Hello community, here is the log from the commit of package yast2-bootloader for openSUSE:Factory checked in at 2017-04-25 08:57:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-bootloader (Old) and /work/SRC/openSUSE:Factory/.yast2-bootloader.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-bootloader" Tue Apr 25 08:57:17 2017 rev:245 rq:489013 version:3.2.19 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-bootloader/yast2-bootloader.changes 2017-03-29 13:23:03.241328627 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-bootloader.new/yast2-bootloader.changes 2017-04-25 08:57:18.894498743 +0200 @@ -1,0 +2,6 @@ +Thu Apr 13 13:34:12 UTC 2017 - [email protected] + +- Add possibility to use trusted boot for EFI (FATE#315831) +- 3.2.19 + +------------------------------------------------------------------- Old: ---- yast2-bootloader-3.2.18.tar.bz2 New: ---- yast2-bootloader-3.2.19.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-bootloader.spec ++++++ --- /var/tmp/diff_new_pack.dk104S/_old 2017-04-25 08:57:19.602398646 +0200 +++ /var/tmp/diff_new_pack.dk104S/_new 2017-04-25 08:57:19.606398081 +0200 @@ -17,7 +17,7 @@ Name: yast2-bootloader -Version: 3.2.18 +Version: 3.2.19 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ yast2-bootloader-3.2.18.tar.bz2 -> yast2-bootloader-3.2.19.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/.travis.yml new/yast2-bootloader-3.2.19/.travis.yml --- old/yast2-bootloader-3.2.18/.travis.yml 2017-03-24 16:41:55.803983895 +0100 +++ new/yast2-bootloader-3.2.19/.travis.yml 2017-04-18 09:23:45.216091561 +0200 
@@ -9,3 +9,4 @@ # the "yast-travis-ruby" script is included in the base yastdevel/ruby image # see https://github.com/yast/docker-yast-ruby/blob/master/yast-travis-ruby - docker run -it -e TRAVIS=1 -e TRAVIS_JOB_ID="$TRAVIS_JOB_ID" yast-bootloader-image yast-travis-ruby + - docker run -it yast-bootloader-image rake check:doc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/Dockerfile new/yast2-bootloader-3.2.19/Dockerfile --- old/yast2-bootloader-3.2.18/Dockerfile 2017-03-24 16:41:55.803983895 +0100 +++ new/yast2-bootloader-3.2.19/Dockerfile 2017-04-18 09:23:45.216091561 +0200 @@ -1,3 +1,2 @@ FROM yastdevel/ruby COPY . /usr/src/app - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/Rakefile new/yast2-bootloader-3.2.19/Rakefile --- old/yast2-bootloader-3.2.18/Rakefile 2017-03-24 16:41:55.803983895 +0100 +++ new/yast2-bootloader-3.2.19/Rakefile 2017-04-18 09:23:45.216091561 +0200 @@ -4,4 +4,7 @@ # lets ignore license check for now conf.skip_license_check << /.*/ conf.install_locations["doc/autodocs"] = conf.install_doc_dir + # TODO: improve it, at least do not get worse + # TODO: remove condition when new packaging tasks are accepted to factory + conf.documentation_minimal = 50 if conf.respond_to?(:documentation_minimal=) end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/package/yast2-bootloader.changes new/yast2-bootloader-3.2.19/package/yast2-bootloader.changes --- old/yast2-bootloader-3.2.18/package/yast2-bootloader.changes 2017-03-24 16:41:55.807983895 +0100 +++ new/yast2-bootloader-3.2.19/package/yast2-bootloader.changes 2017-04-18 09:23:45.220091561 +0200 
@@ -1,4 +1,10 @@ ------------------------------------------------------------------- +Thu Apr 13 13:34:12 UTC 2017 - [email protected] + +- Add possibility to use trusted boot for EFI (FATE#315831) +- 3.2.19 + +------------------------------------------------------------------- Fri Mar 24 14:17:00 UTC 2017 - [email protected] - Report user friendly message when no root partition is detected diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/package/yast2-bootloader.spec new/yast2-bootloader-3.2.19/package/yast2-bootloader.spec --- old/yast2-bootloader-3.2.18/package/yast2-bootloader.spec 2017-03-24 16:41:55.807983895 +0100 +++ new/yast2-bootloader-3.2.19/package/yast2-bootloader.spec 2017-04-18 09:23:45.220091561 +0200 @@ -17,7 +17,7 @@ Name: yast2-bootloader -Version: 3.2.18 +Version: 3.2.19 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2.rb new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2.rb --- old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2.rb 2017-03-24 16:41:55.811983895 +0100 +++ new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2.rb 2017-04-18 09:23:45.224091561 +0200 @@ -17,8 +17,6 @@ class Grub2 < Grub2Base attr_reader :stage1 attr_reader :device_map - # @return [Boolean] - attr_accessor :trusted_boot def initialize super @@ -27,7 +25,6 @@ @stage1 = Stage1.new @grub_install = GrubInstall.new(efi: false) @device_map = DeviceMap.new - @trusted_boot = false end # Read settings from disk, overwritting already set values @@ -52,8 +49,6 @@ log.info "grub2/device.map does not exist. Using empty one." @device_map = DeviceMap.new end - - @trusted_boot = Sysconfig.from_system.trusted_boot end # Write bootloader settings to disk 
@@ -86,14 +81,12 @@ # boot, safer option for legacy booting (bnc#872054) self.pmbr_action = :add if Yast::BootStorage.gpt_boot_disk? device_map.propose if Yast::Arch.x86_64 || Yast::Arch.i386 - @trusted_boot = false end def merge(other) super @device_map = other.device_map if !other.device_map.empty? - @trusted_boot = other.trusted_boot unless other.trusted_boot.nil? stage1.merge(other.stage1) end @@ -108,7 +101,7 @@ ), Yast::Builtins.sformat( _("Enable Trusted Boot: %1"), - @trusted_boot ? _("yes") : _("no") + trusted_boot ? _("yes") : _("no") ) ] locations_val = locations @@ -148,7 +141,7 @@ end if Yast::Arch.x86_64 || Yast::Arch.i386 - res << "trustedgrub2" << "trustedgrub2-i386-pc" if @trusted_boot + res << "trustedgrub2" << "trustedgrub2-i386-pc" if trusted_boot end res @@ -157,7 +150,7 @@ # FIXME: refactor with injection like super(prewrite: prewrite, sysconfig = ...) # overwrite BootloaderBase version to save trusted boot def write_sysconfig(prewrite: false) - sysconfig = Bootloader::Sysconfig.new(bootloader: name, trusted_boot: @trusted_boot) + sysconfig = Bootloader::Sysconfig.new(bootloader: name, trusted_boot: trusted_boot) prewrite ? sysconfig.pre_write : sysconfig.write end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2_widgets.rb new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2_widgets.rb --- old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2_widgets.rb 2017-03-24 16:41:55.811983895 +0100 +++ new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2_widgets.rb 2017-04-18 09:23:45.224091561 +0200 
@@ -298,13 +298,17 @@ def help # TRANSLATORS: TrustedGRUB2 is a name, don't translate it - _("<p><b>Trusted Boot</b> will install TrustedGRUB2\n" \ - "instead of regular GRUB2.</p>\n" \ - "<p>It means measuring the integrity of the boot process,\n" \ - "with the help from the hardware (a TPM, Trusted Platform Module,\n" \ - "chip).</p>\n" \ - "<p>First you need to make sure Trusted Boot is enabled in the BIOS\n" \ - "setup (the setting may be named Security Chip, for example).</p>\n") + res = _("<p><b>Trusted Boot</b> will install TrustedGRUB2\n" \ + "instead of regular GRUB2.</p>\n" \ + "<p>It means measuring the integrity of the boot process,\n" \ + "with the help from the hardware (a TPM, Trusted Platform Module,\n" \ + "chip).</p>\n") + if grub2.name == "grub2" + res += _("<p>First you need to make sure Trusted Boot is enabled in the BIOS\n" \ + "setup (the setting may be named Security Chip, for example).</p>\n") + end + + res end def init @@ -316,7 +320,7 @@ end def validate - return true if Yast::Mode.config || !value + return true if Yast::Mode.config || !value || grub2.name == "grub2-efi" tpm_files = Dir.glob("/sys/**/pcrs") if !tpm_files.empty? # check for file size does not work, since FS reports it 4096 @@ -603,7 +607,7 @@ @vga_modes.sort! do |a, b| res = a["width"] <=> b["width"] - res = a["height"] <=> b["height"] if res == 0 + res = a["height"] <=> b["height"] if res.zero? res end 
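Review bot: In the `validate` hunk of grub2_widgets.rb (@@ -316,7 +320,7), the added `|| grub2.name == "grub2-efi"` makes validation succeed on EFI without probing for a TPM, so the `/sys/**/pcrs` check below it now guards legacy boot only. The only TPM probe on the EFI path visible in this diff is `File.exist?("/dev/tpm0")` in `trusted_boot_widget?`, which decides whether the checkbox is shown, not whether an enabled value is accepted. If the bypass is intentional, a comment would make it reviewable, e.g. `# EFI: the widget is only offered when /dev/tpm0 exists, see trusted_boot_widget?`; otherwise keep a presence check for EFI here as well. The body of `validate` continues outside the hunk.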
@@ -892,7 +896,11 @@ end def trusted_boot_widget? - (Yast::Arch.x86_64 || Yast::Arch.i386) && grub2.name == "grub2" + return false if !(Yast::Arch.x86_64 || Yast::Arch.i386) + return true if grub2.name == "grub2" + # for details about grub2 efi trusted boot support see FATE#315831 + return File.exist?("/dev/tpm0") if grub2.name == "grub2-efi" + false end def pmbr_widget? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2base.rb new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2base.rb --- old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2base.rb 2017-03-24 16:41:55.811983895 +0100 +++ new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2base.rb 2017-04-18 09:23:45.224091561 +0200 @@ -45,6 +45,9 @@ attr_accessor :pmbr_action + # @return [Boolean] + attr_accessor :trusted_boot + def initialize super @@ -87,6 +90,8 @@ end @sections = ::Bootloader::Sections.new(grub_cfg) log.info "grub sections: #{@sections.all}" + + self.trusted_boot = Sysconfig.from_system.trusted_boot end def write @@ -122,6 +127,7 @@ propose_serial propose_xen_hypervisor + self.trusted_boot = false nil end @@ -132,6 +138,8 @@ merge_password(other) merge_pmbr_action(other) merge_sections(other) + + self.trusted_boot = other.trusted_boot unless other.trusted_boot.nil? end def enable_serial_console(console) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2efi.rb new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2efi.rb --- old/yast2-bootloader-3.2.18/src/lib/bootloader/grub2efi.rb 2017-03-24 16:41:55.811983895 +0100 +++ new/yast2-bootloader-3.2.19/src/lib/bootloader/grub2efi.rb 2017-04-18 09:23:45.224091561 +0200 @@ -46,7 +46,7 @@ pmbr_setup(*device.real_devices) end - @grub_install.execute(secure_boot: @secure_boot) + @grub_install.execute(secure_boot: @secure_boot, trusted_boot: trusted_boot) true end 
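Review bot: `File.exist?("/dev/tpm0")` in `trusted_boot_widget?` (grub2_widgets.rb, @@ -892,7 +896,11) shows only that a TPM device node exists on the running system. It does not by itself show that the chip is enabled for measurements, and it is a different probe from the `Dir.glob("/sys/**/pcrs")` that `validate` uses for legacy boot. Consider putting both probes behind one private helper so the two boot paths cannot drift apart, and say in the comment what the check guarantees, e.g. `# offer trusted boot on EFI only when a TPM device node is present (FATE#315831)`. As a style point, `return false if !(Yast::Arch.x86_64 || Yast::Arch.i386)` reads more naturally as `return false unless Yast::Arch.x86_64 || Yast::Arch.i386`.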
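Review bot: The `# @return [Boolean]` on the moved `attr_accessor :trusted_boot` in grub2base.rb (@@ -45,6 +45,9) does not match how the value is used. The `merge` hunk further down tests `other.trusted_boot.nil?`, and no hunk shows `initialize` assigning a default now that `@trusted_boot = false` was dropped from `Grub2#initialize`. If nil is the "not set" state, document it, e.g. `# @return [Boolean, nil] whether trusted boot is enabled; nil until read, proposed or merged`. Callers such as `write_sysconfig` and `@grub_install.execute(..., trusted_boot: trusted_boot)` would then receive nil rather than false. The `initialize` body is only partly visible here, so confirm whether a default is set there.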
@@ -79,6 +79,10 @@ Yast::Builtins.sformat( _("Enable Secure Boot: %1"), @secure_boot ? _("yes") : _("no") + ), + Yast::Builtins.sformat( + _("Enable Trusted Boot: %1"), + trusted_boot ? _("yes") : _("no") ) ] end @@ -109,7 +113,8 @@ # overwrite BootloaderBase version to save secure boot def write_sysconfig(prewrite: false) - sysconfig = Bootloader::Sysconfig.new(bootloader: name, secure_boot: @secure_boot) + sysconfig = Bootloader::Sysconfig.new(bootloader: name, + secure_boot: @secure_boot, trusted_boot: trusted_boot) prewrite ? sysconfig.pre_write : sysconfig.write end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/src/lib/bootloader/grub_install.rb new/yast2-bootloader-3.2.19/src/lib/bootloader/grub_install.rb --- old/yast2-bootloader-3.2.18/src/lib/bootloader/grub_install.rb 2017-03-24 16:41:55.811983895 +0100 +++ new/yast2-bootloader-3.2.19/src/lib/bootloader/grub_install.rb 2017-04-18 09:23:45.224091561 +0200 @@ -12,7 +12,6 @@ def execute(devices: [], secure_boot: false, trusted_boot: false) raise "cannot have secure boot without efi" if secure_boot && !efi - raise "cannot have trusted boot with efi" if trusted_boot && efi cmd = basic_cmd(secure_boot, trusted_boot) 
@@ -37,7 +36,10 @@ # Do skip-fs-probe to avoid error when embedding stage1 # to extended partition cmd << "--force" << "--skip-fs-probe" - cmd << "--directory=/usr/lib/trustedgrub2/#{target}" if trusted_boot + end + + if trusted_boot + cmd << (efi ? "--suse-enable-tpm" : "--directory=/usr/lib/trustedgrub2/#{target}") end cmd << "--no-nvram" << "--removable" if removable_efi? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/test/grub2_efi_test.rb new/yast2-bootloader-3.2.19/test/grub2_efi_test.rb --- old/yast2-bootloader-3.2.18/test/grub2_efi_test.rb 2017-03-24 16:41:55.819983895 +0100 +++ new/yast2-bootloader-3.2.19/test/grub2_efi_test.rb 2017-04-18 09:23:45.240091561 +0200 @@ -13,8 +13,8 @@ describe "#read" do it "reads secure boot configuration from sysconfig" do - sysconfig = double(Bootloader::Sysconfig, secure_boot: true) - expect(Bootloader::Sysconfig).to receive(:from_system).and_return(sysconfig) + sysconfig = double(Bootloader::Sysconfig, secure_boot: true, trusted_boot: true) + expect(Bootloader::Sysconfig).to receive(:from_system).and_return(sysconfig).at_least(:once) subject.read 
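Review bot: The new `if trusted_boot` block in grub_install.rb (@@ -37,7 +36,10) sits after the `end` that closes the preceding branch, so the flag is appended whichever installer command that branch selected. The head of the branch is outside the hunk, so confirm that every command built there accepts `--suse-enable-tpm`. Judging by its name, that option is distribution-specific, and the spec hunks in this diff change only `Version:`, so nothing visible here ties the package to a grub2 build that understands it; an unrecognised option would presumably make the install step fail. The spec added in grub_install_test.rb covers `trusted_boot: true` alone, so an example with `secure_boot: true, trusted_boot: true` would pin the combined case.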
@@ -36,24 +36,26 @@ subject.write end - it "calls grub2-install with respective secure boot configuration" do + it "calls grub2-install with respective secure boot and trusted boot configuration" do grub_install = double(Bootloader::GrubInstall) - expect(grub_install).to receive(:execute).with(secure_boot: true) + expect(grub_install).to receive(:execute).with(secure_boot: true, trusted_boot: true) allow(Bootloader::GrubInstall).to receive(:new).and_return(grub_install) subject.secure_boot = true + subject.trusted_boot = true subject.write end - it "writes secure boot configuration to bootloader sysconfig" do + it "writes secure boot and trusted boot configuration to bootloader sysconfig" do sysconfig = double(Bootloader::Sysconfig) expect(sysconfig).to receive(:write) expect(Bootloader::Sysconfig).to receive(:new) - .with(bootloader: "grub2-efi", secure_boot: true) + .with(bootloader: "grub2-efi", secure_boot: true, trusted_boot: true) .and_return(sysconfig) subject.secure_boot = true + subject.trusted_boot = true subject.write end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/test/grub2_test.rb new/yast2-bootloader-3.2.19/test/grub2_test.rb --- old/yast2-bootloader-3.2.18/test/grub2_test.rb 2017-03-24 16:41:55.823983895 +0100 +++ new/yast2-bootloader-3.2.19/test/grub2_test.rb 2017-04-18 09:23:45.240091561 +0200 
@@ -80,6 +80,7 @@ .with(devices: ["/dev/sda", "/dev/sdb1"], trusted_boot: false) expect(Bootloader::GrubInstall).to receive(:new).with(efi: false).and_return(grub2_install) + subject.trusted_boot = false subject.write end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/test/grub2_widgets_test.rb new/yast2-bootloader-3.2.19/test/grub2_widgets_test.rb --- old/yast2-bootloader-3.2.18/test/grub2_widgets_test.rb 2017-03-24 16:41:55.823983895 +0100 +++ new/yast2-bootloader-3.2.19/test/grub2_widgets_test.rb 2017-04-18 09:23:45.240091561 +0200 @@ -691,3 +691,20 @@ subject.handle end end + +describe Bootloader::TrustedBootWidget do + before do + assign_bootloader + end + + it_behaves_like "labeled widget" + + it "check if trusted platform is found for legacy boot when enabled" do + expect(Dir).to receive(:glob).and_return([]) + expect(Yast::Popup).to receive(:ContinueCancel).and_return(false) + + allow(subject).to receive(:value).and_return(true) + + expect(subject.validate).to eq false + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/test/grub2base_test.rb new/yast2-bootloader-3.2.19/test/grub2base_test.rb --- old/yast2-bootloader-3.2.18/test/grub2base_test.rb 2017-03-24 16:41:55.823983895 +0100 +++ new/yast2-bootloader-3.2.19/test/grub2base_test.rb 2017-04-18 09:23:45.240091561 +0200 
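Review bot: The new `Bootloader::TrustedBootWidget` spec (grub2_widgets_test.rb, @@ -691,3 +691,20) exercises only the legacy path, where no `pcrs` file is found and the popup is cancelled. The behaviour this commit introduces has no example here: `validate` returning true for `grub2-efi` without probing, and `trusted_boot_widget?` depending on `/dev/tpm0`. A context that assigns the EFI bootloader and asserts `expect(Dir).not_to receive(:glob)` together with `expect(subject.validate).to eq true` would pin the bypass as deliberate. A positive legacy case, where a TPM file is found and validation passes, would round out the coverage.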
@@ -27,6 +27,22 @@ subject.read end + + it "reads trusted boot configuration from sysconfig" do + mocked_sysconfig = ::Bootloader::Sysconfig.new(trusted_boot: true) + expect(::Bootloader::Sysconfig).to receive(:from_system).and_return(mocked_sysconfig) + + subject.read + + expect(subject.trusted_boot).to eq true + + mocked_sysconfig = ::Bootloader::Sysconfig.new(trusted_boot: false) + expect(::Bootloader::Sysconfig).to receive(:from_system).and_return(mocked_sysconfig) + + subject.read + + expect(subject.trusted_boot).to eq false + end end describe "write" do @@ -355,6 +371,12 @@ expect(subject.grub_default.serial_console).to eq "serial --unit=1 --speed=4800 --parity=no --word=8" end + + it "proposes to disable trusted boot" do + subject.propose + + expect(subject.trusted_boot).to eq false + end end describe "#disable_serial_console" do @@ -468,5 +490,14 @@ expect(subject.pmbr_action).to eq :nothing end + + it "overwrites trusted boot configuration if merged define it" do + subject.trusted_boot = true + other.trusted_boot = false + + subject.merge(other) + + expect(subject.trusted_boot).to eq false + end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-bootloader-3.2.18/test/grub_install_test.rb new/yast2-bootloader-3.2.19/test/grub_install_test.rb --- old/yast2-bootloader-3.2.18/test/grub_install_test.rb 2017-03-24 16:41:55.823983895 +0100 +++ new/yast2-bootloader-3.2.19/test/grub_install_test.rb 2017-04-18 09:23:45.240091561 +0200 @@ -93,6 +93,17 @@ subject.execute end + + it "passes suse-enable-tpm option when trusted boot is requested" do + stub_arch("x86_64") + stub_efivars + + expect(Yast::Execute).to receive(:on_target) do |arg| + expect(arg).to include("--suse-enable-tpm") + end + + subject.execute(trusted_boot: true) + end end context "initialized with efi:false" do 
@@ -150,6 +161,16 @@ subject.execute(devices: []) end + it "pass directory argument when trusted boot is requested" do + stub_arch("x86_64") + + expect(Yast::Execute).to receive(:on_target) do |arg| + expect(arg).to include("--directory=/usr/lib/trustedgrub2/i386-pc") + end + + subject.execute(devices: ["/dev/sda"], trusted_boot: true) + end + it "raise exception on aarch64" do stub_arch("aarch64")
