Hello community,
here is the log from the commit of package yast2-bootloader for
openSUSE:Leap:15.2 checked in at 2020-03-13 10:55:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/yast2-bootloader (Old)
and /work/SRC/openSUSE:Leap:15.2/.yast2-bootloader.new.3160 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-bootloader"
Fri Mar 13 10:55:16 2020 rev:116 rq:781759 version:4.2.17
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/yast2-bootloader/yast2-bootloader.changes
2020-03-02 17:21:22.654066865 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.yast2-bootloader.new.3160/yast2-bootloader.changes
2020-03-13 10:55:19.788347179 +0100
@@ -1,0 +2,6 @@
+Fri Feb 28 14:23:30 UTC 2020 - Steffen Winterfeldt <[email protected]>
+
+- add support for S390 secure boot (jsc#SLE-9471, jsc#SLE-9425)
+- 4.2.17
+
+-------------------------------------------------------------------
Old:
----
yast2-bootloader-4.2.16.tar.bz2
New:
----
yast2-bootloader-4.2.17.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-bootloader.spec ++++++
--- /var/tmp/diff_new_pack.oF1DQQ/_old 2020-03-13 10:55:20.220347487 +0100
+++ /var/tmp/diff_new_pack.oF1DQQ/_new 2020-03-13 10:55:20.220347487 +0100
@@ -17,7 +17,7 @@
Name: yast2-bootloader
-Version: 4.2.16
+Version: 4.2.17
Release: 0
Summary: YaST2 - Bootloader Configuration
License: GPL-2.0-or-later
++++++ yast2-bootloader-4.2.16.tar.bz2 -> yast2-bootloader-4.2.17.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/package/yast2-bootloader.changes
new/yast2-bootloader-4.2.17/package/yast2-bootloader.changes
--- old/yast2-bootloader-4.2.16/package/yast2-bootloader.changes
2020-02-26 12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/package/yast2-bootloader.changes
2020-02-28 15:32:22.000000000 +0100
@@ -1,4 +1,10 @@
-------------------------------------------------------------------
+Fri Feb 28 14:23:30 UTC 2020 - Steffen Winterfeldt <[email protected]>
+
+- add support for S390 secure boot (jsc#SLE-9471, jsc#SLE-9425)
+- 4.2.17
+
+-------------------------------------------------------------------
Fri Feb 21 11:10:24 UTC 2020 - José Iván López González <[email protected]>
- Delegate the logic for calculating a device udev link to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/package/yast2-bootloader.spec
new/yast2-bootloader-4.2.17/package/yast2-bootloader.spec
--- old/yast2-bootloader-4.2.16/package/yast2-bootloader.spec 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/package/yast2-bootloader.spec 2020-02-28
15:32:22.000000000 +0100
@@ -17,7 +17,7 @@
Name: yast2-bootloader
-Version: 4.2.16
+Version: 4.2.17
Release: 0
Summary: YaST2 - Bootloader Configuration
License: GPL-2.0-or-later
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/autoyast_converter.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/autoyast_converter.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/autoyast_converter.rb
2020-02-26 12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/autoyast_converter.rb
2020-02-28 15:32:22.000000000 +0100
@@ -234,6 +234,7 @@
# only for grub2, not for others
GRUB2_BOOLEAN_MAPPING = {
+ "secure_boot" => :secure_boot,
"trusted_grub" => :trusted_boot
}.freeze
private_constant :GRUB2_BOOLEAN_MAPPING
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2.rb 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2.rb 2020-02-28
15:32:22.000000000 +0100
@@ -7,6 +7,7 @@
require "bootloader/device_map"
require "bootloader/stage1"
require "bootloader/grub_install"
+require "bootloader/systeminfo"
Yast.import "Arch"
Yast.import "BootStorage"
@@ -15,7 +16,6 @@
module Bootloader
# Represents non-EFI variant of GRUB2
class Grub2 < Grub2Base
- attr_reader :stage1
attr_reader :device_map
def initialize
@@ -65,7 +65,9 @@
# powernv must not call grub2-install (bnc#970582)
unless Yast::Arch.board_powernv
- failed = @grub_install.execute(devices: stage1.devices, trusted_boot:
trusted_boot)
+ failed = @grub_install.execute(
+ devices: stage1.devices, secure_boot: secure_boot, trusted_boot:
trusted_boot
+ )
failed.each { |f| stage1.remove_device(f) }
stage1.write
end
@@ -100,12 +102,12 @@
Yast::Builtins.sformat(
_("Boot Loader Type: %1"),
"GRUB2"
- ),
- Yast::Builtins.sformat(
- _("Enable Trusted Boot: %1"),
- trusted_boot ? _("yes") : _("no")
)
]
+
+ result << secure_boot_summary if Systeminfo.secure_boot_available?(name)
+ result << trusted_boot_summary if
Systeminfo.trusted_boot_available?(name)
+
locations_val = locations
if !locations_val.empty?
