secure boot for grub2bls

src/lib/bootloader/grub2bls.rb

@@ -56,10 +56,12 @@ def read
           lines = + line
         end
       end
+      self.secure_boot = Systeminfo.secure_boot_active?
       grub_default.kernel_params.replace(lines)
       log.info "kernel params: #{grub_default.kernel_params}"
-      log.info "bls sections: #{@sections.all}"
-      log.info "bls default:  #{@sections.default}"
+      log.info "bls sections:  #{@sections.all}"
+      log.info "bls default:   #{@sections.default}"
+      log.info "secure boot:   #{self.secure_boot}"
       @is_read = true # flag that settings has been read
     end
 
@@ -76,6 +78,7 @@ def propose
         grub_default.kernel_params.replace(kernel_line)
       end
       grub_default.timeout = Yast::ProductFeatures.GetIntegerFeature("globals", "boot_timeout").to_i
+      self.secure_boot = Systeminfo.secure_boot_supported?
       @is_proposed = true
       # for UEFI always remove PMBR flag on disk (bnc#872054)
       self.pmbr_action = :remove
@@ -115,6 +118,7 @@ def merge(other)
       log.info "         mitigations: #{cpu_mitigations.to_human_string}=>" \
                "#{other.cpu_mitigations.to_human_string}"
       log.info "         pmbr_action: #{pmbr_action}=>#{other.pmbr_action}"
+      log.info "         secure boot: #{other.secure_boot}"
       log.info "         grub_default.kernel_params: #{grub_default.kernel_params.serialize}=>" \
                "#{other.grub_default.kernel_params.serialize}"
       log.info "         grub_default.kernel_params: #{grub_default.kernel_params.serialize}=>" \
@@ -123,11 +127,13 @@ def merge(other)
       merge_sections(other)
       merge_grub_default(other)
       merge_pmbr_action(other)
+      self.secure_boot = other.secure_boot unless other.secure_boot.nil?
 
       log.info "merging result: timeout: #{grub_default.timeout}"
       log.info "                mitigations: #{cpu_mitigations.to_human_string}"
       log.info "                kernel_params: #{grub_default.kernel_params.serialize}"
       log.info "                pmbr_action: #{pmbr_action}"
+      log.info "                secure boot: #{self.secure_boot}"
     end
     # rubocop:enable Metrics/AbcSize
 
@@ -136,9 +142,18 @@ def packages
       res = super
       res << ("grub2-" + grub2bls_architecture + "-efi-bls")
       res << "sdbootutil"
+      res << "shim"
       res
     end
 
+    # overwrite BootloaderBase version to save secure boot
+    def write_sysconfig(prewrite: false)
+      sysconfig = Bootloader::Sysconfig.new(bootloader: name,
+        secure_boot: self.secure_boot, trusted_boot: false,
+        update_nvram: false)
+      prewrite ? sysconfig.pre_write : sysconfig.write
+    end
+
   private
 
     def grub2bls_architecture

src/lib/bootloader/systemdboot.rb

@@ -182,7 +182,7 @@ def packages
 
       case Yast::Arch.architecture
       when "x86_64"
-        res << "shim" if secure_boot
+        res << "shim"
       else
         log.warn "Unknown architecture #{Yast::Arch.architecture} for systemdboot"
       end

src/lib/bootloader/systeminfo.rb

@@ -46,8 +46,6 @@ def secure_boot_available?(bootloader_name)
         return false if efi_arch == "i386"
         # no shim neither secure boot support for 32 bit arm nor riscv64 (bsc#1229070)
         return false if Yast::Arch.arm || Yast::Arch.riscv64
-        # not for grub2-bls
-        return false if bootloader_name == "grub2-bls"
 
         efi_used?(bootloader_name) || s390_secure_boot_available? || ppc_secure_boot_available?
       end