Class: Bootloader::Systeminfo

Inherits:

Object

• Object
• Bootloader::Systeminfo

Extended by:

Yast::Logger

Defined in:

src/lib/bootloader/systeminfo.rb

Overview

Provide system and architecture dependent information

Class Method Summary

• .efi? ⇒ Boolean
• .efi_arch ⇒ String

  Effective UEFI architecture.

• .efi_mandatory? ⇒ Boolean

  Check if EFI mandatory on this system.

• .efi_platform_size ⇒ Integer

  UEFI platform size (32 or 64 bits).

• .efi_supported? ⇒ Boolean

  Check if UEFI is available on this system.

• .efi_used?(bootloader_name) ⇒ Boolean

  Check if UEFI will be used.

• .nvram_available?(bootloader_name = nil) ⇒ Boolean

  Check if the system is expected to have nvram - ie.

• .ppc_secure_boot ⇒ Object

  Return secure boot status on ppc.

• .ppc_secure_boot_active? ⇒ Boolean

  Check if secure boot is currently active on an ppc machine.

• .ppc_secure_boot_available? ⇒ Boolean

  Check if secure boot is (in principle) available on an ppc machine.

• .ppc_secure_boot_supported? ⇒ Boolean

  Check if secure boot is supported with the current setup.

• .s390_secure_boot_active? ⇒ Boolean

  Check if secure boot is currently active on an s390 machine.

• .s390_secure_boot_available? ⇒ Boolean

  Check if secure boot is (in principle) available on an s390 machine.

• .s390_secure_boot_supported? ⇒ Boolean

  Check if secure boot is supported with the current setup.

• .scsi?(device) ⇒ Boolean

  Check if device is a SCSI device.

• .secure_boot_active? ⇒ Boolean

  Check current secure boot state.

• .secure_boot_available?(bootloader_name) ⇒ Boolean

  Check if secure boot is configurable with a bootloader.

• .secure_boot_supported? ⇒ Boolean

  Check if secure boot is in principle supported.

• .shim_needed?(bootloader_name, secure_boot) ⇒ Boolean

  Check if shim-install should be used instead of grub2-install.

• .trusted_boot_active? ⇒ Boolean

  Check current trusted boot state.

• .trusted_boot_available?(bootloader_name) ⇒ Boolean

  Check if trusted boot is configurable with a bootloader.

• .update_nvram_active? ⇒ Boolean
• .writable_efivars? ⇒ Boolean

  Checks if efivars exists and can be written The point here is that without writable UEFI variables the UEFI boot manager cannot (and must not) be updated.

• .zipl_device ⇒ Y2Storage::Partition, NilClass

  The partition where zipl is installed.

Class Method Details

.efi? ⇒ Boolean

Returns:

• (Boolean)

# File 'src/lib/bootloader/systeminfo.rb', line 266

def efi?
  Y2Storage::Arch.new.efiboot?
end

.efi_arch ⇒ String

Effective UEFI architecture.

Usually the same as the architecture except on x86_64 where it depends on the platform size.

Returns:

• (String) —

  architecture name

# File 'src/lib/bootloader/systeminfo.rb', line 140

def efi_arch
  arch = Yast::Arch.architecture
  arch = "i386" if arch == "x86_64" && efi_platform_size == 32
  arch
end

.efi_mandatory? ⇒ Boolean

Check if EFI mandatory on this system.

Returns:

• (Boolean) —

  true if system must boot via EFI

# File 'src/lib/bootloader/systeminfo.rb', line 107

def efi_mandatory?
  Yast::Arch.aarch64 || Yast::Arch.arm || Yast::Arch.riscv64
end

.efi_platform_size ⇒ Integer

UEFI platform size (32 or 64 bits).

On x86_64 systems both variants are possible.

Returns:

• (Integer) —

  platform size - or 0 if not applicable

# File 'src/lib/bootloader/systeminfo.rb', line 126

def efi_platform_size
  bits = File.read("/sys/firmware/efi/fw_platform_size").to_i
  log.info "EFI platform size: #{bits}"
  bits
rescue StandardError
  0
end

.efi_supported? ⇒ Boolean

Check if UEFI is available on this system.

It need not currently be used. It should just be possible to put the system into UEFI mode.

