several: add --no-enhanced-secureboot flag

It disables all core boot types really. But this is the only planned core boot type at this point.
2023-08-24 18:11:36 -06:00 · 2023-08-24 18:11:36 -06:00 · 5cdf879a55
parent 05892f41c7
commit 5cdf879a55
3 changed files with 42 additions and 0 deletions
--- a/subiquity/cmd/server.py
+++ b/subiquity/cmd/server.py
@ -129,6 +129,13 @@ def make_server_args_parser():
        default=".subiquity",
        help="in dryrun, control basedir of files",
    )
+    parser.add_argument(
+        "--no-enhanced-secureboot",
+        dest="enhanced_secureboot",
+        action="store_false",
+        default=True,
+    )
+
    parser.add_argument("--storage-version", action="store", type=int)
    parser.add_argument("--use-os-prober", action="store_true", default=False)
    parser.add_argument(
--- a/subiquity/server/controllers/filesystem.py
+++ b/subiquity/server/controllers/filesystem.py
@ -373,6 +373,9 @@ class FilesystemController(SubiquityController, FilesystemManipulator):
                system = await self._get_system(name, label)
            log.debug("got system %s for variation %s", system, name)
            if system is not None and len(system.volumes) > 0:
+                if not self.app.opts.enhanced_secureboot:
+                    log.debug("Not offering enhanced_secureboot: commandline disabled")
+                    continue
                info = self.info_for_system(name, label, system)
                if info is not None:
                    self._variation_info[name] = info
@ -607,6 +610,10 @@ class FilesystemController(SubiquityController, FilesystemManipulator):
        disk = self.model._one(id=choice.target.disk_id)

        if self.is_core_boot_classic():
+            if not self.app.opts.enhanced_secureboot:
+                raise ValueError(
+                    "Not using enhanced_secureboot: disabled on commandline"
+                )
            assert isinstance(choice.target, GuidedStorageTargetReformat)
            self.use_tpm = choice.capability == GuidedCapability.CORE_BOOT_ENCRYPTED
            await self.guided_core_boot(disk)
--- a/subiquity/tests/api/test_api.py
+++ b/subiquity/tests/api/test_api.py
@ -644,6 +644,34 @@ class TestCore(TestAPI):
            self.assertDictSubset(dict(mount=None), p3)
            self.assertDictSubset(dict(mount="/"), p4)

+    @timeout()
+    async def test_basic_core_boot_cmdline_disable(self):
+        cfg = self.machineConfig("examples/machines/simple.json")
+        with cfg.edit() as data:
+            attrs = data["storage"]["blockdev"]["/dev/sda"]["attrs"]
+            attrs["size"] = str(25 << 30)
+        kw = dict(
+            bootloader="uefi",
+            extra_args=[
+                "--storage-version",
+                "2",
+                "--source-catalog",
+                "examples/sources/install-canary.yaml",
+                "--dry-run-config",
+                "examples/dry-run-configs/tpm.yaml",
+                "--no-enhanced-secureboot",
+            ],
+        )
+        async with start_server(cfg, **kw) as inst:
+            await inst.post("/source", source_id="ubuntu-desktop")
+            resp = await inst.get("/storage/v2/guided", wait=True)
+            [reformat, manual] = resp["targets"]
+            for capability in reformat["allowed"]:
+                self.assertNotIn("CORE_BOOT", capability)
+            data = dict(target=reformat, capability="CORE_BOOT_ENCRYPTED")
+            with self.assertRaises(ClientResponseError):
+                await inst.post("/storage/v2/guided", data)
+

 class TestAdd(TestAPI):
    @timeout()