diskimage-builder/diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash

33 lines
1.5 KiB
Bash
Raw Normal View History

export DISTRO_NAME=debian
export DIB_RELEASE=${DIB_RELEASE:-stable}
export DIB_INIT_SYSTEM=systemd
Support secure-boot bootloader where possible As of grub2 >= 2.02-95 on redhat family distros, calling grub2-install on an EFI partition will fail with: "this utility cannot be used for EFI platforms because it does not support UEFI Secure Boot." This version of grub is now in centos8-stream and non-eus repos of RHEL-8. It is not currently possible to build whole-disk UEFI images on these distros, and when this package is promoted this will also affect centos8 and RHEL-8 eus. The grub maintainers made this change because the grub2-install generated /boot/efi/EFI/BOOT/BOOTX64.EFI will never be capable of booting with Secure Boot. This change defines a $EFI_BOOT_DIR for every distro element. When directory /boot/efi/$EFI_BOOT_DIR exists a grub.cfg file in will be generated there. This change also installs the shim package on redhat family distros, which installs a copy of the shim bootloader to /boot/efi/EFI/BOOT/BOOTX64.EFI. Using centos as an example, this allows UEFI to boot the shim /boot/efi/EFI/BOOT/BOOTX64.EFI which then chains to /boot/efi/EFI/centos/grubx64.efi. If /boot/efi/$EFI_BOOT_DIR doesn't exist (such as for Ubuntu, /boot/efi/EFI/ubuntu) the current behaviour of running grub-install to generate /boot/efi/EFI/BOOT/BOOTX64.EFI will continue. For distros such as Ubutnu where packaging does not populate /boot/efi/EFI/ubuntu with .efi files, secure boot can be added in the future by copying .efi files to /boot/efi/EFI/ubuntu and copying the shim file to /boot/efi/EFI/BOOT/BOOTX64.EFI. Change-Id: I90925218ff2aa4c4daffcf86e686b6d98d6b0f21
2021-03-05 03:35:21 +00:00
export EFI_BOOT_DIR="EFI/debian"
if [ -n "${DIB_DEBIAN_DISTRIBUTION_MIRROR:-}" ]; then
DIB_DISTRIBUTION_MIRROR=$DIB_DEBIAN_DISTRIBUTION_MIRROR
fi
export DIB_DISTRIBUTION_MIRROR=${DIB_DISTRIBUTION_MIRROR:-http://deb.debian.org/debian}
# With Debian, security is in a different repository. We can't, say,
# assume "${DIB_DISTRIBUTION_MIRROR}-security" is valid. The only
# choice is for people to add it separately, otherwise we use
# upstream.
DIB_DEBIAN_SECURITY_MIRROR=${DIB_DEBIAN_SECURITY_MIRROR:-http://security.debian.org/}
DIB_DEBIAN_SECURITY_SUBPATH=${DIB_DEBIAN_SECURITY_SUBPATH:-/updates}
export DIB_DEBIAN_COMPONENTS=${DIB_DEBIAN_COMPONENTS:-main}
export DIB_DEBIAN_COMPONENTS_WS=${DIB_DEBIAN_COMPONENTS//,/ }
DIB_APT_SOURCES_CONF_DEFAULT=\
"default:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE} ${DIB_DEBIAN_COMPONENTS_WS}
backports:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE}-backports ${DIB_DEBIAN_COMPONENTS_WS}
updates:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE}-updates ${DIB_DEBIAN_COMPONENTS_WS}
security:deb ${DIB_DEBIAN_SECURITY_MIRROR} ${DIB_RELEASE}${DIB_DEBIAN_SECURITY_SUBPATH} ${DIB_DEBIAN_COMPONENTS_WS}
"
if [ "${DIB_RELEASE}" = "testing" -o "${DIB_RELEASE}" = "unstable" ]; then
DIB_APT_SOURCES_CONF_DEFAULT="default:deb ${DIB_DISTRIBUTION_MIRROR} ${DIB_RELEASE} ${DIB_DEBIAN_COMPONENTS_WS}"
fi
export DIB_APT_SOURCES_CONF=${DIB_APT_SOURCES_CONF:-${DIB_APT_SOURCES_CONF_DEFAULT}}