Returns:

• (Boolean) —

  true if system can (in principle) boot via UEFI

# File 'src/lib/bootloader/systeminfo.rb', line 101

def efi_supported?
  Yast::Arch.x86_64 || Yast::Arch.i386 || efi_mandatory?
end

.efi_used?(bootloader_name) ⇒ Boolean

Check if UEFI will be used.

param bootloader_name [String] bootloader name

Returns:

• (Boolean) —

  true if UEFI will be used for booting with this bootloader

# File 'src/lib/bootloader/systeminfo.rb', line 91

def efi_used?(bootloader_name)
  ["grub2-efi", "systemd-boot"].include?(bootloader_name)
end

.nvram_available?(bootloader_name = nil) ⇒ Boolean

Check if the system is expected to have nvram - ie. update_nvram_active? makes a difference

Returns:

• (Boolean)

# File 'src/lib/bootloader/systeminfo.rb', line 64

def nvram_available?(bootloader_name = nil)
  (bootloader_name ? efi_used?(bootloader_name) : efi_supported?) || Yast::Arch.ppc
end

.ppc_secure_boot ⇒ Object

Return secure boot status on ppc

nil - no support 0 - disabled 1 - enabled in audit-only mode 2+ - enabled in enforcing mode

# File 'src/lib/bootloader/systeminfo.rb', line 196

def ppc_secure_boot
  # see bsc#1192764
  result = nil
  return nil unless Yast::Arch.ppc

  begin
    result = File.read("/proc/device-tree/ibm,secure-boot")
    result = result.unpack1("N")
    log.info "reading ibm,secure-boot result #{result}"
  rescue StandardError => e
    log.info "reading ibm,secure-boot failed with #{e}"
    result = nil
  end
  result
end

.ppc_secure_boot_active? ⇒ Boolean

Check if secure boot is currently active on an ppc machine.

The 'real' state, not any config file setting.

Returns:

• (Boolean) —

  true if ppc machine has secure boot enabled

# File 'src/lib/bootloader/systeminfo.rb', line 233

def ppc_secure_boot_active?
  # see bsc#1192764
  ppc_secure_boot.to_i > 0
end

.ppc_secure_boot_available? ⇒ Boolean

Check if secure boot is (in principle) available on an ppc machine.

Returns:

• (Boolean) —

  true if this is an ppc machine and it has secure boot support

# File 'src/lib/bootloader/systeminfo.rb', line 215

def ppc_secure_boot_available?
  # see bsc#1192764
  !ppc_secure_boot.nil?
end

.ppc_secure_boot_supported? ⇒ Boolean

Check if secure boot is supported with the current setup.

Returns:

• (Boolean) —

  true if this is an ppc machine and secure boot is supported with the current setup

# File 'src/lib/bootloader/systeminfo.rb', line 224

def ppc_secure_boot_supported?
  ppc_secure_boot_available?
end

.s390_secure_boot_active? ⇒ Boolean

Check if secure boot is currently active on an s390 machine.

The 'real' state, not any config file setting.

Returns:

• (Boolean) —

  true if 390x machine has secure boot enabled

# File 'src/lib/bootloader/systeminfo.rb', line 178

def s390_secure_boot_active?
  return false unless Yast::Arch.s390

  # see jsc#SLE-9425
  res = File.read("/sys/firmware/ipl/secure", 1)
  log.info "s390 secure: #{res}"

  res == "1"
rescue StandardError
  false
end

.s390_secure_boot_available? ⇒ Boolean

Check if secure boot is (in principle) available on an s390 machine.

Returns:

• (Boolean) —

  true if this is an s390 machine and it has secure boot support

# File 'src/lib/bootloader/systeminfo.rb', line 149

def s390_secure_boot_available?
  # see jsc#SLE-9425
  return false unless Yast::Arch.s390

  res = File.read("/sys/firmware/ipl/has_secure", 1)
  log.info "s390 has secure: #{res}"

  res == "1"
rescue StandardError
  false
end

.s390_secure_boot_supported? ⇒ Boolean

Check if secure boot is supported with the current setup.

The catch here is that secure boot works only with SCSI disks.

Returns:

• (Boolean) —

  true if this is an s390 machine and secure boot is supported with the current setup

# File 'src/lib/bootloader/systeminfo.rb', line 167

def s390_secure_boot_supported?
  return false unless Yast::Arch.s390

  s390_secure_boot_available? && scsi?(zipl_device)
end

.scsi?(device) ⇒ Boolean

Check if device is a SCSI device.

param device [Y2Storage::Partition, NilClass] partition device (or nil)

Returns:

• (Boolean) —

  true if device is a SCSI device

# File 'src/lib/bootloader/systeminfo.rb', line 257

def scsi?(device)
  # checking if device name starts with 'sd' is not enough: it could
  # be a device mapper target (e.g. multipath)
  # see bsc#1171821
  device.name.start_with?("/dev/sd") || device.udev_ids.any?(/^scsi-/)
rescue StandardError
  false
end

.secure_boot_active? ⇒ Boolean

Check current secure boot state.

This reflects settings on OS level. If secure boot is not supported, it returns false.