result << Yast::Builtins.sformat(
@@ -142,7 +144,9 @@
# FIXME: refactor with injection like super(prewrite: prewrite, sysconfig
= ...)
# overwrite BootloaderBase version to save trusted boot
def write_sysconfig(prewrite: false)
- sysconfig = Bootloader::Sysconfig.new(bootloader: name, trusted_boot:
trusted_boot)
+ sysconfig = Bootloader::Sysconfig.new(
+ bootloader: name, secure_boot: secure_boot, trusted_boot: trusted_boot
+ )
prewrite ? sysconfig.pre_write : sysconfig.write
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2_widgets.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2_widgets.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2_widgets.rb
2020-02-26 12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2_widgets.rb
2020-02-28 15:32:22.000000000 +0100
@@ -6,6 +6,7 @@
require "bootloader/device_map_dialog"
require "bootloader/serial_console"
require "bootloader/cpu_mitigations"
+require "bootloader/systeminfo"
require "cfa/matcher"
Yast.import "BootStorage"
@@ -14,6 +15,7 @@
Yast.import "Report"
Yast.import "UI"
Yast.import "Mode"
+Yast.import "Arch"
module Bootloader
# Adds to generic widget grub2 specific helpers
@@ -326,7 +328,7 @@
end
def help
- _("<p><b>Enable Secure Boot Support</b> if checked enables UEFI Secure
Boot support.</p>")
+ _("<p><b>Enable Secure Boot Support</b> if checked enables Secure Boot
support.</p>")
end
def init
@@ -336,6 +338,19 @@
def store
grub2.secure_boot = value
end
+
+ def validate
+ return true if Yast::Mode.config ||
+ !Yast::Arch.s390 ||
+ value == Systeminfo.secure_boot_active?
+
+ Yast::Popup.ContinueCancel(
+ _(
+ "Make sure the Secure Boot setting matches the configuration of the
HMC.\n\n" \
+ "Otherwise this system will not boot."
+ )
+ )
+ end
end
# Represents switcher for Trusted Boot
@@ -978,18 +993,11 @@
end
def secure_boot_widget?
- (Yast::Arch.x86_64 || Yast::Arch.i386 || Yast::Arch.aarch64) &&
grub2.name == "grub2-efi"
+ Systeminfo.secure_boot_available?(grub2.name)
end
def trusted_boot_widget?
- return false if !(Yast::Arch.x86_64 || Yast::Arch.i386)
-
- return true if grub2.name == "grub2"
-
- # for details about grub2 efi trusted boot support see FATE#315831
- return File.exist?("/dev/tpm0") if grub2.name == "grub2-efi"
-
- false
+ Systeminfo.trusted_boot_available?(grub2.name)
end
def pmbr_widget?
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2base.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2base.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2base.rb 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2base.rb 2020-02-28
15:32:22.000000000 +0100
@@ -45,13 +45,22 @@
attr_accessor :pmbr_action
- # @return [Boolean]
+ # @!attribute trusted_boot
+ # @return [Boolean] current trusted boot setting
attr_accessor :trusted_boot
+ # @!attribute secure_boot
+ # @return [Boolean] current secure boot setting
+ attr_accessor :secure_boot
+
# @!attribute console
# @return [::Bootloader::SerialConsole] serial console or nil if none
attr_reader :console
+ # @!attribute stage1
+ # @return [::Bootloader::Stage1, nil] bootloader stage1, if one is needed
+ attr_reader :stage1
+
def initialize
super
@@ -114,7 +123,8 @@
@sections = ::Bootloader::Sections.new(grub_cfg)
log.info "grub sections: #{@sections.all}"
- self.trusted_boot = Sysconfig.from_system.trusted_boot
+ self.trusted_boot = Systeminfo.trusted_boot_active?
