_boot).to eq true
     end
 
-    it "proposes to not use secure boot for aarch64" do
+    it "proposes to use secure boot for aarch64" do
       allow(Yast::Arch).to receive(:architecture).and_return("aarch64")
       subject.propose
 
-      expect(subject.secure_boot).to eq false
+      expect(subject.secure_boot).to eq true
     end
   end
 

test/sysconfig_test.rb

@@ -37,18 +37,18 @@
       end
     end
 
-    context "on other architectures" do
+    context "aarch64" do
       before do
         allow(Yast::Arch).to receive(:architecture).and_return("aarch64")
       end
 
-      it "defaults secure_boot to false if not set" do
+      it "defaults secure_boot to true if not set" do
         allow(Yast::SCR).to receive(:Read).with(
           Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
         ).and_return(nil)
 
         sysconfig = Bootloader::Sysconfig.from_system
-        expect(sysconfig.secure_boot).to be false
+        expect(sysconfig.secure_boot).to be true
       end
     end
   end