From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH installer 1/2] move secure boot state to RunEnv
Date: Tue, 23 Apr 2024 14:27:53 +0200 [thread overview]
Message-ID: <20240423122754.926057-1-f.gruenbichler@proxmox.com> (raw)
As preparation for using it in more than one place.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Proxmox/Install.pm | 18 +++++-------------
Proxmox/Install/RunEnv.pm | 12 +++++++++++-
2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
index 19f7dc1..82619ae 100644
--- a/Proxmox/Install.pm
+++ b/Proxmox/Install.pm
@@ -15,7 +15,7 @@ use Proxmox::Install::StorageConfig;
use Proxmox::Sys::Block qw(get_cached_disks wipe_disk partition_bootable_disk);
use Proxmox::Sys::Command qw(run_command syscmd);
-use Proxmox::Sys::File qw(file_read_all file_read_firstline file_write_all);
+use Proxmox::Sys::File qw(file_read_firstline file_write_all);
use Proxmox::UI;
# TODO: move somewhere better?
@@ -576,20 +576,12 @@ my sub chroot_chmod {
}
sub prepare_proxmox_boot_esp {
- my ($espdev, $targetdir) = @_;
+ my ($espdev, $targetdir, $secureboot) = @_;
my $mode = '';
- # detect secure boot being enabled and switch to grub-on-ESP if it is
- if (-d "/sys/firmware/efi") {
- my $content = eval { file_read_all("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c") };
- if ($@) {
- warn "Failed to read secure boot state: $@\n";
- } else {
- my @secureboot = unpack("CCCCC", $content);
- $mode = 'grub' if $secureboot[4] == 1;
- }
- }
+ # if secure boot is enabled switch to grub-on-ESP
+ $mode = 'grub' if $secureboot;
syscmd("chroot $targetdir proxmox-boot-tool init $espdev $mode") == 0 ||
die "unable to init ESP and install proxmox-boot loader on '$espdev'\n";
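Review bot: The new third parameter of `prepare_proxmox_boot_esp` is undocumented, and the sub now trusts its caller to have determined the Secure Boot state instead of probing it itself. A comment above the argument unpacking would make the contract explicit, e.g. `# $secureboot: true if the installer environment booted with Secure Boot enabled (RunEnv's secure_boot); false or undef keeps the default ESP mode`. Note that an undefined value, which RunEnv produces when it cannot read the efivar, is silently treated the same as "disabled" by `$mode = 'grub' if $secureboot;` — this matches the previous in-function behaviour, but the decision is now made one call site away, so the call site in the later hunk is the place to check that `$run_env->{secure_boot}` was actually populated. prepare_proxmox_boot_esp continues past the end of this hunk.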
@@ -1237,7 +1229,7 @@ _EOD
foreach my $di (@$bootdevinfo) {
my $dev = $di->{devname};
if ($use_zfs) {
- prepare_proxmox_boot_esp($di->{esp}, $targetdir);
+ prepare_proxmox_boot_esp($di->{esp}, $targetdir, $run_env->{secure_boot});
} else {
if (!$native_4k_disk_bootable) {
eval {
diff --git a/Proxmox/Install/RunEnv.pm b/Proxmox/Install/RunEnv.pm
index 39505d0..7eaf96a 100644
--- a/Proxmox/Install/RunEnv.pm
+++ b/Proxmox/Install/RunEnv.pm
@@ -8,7 +8,7 @@ use JSON qw(from_json to_json);
use Proxmox::Log;
use Proxmox::Sys::Command qw(run_command CMD_FINISHED);
-use Proxmox::Sys::File qw(file_read_firstline);
+use Proxmox::Sys::File qw(file_read_all file_read_firstline);
use Proxmox::Sys::Block;
use Proxmox::Sys::Net;
@@ -285,6 +285,16 @@ sub query_installation_environment : prototype() {
$output->{hvm_supported} = query_cpu_hvm_support();
$output->{boot_type} = -d '/sys/firmware/efi' ? 'efi' : 'bios';
+ if ($output->{boot_type} eq 'efi') {
+ my $content = eval { file_read_all("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c") };
+ if ($@) {
+ log_warn("Failed to read secure boot state: $@\n");
+ } else {
+ my @secureboot = unpack("CCCCC", $content);
+ $output->{secure_boot} = $secureboot[4] == 1;
+ }
+ }
+
my $err;
my $country;
if ($routes->{gateway4}) {
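Review bot: `$output->{secure_boot}` is left unset on BIOS boots and whenever the efivar read fails, and on success `$secureboot[4] == 1` yields either `1` or the empty string, so consumers (and the JSON this module emits via `to_json`) see three different representations of "not enabled". Initialise and normalise the key: `$output->{secure_boot} = 0;` before the `if ($output->{boot_type} eq 'efi')` block, and `$output->{secure_boot} = $secureboot[4] == 1 ? 1 : 0;` inside it. The `unpack("CCCCC", $content)` also assumes at least five bytes of content (presumably four attribute bytes followed by the value byte); a truncated read leaves `$secureboot[4]` undefined and only triggers an uninitialized-value warning, so a `length($content) >= 5` check before the unpack, logged via `log_warn` like the read failure, would fail loudly instead of silently reporting Secure Boot as off. The enclosing sub `query_installation_environment` extends beyond this hunk.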
--
2.39.2
2024-04-23 12:27 Fabian Grünbichler [this message]
2024-04-23 12:27 ` [pve-devel] [PATCH installer 2/2] skip proxmox-secure-boot-support if secureboot is not enabled Fabian Grünbichler
2024-04-23 13:19 ` [pve-devel] applied-series: [PATCH installer 1/2] move secure boot state to RunEnv Thomas Lamprecht