+ self.secure_boot = Systeminfo.secure_boot_active?
end
def write
@@ -151,7 +161,7 @@
propose_xen_hypervisor
self.trusted_boot = false
- nil
+ self.secure_boot = Systeminfo.secure_boot_active?
end
def merge(other)
@@ -163,6 +173,7 @@
merge_sections(other)
self.trusted_boot = other.trusted_boot unless other.trusted_boot.nil?
+ self.secure_boot = other.secure_boot unless other.secure_boot.nil?
end
def enable_serial_console(console_arg_string)
@@ -365,6 +376,30 @@
def propose_encrypted
grub_default.cryptodisk.value = !!Yast::BootStorage.encrypted_boot?
end
+
+ # Secure boot setting shown in summary screen.
+ #
+ # @return [String]
+ def secure_boot_summary
+ _("Secure Boot:") + " " + (secure_boot ? _("enabled") : _("disabled")) +
" " +
+ if secure_boot
+ "<a href=\"disable_secure_boot\">(" + _("disable") + ")</a>"
+ else
+ "<a href=\"enable_secure_boot\">(" + _("enable") + ")</a>"
+ end
+ end
+
+ # Trusted boot setting shown in summary screen.
+ #
+ # @return [String]
+ def trusted_boot_summary
+ _("Trusted Boot:") + " " + (trusted_boot ? _("enabled") : _("disabled"))
+ " " +
+ if trusted_boot
+ "<a href=\"disable_trusted_boot\">(" + _("disable") + ")</a>"
+ else
+ "<a href=\"enable_trusted_boot\">(" + _("enable") + ")</a>"
+ end
+ end
end
# rubocop:enable Metrics/ClassLength
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2efi.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2efi.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/grub2efi.rb 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/grub2efi.rb 2020-02-28
15:32:22.000000000 +0100
@@ -13,7 +13,6 @@
# Represents grub2 bootloader with efi target
class Grub2EFI < Grub2Base
include Yast::Logger
- attr_accessor :secure_boot
def initialize
super
@@ -25,8 +24,6 @@
# Read settings from disk overwritting already set values
def read
- @secure_boot = Sysconfig.from_system.secure_boot
-
super
end
@@ -50,7 +47,7 @@
pmbr_setup(*disks.map(&:name))
end
- @grub_install.execute(secure_boot: @secure_boot, trusted_boot:
trusted_boot)
+ @grub_install.execute(secure_boot: secure_boot, trusted_boot:
trusted_boot)
true
end
@@ -61,34 +58,27 @@
# for UEFI always remove PMBR flag on disk (bnc#872054)
self.pmbr_action = :remove
- # Only x86_64 and aarch64 systems support secure boot
- @secure_boot = (Yast::Arch.x86_64 || Yast::Arch.aarch64) ? true : false
grub_default.generic_set("GRUB_USE_LINUXEFI", Yast::Arch.aarch64 ?
"false" : "true")
end
def merge(other)
super
-
- @secure_boot = other.secure_boot unless other.secure_boot.nil?
end
# Display bootloader summary
# @return a list of summary lines
def summary(*)
- [
+ result = [
Yast::Builtins.sformat(
_("Boot Loader Type: %1"),
"GRUB2 EFI"
- ),
- Yast::Builtins.sformat(
- _("Enable Secure Boot: %1"),
- @secure_boot ? _("yes") : _("no")
- ),
- Yast::Builtins.sformat(
- _("Enable Trusted Boot: %1"),
- trusted_boot ? _("yes") : _("no")
)
]
+
+ result << secure_boot_summary if Systeminfo.secure_boot_available?(name)
+ result << trusted_boot_summary if
Systeminfo.trusted_boot_available?(name)
+
+ result
end
def name
@@ -103,7 +93,7 @@
res << "grub2-i386-efi"
when "x86_64"
res << "grub2-x86_64-efi"
- res << "shim" << "mokutil" if @secure_boot
+ res << "shim" << "mokutil" if secure_boot
when "arm"
res << "grub2-arm-efi"
when "aarch64"
@@ -118,7 +108,7 @@
# overwrite BootloaderBase version to save secure boot
def write_sysconfig(prewrite: false)
sysconfig = Bootloader::Sysconfig.new(bootloader: name,
- secure_boot: @secure_boot, trusted_boot: trusted_boot)
+ secure_boot: secure_boot, trusted_boot: trusted_boot)
prewrite ? sysconfig.pre_write : sysconfig.write
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/grub_install.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/grub_install.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/grub_install.rb
2020-02-26 12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/grub_install.rb
2020-02-28 15:32:22.000000000 +0100
@@ -2,6 +2,7 @@
require "yast"
require "yast2/execute"
+require "bootloader/systeminfo"
Yast.import "Arch"
Yast.import "Report"
@@ -14,6 +15,7 @@
def initialize(efi: false)
@efi = efi
+ @grub2_name = "grub2" + (@efi ? "-efi" : "")
textdomain "bootloader"
end
@@ -25,7 +27,13 @@
# @param trusted_boot [Boolean] if trusted boot variant should be used
# @return [Array<String>] list of devices for which install failed
def execute(devices: [], secure_boot: false, trusted_boot: false)
- raise "cannot have secure boot without efi" if secure_boot && !efi
+ if secure_boot && !Systeminfo.secure_boot_available?(@grub2_name)
+ # There might be some secure boot setting left over when the
+ # bootloader had been switched.
+ # Simply ignore it when it is not applicable instead of raising an
+ # error.
+ log.warn "Ignoring secure boot setting on this machine"
+ end
cmd = basic_cmd(secure_boot, trusted_boot)
@@ -71,7 +79,7 @@
# creates basic command for grub2 install without specifying any stage1
# locations
def basic_cmd(secure_boot, trusted_boot)
- if secure_boot && !Yast::Arch.aarch64
+ if Systeminfo.shim_needed?(@grub2_name, secure_boot)
cmd = ["/usr/sbin/shim-install", "--config-file=/boot/grub2/grub.cfg"]
else
cmd = ["/usr/sbin/grub2-install", "--target=#{target}"]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/proposal_client.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/proposal_client.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/proposal_client.rb
2020-02-26 12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/proposal_client.rb
2020-02-28 15:32:22.000000000 +0100
@@ -4,12 +4,14 @@
require "bootloader/exceptions"
require "bootloader/main_dialog"
require "bootloader/bootloader_factory"
+require "bootloader/systeminfo"
require "yast2/popup"
Yast.import "BootArch"
module Bootloader
# Proposal client for bootloader configuration
+ # rubocop:disable Metrics/ClassLength
class ProposalClient < ::Installation::ProposalClient
# Error when during update media is booted by different technology than
target system.
class MismatchBootloader < RuntimeError
@@ -72,7 +74,11 @@
"enable_boot_mbr",
"disable_boot_mbr",
"enable_boot_boot",
- "disable_boot_boot"
+ "disable_boot_boot",
+ "enable_secure_boot",
+ "disable_secure_boot",
+ "enable_trusted_boot",
+ "disable_trusted_boot"
].freeze
def make_proposal(attrs)
@@ -94,7 +100,7 @@
case chosen_id
when *PROPOSAL_LINKS
value = (chosen_id =~ /enable/) ? true : false
- option = chosen_id[/(enable|disable)_boot_(.*)/, 2]
+ option = chosen_id[/(enable|disable)_(.*)/, 2]
single_click_action(option, value)
else
settings = export_settings
@@ -336,12 +342,31 @@
end
def single_click_action(option, value)
- stage1 = ::Bootloader::BootloaderFactory.current.stage1
- devices = (option.to_sym == :mbr) ? stage1.boot_disk_names :
stage1.boot_partition_names
- log.info "single_click_action #{option} #{value.inspect} #{devices}"
+ bootloader = ::Bootloader::BootloaderFactory.current
- devices.each do |device|
- value ? stage1.add_udev_device(device) : stage1.remove_device(device)
+ log.info "single_click_action: option #{option}, value #{value.inspect}"
+
+ case option
+ when "boot_mbr", "boot_boot"
+ stage1 = bootloader.stage1
+ devices = (option == "boot_mbr") ? stage1.boot_disk_names :
stage1.boot_partition_names
+ log.info "single_click_action: devices #{devices}"
+ devices.each do |device|
+ value ? stage1.add_udev_device(device) : stage1.remove_device(device)
+ end
+ when "trusted_boot"
+ bootloader.trusted_boot = value
+ when "secure_boot"
+ bootloader.secure_boot = value
+ if value && Yast::Arch.s390
+ Yast2::Popup.show(
+ _(
+ "Make sure to also enable Secure Boot in the HMC.\n\n" \
+ "Otherwise this system will not boot."
