Support secure-boot bootloader where possible

As of grub2 >= 2.02-95 on redhat family distros, calling grub2-install
on an EFI partition will fail with: "this utility cannot be used for
EFI platforms because it does not support UEFI Secure Boot."

This version of grub is now in centos8-stream and non-eus repos of
RHEL-8. It is not currently possible to build whole-disk UEFI images
on these distros, and when this package is promoted this will also
affect centos8 and RHEL-8 eus. The grub maintainers made this change
because the grub2-install generated /boot/efi/EFI/BOOT/BOOTX64.EFI
will never be capable of booting with Secure Boot.

This change defines a $EFI_BOOT_DIR for every distro element. When
directory /boot/efi/$EFI_BOOT_DIR exists a grub.cfg file in will be
generated there. This change also installs the shim package on redhat
family distros, which installs a copy of the shim bootloader to
/boot/efi/EFI/BOOT/BOOTX64.EFI. Using centos as an example, this
allows UEFI to boot the shim /boot/efi/EFI/BOOT/BOOTX64.EFI which
then chains to /boot/efi/EFI/centos/grubx64.efi.

If /boot/efi/$EFI_BOOT_DIR doesn't exist (such as for Ubuntu,
/boot/efi/EFI/ubuntu) the current behaviour of running grub-install to
generate /boot/efi/EFI/BOOT/BOOTX64.EFI will continue. For distros
such as Ubutnu where packaging does not populate /boot/efi/EFI/ubuntu
with .efi files, secure boot can be added in the future by copying
.efi files to /boot/efi/EFI/ubuntu and copying the shim file to
/boot/efi/EFI/BOOT/BOOTX64.EFI.

Change-Id: I90925218ff2aa4c4daffcf86e686b6d98d6b0f21

diskimage_builder/elements/bootloader/finalise.d/50-bootloader

@@ -79,6 +79,12 @@ function install_grub2 {
         GRUBNAME=$(type -p grub2-install)
     fi
 
+    if type grub2-mkconfig >/dev/null; then
+        GRUB_MKCONFIG="grub2-mkconfig"
+    else
+        GRUB_MKCONFIG="grub-mkconfig"
+    fi
+
     # If no GRUB2 is found, fallback to extlinux
     if [ -z "$GRUBNAME" ] || [ $($GRUBNAME --version | grep "0.97" | wc -l) -ne 0 ]; then
         echo "No GRUB2 found. Fallback to Extlinux..."
@@ -150,7 +156,7 @@ function install_grub2 {
         modules="part_msdos part_gpt lvm"
         extra_options=""
         if [[ ${DIB_BLOCK_DEVICE} == "mbr" || ${DIB_BLOCK_DEVICE} == "gpt" ]]; then
-            modules="$modules biosdisk"
+            $GRUBNAME --modules="$modules biosdisk" $GRUB_OPTS $BOOT_DEV
         elif [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then
             # This tells the EFI install to put the EFI binaries into
             # the generic /BOOT directory and avoids trying to update
@@ -168,8 +174,14 @@ function install_grub2 {
                 # At this point, we don't need to override the target
                 # for any other architectures.
             esac
+            if [ -d /boot/efi/$EFI_BOOT_DIR ]; then
+                # Make the grub config in the EFI directory for UEFI boot
+                $GRUB_MKCONFIG -o /boot/efi/$EFI_BOOT_DIR/grub.cfg
+            else
+                echo "WARNING: /boot/efi/$EFI_BOOT_DIR does not exist, UEFI secure boot not supported"
+                $GRUBNAME --modules="$modules" $extra_options $GRUB_OPTS $BOOT_DEV
+            fi
         fi
-        $GRUBNAME --modules="$modules" $extra_options $GRUB_OPTS $BOOT_DEV
     fi
 
     # This might be better factored out into a per-distro 'install-bootblock'
@@ -204,12 +216,6 @@ function install_grub2 {
     echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE}\"" >>/etc/default/grub
     echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
 
