sys: add helper to get bootmode and secureboot status

Helper that return the current boot_mode and secureboot status. Detection works the same as in pve, we use `/sys/firmware/efi` and the `efivars/SecureBoot-xxx..` file. Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
2023-11-29 14:28:57 +01:00 · 2023-11-29 14:28:57 +01:00 · 12657f89b3
commit 12657f89b3
parent a815fc4f56
2 changed files with 61 additions and 0 deletions
--- a/proxmox-sys/src/boot_mode.rs
+++ b/proxmox-sys/src/boot_mode.rs
@ -0,0 +1,60 @@
+use std::{io::Read, sync::OnceLock};
+
+/// The SecureBoot status
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum SecureBoot {
+    /// SecureBoot is enabled
+    Enabled,
+    /// SecureBoot is disabled
+    Disabled,
+}
+
+/// The possible BootModes
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum BootMode {
+    /// The BootMode is EFI/UEFI
+    Efi,
+    /// The BootMode is Legacy BIOS
+    Bios,
+}
+
+static BOOT_MODE: OnceLock<BootMode> = OnceLock::new();
+static SECURE_BOOT: OnceLock<SecureBoot> = OnceLock::new();
+
+impl BootMode {
+    /// Returns the current bootmode (BIOS or EFI)
+    pub fn query() -> BootMode {
+        let value: &BootMode = BOOT_MODE.get_or_init(|| {
+            if std::path::Path::new("/sys/firmware/efi").exists() {
+                BootMode::Efi
+            } else {
+                BootMode::Bios
+            }
+        });
+        *value
+    }
+}
+
+impl SecureBoot {
+    /// Checks if secure boot is enabled
+    pub fn query() -> SecureBoot {
+        let value: &SecureBoot = SECURE_BOOT.get_or_init(|| {
+            // Check if SecureBoot is enabled
+            // Attention: this file is not seekable!
+            // Spec: https://uefi.org/specs/UEFI/2.10/03_Boot_Manager.html?highlight=8be4d#globally-defined-variables
+            let mut buf = [0; 5];
+            if std::fs::File::open(
+                "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c",
+            )
+            .and_then(|mut file| file.read_exact(&mut buf))
+            .is_ok()
+                && buf[4] == 1
+            {
+                SecureBoot::Enabled
+            } else {
+                SecureBoot::Disabled
+            }
+        });
+        *value
+    }
+}
--- a/proxmox-sys/src/lib.rs
+++ b/proxmox-sys/src/lib.rs
@ -1,5 +1,6 @@
 use std::os::unix::ffi::OsStrExt;

+pub mod boot_mode;
 pub mod command;
 #[cfg(feature = "crypt")]
 pub mod crypt;