From e3bfb469608c47a185b469cfb39dab78208b589e9fd82a363a5dae2befeddd48 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Tue, 21 May 2024 05:06:43 +0000
Subject: [PATCH] Accepting request 1175311 from
 home:gary_lin:branches:Base:System

- Only enable grub-protect for EFI systems
  * 0001-util-enable-grub-protect-only-for-EFI-systems.patch

OBS-URL: https://build.opensuse.org/request/show/1175311
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=505
---
 ...le-grub-protect-only-for-EFI-systems.patch | 33 +++++++++++++++++++
 grub2.changes                                 |  6 ++++
 grub2.spec                                    |  5 ++-
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 0001-util-enable-grub-protect-only-for-EFI-systems.patch

diff --git a/0001-util-enable-grub-protect-only-for-EFI-systems.patch b/0001-util-enable-grub-protect-only-for-EFI-systems.patch
new file mode 100644
index 0000000..5ac1b7a
--- /dev/null
+++ b/0001-util-enable-grub-protect-only-for-EFI-systems.patch
@@ -0,0 +1,33 @@
+From 6ce53d4db8430de5526ea4c48beac8139ba60925 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 20 May 2024 14:19:58 +0800
+Subject: [PATCH] util: enable grub-protect only for EFI systems
+
+Add 'enable = efi;' back to the grub-protect section to enable the
+utility only for EFI systems.
+
+The restriction was relaxed in the upstreaming patch to enable the
+grub-emu TPM2 testcases. Since we already build the utility natively for
+the architectures with EFI support, there is no need to build the
+program again for grub-emu.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ Makefile.util.def | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile.util.def b/Makefile.util.def
+index 90850125d..5085152b0 100644
+--- a/Makefile.util.def
++++ b/Makefile.util.def
+@@ -210,6 +210,7 @@ program = {
+ program = {
+   name = grub-protect;
+   mansection = 1;
++  enable = efi;
+ 
+   common = grub-core/kern/emu/argp_common.c;
+   common = grub-core/osdep/init.c;
+-- 
+2.35.3
+
diff --git a/grub2.changes b/grub2.changes
index bd7b02b..43011c3 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon May 20 07:22:09 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Only enable grub-protect for EFI systems
+  * 0001-util-enable-grub-protect-only-for-EFI-systems.patch
+
 -------------------------------------------------------------------
 Wed May 15 06:19:54 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
 
diff --git a/grub2.spec b/grub2.spec
index b56e417..2ba2cfa 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -394,6 +394,7 @@ Patch203:       grub2-bsc1220338-key_protector-implement-the-blocklist.patch
 Patch204:       0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch
 Patch205:       0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch
 Patch206:       0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
+Patch207:       0001-util-enable-grub-protect-only-for-EFI-systems.patch
 
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -1223,7 +1224,6 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
 %{_mandir}/man1/%{name}-mkrelpath.1.*
 %{_mandir}/man1/%{name}-mkrescue.1.*
 %{_mandir}/man1/%{name}-mkstandalone.1.*
-%{_mandir}/man1/%{name}-protect.1.*
 %{_mandir}/man1/%{name}-render-label.1.*
 %{_mandir}/man1/%{name}-script-check.1.*
 %{_mandir}/man1/%{name}-syslinux2cfg.1.*
@@ -1251,6 +1251,9 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
 %{_mandir}/man8/%{name}-ofpathname.8.*
 %{_mandir}/man8/%{name}-sparc64-setup.8.*
 %endif
+%ifarch %{efi}
+%{_mandir}/man1/%{name}-protect.1.*
+%endif
 
 %files branding-upstream
 %defattr(-,root,root,-)