diff --git a/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl b/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl
index 45c06872e..2551c5c49 100755
--- a/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl
+++ b/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl
@@ -79,9 +79,40 @@ def check_mount_efivarfs() -> bool: if 'rw' in mount_options and 'ro' not in mount_options: mount_err_msg = '' else: - mount_err_msg = 'not mounted as read & write.' + # efivarfs is mounted as read-only + mount_err_msg = 'mounted as read-only.' + # Try to remount as read-write + print("efivarfs mounted as read-only. Attempting to remount efivarfs as read-write...", end='') + try: + subprocess.run(['mount', '-o', 'remount,rw', '/sys/firmware/efi/efivars'], check=True) + print("Remount successful.") + mount_err_msg = '' # No error, remount was successful + except subprocess.CalledProcessError: + mount_err_msg = 'failed to remount as read-write.' break + if mount_err_msg == 'not mounted.': + ''' + By default, the kernel or systemd mounts efivarfs as read-only (ro) to prevent + accidental modifications to UEFI variables, which are critical for system operation. + However, the kernel permits remounting efivarfs as read-write (rw) since it is already + mounted, making this a controlled and intentional change when necessary. + ''' + print("Not mounted. Mounting efivarfs ...", end='') + try: + subprocess.run(['mount', '-t', 'efivarfs', 'efivarfs', '/sys/firmware/efi/efivars'], check=True) + print("Mount successful.") + print("Attempting to remount as read-write...", end='') + # Remount as read-write + try: + subprocess.run(['mount', '-o', 'remount,rw', '/sys/firmware/efi/efivars'], check=True) + print("Remount as read-write successful.") + mount_err_msg = '' # No error + except subprocess.CalledProcessError: + mount_err_msg = 'failed to remount as read-write.' + except subprocess.CalledProcessError: + mount_err_msg = 'failed to mount efivarfs.' + if mount_err_msg == '': print("Done.") return True diff --git a/recipes-app/iot2050-efivarfs-helper/files/postinst b/recipes-app/iot2050-efivarfs-helper/files/postinst deleted file mode 100644 index 9d7d917b4..000000000 --- a/recipes-app/iot2050-efivarfs-helper/files/postinst +++ /dev/null 
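Review bot: The new mount call in the `not mounted.` branch passes no options, so the `nosuid,nodev,noexec` flags that the fstab entry deleted by this same commit used to apply are lost, and nothing in this hunk puts efivarfs back to read-only once the helper has done its writes (check_mount_efivarfs starts and ends outside the hunk, so a later remount cannot be ruled out). Mounting once with explicit options, `subprocess.run(['mount', '-t', 'efivarfs', '-o', 'rw,nosuid,nodev,noexec', 'efivarfs', '/sys/firmware/efi/efivars'], check=True)`, would keep the previous hardening and make the nested mount-then-remount `try` unnecessary; a plain `mount -t efivarfs` most likely comes up read-write already, which would make the follow-up remount redundant. A matching `remount,ro` after the helper finishes would restore the read-only default that the block comment itself describes as protecting the UEFI variables. That comment is a bare `'''` string literal placed in the mount branch while its text explains remounting, so it reads better as `#` lines above the read-only branch. Both `except` clauses catch only `subprocess.CalledProcessError`, so a missing `mount` binary would surface as an uncaught `FileNotFoundError` rather than setting `mount_err_msg`.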
@@ -1,12 +0,0 @@ -# -# Copyright (c) Siemens AG, 2023 -# -# Authors: -# Su Baocheng -# -# This file is subject to the terms and conditions of the MIT License. See -# COPYING.MIT file in the top-level directory. -# - -# mount efivarfs as read and write -echo "efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec 0 0" >> /etc/fstab diff --git a/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb b/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb index 300d3b077..0c11c6ed6 100644 --- a/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb +++ b/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb @@ -12,8 +12,7 @@ inherit dpkg-raw DESCRIPTION = "Efivarfs Helper" MAINTAINER = "baocheng.su@siemens.com" -SRC_URI = "file://iot2050-efivarfs-helper.tmpl \ - file://postinst" +SRC_URI = "file://iot2050-efivarfs-helper.tmpl" TEMPLATE_FILES = "iot2050-efivarfs-helper.tmpl"