- add tboot-grub2-refuse-secure-boot.patch: don't generate tboot menu entries

in grub when the system is running with UEFI Secure Boot (bsc#1175114). This
  prevents hard to understand error messages when trying to boot tboot in this
  context.

OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=100

tboot-grub2-refuse-secure-boot.patch

@@ -0,0 +1,66 @@
+Index: tboot-1.9.12/tboot/20_linux_tboot
+===================================================================
+--- tboot-1.9.12.orig/tboot/20_linux_tboot
++++ tboot-1.9.12/tboot/20_linux_tboot
+@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
+   .  ${sysconfdir}/default/grub-tboot
+ fi
+ 
++secureBootActive()
++{
++	for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
++		[ ! -e "$secboot_var" ] && continue
++
++		# this variable contains a '1' byte at the end if secure boot is enabled
++		local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
++
++		[ "$secboot_byte" = "1" ] && return 0
++	done
++
++	return 1
++}
++
++if secureBootActive; then
++	cat >&2 << EOF
++Not generating tboot menu entries, because UEFI Secure Boot is active.
++tboot is not compatible with UEFI Secure Boot.
++EOF
++	exit 0
++fi
++
+ # Set the following variables in /etc/default/grub-tboot to customize command lines
+ # (empty values are treated as if the variables were unset).
+ [ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT
+Index: tboot-1.9.12/tboot/20_linux_xen_tboot
+===================================================================
+--- tboot-1.9.12.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.12/tboot/20_linux_xen_tboot
+@@ -34,6 +34,28 @@ if test -e ${sysconfdir}/default/grub-tb
+   .  ${sysconfdir}/default/grub-tboot
+ fi
+ 
++secureBootActive()
++{
++	for secboot_var in /sys/firmware/efi/efivars/SecureBoot-*; do
++		[ ! -e "$secboot_var" ] && continue
++
++		# this variable contains a '1' byte at the end if secure boot is enabled
++		local secboot_byte=`od --address-radix=n --format=u1 "$secboot_var" | tr -d ' \n' | tail -c 1`
++
++		[ "$secboot_byte" = "1" ] && return 0
++	done
++
++	return 1
++}
++
++if secureBootActive; then
++	cat >&2 << EOF
++Not generating tboot menu entries, because UEFI Secure Boot is active.
++tboot is not compatible with UEFI Secure Boot.
++EOF
++	exit 0
++fi
++
+ # Set the following variables in /etc/default/grub-tboot to customize command lines
+ # (empty values are treated as if the variables were unset).
+ [ -z "${GRUB_CMDLINE_TBOOT}" ] && unset GRUB_CMDLINE_TBOOT

tboot.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Nov 12 12:19:51 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- add tboot-grub2-refuse-secure-boot.patch: don't generate tboot menu entries
+  in grub when the system is running with UEFI Secure Boot (bsc#1175114). This
+  prevents hard to understand error messages when trying to boot tboot in this
+  context.
+
 -------------------------------------------------------------------
 Mon Sep 28 12:14:22 UTC 2020 - matthias.gerstner@suse.com
 

tboot.spec

@@ -28,6 +28,7 @@ Source0:        http://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver
 Patch3:         tboot-grub2-fix-menu-in-xen-host-server.patch
 Patch4:         tboot-grub2-fix-xen-submenu-name.patch
 Patch7:         tboot-distributor.patch
+Patch8:         tboot-grub2-refuse-secure-boot.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch:  %{ix86} x86_64
 BuildRequires:  openssl-devel
@@ -54,6 +55,7 @@ verified launch of an OS kernel/VMM.
 %patch3 -p1
 %patch4 -p1
 %patch7 -p1
+%patch8 -p1
 
 %build
 # Tumbleweed now uses -flto=3 by default which gives us trouble with the