+ ),
+ headline: :warning, buttons: :ok
+ )
+ end
end
Yast::Bootloader.proposed_cfg_changed = true
@@ -355,4 +380,5 @@
Yast::PackagesProposal.AddResolvables("yast2-bootloader", :package,
bl.packages)
end
end
+ # rubocop:enable Metrics/ClassLength
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/sysconfig.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/sysconfig.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/sysconfig.rb 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/sysconfig.rb 2020-02-28
15:32:22.000000000 +0100
@@ -1,6 +1,7 @@
# frozen_string_literal: true
require "yast"
+require "bootloader/systeminfo"
Yast.import "Arch"
@@ -33,11 +34,7 @@
bootloader = Yast::SCR.Read(AGENT_PATH + "LOADER_TYPE")
# propose secure boot always to true (bnc#872054), otherwise respect
user choice
# but only on architectures that support it
- secure_boot = if Yast::Arch.x86_64 || Yast::Arch.i386 ||
Yast::Arch.aarch64
- Yast::SCR.Read(AGENT_PATH + "SECURE_BOOT") != "no"
- else
- false
- end
+ secure_boot = Yast::SCR.Read(AGENT_PATH + "SECURE_BOOT") != "no"
trusted_boot = Yast::SCR.Read(AGENT_PATH + "TRUSTED_BOOT") == "yes"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.16/src/lib/bootloader/systeminfo.rb
new/yast2-bootloader-4.2.17/src/lib/bootloader/systeminfo.rb
--- old/yast2-bootloader-4.2.16/src/lib/bootloader/systeminfo.rb
1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-bootloader-4.2.17/src/lib/bootloader/systeminfo.rb
2020-02-28 15:32:22.000000000 +0100
@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require "yast"
+require "bootloader/bootloader_factory"
+require "bootloader/sysconfig"
+
+Yast.import "Arch"
+
+module Bootloader
+ # Provide system and architecture dependent information
+ class Systeminfo
+ class << self
+ # Check current secure boot state.
+ #
+ # This prefers the 'real' state over the config file setting, if
possible.
+ #
+ # @return [Boolean] true if secure boot is currently active
+ def secure_boot_active?
+ (efi_supported? && Sysconfig.from_system.secure_boot) ||
s390_secure_boot_active?
+ end
+
+ # Check if secure boot is in principle supported.
+ #
+ # @return [Boolean] true if secure boot is (in principle) supported on
this system
+ # def secure_boot_supported?
+ # efi_supported? || s390_secure_boot_supported?
+ # end
+
+ # Check if secure boot is configurable with a bootloader.
+ #
+ # @param bootloader_name [String] bootloader name
+ # @return [Boolean] true if secure boot setting is available with this
bootloader
+ def secure_boot_available?(bootloader_name)
+ efi_used?(bootloader_name) || s390_secure_boot_supported?
+ end
+
+ # Check current trusted boot state.
+ #
+ # ATM this just returns the config file setting.
+ #
+ # @return [Boolean] true if trusted boot is currently active
+ def trusted_boot_active?
+ # FIXME: this should probably be a real check as in
Grub2Widget#validate
+ # and then Grub2Widget#validate could use
Systeminfo.trusted_boot_active?
+ Sysconfig.from_system.trusted_boot
+ end
+
+ # Check if trusted boot is configurable with a bootloader.
+ #
+ # param bootloader_name [String] bootloader name
+ # @return [Boolean] true if trusted boot setting is available with this
bootloader
+ def trusted_boot_available?(bootloader_name)
+ # for details about grub2 efi trusted boot support see FATE#315831
+ (
+ bootloader_name == "grub2" &&
+ (Yast::Arch.x86_64 || Yast::Arch.i386)
+ ) || (
+ bootloader_name == "grub2-efi" &&
+ File.exist?("/dev/tpm0")
+ )
+ end
+
+ # Check if UEFI will be used.
