From d1b118edbdc664e2d5fb690748051280b6a7ae21 Mon Sep 17 00:00:00 2001 From: Rakesh Kumar Date: Thu, 30 Jan 2025 11:06:20 +0530 Subject: [PATCH] iot2050-efivarfs-helper: handle efivarfs dynamically during runtime Instead of enforcing a persistent read-write (rw) mount via /etc/fstab, this change ensures efivarfs is mounted and remounted dynamically during command execution. This approach improves flexibility, avoids potential conflicts, and ensures efivarfs is available with the correct permissions only when needed. Key improvements: * Removed the need for a persistent rw entry in /etc/fstab. * Ensures efivarfs is correctly mounted and remounted as needed during execution. * Prevents unnecessary system-wide modifications while maintaining secure access. This update enhances robustness and ensures a controlled, on-demand handling of efivarfs. Signed-off-by: Rakesh Kumar
---
.../files/iot2050-efivarfs-helper.tmpl | 33 ++++++++++++++++++- .../iot2050-efivarfs-helper/files/postinst | 12 ------- .../iot2050-efivarfs-helper_0.1.bb | 3 +- 3 files changed, 33 insertions(+), 15 deletions(-) delete mode 100644 recipes-app/iot2050-efivarfs-helper/files/postinst
diff --git a/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl b/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl
index 45c06872e..2551c5c49 100755
--- a/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl
+++ b/recipes-app/iot2050-efivarfs-helper/files/iot2050-efivarfs-helper.tmpl
@@ -79,9 +79,40 @@ def check_mount_efivarfs() -> bool: if 'rw' in mount_options and 'ro' not in mount_options: mount_err_msg = '' else: - mount_err_msg = 'not mounted as read & write.' + # efivarfs is mounted as read-only + mount_err_msg = 'mounted as read-only.' + # Try to remount as read-write + print("efivarfs mounted as read-only. Attempting to remount efivarfs as read-write...", end='') + try: + subprocess.run(['mount', '-o', 'remount,rw', '/sys/firmware/efi/efivars'], check=True) + print("Remount successful.") + mount_err_msg = '' # No error, remount was successful + except subprocess.CalledProcessError: + mount_err_msg = 'failed to remount as read-write.' break + if mount_err_msg == 'not mounted.': + ''' + By default, the kernel or systemd mounts efivarfs as read-only (ro) to prevent + accidental modifications to UEFI variables, which are critical for system operation. + However, the kernel permits remounting efivarfs as read-write (rw) since it is already + mounted, making this a controlled and intentional change when necessary. + ''' + print("Not mounted. Mounting efivarfs ...", end='') + try: + subprocess.run(['mount', '-t', 'efivarfs', 'efivarfs', '/sys/firmware/efi/efivars'], check=True) + print("Mount successful.") + print("Attempting to remount as read-write...", end='') + # Remount as read-write + try: + subprocess.run(['mount', '-o', 'remount,rw', '/sys/firmware/efi/efivars'], check=True) + print("Remount as read-write successful.") + mount_err_msg = '' # No error + except subprocess.CalledProcessError: + mount_err_msg = 'failed to remount as read-write.' + except subprocess.CalledProcessError: + mount_err_msg = 'failed to mount efivarfs.' + if mount_err_msg == '': print("Done.") return True diff --git a/recipes-app/iot2050-efivarfs-helper/files/postinst b/recipes-app/iot2050-efivarfs-helper/files/postinst deleted file mode 100644 index 9d7d917b4..000000000 --- a/recipes-app/iot2050-efivarfs-helper/files/postinst +++ /dev/null 
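Review bot: Neither new branch ever puts efivarfs back to read-only, so after the first successful run of check_mount_efivarfs() the UEFI variables stay writable system-wide until reboot, which is the state the docstring-style comment in this hunk says the ro default exists to prevent. Nothing in the visible lines restores it, and the function's callers are outside the hunk, so this may be handled elsewhere; if it is not, register the restore where the remount succeeds, e.g. `atexit.register(subprocess.run, ['mount', '-o', 'remount,ro', '/sys/firmware/efi/efivars'], check=False)` (needs `import atexit` if the file lacks it). The fresh-mount branch also drops the `nosuid,nodev,noexec` options that the removed fstab entry carried, and since a plain mount is normally already read-write its follow-up remount looks redundant; a single `['mount', '-t', 'efivarfs', '-o', 'rw,nosuid,nodev,noexec', 'efivarfs', '/sys/firmware/efi/efivars']` would cover both. check_mount_efivarfs starts above the hunk and continues below it.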
@@ -1,12 +0,0 @@
-#
-# Copyright (c) Siemens AG, 2023
-#
-# Authors:
-# Su Baocheng
-#
-# This file is subject to the terms and conditions of the MIT License. See
-# COPYING.MIT file in the top-level directory.
-#
-
-# mount efivarfs as read and write
-echo "efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec 0 0" >> /etc/fstab
diff --git a/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb b/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb
index 300d3b077..0c11c6ed6 100644
--- a/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb
+++ b/recipes-app/iot2050-efivarfs-helper/iot2050-efivarfs-helper_0.1.bb
@@ -12,8 +12,7 @@ inherit dpkg-raw DESCRIPTION = "Efivarfs Helper" MAINTAINER = "baocheng.su@siemens.com" -SRC_URI = "file://iot2050-efivarfs-helper.tmpl \ - file://postinst" +SRC_URI = "file://iot2050-efivarfs-helper.tmpl" TEMPLATE_FILES = "iot2050-efivarfs-helper.tmpl"
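Review bot: Devices that installed the earlier package keep the `efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec 0 0` line its postinst appended to /etc/fstab, because dropping `file://postinst` from SRC_URI only stops new installs from adding it. On those systems efivarfs would still be mounted read-write at every boot, so the on-demand handling the commit describes would not take effect; whether this package is upgraded in the field is not visible here. If it is, consider keeping a postinst that deletes that exact line instead of removing the script, and bumping the recipe version (still `_0.1`) so the upgrade is picked up.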