Merge branch '3006.x' into merge/3007.x/3006.x

.github/workflows/nightly.yml

@@ -538,7 +538,7 @@ jobs:
       python-version: "3.10.15"
       source: "onedir"
       environment: nightly
-      sign-macos-packages: true
+      sign-macos-packages: false
       sign-windows-packages: false
     secrets: inherit
 
@@ -556,7 +556,7 @@ jobs:
       python-version: "3.10.15"
       source: "src"
       environment: nightly
-      sign-macos-packages: true
+      sign-macos-packages: false
       sign-windows-packages: false
     secrets: inherit
   build-ci-deps:

.github/workflows/staging.yml

@@ -520,7 +520,7 @@ jobs:
       python-version: "3.10.15"
       source: "onedir"
       environment: staging
-      sign-macos-packages: true
+      sign-macos-packages: false
       sign-windows-packages: ${{ inputs.sign-windows-packages }}
     secrets: inherit
 
@@ -538,7 +538,7 @@ jobs:
       python-version: "3.10.15"
       source: "src"
       environment: staging
-      sign-macos-packages: true
+      sign-macos-packages: false
       sign-windows-packages: ${{ inputs.sign-windows-packages }}
     secrets: inherit
   build-ci-deps:

.github/workflows/templates/build-packages.yml.jinja

@@ -19,7 +19,7 @@
       source: "<{ backend }>"
     <%- if gh_environment != "ci" %>
       environment: <{ gh_environment }>
-      sign-macos-packages: true
+      sign-macos-packages: false
       sign-windows-packages: <% if gh_environment == 'nightly' -%> false <%- else -%> ${{ inputs.sign-windows-packages }} <%- endif %>
     secrets: inherit
     <%- endif %>

changelog/66955.fixed.md

@@ -0,0 +1 @@
+Allow for secure-boot efivars directory having SecureBoot-xxx files, not directories with a data file

salt/grains/extra.py

@@ -66,7 +66,10 @@ def config():
 def __secure_boot(efivars_dir):
     """Detect if secure-boot is enabled."""
     enabled = False
-    sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*/data"))
+    if "efivars" == os.path.basename(efivars_dir):
+        sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*"))
+    else:
+        sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*/data"))
     if len(sboot) == 1:
         # The minion is usually running as a privileged user, but is
         # not the case for the master.  Seems that the master can also
@@ -79,6 +82,17 @@ def __secure_boot(efivars_dir):
     return enabled
 
 
+def get_secure_boot_path():
+    """
+    Provide paths for secure boot directories and files
+    """
+    efivars_path = next(
+        filter(os.path.exists, ["/sys/firmware/efi/efivars", "/sys/firmware/efi/vars"]),
+        None,
+    )
+    return efivars_path
+
+
 def uefi():
     """Populate UEFI grains."""
     if salt.utils.platform.is_freebsd():
@@ -89,18 +103,11 @@ def uefi():
             "efi-secure-boot": False,
         }
     else:
-        # Works on Linux and Apple ?
-        efivars_dir = next(
-            filter(
-                os.path.exists, ["/sys/firmware/efi/efivars", "/sys/firmware/efi/vars"]
-            ),
-            None,
-        )
+        efivars_dir = get_secure_boot_path()
         grains = {
             "efi": bool(efivars_dir),
             "efi-secure-boot": __secure_boot(efivars_dir) if efivars_dir else False,
         }
-
     return grains
 
 

