Support secure-boot bootloader where possible
As of grub2 >= 2.02-95 on redhat family distros, calling grub2-install on an EFI partition will fail with: "this utility cannot be used for EFI platforms because it does not support UEFI Secure Boot." This version of grub is now in centos8-stream and non-eus repos of RHEL-8. It is not currently possible to build whole-disk UEFI images on these distros, and when this package is promoted this will also affect centos8 and RHEL-8 eus. The grub maintainers made this change because the grub2-install generated /boot/efi/EFI/BOOT/BOOTX64.EFI will never be capable of booting with Secure Boot. This change defines a $EFI_BOOT_DIR for every distro element. When directory /boot/efi/$EFI_BOOT_DIR exists, a grub.cfg file will be generated in it. This change also installs the shim package on redhat family distros, which installs a copy of the shim bootloader to /boot/efi/EFI/BOOT/BOOTX64.EFI. Using centos as an example, this allows UEFI to boot the shim /boot/efi/EFI/BOOT/BOOTX64.EFI which then chains to /boot/efi/EFI/centos/grubx64.efi. If /boot/efi/$EFI_BOOT_DIR doesn't exist (such as for Ubuntu, /boot/efi/EFI/ubuntu) the current behaviour of running grub-install to generate /boot/efi/EFI/BOOT/BOOTX64.EFI will continue. For distros such as Ubuntu where packaging does not populate /boot/efi/EFI/ubuntu with .efi files, secure boot can be added in the future by copying .efi files to /boot/efi/EFI/ubuntu and copying the shim file to /boot/efi/EFI/BOOT/BOOTX64.EFI. Change-Id: I90925218ff2aa4c4daffcf86e686b6d98d6b0f21
This commit is contained in:
parent
a0fd571a3c
commit
27a326dafb
@ -79,6 +79,12 @@ function install_grub2 {
|
||||
GRUBNAME=$(type -p grub2-install)
|
||||
fi
|
||||
|
||||
if type grub2-mkconfig >/dev/null; then
|
||||
GRUB_MKCONFIG="grub2-mkconfig"
|
||||
else
|
||||
GRUB_MKCONFIG="grub-mkconfig"
|
||||
fi
|
||||
|
||||
# If no GRUB2 is found, fallback to extlinux
|
||||
if [ -z "$GRUBNAME" ] || [ $($GRUBNAME --version | grep "0.97" | wc -l) -ne 0 ]; then
|
||||
echo "No GRUB2 found. Fallback to Extlinux..."
|
||||
@ -150,7 +156,7 @@ function install_grub2 {
|
||||
modules="part_msdos part_gpt lvm"
|
||||
extra_options=""
|
||||
if [[ ${DIB_BLOCK_DEVICE} == "mbr" || ${DIB_BLOCK_DEVICE} == "gpt" ]]; then
|
||||
modules="$modules biosdisk"
|
||||
$GRUBNAME --modules="$modules biosdisk" $GRUB_OPTS $BOOT_DEV
|
||||
elif [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then
|
||||
# This tells the EFI install to put the EFI binaries into
|
||||
# the generic /BOOT directory and avoids trying to update
|
||||
@ -168,9 +174,15 @@ function install_grub2 {
|
||||
# At this point, we don't need to override the target
|
||||
# for any other architectures.
|
||||
esac
|
||||
fi
|
||||
if [ -d /boot/efi/$EFI_BOOT_DIR ]; then
|
||||
# Make the grub config in the EFI directory for UEFI boot
|
||||
$GRUB_MKCONFIG -o /boot/efi/$EFI_BOOT_DIR/grub.cfg
|
||||
else
|
||||
echo "WARNING: /boot/efi/$EFI_BOOT_DIR does not exist, UEFI secure boot not supported"
|
||||
$GRUBNAME --modules="$modules" $extra_options $GRUB_OPTS $BOOT_DEV
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# This might be better factored out into a per-distro 'install-bootblock'
|
||||
# helper.
|
||||
@ -204,12 +216,6 @@ function install_grub2 {
|
||||
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE}\"" >>/etc/default/grub
|
||||
echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
|
||||
|
||||
if type grub2-mkconfig >/dev/null; then
|
||||
GRUB_MKCONFIG="grub2-mkconfig -o $GRUB_CFG"
|
||||
else
|
||||
GRUB_MKCONFIG="grub-mkconfig -o $GRUB_CFG"
|
||||
fi
|
||||
|
||||
# os-prober leaks /dev/sda into config file in dual-boot host
|
||||
# Disable grub-os-prober to avoid the issue while running
|
||||
# grub-mkconfig
|
||||
@ -220,7 +226,7 @@ function install_grub2 {
|
||||
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
|
||||
fi
|
||||
|
||||
$GRUB_MKCONFIG
|
||||
$GRUB_MKCONFIG -o $GRUB_CFG
|
||||
|
||||
# Remove the fix to disable os_prober
|
||||
if [ -n "$PROBER_DISABLED" ]; then
|
||||
|
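Review bot: In the hunk at +174, `if [ -d /boot/efi/$EFI_BOOT_DIR ]` takes the new branch whenever that path is a directory, but with EFI_BOOT_DIR unset or empty (an element that does not export it) the test degrades to `[ -d /boot/efi/ ]`, which is true, so grub.cfg lands in /boot/efi/grub.cfg and the grub-install in the else branch is skipped without any bootloader being installed; guard and quote it: `if [ -n "${EFI_BOOT_DIR:-}" ] && [ -d "/boot/efi/${EFI_BOOT_DIR}" ]; then`. That `$GRUB_MKCONFIG -o /boot/efi/$EFI_BOOT_DIR/grub.cfg` also runs before the `>>/etc/default/grub` appends in the hunk at +216 and before GRUB_DISABLE_OS_PROBER is set, so unless something outside the visible hunks reorders this, the EFI-side grub.cfg is generated without DIB_BOOTLOADER_DEFAULT_CMDLINE and the serial console settings and with os-prober still enabled (the /dev/sda leak the +216 hunk's comment describes); generating the EFI config next to the final `$GRUB_MKCONFIG -o $GRUB_CFG` would keep the two configs consistent. install_grub2 begins and ends outside these hunks.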
@ -18,11 +18,11 @@
|
||||
"redhat": {
|
||||
"extlinux": "syslinux-extlinux",
|
||||
"grub-pc": "grub2-tools grub2",
|
||||
"grub-efi-amd64": "grub2-tools grub2-pc grub2-efi-x64 grub2-efi-x64-modules efibootmgr",
|
||||
"grub-efi-arm64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr",
|
||||
"grub-efi-aarch64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr",
|
||||
"grub-efi-amd64": "grub2-tools grub2 grub2-pc grub2-efi-x64 grub2-efi-x64-modules efibootmgr shim-x64",
|
||||
"grub-efi-arm64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr shim-aa64",
|
||||
"grub-efi-aarch64": "grub2-tools grub2-efi-aa64 grub2-efi-aa64-modules efibootmgr shim-aa64",
|
||||
"grub-efi": "grub2-tools grub2-efi efibootmgr",
|
||||
"grub-efi-x86_64": "grub2-tools grub2-efi-x64 grub2-efi-x64-modules efibootmgr",
|
||||
"grub-efi-x86_64": "grub2-tools grub2 grub2-efi-x64 grub2-efi-x64-modules efibootmgr shim-x64",
|
||||
"grub-ppc64": "grub2-tools grub2"
|
||||
}
|
||||
},
|
||||
@ -31,7 +31,7 @@
|
||||
"extlinux": "extlinux",
|
||||
"grub-pc": "grub-pc",
|
||||
"grub-efi-amd64": "grub-efi grub-pc-bin efibootmgr",
|
||||
"grub-efi-arm64": "grub-efi-arm64 efibootmgr",
|
||||
"grub-efi-arm64": "grub-efi-arm64 grub-efi-arm64-bin efibootmgr",
|
||||
"grub-ppc64": "grub-ieee1275"
|
||||
}
|
||||
}
|
||||
|
@ -1,5 +1,6 @@
|
||||
export DISTRO_NAME=centos
|
||||
export DIB_RELEASE=${DIB_RELEASE:-7}
|
||||
export EFI_BOOT_DIR="EFI/centos"
|
||||
|
||||
# by default, enable DHCP configuration of eth0 & eth1 in network
|
||||
# scripts for centos 7. See yum-minimal for full details. CentOS 8
|
||||
|
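Review bot: `export EFI_BOOT_DIR="EFI/centos"` is unconditional, unlike `DIB_RELEASE` on the line above it, so an image built from a derivative whose vendor directory under /boot/efi differs (the value selects where the EFI grub.cfg is written) cannot override it without editing the element; `export EFI_BOOT_DIR=${EFI_BOOT_DIR:-EFI/centos}` keeps the default while allowing it to be set from the environment. The same applies to the other distro environment hunks below (centos8, centos7, debian, fedora, gentoo, opensuse, rhel and ubuntu), and the ubuntu hunk already follows that pattern for DISTRO_NAME.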
@ -1,2 +1,3 @@
|
||||
export DISTRO_NAME=centos
|
||||
export DIB_RELEASE=${DIB_RELEASE:-8}
|
||||
export EFI_BOOT_DIR="EFI/centos"
|
||||
|
@ -1,5 +1,6 @@
|
||||
export DISTRO_NAME=centos7
|
||||
export DIB_RELEASE=7
|
||||
export EFI_BOOT_DIR="EFI/centos"
|
||||
|
||||
# Useful for elements that work with fedora (dnf) & centos
|
||||
export YUM=${YUM:-yum}
|
||||
|
@ -1,6 +1,7 @@
|
||||
export DISTRO_NAME=debian
|
||||
export DIB_RELEASE=${DIB_RELEASE:-stable}
|
||||
export DIB_INIT_SYSTEM=systemd
|
||||
export EFI_BOOT_DIR="EFI/debian"
|
||||
|
||||
if [ -n "${DIB_DEBIAN_DISTRIBUTION_MIRROR:-}" ]; then
|
||||
DIB_DISTRIBUTION_MIRROR=$DIB_DEBIAN_DISTRIBUTION_MIRROR
|
||||
|
@ -1,2 +1,3 @@
|
||||
export DISTRO_NAME=fedora
|
||||
export DIB_RELEASE=${DIB_RELEASE:-32}
|
||||
export EFI_BOOT_DIR="EFI/fedora"
|
||||
|
@ -1,5 +1,6 @@
|
||||
export DISTRO_NAME=fedora
|
||||
export DIB_RELEASE=${DIB_RELEASE:-32}
|
||||
export EFI_BOOT_DIR="EFI/fedora"
|
||||
|
||||
# Note the filename URL has a "sub-release" in it
|
||||
# http:// ... Fedora-Cloud-Base-25-1.3.x86_64.qcow2
|
||||
|
@ -1,5 +1,6 @@
|
||||
export DIB_RELEASE=gentoo
|
||||
export DISTRO_NAME=gentoo
|
||||
export EFI_BOOT_DIR="EFI/gentoo"
|
||||
export GENTOO_PROFILE=${GENTOO_PROFILE:-'default/linux/amd64/17.1'}
|
||||
export GENTOO_PORTAGE_CLEANUP=${GENTOO_PORTAGE_CLEANUP:-'True'}
|
||||
export GENTOO_PYTHON_TARGETS=${GENTOO_PYTHON_TARGETS:-'python3_8'}
|
||||
|
@ -63,15 +63,12 @@ function build_iso() {
|
||||
SCRIPTDIR=$(dirname $0)
|
||||
MKISOFS="/usr/bin/mkisofs"
|
||||
if [ $DISTRO_NAME = "fedora" ]; then
|
||||
EFI_BOOT_DIR="EFI/fedora"
|
||||
EXTRA_KERNEL_PARAMS="usbcore.autosuspend=-1"
|
||||
#debian
|
||||
elif [ $DISTRO_NAME = "debian" ]; then
|
||||
EFI_BOOT_DIR="EFI/debian"
|
||||
EXTRA_KERNEL_PARAMS=""
|
||||
#ubuntu:
|
||||
else
|
||||
EFI_BOOT_DIR="EFI/ubuntu"
|
||||
EXTRA_KERNEL_PARAMS=""
|
||||
fi
|
||||
|
||||
|
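Review bot: With the per-distro `EFI_BOOT_DIR=` assignments removed, build_iso now relies on the variable arriving exported from the distro element's environment, and the former `else` branch no longer supplies a default, so an element that does not export it (or a caller running this script outside the element environment) continues with an empty EFI_BOOT_DIR wherever the function uses it later. A fail-fast assertion ahead of the branch, `: "${EFI_BOOT_DIR:?EFI_BOOT_DIR must be exported by the distro element}"`, makes the new dependency explicit. The `[ $DISTRO_NAME = "fedora" ]` tests are context lines, but `"$DISTRO_NAME"` should be quoted while here. build_iso starts before and continues after this hunk.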
@ -1,5 +1,6 @@
|
||||
export DISTRO_NAME=opensuse
|
||||
DIB_RELEASE=${DIB_RELEASE:-15.1}
|
||||
export DIB_RELEASE=${DIB_RELEASE,,}
|
||||
export EFI_BOOT_DIR="EFI/opensuse"
|
||||
export DIB_OPENSUSE_PATTERNS=patterns-openSUSE-base
|
||||
export DIB_INIT_SYSTEM=systemd
|
||||
|
@ -1,5 +1,6 @@
|
||||
export DISTRO_NAME=opensuse
|
||||
export DIB_RELEASE=${DIB_RELEASE:-15.1}
|
||||
export EFI_BOOT_DIR="EFI/opensuse"
|
||||
export DIB_OPENSUSE_PATTERNS=patterns-openSUSE-base
|
||||
export DIB_INIT_SYSTEM=systemd
|
||||
case ${DIB_RELEASE} in
|
||||
|
@ -1,2 +1,3 @@
|
||||
export DISTRO_NAME=rhel
|
||||
export DIB_RELEASE=${DIB_RELEASE:-8}
|
||||
export EFI_BOOT_DIR="EFI/redhat"
|
||||
|
@ -1,6 +1,7 @@
|
||||
export DISTRO_NAME=${DISTRO_NAME:-ubuntu}
|
||||
export DIB_RELEASE=${DIB_RELEASE:-bionic}
|
||||
export DIB_DEBIAN_COMPONENTS=${DIB_DEBIAN_COMPONENTS:-main,universe}
|
||||
export EFI_BOOT_DIR="EFI/ubuntu"
|
||||
|
||||
# There are two default distro mirrors depending on architecture
|
||||
ARCH=${ARCH:-}
|
||||
|