Returns:

• (Boolean) —

  true if secure boot is currently active

# File 'src/lib/bootloader/systeminfo.rb', line 22

def secure_boot_active?
  secure_boot_supported? &&
    Sysconfig.from_system.secure_boot
end

.secure_boot_available?(bootloader_name) ⇒ Boolean

Check if secure boot is configurable with a bootloader.

Parameters:

• bootloader_name (String) —

  bootloader name

Returns:

• (Boolean) —

  true if secure boot setting is available with this bootloader

# File 'src/lib/bootloader/systeminfo.rb', line 43

def secure_boot_available?(bootloader_name)
  # no shim for i386 (yet)
  return false if efi_arch == "i386"
  # no shim neither secure boot support for 32 bit arm nor riscv64 (bsc#1229070)
  return false if Yast::Arch.arm || Yast::Arch.riscv64

  efi_used?(bootloader_name) || s390_secure_boot_available? || ppc_secure_boot_available?
end

.secure_boot_supported? ⇒ Boolean

Check if secure boot is in principle supported.

Returns:

• (Boolean) —

  true if secure boot is (in principle) supported on this system

# File 'src/lib/bootloader/systeminfo.rb', line 30

def secure_boot_supported?
  # no shim for i386 (yet)
  return false if efi_arch == "i386"
  # no shim neither secure boot support for 32 bit arm nor riscv64 (bsc#1229070)
  return false if Yast::Arch.arm || Yast::Arch.riscv64

  efi_supported? || s390_secure_boot_supported? || ppc_secure_boot_supported?
end

.shim_needed?(bootloader_name, secure_boot) ⇒ Boolean

Check if shim-install should be used instead of grub2-install.

param bootloader_name [String] bootloader name param secure_boot [Boolean] secure boot setting

Returns:

• (Boolean) —

  true if shim has to be used

# File 'src/lib/bootloader/systeminfo.rb', line 116

def shim_needed?(bootloader_name, secure_boot)
  (Yast::Arch.x86_64 || Yast::Arch.i386 || Yast::Arch.aarch64) &&
    secure_boot && efi_used?(bootloader_name)
end

.trusted_boot_active? ⇒ Boolean

Check current trusted boot state.

ATM this just returns the config file setting.

Returns:

• (Boolean) —

  true if trusted boot is currently active

# File 'src/lib/bootloader/systeminfo.rb', line 57

def trusted_boot_active?
  # FIXME: this should probably be a real check as in Grub2Widget#validate
  #   and then Grub2Widget#validate could use Systeminfo.trusted_boot_active?
  Sysconfig.from_system.trusted_boot
end

.trusted_boot_available?(bootloader_name) ⇒ Boolean

Check if trusted boot is configurable with a bootloader.

param bootloader_name [String] bootloader name

Returns:

• (Boolean) —

  true if trusted boot setting is available with this bootloader

# File 'src/lib/bootloader/systeminfo.rb', line 76

def trusted_boot_available?(bootloader_name)
  # TPM availability is must have
  return false unless File.exist?("/dev/tpm0")

  # for details about grub2 efi trusted boot support see FATE#315831
  (
    bootloader_name == "grub2" &&
    (Yast::Arch.x86_64 || Yast::Arch.i386)
  ) || bootloader_name == "grub2-efi"
end

.update_nvram_active? ⇒ Boolean

Returns:

• (Boolean)

# File 'src/lib/bootloader/systeminfo.rb', line 68

def update_nvram_active?
  Sysconfig.from_system.update_nvram
end

.writable_efivars? ⇒ Boolean

Checks if efivars exists and can be written The point here is that without writable UEFI variables the UEFI boot manager cannot (and must not) be updated.

Returns:

• (Boolean) —

  true if efivars are writable

See Also:

• https://bugzilla.suse.com/show_bug.cgi?id=1174111#c37

# File 'src/lib/bootloader/systeminfo.rb', line 277

def writable_efivars?
  storage_arch = Y2Storage::Arch.new
  storage_arch.efiboot? && storage_arch.efibootmgr?
end

.zipl_device ⇒ Y2Storage::Partition, NilClass

The partition where zipl is installed.

Returns:

• (Y2Storage::Partition, NilClass) —

  zipl partition

# File 'src/lib/bootloader/systeminfo.rb', line 241

def zipl_device
  staging = Y2Storage::StorageManager.instance.staging
  mountpoint =
    Y2Storage::MountPoint.find_by_path(staging, "/boot/zipl").first ||
    Y2Storage::MountPoint.find_by_path(staging, "/boot").first ||
    Y2Storage::MountPoint.find_by_path(staging, "/").first
  mountpoint.filesystem.blk_devices.first
rescue StandardError
  nil
end