check for non-availability of EFI variables

curtin/commands/curthooks.py

@@ -813,7 +813,11 @@ def setup_grub(cfg, target, osfamily=DISTROS.debian, variant=None):
     else:
         instdevs = ["none"]
 
-    update_nvram = grubcfg.get('update_nvram', True)
+    if util.is_efivars_writable():
+        update_nvram = grubcfg.get('update_nvram', True)
+    else:
+        update_nvram = False
+
     if uefi_bootable and update_nvram:
         efi_orig_output = util.get_efibootmgr(target)
         uefi_remove_old_loaders(grubcfg, target)

curtin/commands/install_grub.py

@@ -259,7 +259,9 @@ def get_grub_install_command(uefi, distroinfo, target):
 
 def gen_uefi_install_commands(grub_name, grub_target, grub_cmd, update_nvram,
                               distroinfo, devices, target):
-    install_cmds = [['efibootmgr', '-v']]
+    install_cmds = []
+    if util.is_efivars_writeable():
+        install_cmds.append(['efibootmgr', '-v'])
     post_cmds = []
     bootid = distroinfo.variant
     efidir = '/boot/efi'
@@ -371,7 +373,11 @@ def install_grub(devices, target, uefi=None, grubcfg=None):
 
     LOG.debug("installing grub to target=%s devices=%s [replace_defaults=%s]",
               target, devices, grubcfg.get('replace_default'))
-    update_nvram = config.value_as_boolean(grubcfg.get('update_nvram', True))
+    if util.is_efivars_writable():
+        update_nvram = config.value_as_boolean(
+                            grubcfg.get('update_nvram', True))
+    else:
+        update_nvram = False
     distroinfo = distro.get_distroinfo(target=target)
     target_arch = distro.get_architecture(target=target)
     rhel_ver = (distro.rpm_get_dist_id(target)

curtin/util.py

@@ -721,7 +721,7 @@ def __init__(self, target, allow_daemons=False, sys_resolvconf=True,
             self.mounts = mounts
         else:
             self.mounts = ["/dev", "/proc", "/run", "/sys"]
-            if is_uefi_bootable():
+            if is_uefi_bootable() and is_efivars_writable():
                 self.mounts.append('/sys/firmware/efi/efivars')
         self.umounts = []
         self.disabled_daemons = False
@@ -902,6 +902,42 @@ def set_unexecutable(fname, strict=False):
     return cur
 
 
+def set_mutable(filename):
+    """Remove immutable attribute"""
+    # Ignoring return value
+    try:
+        util.subp(['chattr', '-i', filename] )
+    except ProcessExecutionError:
+        pass
+
+
+def efi_set_variable(variable_name, vendor_guid, data):
+    """Set UEFI variable"""
+    filename = '/sys/firmware/efi/efivars/' + variable_name + '-' + vendor_guid
+    set_mutable(filename)
+    # attributes: NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS
+    buf = b'\x07\x00\x00\x00' + data
+    try:
+        with open(filename, 'wb') as file:
+            file.write(buf)
+    except OSError:
+        return False
+    return True
+
+
+def is_efivars_writable():
+    """Check if EFI variables can be created"""
+    variable_name = 'dummy'
+    vendor_guid = '326689e8-0c62-4ed5-8892-51ae883a714a'
+    data = b'x'
+    # create variable
+    if not efi_set_variable(variable_name, vendor_guid, data):
+        return False
+        # delete variable
+    efi_set_variable(variable_name, vendor_guid, b'')
+    return True
+
+
 def is_uefi_bootable():
     return os.path.exists('/sys/firmware/efi') is True
 
@@ -964,7 +1000,10 @@ def get_efibootmgr(target=None):
         }
     """
     with ChrootableTarget(target=target) as in_chroot:
-        stdout, _ = in_chroot.subp(['efibootmgr', '-v'], capture=True)
+        if (os.path.exists('/sys/firmware/efi/efivars')):
+            stdout, _ = in_chroot.subp(['efibootmgr', '-v'], capture=True)
+        else:
+            stdout = ""
         output = parse_efibootmgr(stdout)
         return output
 

tests/unittests/test_commands_install_grub.py

@@ -920,13 +920,15 @@ def setUp(self):
         self.add_patch(base + 'gen_install_commands', 'm_gen_install_commands')
         self.add_patch(base + 'util.subp', 'm_subp')
         self.add_patch(base + 'os.environ.copy', 'm_environ')
+        self.add_patch('curtin.util.is_efivars_writable', 'm_evivars_writable')
 
         self.distroinfo = distro.DistroInfo('ubuntu', 'debian')
         self.m_distro_get_distroinfo.return_value = self.distroinfo
         self.m_distro_rpm_get_dist_id.return_value = '7'
         self.m_distro_get_architecture.return_value = 'amd64'
         self.m_platform_machine.return_value = 'amd64'
         self.m_environ.return_value = {}
+        self.m_evivars_writable.return_value = True
         self.env = {'DEBIAN_FRONTEND': 'noninteractive'}
         self.target = self.tmp_dir()
 

tests/unittests/test_util.py

@@ -606,9 +606,11 @@ def test_chrootable_target_default_mounts(self, m_uefi):
         self.assertEqual(sorted(default_mounts), sorted(in_chroot.mounts))
 
     @mock.patch('curtin.util.is_uefi_bootable')
+    @mock.patch('curtin.util.is_efivars_writable')
     @mock.patch.object(util.ChrootableTarget, "__enter__", new=lambda a: a)
-    def test_chrootable_target_default_mounts_uefi(self, m_uefi):
+    def test_chrootable_target_default_mounts_uefi(self, m_uefi, m_efivars):
         m_uefi.return_value = True
+        m_efivars.return_value = True
         in_chroot = util.ChrootableTarget("mytarget")
         default_mounts = ['/dev', '/proc', '/run', '/sys',
                           '/sys/firmware/efi/efivars']