File rear23a-grub2-efi-install.patch of Package rear23a.32111

Backport 675_install_shim.sh from ReaR devel

Backport script 675_install_shim.sh from ReaR, upstream revision
8217c5ccee091e68844eb79294758cb269043ab0.

Modifications and notes:
* The script is extended to make /proc, /sys and /dev available in
  TARGET_FS_ROOT for shim-install/grub2-install to work correctly. The same
  logic is in the upstream code factored out and shared in
  usr/share/rear/finalize/default/110_bind_mount_proc_sys_dev_run.sh.
* Invocation of shim-install has the --no-nvram option removed because the
  switch is available starting only from SLE12-SP3. This is ok because not
  updating NVRAM is implied by the option --removable that the script passes to
  the tool.
* The script checks whether EFI_STUB is true and returns early if this is the
  case. EFI_STUB is never set by the patched ReaR version so this condition
  always evaluates as false.
--- /dev/null
+++ b/usr/share/rear/finalize/SUSE_LINUX/i386/675_install_shim.sh
@@ -0,0 +1,79 @@
+# PAN, 2019-04-09: Introduce SUSE-specific EFI shim install
+
+# Only useful for UEFI systems in combination with grub[2]-efi
+
+# Begin of same tests as in finalize/Linux-i386/670_run_efibootmgr.sh
+
+# USING_UEFI_BOOTLOADER empty or not true means using BIOS:
+is_true $USING_UEFI_BOOTLOADER || return 0
+
+# EFISTUB will handle boot entry creation separately
+# (cf. finalize/Linux-i386/610_EFISTUB_run_efibootmgr.sh): 
+is_true $EFI_STUB && return
+
+# When UEFI_BOOTLOADER is not a regular file in the restored target system
+# (cf. how esp_mountpoint is set below) it means BIOS is used
+# (cf. rescue/default/850_save_sysfs_uefi_vars.sh)
+# which includes that also an empty UEFI_BOOTLOADER means using BIOS
+# because when UEFI_BOOTLOADER is empty the test below evaluates to
+#   test -f /mnt/local/
+# which also returns false because /mnt/local/ is a directory
+# (cf. https://github.com/rear/rear/pull/2051/files#r258826856):
+test -f "$TARGET_FS_ROOT/$UEFI_BOOTLOADER" || return 0
+
+# Determine where the EFI System Partition (ESP) is mounted in the currently running recovery system:
+esp_mountpoint=$( df -P "$TARGET_FS_ROOT/$UEFI_BOOTLOADER" | tail -1 | awk '{print $6}' )
+# Use TARGET_FS_ROOT/boot/efi as fallback ESP mountpoint:
+test "$esp_mountpoint" || esp_mountpoint="$TARGET_FS_ROOT/boot/efi"
+
+# Skip if there is no esp_mountpoint directory (e.g. the fallback ESP mountpoint may not exist).
+# Double quotes are mandatory here because 'test -d' without any (possibly empty) argument results true:
+test -d "$esp_mountpoint" || return 0
+
+# End of same tests as in finalize/Linux-i386/670_run_efibootmgr.sh
+
+# If the BOOTLOADER variable (read by finalize/default/050_prepare_checks.sh)
+# is not "GRUB2-EFI", skip this script:
+test "GRUB2-EFI" = "$BOOTLOADER" || return 0
+
+# Skip if GRUB2 (cf. "GRUB2-EFI" = "$BOOTLOADER" above) was not successfully installed
+# because a successfully installed GRUB2 bootloader is a precondition for installing shim.
+# In this case NOBOOTLOADER is true, cf. finalize/default/050_prepare_checks.sh
+if is_true $NOBOOTLOADER ; then
+    LogPrintError "Cannot install secure boot loader (shim) because GRUB2 was not successfully installed"
+    return 1
+fi
+
+LogPrint "Installing secure boot loader (shim)..."
+
+local shiminstall_binary=$( chroot $TARGET_FS_ROOT /bin/bash -c 'PATH=/sbin:/usr/sbin:/usr/bin:/bin type -P shim-install' )
+
+if ! test "$shiminstall_binary" ; then
+    LogPrintError "Cannot run shim-install (no shim-install found in $TARGET_FS_ROOT)"
+    # Tell the user we did not install the bootloader completely (cf. finalize/default/050_prepare_checks.sh)
+    # shim-install is needed in addition to GRUB2 at least on SUSE systems, see https://github.com/rear/rear/issues/2116
+    NOBOOTLOADER=1
+    return 1
+fi
+
+# Make /proc /sys /dev available in TARGET_FS_ROOT
+# so that later things work in the "chroot TARGET_FS_ROOT" environment,
+# cf. https://github.com/rear/rear/issues/1828#issuecomment-398717889
+# and do not umount them when leaving this script because
+# it is better when also after "rear recover" things still
+# work in the "chroot TARGET_FS_ROOT" environment so that
+# the user could more easily adapt things after "rear recover":
+for mount_device in proc sys dev ; do
+    umount $TARGET_FS_ROOT/$mount_device && sleep 1
+    mount --bind /$mount_device $TARGET_FS_ROOT/$mount_device
+done
+
+# PATH must be set for shim-install to run successfully:
+if ! chroot $TARGET_FS_ROOT /bin/bash -c "PATH=/sbin:/usr/sbin:/usr/bin:/bin $shiminstall_binary --config-file=/boot/grub2/grub.cfg --removable" ; then
+    LogPrintError "$shiminstall_binary failed to install secure boot loader (shim) in $TARGET_FS_ROOT"
+    # Tell the user we did not install the bootloader completely (cf. finalize/default/050_prepare_checks.sh)
+    # shim-install is needed in addition to GRUB2 at least on SUSE systems, see https://github.com/rear/rear/issues/2116
+    NOBOOTLOADER=1
+    return 1
+fi
+