From 3294aecca2d03d8070b5650e25664f0ca8c759ef Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Wed, 7 Apr 2021 10:59:24 -0700 Subject: [PATCH] Properly set grub2 root device when using efi We've noticed that centos8 arm64 images have a root devices of /dev/mapper/loop7p3 which make sense within a dib image build context but not at boot time. Dib intends to use labels to set the root device but when efi is used we end up running grub2-mkconfig against the efi grub config path before we configure grub to use labels. Fix this by running grub2-mkconfig after its configuration is set. This should avoid confusion and complicated paths through the scripts that configure this for us. We then copy the resulting config to the efi specific grub.cfg location for platforms that have it. There is also a small refactoring that is done to try and make the ~3 boot variants more clear: 1) Booting with legacy bios 2) Booting with uefi without a signed shim that directly calls grub 3) Booting with uefi and a signed shim that calls grub Options 1 and 2 share the /boot/grub*/grub.cfg file. Option 3 needs its grub.cfg to live alongside distro specific efi target. Change-Id: Ie9790da9d1bbea58197b37b15a48e77f8a93c1ac --- .../bootloader/finalise.d/50-bootloader | 35 +++++++++++++------ 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/diskimage_builder/elements/bootloader/finalise.d/50-bootloader b/diskimage_builder/elements/bootloader/finalise.d/50-bootloader index ed79b069..69810f49 100755 --- a/diskimage_builder/elements/bootloader/finalise.d/50-bootloader +++ b/diskimage_builder/elements/bootloader/finalise.d/50-bootloader @@ -154,31 +154,31 @@ function install_grub2 { else # This set of modules is sufficient for all installs (mbr/gpt/efi) modules="part_msdos part_gpt lvm" - extra_options="" if [[ ${DIB_BLOCK_DEVICE} == "mbr" || ${DIB_BLOCK_DEVICE} == "gpt" ]]; then $GRUBNAME --modules="$modules biosdisk" $GRUB_OPTS $BOOT_DEV elif [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then - # This tells the EFI install to put the EFI binaries into - # the generic /BOOT directory and avoids trying to update - # nvram settings. - extra_options="--removable" # We need to manually set the target if it's different to # the host. Setup for EFI case $ARCH in "x86_64"|"amd64") - GRUB_OPTS="--target=x86_64-efi" # This call installs grub for BIOS compatability # which makes portable EFI/BIOS images. $GRUBNAME --modules="$modules" --target=i386-pc $BOOT_DEV + # Set the x86_64 specific efi target for the generic + # installation below. + GRUB_OPTS="--target=x86_64-efi" ;; # At this point, we don't need to override the target # for any other architectures. esac - if [ -d /boot/efi/$EFI_BOOT_DIR ]; then - # Make the grub config in the EFI directory for UEFI boot - $GRUB_MKCONFIG -o /boot/efi/$EFI_BOOT_DIR/grub.cfg - else + # If we don't have a distro specific dir with presigned efi targets + # we install a generic one. + if [ ! -d /boot/efi/$EFI_BOOT_DIR ]; then echo "WARNING: /boot/efi/$EFI_BOOT_DIR does not exist, UEFI secure boot not supported" + # This tells the EFI install to put the EFI binaries into + # the generic /BOOT directory and avoids trying to update + # nvram settings. + extra_options="--removable" $GRUBNAME --modules="$modules" $extra_options $GRUB_OPTS $BOOT_DEV fi fi @@ -226,6 +226,13 @@ function install_grub2 { echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub fi + # GRUB_MKCONFIG call needs to happen after we configure + # /etc/default/grub above. Without this we can set inappropriate + # root device labels and then images don't boot. + # + # This produces a legacy config which both bios and uefi can boot + # Later we copy the final config to an efi specific location to + # support uefi specific functionality like secure boot. $GRUB_MKCONFIG -o $GRUB_CFG # Remove the fix to disable os_prober @@ -252,6 +259,14 @@ function install_grub2 { # linuxefi/initrdefi for the image to boot under efi if [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then sed -i 's%\(linux\|initrd\)16 /boot%\1efi /boot%g' $GRUB_CFG + + # Finally copy the grub.cfg to the EFI specific dir to support + # functionality like secure boot. We make a copy because + # /boot and /boot/efi may be different partitions and uefi looks + # for a specific partition UUID preventing symlinks from working. + if [ -d /boot/efi/$EFI_BOOT_DIR ] ; then + cp $GRUB_CFG /boot/efi/$EFI_BOOT_DIR/grub.cfg + fi fi }