tests/pytests/unit/grains/test_secure_boot.py

@@ -0,0 +1,129 @@
+"""
+    :codeauthor: :email:`David Murphy <david-dm.murphy@broadcom.com`
+"""
+
+import shutil
+
+import pytest
+
+import salt.grains.extra
+from tests.support.mock import patch
+
+pytestmark = [
+    pytest.mark.skip_unless_on_linux(reason="Only supported on Linux family"),
+]
+
+
+@pytest.mark.parametrize(
+    "setting_secure, extra_file, expected_enabled",
+    (
+        (True, False, True),
+        (True, True, False),
+        (False, False, False),
+        (False, True, False),
+    ),
+)
+def test_secure_boot_efivars(tmp_path, setting_secure, extra_file, expected_enabled):
+    secure_boot_path = tmp_path / "secure-boot"
+    secure_boot_path_vars = secure_boot_path / "efivars"
+    secure_boot_path_vars.mkdir(parents=True, exist_ok=True)
+    secure_boot_filepath = secure_boot_path_vars / "SecureBoot-dog"
+
+    if setting_secure:
+        secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x01")
+    else:
+        secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x00")
+
+    if extra_file:
+        secure_boot_filepath2 = secure_boot_path_vars / "SecureBoot-kat"
+        if setting_secure:
+            secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x01")
+        else:
+            secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x00")
+
+    with patch(
+        "salt.grains.extra.get_secure_boot_path", return_value=secure_boot_path_vars
+    ):
+        grains = salt.grains.extra.uefi()
+        expected = {"efi": True, "efi-secure-boot": expected_enabled}
+        assert grains == expected
+
+    shutil.rmtree(secure_boot_path)
+
+
+@pytest.mark.parametrize(
+    "setting_secure, extra_file, expected_enabled",
+    (
+        (True, False, True),
+        (True, True, False),
+        (False, False, False),
+        (False, True, False),
+    ),
+)
+def test_secure_boot_vars(tmp_path, setting_secure, extra_file, expected_enabled):
+    secure_boot_path = tmp_path / "secure-boot"
+    secure_boot_path_vars = secure_boot_path / "vars" / "SecureBoot-dog"
+    secure_boot_path_vars1 = secure_boot_path_vars / "SecureBoot-dog"
+    secure_boot_path_vars1.mkdir(parents=True, exist_ok=True)
+    secure_boot_filepath = secure_boot_path_vars1 / "data"
+
+    if setting_secure:
+        secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x01")
+    else:
+        secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x00")
+
+    if extra_file:
+        secure_boot_path_vars2 = secure_boot_path_vars / "SecureBoot-kat"
+        secure_boot_path_vars2.mkdir(parents=True, exist_ok=True)
+        secure_boot_filepath2 = secure_boot_path_vars2 / "data"
+        if setting_secure:
+            secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x01")
+        else:
+            secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x00")
+
+    with patch(
+        "salt.grains.extra.get_secure_boot_path", return_value=secure_boot_path_vars
+    ):
+        grains = salt.grains.extra.uefi()
+        expected = {"efi": True, "efi-secure-boot": expected_enabled}
+        assert grains == expected
+
+    shutil.rmtree(secure_boot_path)
+
+
+@pytest.mark.parametrize(
+    "setting_secure, expected_enabled",
+    (
+        (True, True),
+        (False, False),
+        (False, False),
+        (False, False),
+    ),
+)
+def test_secure_boot_efivars_and_vars(tmp_path, setting_secure, expected_enabled):
+    secure_boot_path = tmp_path / "secure-boot"
+    secure_boot_path_vars = secure_boot_path / "efivars"
+    secure_boot_path_vars.mkdir(parents=True, exist_ok=True)
+    secure_boot_filepath = secure_boot_path_vars / "SecureBoot-dog"
+
+    secure_boot_path_vars2 = secure_boot_path / "vars" / "SecureBoot-kat"
+    secure_boot_path_vars2.mkdir(parents=True, exist_ok=True)
+    secure_boot_filepath2 = secure_boot_path_vars2 / "data"
+
+    if setting_secure:
+        # efivars True, vars / data False
+        secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x01")
+        secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x00")
+    else:
+        # efivars false, vars / data True
+        secure_boot_filepath.write_bytes(b"\x06\x00\x00\x00\x00")
+        secure_boot_filepath2.write_bytes(b"\x06\x00\x00\x00\x01")
+
+    with patch(
+        "salt.grains.extra.get_secure_boot_path", return_value=secure_boot_path_vars
+    ):
+        grains = salt.grains.extra.uefi()
+        expected = {"efi": True, "efi-secure-boot": expected_enabled}
+        assert grains == expected
+
+    shutil.rmtree(secure_boot_path)