Hello community,
here is the log from the commit of package yast2-bootloader for
openSUSE:Leap:15.2 checked in at 2020-04-08 12:47:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/yast2-bootloader (Old)
and /work/SRC/openSUSE:Leap:15.2/.yast2-bootloader.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-bootloader"
Wed Apr 8 12:47:52 2020 rev:119 rq:791112 version:4.2.21
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/yast2-bootloader/yast2-bootloader.changes
2020-03-31 07:22:54.546412070 +0200
+++
/work/SRC/openSUSE:Leap:15.2/.yast2-bootloader.new.3248/yast2-bootloader.changes
2020-04-08 12:47:53.946327807 +0200
@@ -1,0 +2,6 @@
+Thu Apr 2 15:52:56 UTC 2020 - Steffen Winterfeldt <[email protected]>
+
+- limit s390 secure boot to SCSI disks (bsc#1168165)
+- 4.2.21
+
+-------------------------------------------------------------------
Old:
----
yast2-bootloader-4.2.20.tar.bz2
New:
----
yast2-bootloader-4.2.21.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-bootloader.spec ++++++
--- /var/tmp/diff_new_pack.mTFUF0/_old 2020-04-08 12:47:54.370328020 +0200
+++ /var/tmp/diff_new_pack.mTFUF0/_new 2020-04-08 12:47:54.370328020 +0200
@@ -17,7 +17,7 @@
Name: yast2-bootloader
-Version: 4.2.20
+Version: 4.2.21
Release: 0
Summary: YaST2 - Bootloader Configuration
License: GPL-2.0-or-later
++++++ yast2-bootloader-4.2.20.tar.bz2 -> yast2-bootloader-4.2.21.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.20/package/yast2-bootloader.changes
new/yast2-bootloader-4.2.21/package/yast2-bootloader.changes
--- old/yast2-bootloader-4.2.20/package/yast2-bootloader.changes
2020-03-27 09:42:09.000000000 +0100
+++ new/yast2-bootloader-4.2.21/package/yast2-bootloader.changes
2020-04-02 18:13:23.000000000 +0200
@@ -1,4 +1,10 @@
-------------------------------------------------------------------
+Thu Apr 2 15:52:56 UTC 2020 - Steffen Winterfeldt <[email protected]>
+
+- limit s390 secure boot to SCSI disks (bsc#1168165)
+- 4.2.21
+
+-------------------------------------------------------------------
Fri Mar 27 08:19:54 UTC 2020 - Ancor Gonzalez Sosa <[email protected]>
- Reverted the changes to delegate to yast2-storage-ng the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.20/package/yast2-bootloader.spec
new/yast2-bootloader-4.2.21/package/yast2-bootloader.spec
--- old/yast2-bootloader-4.2.20/package/yast2-bootloader.spec 2020-03-27
09:42:09.000000000 +0100
+++ new/yast2-bootloader-4.2.21/package/yast2-bootloader.spec 2020-04-02
18:13:23.000000000 +0200
@@ -17,7 +17,7 @@
Name: yast2-bootloader
-Version: 4.2.20
+Version: 4.2.21
Release: 0
Summary: YaST2 - Bootloader Configuration
License: GPL-2.0-or-later
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-bootloader-4.2.20/src/lib/bootloader/systeminfo.rb
new/yast2-bootloader-4.2.21/src/lib/bootloader/systeminfo.rb
--- old/yast2-bootloader-4.2.20/src/lib/bootloader/systeminfo.rb
2020-03-27 09:42:09.000000000 +0100
+++ new/yast2-bootloader-4.2.21/src/lib/bootloader/systeminfo.rb
2020-04-02 18:13:23.000000000 +0200
@@ -31,7 +31,7 @@
# @param bootloader_name [String] bootloader name
# @return [Boolean] true if secure boot setting is available with this
bootloader
def secure_boot_available?(bootloader_name)
- efi_used?(bootloader_name) || s390_secure_boot_supported?
+ efi_used?(bootloader_name) || s390_secure_boot_available?
end
# Check current trusted boot state.
@@ -87,16 +87,26 @@
(Yast::Arch.x86_64 || Yast::Arch.i386) && secure_boot &&
efi_used?(bootloader_name)
end
- # Check if secure boot is supported on an s390 machine.
+ # Check if secure boot is (in principle) available on an s390 machine.
#
# @return [Boolean] true if this is an s390 machine and it has secure
boot support
- def s390_secure_boot_supported?
+ def s390_secure_boot_available?
# see jsc#SLE-9425
File.read("/sys/firmware/ipl/has_secure", 1) == "1"
rescue StandardError
false
end
+ # Check if secure boot is supported with the current setup.
+ #
+ # The catch here is that secure boot works only with SCSI disks.
+ #
+ # @return [Boolean] true if this is an s390 machine and secure boot is
+ # supported with the current setup
+ def s390_secure_boot_supported?
+ s390_secure_boot_available? && scsi?(zipl_device)
+ end
+
# Check if secure boot is currently active on an s390 machine.
#
# The 'real' state, not any config file setting.
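Review bot: `s390_secure_boot_supported?` keeps its old name but now answers a narrower question, and its doc comment does not say that `false` also covers the case where the zipl device could not be determined. In this diff `zipl_device` rescues to `nil` and `scsi?` rescues to `false`, so a failed storage lookup is indistinguishable from a non-SCSI disk. Any caller outside this diff that still uses the old name silently gets the stricter meaning; only `secure_boot_available?` is visibly switched to the new method. I would add to the comment: `# Also returns false when the zipl device cannot be determined from the staging devicegraph.`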
@@ -108,6 +118,34 @@
rescue StandardError
false
end
+
+ # The partition where zipl is installed.
+ #
+ # @return [Y2Storage::Partition, NilClass] zipl partition
+ def zipl_device
+ staging = Y2Storage::StorageManager.instance.staging
+ mountpoint =
+ Y2Storage::MountPoint.find_by_path(staging, "/boot/zipl").first ||
+ Y2Storage::MountPoint.find_by_path(staging, "/boot").first ||
+ Y2Storage::MountPoint.find_by_path(staging, "/").first
+ mountpoint.filesystem.blk_devices.first
+ rescue StandardError
+ nil
+ end
+
+ # Check if device is a SCSI device.
+ #
+ # param device [Y2Storage::Partition, NilClass] partition device (or nil)
+ #
+ # @return [Boolean] true if device is a SCSI device
+ def scsi?(device)
+ # in lack of a better idea: check if device name starts with 'sd'
+ # alternatively: device.udev_ids.any?(/^scsi-/)
+ # or: device.udev_paths.any?(/-zfcp-/)
+ device.name.start_with?("/dev/sd")
+ rescue StandardError
+ false
+ end
end
end
end
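Review bot: `scsi?` decides by kernel-name prefix on the first block device of the filesystem, so a zipl filesystem on a device-mapper layer (multipath over zfcp, LVM, LUKS) would presumably carry a `/dev/mapper` name and be reported as non-SCSI, leaving secure boot treated as unsupported with no trace of why. The blanket `rescue StandardError` also lumps the expected nil device together with real errors. An explicit `return false unless device` before the name check, plus a log line in the rescue (if a logger is in scope in this class), would make a wrong answer diagnosable. The YARD tag in the new comment is missing its `@`: `# @param device [Y2Storage::Partition, nil] partition device (or nil)`. The hunk opens inside the rescue clause of a method whose start is outside the hunk.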
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-bootloader-4.2.20/test/systeminfo_test.rb
new/yast2-bootloader-4.2.21/test/systeminfo_test.rb
--- old/yast2-bootloader-4.2.20/test/systeminfo_test.rb 2020-03-27
09:42:09.000000000 +0100
+++ new/yast2-bootloader-4.2.21/test/systeminfo_test.rb 2020-04-02
18:13:23.000000000 +0200
@@ -284,14 +284,53 @@
end
end
- describe ".s390_secure_boot_supported?" do
+ describe ".s390_secure_boot_available?" do
context "if arch is s390x" do
let(:arch) { "s390_64" }
context "and has_secure is 1" do
it "returns true" do
allow(File).to receive(:read).with("/sys/firmware/ipl/has_secure",
1).and_return("1")
- expect(described_class.s390_secure_boot_supported?).to be true
+ expect(described_class.s390_secure_boot_available?).to be true
+ end
+ end
+
+ context "and has_secure is 0" do
+ it "returns false" do
+ allow(File).to receive(:read).with("/sys/firmware/ipl/has_secure",
1).and_return("0")
+ expect(described_class.s390_secure_boot_available?).to be false
+ end
+ end
+ end
+
+ context "if arch is x86_64" do
+ let(:arch) { "x86_64" }
+
+ it "returns false" do
+ expect(described_class.s390_secure_boot_available?).to be false
+ end
+ end
+ end
+
+ describe ".s390_secure_boot_supported?" do
+ context "if arch is s390x" do
+ let(:arch) { "s390_64" }
+
+ context "and has_secure is 1" do
+ context "and zipl is on a SCSI disk" do
+ it "returns true" do
+ allow(File).to receive(:read).with("/sys/firmware/ipl/has_secure",
1).and_return("1")
+ allow(Bootloader::Systeminfo).to receive(:scsi?).and_return(true)
+ expect(described_class.s390_secure_boot_supported?).to be true
+ end
+ end
+
+ context "and zipl is not on a SCSI disk" do
+ it "returns false" do
+ allow(File).to receive(:read).with("/sys/firmware/ipl/has_secure",
1).and_return("1")
+ allow(Bootloader::Systeminfo).to receive(:scsi?).and_return(false)
+ expect(described_class.s390_secure_boot_supported?).to be false
+ end
end
end