UEFI secure boot support for iso element.
This adds support for UEFI secure boot by copying the distro-signed shim and grub bootloaders into the ramdisk image. Closes-Bug: 1419707 Change-Id: I1193cd3a9011855a6804966a31c7c0e28da90ada
parent
c5cbc93693
commit
0bbe91af82
@ -21,25 +21,21 @@ set -eu
|
||||
set -o pipefail
|
||||
|
||||
function build_efiboot_img() {
|
||||
# Signed bootloader files are saved at tmp/bootloader_files during
|
||||
# post-install stage needs to copy them into image.
|
||||
# Signed bootloader packages used are:-
|
||||
# Ubuntu: grub-efi-amd64-signed and shim-signed
|
||||
# Fedora: grub2-efi and shim
|
||||
|
||||
cat > "$TMP_BUILD_DIR/grub-embedded.cfg" << END_CONFIG
|
||||
search --set=root --label VMEDIA_BOOT_ISO
|
||||
set prefix=(\$root)/EFI/BOOT/
|
||||
END_CONFIG
|
||||
if [ $DISTRO_NAME = "fedora" ]; then
|
||||
cp $TMP_BOOTLOADER_DIR/shim.efi $TMP_BUILD_DIR/bootx64.efi
|
||||
cp $TMP_BOOTLOADER_DIR/grubx64.efi $TMP_BUILD_DIR/grubx64.efi
|
||||
else
|
||||
cp $TMP_BOOTLOADER_DIR/shim.efi.signed $TMP_BUILD_DIR/bootx64.efi
|
||||
cp $TMP_BOOTLOADER_DIR/grubx64.efi.signed $TMP_BUILD_DIR/grubx64.efi
|
||||
fi
|
||||
|
||||
grub-mkimage --format=x86_64-efi --output=$TMP_BUILD_DIR/bootx64.efi \
|
||||
--config=$TMP_BUILD_DIR/grub-embedded.cfg --compression=xz \
|
||||
--prefix=/EFI/BOOT part_gpt part_msdos fat ext2 hfs hfsplus \
|
||||
iso9660 udf ufs1 ufs2 zfs chain linux boot appleldr ahci \
|
||||
configfile normal regexp minicmd reboot halt search \
|
||||
search_fs_file search_fs_uuid search_label gfxterm gfxmenu \
|
||||
efi_gop efi_uga all_video loadbios gzio echo true probe \
|
||||
loadenv bitmap_scale font cat help ls png jpeg tga test \
|
||||
at_keyboard usb_keyboard
|
||||
|
||||
# Create a FAT formatted image that contains bootx64.efi in the /EFI/BOOT
|
||||
# directory. This is used to bootstrap GRUB from the ISO image.
|
||||
dd if=/dev/zero of=$TMP_BUILD_DIR/efiboot.img bs=1K count=1440
|
||||
dd if=/dev/zero of=$TMP_BUILD_DIR/efiboot.img bs=1K count=5760
|
||||
mkdosfs -F 12 $TMP_BUILD_DIR/efiboot.img
|
||||
|
||||
# Create a temporary mount point:
|
||||
@ -48,6 +44,7 @@ END_CONFIG
|
||||
sudo mount -o loop $TMP_BUILD_DIR/efiboot.img $MOUNTPOINT
|
||||
sudo mkdir -p $MOUNTPOINT/EFI/BOOT
|
||||
sudo cp $TMP_BUILD_DIR/bootx64.efi $MOUNTPOINT/EFI/BOOT
|
||||
sudo cp $TMP_BUILD_DIR/grubx64.efi $MOUNTPOINT/EFI/BOOT
|
||||
sudo umount $MOUNTPOINT
|
||||
rmdir $MOUNTPOINT
|
||||
cp $TMP_BUILD_DIR/efiboot.img $TMP_IMAGE_DIR/isolinux
|
||||
@ -63,7 +60,18 @@ function build_iso() {
|
||||
SCRIPTNAME=$(basename $0)
|
||||
SCRIPTDIR=$(dirname $0)
|
||||
MKISOFS="/usr/bin/mkisofs"
|
||||
EFI_BOOT_DIR="EFI/BOOT"
|
||||
|
||||
if [ $DISTRO_NAME = "fedora" ]; then
|
||||
EFI_BOOT_DIR="EFI/fedora"
|
||||
GRUB_LINUX_TAG="linuxefi"
|
||||
GRUB_INITRD_TAG="initrdefi"
|
||||
EXTRA_KERNEL_PARAMS="usbcore.autosuspend=-1"
|
||||
else
|
||||
EFI_BOOT_DIR="EFI/ubuntu"
|
||||
GRUB_LINUX_TAG="linux"
|
||||
GRUB_INITRD_TAG="initrd"
|
||||
EXTRA_KERNEL_PARAMS=""
|
||||
fi
|
||||
|
||||
# Create a temporary build directory for holiding the contents of iso
|
||||
TMP_IMAGE_DIR="$TMP_BUILD_DIR/image"
|
||||
@ -74,13 +82,7 @@ function build_iso() {
|
||||
mkdir -p "$TMP_IMAGE_DIR/isolinux"
|
||||
echo "Copying isolinux.bin"
|
||||
|
||||
# TODO(rameshg87): Something similar to pkg-map can be used here.
|
||||
# But pkg-map doesn't work for cleanup scripts right now.
|
||||
if [ $DISTRO_NAME = "fedora" ]; then
|
||||
ISOLINUX_BIN=/usr/share/syslinux/isolinux.bin
|
||||
else
|
||||
ISOLINUX_BIN=/usr/lib/syslinux/isolinux.bin
|
||||
fi
|
||||
ISOLINUX_BIN=$TMP_BOOTLOADER_DIR/isolinux.bin
|
||||
|
||||
cp $ISOLINUX_BIN "$TMP_IMAGE_DIR/isolinux"
|
||||
|
||||
@ -103,8 +105,7 @@ TIMEOUT 5
|
||||
PROMPT 0
|
||||
END_CONFIG
|
||||
|
||||
|
||||
echo "Creating EFI/BOOT directory"
|
||||
echo "Creating EFI/ubuntu directory"
|
||||
mkdir -p "$TMP_IMAGE_DIR/$EFI_BOOT_DIR"
|
||||
|
||||
# Generate grub.cfg for default booting
|
||||
@ -115,18 +116,13 @@ set timeout="5"
|
||||
set hidden_timeout_quiet=false
|
||||
|
||||
menuentry "install" {
|
||||
linux /vmlinuz $KERNEL_CMDLINE_ARGS --
|
||||
initrd /initrd
|
||||
search --set=root --label VMEDIA_BOOT_ISO
|
||||
$GRUB_LINUX_TAG /vmlinuz $EXTRA_KERNEL_PARAMS $KERNEL_CMDLINE_ARGS --
|
||||
$GRUB_INITRD_TAG /initrd
|
||||
}
|
||||
END_CONFIG
|
||||
|
||||
|
||||
DIB_UEFI_ISO_BUILD_EFIBOOT=${DIB_UEFI_ISO_BUILD_EFIBOOT:-}
|
||||
if [ -n "$DIB_UEFI_ISO_BUILD_EFIBOOT" ]; then
|
||||
build_efiboot_img
|
||||
else
|
||||
cp $SCRIPTDIR/efiboot.img $TMP_IMAGE_DIR/isolinux
|
||||
fi
|
||||
|
||||
# Create the ISO
|
||||
echo "Generating the ISO"
|
||||
@ -145,6 +141,11 @@ if echo $IMAGE_ELEMENT | grep -q '\bramdisk\b'; then
|
||||
EMITTED_RAMDISK=$IMAGE_NAME.initramfs
|
||||
EMITTED_KERNEL_CMDLINE_ARGS="boot_method=vmedia"
|
||||
EMITTED_ISO_FILENAME=$IMAGE_NAME.iso
|
||||
elif echo $IMAGE_ELEMENT | grep -q '\bironic-agent\b'; then
|
||||
EMITTED_KERNEL=$IMAGE_NAME.vmlinuz
|
||||
EMITTED_RAMDISK=$IMAGE_NAME.initramfs
|
||||
EMITTED_KERNEL_CMDLINE_ARGS="boot_method=vmedia"
|
||||
EMITTED_ISO_FILENAME=$IMAGE_NAME.iso
|
||||
elif echo $IMAGE_ELEMENT | grep -q '\bbaremetal\b'; then
|
||||
EMITTED_KERNEL=${IMAGE_NAME}.vmlinuz
|
||||
EMITTED_RAMDISK=${IMAGE_NAME}.initrd
|
||||
@ -159,5 +160,10 @@ else
|
||||
echo "Please use 'iso' element with either 'baremetal' or 'ramdisk' elements"
|
||||
fi
|
||||
|
||||
export TMP_BOOTLOADER_DIR=$TARGET_ROOT/tmp/bootloader_files
|
||||
build_iso "$EMITTED_KERNEL" "$EMITTED_RAMDISK" "$EMITTED_KERNEL_CMDLINE_ARGS" \
|
||||
"$EMITTED_ISO_FILENAME"
|
||||
|
||||
# Clean-up the bootloaders directory
|
||||
sudo rm -fr $TMP_BOOTLOADER_DIR
|
||||
|
||||
|
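Review bot: The cleanup `sudo rm -fr $TMP_BOOTLOADER_DIR` at the end of the last hunk operates on a path built from `$TARGET_ROOT`, and `set -eu` rejects an unset variable but not an empty one, so an empty TARGET_ROOT would silently turn this into `sudo rm -fr /tmp/bootloader_files` on the build host; guard and quote it: `export TMP_BOOTLOADER_DIR="${TARGET_ROOT:?}/tmp/bootloader_files"` and `sudo rm -fr -- "$TMP_BOOTLOADER_DIR"`, and quote the same expansion in the `cp $TMP_BOOTLOADER_DIR/...` lines of build_efiboot_img. Separately, the copied shim and grub only complete a Secure Boot chain if the `/vmlinuz` referenced from the generated grub.cfg is itself signed by a key that shim/grub trust, and nothing here checks that the copied binaries actually carry a signature; a build-time `sbverify --list` on the two .efi files where sbsigntool is available, or at least a comment stating that the emitted kernel must be a distro-signed one, would make the requirement explicit. The `else ... fi` at the end of the last hunk closes an if block that begins outside the hunk, and this section's file header is not visible here.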
Binary file not shown.
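--- /dev/null
+++ b/elements/iso/element-deps
@@ -0,0 +1 @@
+package-installs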
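--- /dev/null
+++ b/elements/iso/package-installs.yaml
@@ -0,0 +1,3 @@
+signed_grub:
+signed_shim:
+syslinux: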
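--- /dev/null
+++ b/elements/iso/pkg-map
@@ -0,0 +1,20 @@
+{
+"family":{
+"debian":{
+"signed_grub": "grub-efi-amd64-signed",
+"signed_shim": "shim-signed",
+"syslinux": "syslinux"
+},
+"redhat":{
+"signed_grub": "grub2-efi",
+"signed_shim": "shim",
+"syslinux": ""
+}
+},
+"default":{
+"signed_grub": "grub-efi-amd64-signed",
+"signed_shim": "shim-signed",
+"syslinux": "syslinux"
+}
+}
+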
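Review bot: `"syslinux": ""` in the redhat family maps the syslinux entry to no package, yet the new post-install script copies `/usr/share/syslinux/isolinux.bin` on Fedora under `set -e`, so unless the Fedora base image already ships syslinux (not visible here) that cp aborts the build. If syslinux is expected to be preinstalled on Fedora, that assumption should be recorded in the element README since JSON cannot carry a comment; otherwise map it explicitly, `"syslinux": "syslinux"`.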
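--- /dev/null
+++ b/elements/iso/post-install.d/01-copy-bootloaders
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+set -x
+fi
+
+set -eux
+set -o pipefail
+
+TMP_BOOTLOADER_DIR=/tmp/bootloader_files
+mkdir -p $TMP_BOOTLOADER_DIR
+
+if [ $DISTRO_NAME = "fedora" ]; then
+GRUB_FILE="/boot/efi/EFI/fedora/grubx64.efi"
+else
+GRUB_FILE="/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed"
+fi
+
+if [ $DISTRO_NAME = "fedora" ]; then
+SHIM_FILE="/boot/efi/EFI/fedora/shim.efi"
+else
+SHIM_FILE="/usr/lib/shim/shim.efi.signed"
+fi
+
+if [ $DISTRO_NAME = "fedora" ]; then
+SYSLINUX_FILE="/usr/share/syslinux/isolinux.bin"
+else
+SYSLINUX_FILE="/usr/lib/syslinux/isolinux.bin"
+fi
+
+cp $GRUB_FILE $TMP_BOOTLOADER_DIR
+cp $SHIM_FILE $TMP_BOOTLOADER_DIR
+cp $SYSLINUX_FILE $TMP_BOOTLOADER_DIR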
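Review bot: `set -eux` on line 7 of the new script enables xtrace unconditionally, which makes the `DIB_DEBUG_TRACE` guard directly above it dead code and diverges from the `set -eu` used by the iso cleanup script in this same change; change it to `set -eu` so tracing stays opt-in. The three `if [ $DISTRO_NAME = "fedora" ]` blocks test the same condition and could be collapsed into one block that sets GRUB_FILE, SHIM_FILE and SYSLINUX_FILE together, with the expansion quoted (`if [ "$DISTRO_NAME" = "fedora" ]; then`) so an empty DISTRO_NAME fails cleanly instead of producing a `[` syntax error. The fixed `/tmp/bootloader_files` path lives inside the image being built rather than the host's /tmp, but `mkdir -p` will quietly reuse a directory left over from an earlier run; a comment such as `# Staging dir inside the image; the iso cleanup script removes it after the ISO is built` would document the lifecycle.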