+ #
+ # param bootloader_name [String] bootloader name
+ # @return [Boolean] true if UEFI will be used for booting with this
bootloader
+ def efi_used?(bootloader_name)
+ bootloader_name == "grub2-efi"
+ end
+
+ # Check if UEFI is available on this system.
+ #
+ # It need not currently be used. It should just be possible to put the
+ # system into UEFI mode.
+ #
+ # @return [Boolean] true if system can (in principle) boot via UEFI
+ def efi_supported?
+ Yast::Arch.x86_64 || Yast::Arch.i386 || Yast::Arch.aarch64
+ end
+
+ # Check if shim-install should be used instead of grub2-install.
+ #
+ # param bootloader_name [String] bootloader name
+ # param secure_boot [Boolean] secure boot setting
+ # @return [Boolean] true if shim has to be used
+ def shim_needed?(bootloader_name, secure_boot)
+ (Yast::Arch.x86_64 || Yast::Arch.i386) && secure_boot &&
efi_used?(bootloader_name)
+ end
+
+ # Check if secure boot is supported on an s390 machine.
+ #
+ # @return [Boolean] true if this is an s390 machine and it has secure
boot support
+ def s390_secure_boot_supported?
+ # FIXME: this is just a stub - replace with real code later
+ Yast::Arch.s390
+ end
+
+ # Check if secure boot is currently active on an s390 machine.
+ #
+ # The 'real' state, not any config file setting.
+ #
+ # @return [Boolean] true if 390x machine has secure boot enabled
+ def s390_secure_boot_active?
+ # FIXME: this is just a stub - replace with real code later
+ false
+ end
+ end
+ end
+end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-bootloader-4.2.16/test/grub2_efi_test.rb
new/yast2-bootloader-4.2.17/test/grub2_efi_test.rb
--- old/yast2-bootloader-4.2.16/test/grub2_efi_test.rb 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/test/grub2_efi_test.rb 2020-02-28
15:32:22.000000000 +0100
@@ -17,6 +17,7 @@
allow(Bootloader::Sections).to
receive(:new).and_return(double("Sections").as_null_object)
allow(Yast::BootStorage).to
receive(:available_swap_partitions).and_return([])
allow(Bootloader::GrubInstall).to
receive(:new).and_return(double.as_null_object)
+ allow(Yast::Arch).to receive(:architecture).and_return("x86_64")
end
describe "#read" do
@@ -142,7 +143,7 @@
it "returns line with secure boot option specified" do
subject.secure_boot = false
- expect(subject.summary).to include("Enable Secure Boot: no")
+ expect(subject.summary).to include(match(/Secure Boot: disabled/))
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-bootloader-4.2.16/test/grub2_test.rb
new/yast2-bootloader-4.2.17/test/grub2_test.rb
--- old/yast2-bootloader-4.2.16/test/grub2_test.rb 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/test/grub2_test.rb 2020-02-28
15:32:22.000000000 +0100
@@ -81,7 +81,7 @@
grub2_install = double(Bootloader::GrubInstall)
expect(grub2_install).to receive(:execute)
- .with(devices: ["/dev/sda", "/dev/sdb1"], trusted_boot:
false).and_return([])
+ .with(devices: ["/dev/sda", "/dev/sdb1"], secure_boot: nil,
trusted_boot: false).and_return([])
expect(Bootloader::GrubInstall).to receive(:new).with(efi:
false).and_return(grub2_install)
subject.trusted_boot = false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-bootloader-4.2.16/test/grub_install_test.rb
new/yast2-bootloader-4.2.17/test/grub_install_test.rb
--- old/yast2-bootloader-4.2.16/test/grub_install_test.rb 2020-02-26
12:06:56.000000000 +0100
+++ new/yast2-bootloader-4.2.17/test/grub_install_test.rb 2020-02-28
15:32:22.000000000 +0100
@@ -131,8 +131,9 @@
subject { Bootloader::GrubInstall.new(efi: false) }
- it "raise exception if secure_boot: true passed" do
- expect { subject.execute(secure_boot: true) }.to
raise_error(RuntimeError)
+ it "do not raise exception if secure_boot: true passed" do
+ stub_arch("x86_64")
+ expect { subject.execute(secure_boot: true) }.to_not
raise_error(RuntimeError)
end