-    if type grub2-mkconfig >/dev/null; then
-        GRUB_MKCONFIG="grub2-mkconfig -o $GRUB_CFG"
-    else
-        GRUB_MKCONFIG="grub-mkconfig -o $GRUB_CFG"
-    fi
-
     # os-prober leaks /dev/sda into config file in dual-boot host
     # Disable grub-os-prober to avoid the issue  while running
     # grub-mkconfig
@@ -220,7 +226,7 @@ function install_grub2 {
         echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
     fi
 
-    $GRUB_MKCONFIG
+    $GRUB_MKCONFIG -o $GRUB_CFG
 
     # Remove the fix to disable os_prober
     if [ -n "$PROBER_DISABLED" ]; then

diskimage_builder/elements/bootloader/pkg-map

@@ -18,11 +18,11 @@
     "redhat": {
       "extlinux": "syslinux-extlinux",
       "grub-pc": "grub2-tools grub2",
-      "grub-efi-amd64": "grub2-tools grub2-pc grub2-efi-x64 grub2-efi-x64-modules efibootmgr",
-      "grub-efi-arm64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr",
-      "grub-efi-aarch64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr",
+      "grub-efi-amd64": "grub2-tools grub2 grub2-pc grub2-efi-x64 grub2-efi-x64-modules efibootmgr shim-x64",
+      "grub-efi-arm64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr shim-aa64",
+      "grub-efi-aarch64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr shim-aa64",
       "grub-efi": "grub2-tools grub2-efi efibootmgr",
-      "grub-efi-x86_64": "grub2-tools grub2-efi-x64 grub2-efi-x64-modules efibootmgr",
+      "grub-efi-x86_64": "grub2-tools grub2 grub2-efi-x64 grub2-efi-x64-modules efibootmgr shim-x64",
       "grub-ppc64": "grub2-tools grub2"
     }
   },
@@ -31,7 +31,7 @@
     "extlinux": "extlinux",
     "grub-pc": "grub-pc",
     "grub-efi-amd64": "grub-efi grub-pc-bin efibootmgr",
-    "grub-efi-arm64": "grub-efi-arm64 efibootmgr",
+    "grub-efi-arm64": "grub-efi-arm64 grub-efi-arm64-bin efibootmgr",
     "grub-ppc64": "grub-ieee1275"
   }
 }

diskimage_builder/elements/centos-minimal/environment.d/10-centos-distro-name.bash

@@ -1,5 +1,6 @@
 export DISTRO_NAME=centos
 export DIB_RELEASE=${DIB_RELEASE:-7}
+export EFI_BOOT_DIR="EFI/centos"
 
 # by default, enable DHCP configuration of eth0 & eth1 in network
 # scripts for centos 7.  See yum-minimal for full details.  CentOS 8

diskimage_builder/elements/centos/environment.d/10-centos-distro-name.bash

@@ -1,2 +1,3 @@
 export DISTRO_NAME=centos
 export DIB_RELEASE=${DIB_RELEASE:-8}
+export EFI_BOOT_DIR="EFI/centos"

diskimage_builder/elements/centos7/environment.d/10-centos7-distro-name.bash

@@ -1,5 +1,6 @@
 export DISTRO_NAME=centos7
 export DIB_RELEASE=7
+export EFI_BOOT_DIR="EFI/centos"
 
 # Useful for elements that work with fedora (dnf) & centos
 export YUM=${YUM:-yum}

diskimage_builder/elements/debian-minimal/environment.d/10-debian-minimal.bash

@@ -1,6 +1,7 @@
 export DISTRO_NAME=debian
 export DIB_RELEASE=${DIB_RELEASE:-stable}
 export DIB_INIT_SYSTEM=systemd
+export EFI_BOOT_DIR="EFI/debian"
 
 if [ -n "${DIB_DEBIAN_DISTRIBUTION_MIRROR:-}" ]; then
     DIB_DISTRIBUTION_MIRROR=$DIB_DEBIAN_DISTRIBUTION_MIRROR

diskimage_builder/elements/fedora-minimal/environment.d/10-fedora-distro-name.bash

