UEFI secure boot support for iso element.
This adds support for UEFI secure boot by copying the signed shim and grub bootloaders into the ramdisk image. Closes-Bug: 1419707 Change-Id: I1193cd3a9011855a6804966a31c7c0e28da90ada
parent
c5cbc93693
commit
0bbe91af82
@ -21,25 +21,21 @@ set -eu
|
|||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
function build_efiboot_img() {
|
function build_efiboot_img() {
|
||||||
|
# Signed bootloader files are saved at tmp/bootloader_files during
|
||||||
|
# post-install stage needs to copy them into image.
|
||||||
|
# Signed bootloader packages used are:-
|
||||||
|
# Ubuntu: grub-efi-amd64-signed and shim-signed
|
||||||
|
# Fedora: grub2-efi and shim
|
||||||
|
|
||||||
cat > "$TMP_BUILD_DIR/grub-embedded.cfg" << END_CONFIG
|
if [ $DISTRO_NAME = "fedora" ]; then
|
||||||
search --set=root --label VMEDIA_BOOT_ISO
|
cp $TMP_BOOTLOADER_DIR/shim.efi $TMP_BUILD_DIR/bootx64.efi
|
||||||
set prefix=(\$root)/EFI/BOOT/
|
cp $TMP_BOOTLOADER_DIR/grubx64.efi $TMP_BUILD_DIR/grubx64.efi
|
||||||
END_CONFIG
|
else
|
||||||
|
cp $TMP_BOOTLOADER_DIR/shim.efi.signed $TMP_BUILD_DIR/bootx64.efi
|
||||||
|
cp $TMP_BOOTLOADER_DIR/grubx64.efi.signed $TMP_BUILD_DIR/grubx64.efi
|
||||||
|
fi
|
||||||
|
|
||||||
grub-mkimage --format=x86_64-efi --output=$TMP_BUILD_DIR/bootx64.efi \
|
dd if=/dev/zero of=$TMP_BUILD_DIR/efiboot.img bs=1K count=5760
|
||||||
--config=$TMP_BUILD_DIR/grub-embedded.cfg --compression=xz \
|
|
||||||
--prefix=/EFI/BOOT part_gpt part_msdos fat ext2 hfs hfsplus \
|
|
||||||
iso9660 udf ufs1 ufs2 zfs chain linux boot appleldr ahci \
|
|
||||||
configfile normal regexp minicmd reboot halt search \
|
|
||||||
search_fs_file search_fs_uuid search_label gfxterm gfxmenu \
|
|
||||||
efi_gop efi_uga all_video loadbios gzio echo true probe \
|
|
||||||
loadenv bitmap_scale font cat help ls png jpeg tga test \
|
|
||||||
at_keyboard usb_keyboard
|
|
||||||
|
|
||||||
# Create a FAT formatted image that contains bootx64.efi in the /EFI/BOOT
|
|
||||||
# directory. This is used to bootstrap GRUB from the ISO image.
|
|
||||||
dd if=/dev/zero of=$TMP_BUILD_DIR/efiboot.img bs=1K count=1440
|
|
||||||
mkdosfs -F 12 $TMP_BUILD_DIR/efiboot.img
|
mkdosfs -F 12 $TMP_BUILD_DIR/efiboot.img
|
||||||
|
|
||||||
# Create a temporary mount point:
|
# Create a temporary mount point:
|
||||||
@ -48,6 +44,7 @@ END_CONFIG
|
|||||||
sudo mount -o loop $TMP_BUILD_DIR/efiboot.img $MOUNTPOINT
|
sudo mount -o loop $TMP_BUILD_DIR/efiboot.img $MOUNTPOINT
|
||||||
sudo mkdir -p $MOUNTPOINT/EFI/BOOT
|
sudo mkdir -p $MOUNTPOINT/EFI/BOOT
|
||||||
sudo cp $TMP_BUILD_DIR/bootx64.efi $MOUNTPOINT/EFI/BOOT
|
sudo cp $TMP_BUILD_DIR/bootx64.efi $MOUNTPOINT/EFI/BOOT
|
||||||
|
sudo cp $TMP_BUILD_DIR/grubx64.efi $MOUNTPOINT/EFI/BOOT
|
||||||
sudo umount $MOUNTPOINT
|
sudo umount $MOUNTPOINT
|
||||||
rmdir $MOUNTPOINT
|
rmdir $MOUNTPOINT
|
||||||
cp $TMP_BUILD_DIR/efiboot.img $TMP_IMAGE_DIR/isolinux
|
cp $TMP_BUILD_DIR/efiboot.img $TMP_IMAGE_DIR/isolinux
|
||||||
@ -63,7 +60,18 @@ function build_iso() {
|
|||||||
SCRIPTNAME=$(basename $0)
|
SCRIPTNAME=$(basename $0)
|
||||||
SCRIPTDIR=$(dirname $0)
|
SCRIPTDIR=$(dirname $0)
|
||||||
MKISOFS="/usr/bin/mkisofs"
|
MKISOFS="/usr/bin/mkisofs"
|
||||||
EFI_BOOT_DIR="EFI/BOOT"
|
|
||||||
|
if [ $DISTRO_NAME = "fedora" ]; then
|
||||||
|
EFI_BOOT_DIR="EFI/fedora"
|
||||||
|
GRUB_LINUX_TAG="linuxefi"
|
||||||
|
GRUB_INITRD_TAG="initrdefi"
|
||||||
|
EXTRA_KERNEL_PARAMS="usbcore.autosuspend=-1"
|
||||||
|
else
|
||||||
|
EFI_BOOT_DIR="EFI/ubuntu"
|
||||||
|
GRUB_LINUX_TAG="linux"
|
||||||
|
GRUB_INITRD_TAG="initrd"
|
||||||
|
EXTRA_KERNEL_PARAMS=""
|
||||||
|
fi
|
||||||
|
|
||||||
# Create a temporary build directory for holiding the contents of iso
|
# Create a temporary build directory for holiding the contents of iso
|
||||||
TMP_IMAGE_DIR="$TMP_BUILD_DIR/image"
|
TMP_IMAGE_DIR="$TMP_BUILD_DIR/image"
|
||||||
@ -74,13 +82,7 @@ function build_iso() {
|
|||||||
mkdir -p "$TMP_IMAGE_DIR/isolinux"
|
mkdir -p "$TMP_IMAGE_DIR/isolinux"
|
||||||
echo "Copying isolinux.bin"
|
echo "Copying isolinux.bin"
|
||||||
|
|
||||||
# TODO(rameshg87): Something similar to pkg-map can be used here.
|
ISOLINUX_BIN=$TMP_BOOTLOADER_DIR/isolinux.bin
|
||||||
# But pkg-map doesn't work for cleanup scripts right now.
|
|
||||||
if [ $DISTRO_NAME = "fedora" ]; then
|
|
||||||
ISOLINUX_BIN=/usr/share/syslinux/isolinux.bin
|
|
||||||
else
|
|
||||||
ISOLINUX_BIN=/usr/lib/syslinux/isolinux.bin
|
|
||||||
fi
|
|
||||||
|
|
||||||
cp $ISOLINUX_BIN "$TMP_IMAGE_DIR/isolinux"
|
cp $ISOLINUX_BIN "$TMP_IMAGE_DIR/isolinux"
|
||||||
|
|
||||||
@ -103,8 +105,7 @@ TIMEOUT 5
|
|||||||
PROMPT 0
|
PROMPT 0
|
||||||
END_CONFIG
|
END_CONFIG
|
||||||
|
|
||||||
|
echo "Creating EFI/ubuntu directory"
|
||||||
echo "Creating EFI/BOOT directory"
|
|
||||||
mkdir -p "$TMP_IMAGE_DIR/$EFI_BOOT_DIR"
|
mkdir -p "$TMP_IMAGE_DIR/$EFI_BOOT_DIR"
|
||||||
|
|
||||||
# Generate grub.cfg for default booting
|
# Generate grub.cfg for default booting
|
||||||
@ -115,18 +116,13 @@ set timeout="5"
|
|||||||
set hidden_timeout_quiet=false
|
set hidden_timeout_quiet=false
|
||||||
|
|
||||||
menuentry "install" {
|
menuentry "install" {
|
||||||
linux /vmlinuz $KERNEL_CMDLINE_ARGS --
|
search --set=root --label VMEDIA_BOOT_ISO
|
||||||
initrd /initrd
|
$GRUB_LINUX_TAG /vmlinuz $EXTRA_KERNEL_PARAMS $KERNEL_CMDLINE_ARGS --
|
||||||
|
$GRUB_INITRD_TAG /initrd
|
||||||
}
|
}
|
||||||
END_CONFIG
|
END_CONFIG
|
||||||
|
|
||||||
|
build_efiboot_img
|
||||||
DIB_UEFI_ISO_BUILD_EFIBOOT=${DIB_UEFI_ISO_BUILD_EFIBOOT:-}
|
|
||||||
if [ -n "$DIB_UEFI_ISO_BUILD_EFIBOOT" ]; then
|
|
||||||
build_efiboot_img
|
|
||||||
else
|
|
||||||
cp $SCRIPTDIR/efiboot.img $TMP_IMAGE_DIR/isolinux
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Create the ISO
|
# Create the ISO
|
||||||
echo "Generating the ISO"
|
echo "Generating the ISO"
|
||||||
@ -145,6 +141,11 @@ if echo $IMAGE_ELEMENT | grep -q '\bramdisk\b'; then
|
|||||||
EMITTED_RAMDISK=$IMAGE_NAME.initramfs
|
EMITTED_RAMDISK=$IMAGE_NAME.initramfs
|
||||||
EMITTED_KERNEL_CMDLINE_ARGS="boot_method=vmedia"
|
EMITTED_KERNEL_CMDLINE_ARGS="boot_method=vmedia"
|
||||||
EMITTED_ISO_FILENAME=$IMAGE_NAME.iso
|
EMITTED_ISO_FILENAME=$IMAGE_NAME.iso
|
||||||
|
elif echo $IMAGE_ELEMENT | grep -q '\bironic-agent\b'; then
|
||||||
|
EMITTED_KERNEL=$IMAGE_NAME.vmlinuz
|
||||||
|
EMITTED_RAMDISK=$IMAGE_NAME.initramfs
|
||||||
|
EMITTED_KERNEL_CMDLINE_ARGS="boot_method=vmedia"
|
||||||
|
EMITTED_ISO_FILENAME=$IMAGE_NAME.iso
|
||||||
elif echo $IMAGE_ELEMENT | grep -q '\bbaremetal\b'; then
|
elif echo $IMAGE_ELEMENT | grep -q '\bbaremetal\b'; then
|
||||||
EMITTED_KERNEL=${IMAGE_NAME}.vmlinuz
|
EMITTED_KERNEL=${IMAGE_NAME}.vmlinuz
|
||||||
EMITTED_RAMDISK=${IMAGE_NAME}.initrd
|
EMITTED_RAMDISK=${IMAGE_NAME}.initrd
|
||||||
@ -159,5 +160,10 @@ else
|
|||||||
echo "Please use 'iso' element with either 'baremetal' or 'ramdisk' elements"
|
echo "Please use 'iso' element with either 'baremetal' or 'ramdisk' elements"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
export TMP_BOOTLOADER_DIR=$TARGET_ROOT/tmp/bootloader_files
|
||||||
build_iso "$EMITTED_KERNEL" "$EMITTED_RAMDISK" "$EMITTED_KERNEL_CMDLINE_ARGS" \
|
build_iso "$EMITTED_KERNEL" "$EMITTED_RAMDISK" "$EMITTED_KERNEL_CMDLINE_ARGS" \
|
||||||
"$EMITTED_ISO_FILENAME"
|
"$EMITTED_ISO_FILENAME"
|
||||||
|
|
||||||
|
# Clean-up the bootloaders directory
|
||||||
|
sudo rm -fr $TMP_BOOTLOADER_DIR
|
||||||
|
|
||||||
|
Binary file not shown.
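--- /dev/null
+++ b/elements/iso/element-deps
@@ -0,0 +1 @@
+package-installs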
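--- /dev/null
+++ b/elements/iso/package-installs.yaml
@@ -0,0 +1,3 @@
+signed_grub:
+signed_shim:
+syslinux: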
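--- /dev/null
+++ b/elements/iso/pkg-map
@@ -0,0 +1,20 @@
+{
+"family":{
+"debian":{
+"signed_grub": "grub-efi-amd64-signed",
+"signed_shim": "shim-signed",
+"syslinux": "syslinux"
+},
+"redhat":{
+"signed_grub": "grub2-efi",
+"signed_shim": "shim",
+"syslinux": ""
+}
+},
+"default":{
+"signed_grub": "grub-efi-amd64-signed",
+"signed_shim": "shim-signed",
+"syslinux": "syslinux"
+}
+}
+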
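Review bot: The redhat family maps `syslinux` to the empty string, yet the new post-install script in this same commit copies `/usr/share/syslinux/isolinux.bin` when DISTRO_NAME is fedora. If an empty pkg-map value means no package is installed (which is how package-installs appears to treat it), that copy only succeeds on a Fedora build when syslinux happens to be present already, and the build fails under `set -e` otherwise. Either map it to the Fedora package, `"syslinux": "syslinux"`, or stop copying isolinux.bin for that family so the two files agree. The `default` entry duplicates the debian mapping, which is fine, but worth stating in the element README since JSON cannot carry a comment.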
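--- /dev/null
+++ b/elements/iso/post-install.d/01-copy-bootloaders
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+set -x
+fi
+
+set -eux
+set -o pipefail
+
+TMP_BOOTLOADER_DIR=/tmp/bootloader_files
+mkdir -p $TMP_BOOTLOADER_DIR
+
+if [ $DISTRO_NAME = "fedora" ]; then
+GRUB_FILE="/boot/efi/EFI/fedora/grubx64.efi"
+else
+GRUB_FILE="/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed"
+fi
+
+if [ $DISTRO_NAME = "fedora" ]; then
+SHIM_FILE="/boot/efi/EFI/fedora/shim.efi"
+else
+SHIM_FILE="/usr/lib/shim/shim.efi.signed"
+fi
+
+if [ $DISTRO_NAME = "fedora" ]; then
+SYSLINUX_FILE="/usr/share/syslinux/isolinux.bin"
+else
+SYSLINUX_FILE="/usr/lib/syslinux/isolinux.bin"
+fi
+
+cp $GRUB_FILE $TMP_BOOTLOADER_DIR
+cp $SHIM_FILE $TMP_BOOTLOADER_DIR
+cp $SYSLINUX_FILE $TMP_BOOTLOADER_DIR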
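Review bot: The `set -eux` on line 7 of the new script turns xtrace on unconditionally, which makes the `DIB_DEBUG_TRACE` guard on lines 3-5 dead code and dumps every command of this post-install hook into the build log regardless of the debug setting; it should read `set -eu`. The same `[ $DISTRO_NAME = "fedora" ]` test is then evaluated three times to pick three file paths, and with the variable unquoted an empty DISTRO_NAME (which `set -u` does not catch) turns the test into a syntax error rather than falling into the else branch. One quoted test selecting all three paths, followed by a single copy, reads more clearly and keeps the distro-specific knowledge in one place; the paths themselves are unchanged.
```shell
# … unchanged: shebang, DIB_DEBUG_TRACE guard …
set -eu
set -o pipefail

TMP_BOOTLOADER_DIR=/tmp/bootloader_files
mkdir -p "$TMP_BOOTLOADER_DIR"

# Signed bootloaders live in distro-specific locations; pick all three at once.
if [ "$DISTRO_NAME" = "fedora" ]; then
    GRUB_FILE="/boot/efi/EFI/fedora/grubx64.efi"
    SHIM_FILE="/boot/efi/EFI/fedora/shim.efi"
    SYSLINUX_FILE="/usr/share/syslinux/isolinux.bin"
else
    GRUB_FILE="/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed"
    SHIM_FILE="/usr/lib/shim/shim.efi.signed"
    SYSLINUX_FILE="/usr/lib/syslinux/isolinux.bin"
fi

cp -- "$GRUB_FILE" "$SHIM_FILE" "$SYSLINUX_FILE" "$TMP_BOOTLOADER_DIR"
```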