Accepting request 1002927 from home:KHanich:branches:devel:openSUSE:Factory

- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066) OBS-URL: https://build.opensuse.org/request/show/1002927 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=192
2022-09-16 06:35:39 +00:00 · 2022-09-16 06:35:39 +00:00 · 2386bd59cb
commit 2386bd59cb
parent a379c7b18b
2 changed files with 12 additions and 2 deletions
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Sep 12 12:30:54 UTC 2022 - Kilian Hanich <khanich.opensource@gmx.de>
+
+- Add logic to shim.spec to only set sbat policy when efivarfs is writeable.
+  (bsc#1201066)
+
 -------------------------------------------------------------------
 Fri Aug  5 05:25:16 UTC 2022 - Joey Lee <jlee@suse.com>

--- a/shim.spec
+++ b/shim.spec
@ -306,9 +306,13 @@ is_efi () {
    return $rc
 }
 # run mokutil for setting sbat policy to latest mode
-SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
+EFIVARFS=/sys/firmware/efi/efivars
+SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23"
 if is_efi; then
-        if [ ! -f "$SBAT_POLICY" ] && mokutil -h | grep -q "set-sbat-policy"; then
+        if [ -w $EFIVARFS ] && \
+           [ ! -f "$SBAT_POLICY" ] && \
+           mokutil -h | grep -q "set-sbat-policy"; \
+        then
        # Only apply CA check on the kernel package certs (bsc#1173115)
                mokutil --set-sbat-policy latest
        fi