@@ -1,2 +1,3 @@
 export DISTRO_NAME=fedora
 export DIB_RELEASE=${DIB_RELEASE:-32}
+export EFI_BOOT_DIR="EFI/fedora"

diskimage_builder/elements/fedora/environment.d/10-fedora-distro-name.bash

@@ -1,5 +1,6 @@
 export DISTRO_NAME=fedora
 export DIB_RELEASE=${DIB_RELEASE:-32}
+export EFI_BOOT_DIR="EFI/fedora"
 
 # Note the filename URL has a "sub-release" in it
 #  http:// ... Fedora-Cloud-Base-25-1.3.x86_64.qcow2

diskimage_builder/elements/gentoo/environment.d/00-gentoo-envars.bash

@@ -1,5 +1,6 @@
 export DIB_RELEASE=gentoo
 export DISTRO_NAME=gentoo
+export EFI_BOOT_DIR="EFI/gentoo"
 export GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/17.1'}
 export GENTOO_PORTAGE_CLEANUP=${GENTOO_PORTAGE_CLEANUP:-'True'}
 export GENTOO_PYTHON_TARGETS=${GENTOO_PYTHON_TARGETS:-'python3_8'}

diskimage_builder/elements/iso/cleanup.d/100-build-iso

@@ -63,15 +63,12 @@ function build_iso() {
     SCRIPTDIR=$(dirname $0)
     MKISOFS="/usr/bin/mkisofs"
     if [ $DISTRO_NAME = "fedora" ]; then
-        EFI_BOOT_DIR="EFI/fedora"
         EXTRA_KERNEL_PARAMS="usbcore.autosuspend=-1"
     #debian
     elif [ $DISTRO_NAME = "debian" ]; then
-        EFI_BOOT_DIR="EFI/debian"
         EXTRA_KERNEL_PARAMS=""
     #ubuntu:
     else
-        EFI_BOOT_DIR="EFI/ubuntu"
         EXTRA_KERNEL_PARAMS=""
     fi
 

diskimage_builder/elements/opensuse-minimal/environment.d/10-opensuse-distro-name.bash

@@ -1,5 +1,6 @@
 export DISTRO_NAME=opensuse
 DIB_RELEASE=${DIB_RELEASE:-15.1}
 export DIB_RELEASE=${DIB_RELEASE,,}
+export EFI_BOOT_DIR="EFI/opensuse"
 export DIB_OPENSUSE_PATTERNS=patterns-openSUSE-base
 export DIB_INIT_SYSTEM=systemd

diskimage_builder/elements/opensuse/environment.d/10-opensuse-distro-name.bash

@@ -1,5 +1,6 @@
 export DISTRO_NAME=opensuse
 export DIB_RELEASE=${DIB_RELEASE:-15.1}
+export EFI_BOOT_DIR="EFI/opensuse"
 export DIB_OPENSUSE_PATTERNS=patterns-openSUSE-base
 export DIB_INIT_SYSTEM=systemd
 case ${DIB_RELEASE} in

diskimage_builder/elements/rhel/environment.d/10-rhel-distro-name.bash

@@ -1,2 +1,3 @@
 export DISTRO_NAME=rhel
 export DIB_RELEASE=${DIB_RELEASE:-8}
+export EFI_BOOT_DIR="EFI/redhat"

diskimage_builder/elements/ubuntu-common/environment.d/10-ubuntu-distro-name.bash

@@ -1,6 +1,7 @@
 export DISTRO_NAME=${DISTRO_NAME:-ubuntu}
 export DIB_RELEASE=${DIB_RELEASE:-bionic}
 export DIB_DEBIAN_COMPONENTS=${DIB_DEBIAN_COMPONENTS:-main,universe}
+export EFI_BOOT_DIR="EFI/ubuntu"
 
 # There are two default distro mirrors depending on architecture
 ARCH=${ARCH:-}