* [pve-devel] [PATCH installer 1/2] move secure boot state to RunEnv
@ 2024-04-23 12:27 Fabian Grünbichler
  2024-04-23 12:27 ` [pve-devel] [PATCH installer 2/2] skip proxmox-secure-boot-support if secureboot is not enabled Fabian Grünbichler
  2024-04-23 13:19 ` [pve-devel] applied-series: [PATCH installer 1/2] move secure boot state to RunEnv Thomas Lamprecht
  0 siblings, 2 replies; 3+ messages in thread
From: Fabian Grünbichler @ 2024-04-23 12:27 UTC (permalink / raw)
  To: pve-devel

as preparation for using it in more than one place.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 Proxmox/Install.pm        | 18 +++++-------------
 Proxmox/Install/RunEnv.pm | 12 +++++++++++-
 2 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
index 19f7dc1..82619ae 100644
--- a/Proxmox/Install.pm
+++ b/Proxmox/Install.pm
@@ -15,7 +15,7 @@ use Proxmox::Install::StorageConfig;
 
 use Proxmox::Sys::Block qw(get_cached_disks wipe_disk partition_bootable_disk);
 use Proxmox::Sys::Command qw(run_command syscmd);
-use Proxmox::Sys::File qw(file_read_all file_read_firstline file_write_all);
+use Proxmox::Sys::File qw(file_read_firstline file_write_all);
 use Proxmox::UI;
 
 # TODO: move somewhere better?
@@ -576,20 +576,12 @@ my sub chroot_chmod {
 }
 
 sub prepare_proxmox_boot_esp {
-    my ($espdev, $targetdir) = @_;
+    my ($espdev, $targetdir, $secureboot) = @_;
 
     my $mode = '';
 
-    # detect secure boot being enabled and switch to grub-on-ESP if it is
-    if (-d "/sys/firmware/efi") {
-	my $content = eval { file_read_all("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c") };
-	if ($@) {
-	    warn "Failed to read secure boot state: $@\n";
-	} else {
-	    my @secureboot = unpack("CCCCC", $content);
-	    $mode = 'grub' if $secureboot[4] == 1;
-	}
-    }
+    # if secure boot is enabled switch to grub-on-ESP
+    $mode = 'grub' if $secureboot;
 
     syscmd("chroot $targetdir proxmox-boot-tool init $espdev $mode") == 0 ||
 	die "unable to init ESP and install proxmox-boot loader on '$espdev'\n";
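Review bot: the new third parameter of prepare_proxmox_boot_esp is silently optional. A caller that omits $secureboot gets an empty $mode and no warning, where the removed block detected the state itself. A short comment above the sub stating that callers are expected to pass the secure_boot value from the run environment would make the contract explicit.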
@@ -1237,7 +1229,7 @@ _EOD
 		foreach my $di (@$bootdevinfo) {
 		    my $dev = $di->{devname};
 		    if ($use_zfs) {
-			prepare_proxmox_boot_esp($di->{esp}, $targetdir);
+			prepare_proxmox_boot_esp($di->{esp}, $targetdir, $run_env->{secure_boot});
 		    } else {
 			if (!$native_4k_disk_bootable) {
 			    eval {
diff --git a/Proxmox/Install/RunEnv.pm b/Proxmox/Install/RunEnv.pm
index 39505d0..7eaf96a 100644
--- a/Proxmox/Install/RunEnv.pm
+++ b/Proxmox/Install/RunEnv.pm
@@ -8,7 +8,7 @@ use JSON qw(from_json to_json);
 
 use Proxmox::Log;
 use Proxmox::Sys::Command qw(run_command CMD_FINISHED);
-use Proxmox::Sys::File qw(file_read_firstline);
+use Proxmox::Sys::File qw(file_read_all file_read_firstline);
 use Proxmox::Sys::Block;
 use Proxmox::Sys::Net;
 
@@ -285,6 +285,16 @@ sub query_installation_environment : prototype() {
     $output->{hvm_supported} = query_cpu_hvm_support();
     $output->{boot_type} = -d '/sys/firmware/efi' ? 'efi' : 'bios';
 
+    if ($output->{boot_type} eq 'efi') {
+	my $content = eval { file_read_all("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c") };
+	if ($@) {
+	    log_warn("Failed to read secure boot state: $@\n");
+	} else {
+	    my @secureboot = unpack("CCCCC", $content);
+	    $output->{secure_boot} = $secureboot[4] == 1;
+	}
+    }
+
     my $err;
     my $country;
     if ($routes->{gateway4}) {
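Review bot: in the else branch, $secureboot[4] is read without checking that $content actually holds 5 bytes (4 attribute bytes plus the 1-byte value). A short or empty read leaves that element undef and is quietly treated as "not enabled" rather than as a read failure. Checking length($content) >= 5 and going through the log_warn path otherwise would keep the two cases apart. Separately, secure_boot is left unset on BIOS boots and on read failure and is otherwise a raw comparison result, so consumers see three states. Initializing $output->{secure_boot} to 0 before the if and assigning with "? 1 : 0" would give a stable value.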
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


* [pve-devel] [PATCH installer 2/2] skip proxmox-secure-boot-support if secureboot is not enabled
  2024-04-23 12:27 [pve-devel] [PATCH installer 1/2] move secure boot state to RunEnv Fabian Grünbichler
@ 2024-04-23 12:27 ` Fabian Grünbichler
  2024-04-23 13:19 ` [pve-devel] applied-series: [PATCH installer 1/2] move secure boot state to RunEnv Thomas Lamprecht
  1 sibling, 0 replies; 3+ messages in thread
From: Fabian Grünbichler @ 2024-04-23 12:27 UTC (permalink / raw)
  To: pve-devel

while it doesn't hurt to be installed, it also doesn't help in any fashion on
such systems.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    only makes sense if proxmox-secure-boot-support is on the ISO

 Proxmox/Install.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
index 82619ae..e2f8ad9 100644
--- a/Proxmox/Install.pm
+++ b/Proxmox/Install.pm
@@ -1098,6 +1098,7 @@ _EOD
 	    # upon upgrade - and conflict with each other - install the fitting one only
 	    next if ($deb =~ /grub-pc_/ && $run_env->{boot_type} ne 'bios');
 	    next if ($deb =~ /grub-efi-amd64_/ && $run_env->{boot_type} ne 'efi');
+	    next if ($deb =~ /^proxmox-secure-boot-support_/ && !$run_env->{secure_boot});
 
 	    update_progress($count/$pkg_count, 0.5, 0.75, "extracting $deb");
 	    print STDERR "extracting: $deb\n";
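Review bot: the added "next if" line treats an unset secure_boot as disabled. When the efivars read in RunEnv.pm fails, patch 1/2 only logs a warning and leaves the key unset, so proxmox-secure-boot-support is then skipped on a system whose Secure Boot state is actually unknown. Consider skipping only when the state was positively read as disabled. Also, this pattern is anchored with ^ while the grub-pc_ and grub-efi-amd64_ patterns just above are not, so it is worth confirming that $deb is a bare file name at this point, or dropping the anchor for consistency.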
-- 
2.39.2




* [pve-devel] applied-series: [PATCH installer 1/2] move secure boot state to RunEnv
  2024-04-23 12:27 [pve-devel] [PATCH installer 1/2] move secure boot state to RunEnv Fabian Grünbichler
  2024-04-23 12:27 ` [pve-devel] [PATCH installer 2/2] skip proxmox-secure-boot-support if secureboot is not enabled Fabian Grünbichler
@ 2024-04-23 13:19 ` Thomas Lamprecht
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2024-04-23 13:19 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 23/04/2024 at 14:27, Fabian Grünbichler wrote:
> as preparation for using it in more than one place.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>  Proxmox/Install.pm        | 18 +++++-------------
>  Proxmox/Install/RunEnv.pm | 12 +++++++++++-
>  2 files changed, 16 insertions(+), 14 deletions(-)
> 
>

applied both patches, thanks!

