From 83a6f72e1896bd012b7fbca21317e96c2c22b327 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Wed, 12 Jan 2022 19:25:54 +0100
Subject: [PATCH] grub-install: Add SUSE signed image support for powerpc.

Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
 grub-core/osdep/linux/platform.c | 13 +++++++++++++
 include/grub/util/install.h      |  3 +++
 util/grub-install.c              | 29 ++++++++++++++++++++++++++---
 3 files changed, 42 insertions(+), 3 deletions(-)

--- a/grub-core/osdep/linux/platform.c
+++ b/grub-core/osdep/linux/platform.c
@@ -154,3 +154,16 @@
   grub_util_info ("... not found");
   return "i386-pc";
 }
+
+int
+grub_install_get_powerpc_secure_boot (void)
+{
+  int32_t ret = -1;
+  FILE *fp = grub_util_fopen ("/proc/device-tree/ibm,secure-boot", "rb");
+  if (fp) {
+    if (fread (&ret , 1, sizeof(ret), fp) > 0)
+      ret = grub_be_to_cpu32(ret);
+    fclose(fp);
+  }
+  return ret;
+}
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -233,6 +233,9 @@
 grub_install_get_default_x86_platform (void);
 
 int
+grub_install_get_powerpc_secure_boot (void);
+
+int
 grub_install_register_efi (grub_device_t efidir_grub_dev,
 			   const char *efifile_path,
 			   const char *efi_distributor);
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -321,10 +321,10 @@
   {"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
   {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0,
    N_("force installation of signed grub" "%s."
-      "This option is only available on ARM64 EFI targets."), 0},
+      "This option is only available on ARM64 EFI and powerpc targets."), 0},
   {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0,
    N_("inhibit installation of signed grub. "
-      "This option is only available on ARM64 EFI targets."), 0},
+      "This option is only available on ARM64 EFI and powerpc targets."), 0},
   {"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
   {"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
   {"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
@@ -1749,6 +1749,7 @@
   char mkimage_target[200];
   const char *core_name = NULL;
   char *signed_imgfile = NULL;
+  int ppc_sb_state = -1;
 
   switch (platform)
     {
@@ -1796,11 +1797,33 @@
 		grub_install_get_platform_platform (platform));
       break;
 
+
+    case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275:
+      ppc_sb_state = grub_install_get_powerpc_secure_boot();
+
+      if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || ((signed_grub_mode == SIGNED_GRUB_AUTO) && (ppc_sb_state > 0)))
+	{
+	  signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.elf");
+	  if (!grub_util_is_regular (signed_imgfile))
+	    {
+	      if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || (ppc_sb_state > 1))
+		grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
+	      else
+		{
+		  free (signed_imgfile);
+		  signed_imgfile = NULL;
+		}
+	    }
+	}
+
+      if (signed_imgfile)
+	fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
+
+      /* fallthrough.  */
     case GRUB_INSTALL_PLATFORM_I386_COREBOOT:
     case GRUB_INSTALL_PLATFORM_ARM_COREBOOT:
     case GRUB_INSTALL_PLATFORM_I386_MULTIBOOT:
     case GRUB_INSTALL_PLATFORM_I386_IEEE1275:
-    case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275:
     case GRUB_INSTALL_PLATFORM_I386_XEN:
     case GRUB_INSTALL_PLATFORM_X86_64_XEN:
     case GRUB_INSTALL_PLATFORM_I386_XEN_PVH: