Merge pull request #2326 from OSInside/secure-boot-efi

Add SECURE_BOOT no when the firmware is efi
OSInside · Jul 19, 2023 · 553ef4e · 553ef4e
2 parents 3a82983 + cfb4c8e
commit 553ef4e
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/kiwi/bootloader/config/grub2.py b/kiwi/bootloader/config/grub2.py
@@ -580,6 +580,8 @@ def _setup_sysconfig_bootloader(self):
             sysconfig_bootloader_entries['TRUSTED_BOOT'] = 'yes'
         if self.firmware.efi_mode() == 'uefi':
             sysconfig_bootloader_entries['SECURE_BOOT'] = 'yes'
+        if self.firmware.efi_mode() == 'efi':
+            sysconfig_bootloader_entries['SECURE_BOOT'] = 'no'
         if self.cmdline:
             sysconfig_bootloader_entries['DEFAULT_APPEND'] = '"{0}"'.format(
                 self.cmdline

diff --git a/test/unit/bootloader/config/grub2_test.py b/test/unit/bootloader/config/grub2_test.py
@@ -761,6 +761,47 @@ def test_setup_sysconfig_bootloader(self, mock_sysconfig, mock_exists):
             call('TRUSTED_BOOT', 'yes')
         ]
 
+    @patch('os.path.exists')
+    @patch('kiwi.bootloader.config.grub2.SysConfig')
+    def test_setup_sysconfig_bootloader_no_secure(
+        self, mock_sysconfig, mock_exists
+    ):
+        sysconfig_bootloader = MagicMock()
+        mock_sysconfig.return_value = sysconfig_bootloader
+        mock_exists.return_value = True
+        self.bootloader._setup_sysconfig_bootloader()
+        mock_sysconfig.assert_called_once_with(
+            'root_dir/etc/sysconfig/bootloader'
+        )
+        sysconfig_bootloader.write.assert_called_once_with()
+        assert sysconfig_bootloader.__setitem__.call_args_list == [
+            call('DEFAULT_APPEND', '"some-cmdline root=UUID=foo"'),
+            call(
+                'FAILSAFE_APPEND',
+                '"some-cmdline root=UUID=foo failsafe-options"'
+            ),
+            call('LOADER_LOCATION', 'mbr'),
+            call('LOADER_TYPE', 'grub2'),
+            call('TRUSTED_BOOT', 'yes')
+        ]
+        self.firmware.efi_mode = Mock(
+            return_value='efi'
+        )
+        sysconfig_bootloader.__setitem__.reset_mock()
+        self.bootloader._setup_sysconfig_bootloader()
+        print(sysconfig_bootloader.__setitem__.call_args_list)
+        assert sysconfig_bootloader.__setitem__.call_args_list == [
+            call('DEFAULT_APPEND', '"some-cmdline root=UUID=foo"'),
+            call(
+                'FAILSAFE_APPEND',
+                '"some-cmdline root=UUID=foo failsafe-options"'
+            ),
+            call('LOADER_LOCATION', 'none'),
+            call('LOADER_TYPE', 'grub2-efi'),
+            call('SECURE_BOOT', 'no'),
+            call('TRUSTED_BOOT', 'yes')
+        ]
+
     @patch('os.path.exists')
     def test_setup_live_image_config_custom_template(self, mock_exists):
         bootloader = Mock()