From 83a6f72e1896bd012b7fbca21317e96c2c22b327 Mon Sep 17 00:00:00 2001 From: Michal Suchanek Date: Wed, 12 Jan 2022 19:25:54 +0100 Subject: [PATCH] grub-install: Add SUSE signed image support for powerpc. Signed-off-by: Michal Suchanek --- grub-core/osdep/linux/platform.c | 13 +++++++++++++ include/grub/util/install.h | 3 +++ util/grub-install.c | 29 ++++++++++++++++++++++++++--- 3 files changed, 42 insertions(+), 3 deletions(-) diff --git a/grub-core/osdep/linux/platform.c b/grub-core/osdep/linux/platform.c index e28a79dab..2a12ed867 100644 --- a/grub-core/osdep/linux/platform.c +++ b/grub-core/osdep/linux/platform.c @@ -154,3 +154,16 @@ grub_install_get_default_x86_platform (void) grub_util_info ("... not found"); return "i386-pc"; } + +int +grub_install_get_powerpc_secure_boot (void) +{ + int32_t ret = -1; + FILE *fp = grub_util_fopen ("/proc/device-tree/ibm,secure-boot", "rb"); + if (fp) { + if (fread (&ret , 1, sizeof(ret), fp) > 0) + ret = grub_be_to_cpu32(ret); + fclose(fp); + } + return ret; +} diff --git a/include/grub/util/install.h b/include/grub/util/install.h index c241a2a40..154487b72 100644 --- a/include/grub/util/install.h +++ b/include/grub/util/install.h @@ -233,6 +233,9 @@ grub_install_get_default_arm_platform (void); const char * grub_install_get_default_x86_platform (void); +int +grub_install_get_powerpc_secure_boot (void); + int grub_install_register_efi (grub_device_t efidir_grub_dev, const char *efifile_path, diff --git a/util/grub-install.c b/util/grub-install.c index a2286b3dd..8fb5ea616 100644 --- a/util/grub-install.c +++ b/util/grub-install.c @@ -321,10 +321,10 @@ static struct argp_option options[] = { {"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0}, {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0, N_("force installation of signed grub" "%s." - "This option is only available on ARM64 EFI targets."), 0}, + "This option is only available on ARM64 EFI and powerpc targets."), 0}, {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0, N_("inhibit installation of signed grub. " - "This option is only available on ARM64 EFI targets."), 0}, + "This option is only available on ARM64 EFI and powerpc targets."), 0}, {"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2}, {"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2}, {"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2}, @@ -1724,6 +1724,7 @@ main (int argc, char *argv[]) char mkimage_target[200]; const char *core_name = NULL; char *signed_imgfile = NULL; + int ppc_sb_state = -1; switch (platform) { @@ -1770,11 +1771,33 @@ main (int argc, char *argv[]) grub_install_get_platform_platform (platform)); break; + + case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275: + ppc_sb_state = grub_install_get_powerpc_secure_boot(); + + if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || ((signed_grub_mode == SIGNED_GRUB_AUTO) && (ppc_sb_state > 0))) + { + signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.elf"); + if (!grub_util_is_regular (signed_imgfile)) + { + if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || (ppc_sb_state > 1)) + grub_util_error ("signed image `%s' does not exist\n", signed_imgfile); + else + { + free (signed_imgfile); + signed_imgfile = NULL; + } + } + } + + if (signed_imgfile) + fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile); + + /* fallthrough. */ case GRUB_INSTALL_PLATFORM_I386_COREBOOT: case GRUB_INSTALL_PLATFORM_ARM_COREBOOT: case GRUB_INSTALL_PLATFORM_I386_MULTIBOOT: case GRUB_INSTALL_PLATFORM_I386_IEEE1275: - case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275: case GRUB_INSTALL_PLATFORM_I386_XEN: case GRUB_INSTALL_PLATFORM_X86_64_XEN: case GRUB_INSTALL_PLATFORM_I386_XEN_PVH: -- 2.31.1