it "runs for each device passed in devices" do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-bootloader-4.2.16/test/systeminfo_test.rb
new/yast2-bootloader-4.2.17/test/systeminfo_test.rb
--- old/yast2-bootloader-4.2.16/test/systeminfo_test.rb 1970-01-01
01:00:00.000000000 +0100
+++ new/yast2-bootloader-4.2.17/test/systeminfo_test.rb 2020-02-28
15:32:22.000000000 +0100
@@ -0,0 +1,313 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+require "bootloader/systeminfo"
+
+describe Bootloader::Systeminfo do
+ let(:arch) { nil }
+
+ before do
+ allow(Yast::Arch).to receive(:architecture).and_return(arch)
+ allow(Yast::SCR).to receive(:Write)
+ allow(Yast::SCR).to receive(:Read)
+ end
+
+ describe ".secure_boot_active?" do
+ context "if arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ context "if SECURE_BOOT is 'yes' in sysconfig" do
+ it "returns true" do
+ allow(Yast::SCR).to receive(:Read).with(
+ Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
+ ).and_return("yes")
+ expect(described_class.secure_boot_active?).to be true
+ end
+ end
+
+ context "if SECURE_BOOT is 'no' in sysconfig" do
+ it "returns false" do
+ allow(Yast::SCR).to receive(:Read).with(
+ Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
+ ).and_return("no")
+ expect(described_class.secure_boot_active?).to be false
+ end
+ end
+ end
+
+ context "if arch is s390x" do
+ let(:arch) { "s390_64" }
+
+ context "if SECURE_BOOT is 'yes' in sysconfig" do
+ it "returns true" do
+ allow(Yast::SCR).to receive(:Read).with(
+ Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
+ ).and_return("yes")
+ expect(described_class.secure_boot_active?).to be false
+ end
+ end
+
+ context "if SECURE_BOOT is 'no' in sysconfig" do
+ it "returns false" do
+ allow(Yast::SCR).to receive(:Read).with(
+ Yast::Path.new(".sysconfig.bootloader.SECURE_BOOT")
+ ).and_return("no")
+ expect(described_class.secure_boot_active?).to be false
+ end
+ end
+ end
+ end
+
+ describe ".secure_boot_available?" do
+ context "if bootloader is grub2" do
+ context "and arch is x86_64" do
+ let(:arch) { "x86_64" }
+ it "returns false" do
+ expect(described_class.secure_boot_available?("grub2")).to be false
+ end
+ end
+
+ context "and arch is s390x" do
+ let(:arch) { "s390_64" }
+ it "returns true" do
+ expect(described_class.secure_boot_available?("grub2")).to be true
+ end
+ end
+ end
+
+ context "if bootloader is grub2-efi" do
+ context "and arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ it "returns true" do
+ expect(described_class.secure_boot_available?("grub2-efi")).to be
true
+ end
+ end
+
+ context "and arch is aarch64" do
+ let(:arch) { "aarch64" }
+
+ it "returns true" do
+ expect(described_class.secure_boot_available?("grub2-efi")).to be
true
+ end
+ end
+ end
+ end
+
+ describe ".trusted_boot_active?" do
+ context "if TRUSTED_BOOT is 'yes' in sysconfig" do
+ it "returns true" do
+ allow(Yast::SCR).to receive(:Read).with(
+ Yast::Path.new(".sysconfig.bootloader.TRUSTED_BOOT")
+ ).and_return("yes")
+ expect(described_class.trusted_boot_active?).to be true
+ end
+ end
+
+ context "if TRUSTED_BOOT is 'no' in sysconfig" do
+ it "returns true" do
+ allow(Yast::SCR).to receive(:Read).with(
+ Yast::Path.new(".sysconfig.bootloader.TRUSTED_BOOT")
+ ).and_return("no")
+ expect(described_class.trusted_boot_active?).to be false
+ end
+ end
+ end
+
+ describe ".trusted_boot_available?" do
+ context "if bootloader is grub2" do
+ context "and arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ it "returns true" do
+ expect(described_class.trusted_boot_available?("grub2")).to be true
+ end
+ end
+
+ context "and arch is i386" do
+ let(:arch) { "i386" }
+
+ it "returns true" do
+ expect(described_class.trusted_boot_available?("grub2")).to be true
+ end
+ end
+
+ context "and arch is ppc64" do
+ let(:arch) { "ppc64" }
+
+ it "returns false" do
+ expect(described_class.trusted_boot_available?("grub2")).to be false
+ end
+ end
+
+ context "and arch is s390x" do
+ let(:arch) { "s390_64" }
+
+ it "returns false" do
+ expect(described_class.trusted_boot_available?("grub2")).to be false
+ end
+ end
+ end
+
+ context "if bootloader is grub2-efi" do
+ context "and a tpm device exists" do
+ it "returns true" do
+ allow(File).to receive(:exist?).with("/dev/tpm0").and_return(true)
+ expect(described_class.trusted_boot_available?("grub2-efi")).to be
true
+ end
+ end
+
+ context "and a tpm device does not exist" do
+ it "returns false" do
+ allow(File).to receive(:exist?).with("/dev/tpm0").and_return(false)
+ expect(described_class.trusted_boot_available?("grub2-efi")).to be
false
+ end
+ end
+ end
+ end
+
+ describe ".efi_used?" do
+ context "if bootloader is grub2-efi" do
+ it "returns true" do
+ expect(described_class.efi_used?("grub2-efi")).to be true
+ end
+ end
+
+ context "if bootloader is grub2" do
+ it "returns false" do
+ expect(described_class.efi_used?("grub2")).to be false
+ end
+ end
+ end
+
+ describe ".efi_supported?" do
+ context "if arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ it "returns true" do
+ expect(described_class.efi_supported?).to be true
+ end
+ end
+
+ context "if arch is i386" do
+ let(:arch) { "i386" }
+
+ it "returns true" do
+ expect(described_class.efi_supported?).to be true
+ end
+ end
+
+ context "if arch is aarch64" do
+ let(:arch) { "aarch64" }
+
+ it "returns true" do
+ expect(described_class.efi_supported?).to be true
+ end
+ end
+
+ context "if arch is ppc64" do
+ let(:arch) { "ppc64" }
+
+ it "returns false" do
+ expect(described_class.efi_supported?).to be false
+ end
+ end
+
+ context "if arch is s390x" do
+ let(:arch) { "s390_64" }
+
+ it "returns false" do
+ expect(described_class.efi_supported?).to be false
+ end
+ end
+ end
+
+ describe ".shim_needed?" do
+ context "if UEFI is used and arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ context "and secure boot is enabled" do
+ it "returns true" do
+ expect(described_class.shim_needed?("grub2-efi", true)).to be true
+ end
+ end
+
+ context "and secure boot is disabled" do
+ it "returns false" do
+ expect(described_class.shim_needed?("grub2-efi", false)).to be false
+ end
+ end
+ end
+
+ context "if UEFI is used and arch is aarch64" do
+ let(:arch) { "aarch64" }
+
+ context "and secure boot is enabled" do
+ it "returns false" do
+ expect(described_class.shim_needed?("grub2-efi", true)).to be false
+ end
+ end
+
+ context "and secure boot is disabled" do
+ it "returns false" do
+ expect(described_class.shim_needed?("grub2-efi", false)).to be false
+ end
+ end
+ end
+
+ context "if UEFI is not used and arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ context "and secure boot is disabled" do
+ it "returns true" do
+ expect(described_class.shim_needed?("grub2", false)).to be false
+ end
+ end
+ end
+
+ context "if UEFI is not used and arch is s390x" do
+ let(:arch) { "s390_64" }
+
+ context "and secure boot is enabled" do
+ it "returns false" do
+ expect(described_class.shim_needed?("grub2", true)).to be false
+ end
+ end
+
+ context "and secure boot is disabled" do
+ it "returns false" do
+ expect(described_class.shim_needed?("grub2", false)).to be false
+ end
+ end
+ end
+ end
+
+ describe ".s390_secure_boot_supported?" do
+ context "if arch is s390x" do
+ let(:arch) { "s390_64" }
+
+ it "returns true" do
+ expect(described_class.s390_secure_boot_supported?).to be true
+ end
+ end
+
+ context "if arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ it "returns false" do
+ expect(described_class.s390_secure_boot_supported?).to be false
+ end
+ end
+ end
+
+ describe ".s390_secure_boot_active?" do
+ context "if arch is s390x" do
+ let(:arch) { "s390_64" }
+
+ it "returns false" do
+ expect(described_class.s390_secure_boot_active?).to be false
+ end
+ end
+ end
+end
