Properly set grub2 root device when using efi

We've noticed that centos8 arm64 images have a root device of
/dev/mapper/loop7p3 which makes sense within a dib image build context
but not at boot time. Dib intends to use labels to set the root device
but when efi is used we end up running grub2-mkconfig against the efi
grub config path before we configure grub to use labels.

Fix this by running grub2-mkconfig after its configuration is set.
This should avoid confusion and complicated paths through the scripts
that configure this for us. We then copy the resulting config to the efi
specific grub.cfg location for platforms that have it.

There is also a small refactoring that is done to try and make the ~3
boot variants more clear:

 1) Booting with legacy bios
 2) Booting with uefi without a signed shim that directly calls grub
 3) Booting with uefi and a signed shim that calls grub

Options 1 and 2 share the /boot/grub*/grub.cfg file. Option 3 needs its
grub.cfg to live alongside the distro specific efi target.

Change-Id: Ie9790da9d1bbea58197b37b15a48e77f8a93c1ac
Clark Boylan 2021-04-07 10:59:24 -07:00
parent b4f768117f
commit 3294aecca2

@ -154,31 +154,31 @@ function install_grub2 {
else else
# This set of modules is sufficient for all installs (mbr/gpt/efi) # This set of modules is sufficient for all installs (mbr/gpt/efi)
modules="part_msdos part_gpt lvm" modules="part_msdos part_gpt lvm"
extra_options=""
if [[ ${DIB_BLOCK_DEVICE} == "mbr" || ${DIB_BLOCK_DEVICE} == "gpt" ]]; then if [[ ${DIB_BLOCK_DEVICE} == "mbr" || ${DIB_BLOCK_DEVICE} == "gpt" ]]; then
$GRUBNAME --modules="$modules biosdisk" $GRUB_OPTS $BOOT_DEV $GRUBNAME --modules="$modules biosdisk" $GRUB_OPTS $BOOT_DEV
elif [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then elif [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then
# This tells the EFI install to put the EFI binaries into
# the generic /BOOT directory and avoids trying to update
# nvram settings.
extra_options="--removable"
# We need to manually set the target if it's different to # We need to manually set the target if it's different to
# the host. Setup for EFI # the host. Setup for EFI
case $ARCH in case $ARCH in
"x86_64"|"amd64") "x86_64"|"amd64")
GRUB_OPTS="--target=x86_64-efi"
# This call installs grub for BIOS compatability # This call installs grub for BIOS compatability
# which makes portable EFI/BIOS images. # which makes portable EFI/BIOS images.
$GRUBNAME --modules="$modules" --target=i386-pc $BOOT_DEV $GRUBNAME --modules="$modules" --target=i386-pc $BOOT_DEV
# Set the x86_64 specific efi target for the generic
# installation below.
GRUB_OPTS="--target=x86_64-efi"
;; ;;
# At this point, we don't need to override the target # At this point, we don't need to override the target
# for any other architectures. # for any other architectures.
esac esac
if [ -d /boot/efi/$EFI_BOOT_DIR ]; then # If we don't have a distro specific dir with presigned efi targets
# Make the grub config in the EFI directory for UEFI boot # we install a generic one.
$GRUB_MKCONFIG -o /boot/efi/$EFI_BOOT_DIR/grub.cfg if [ ! -d /boot/efi/$EFI_BOOT_DIR ]; then
else
echo "WARNING: /boot/efi/$EFI_BOOT_DIR does not exist, UEFI secure boot not supported" echo "WARNING: /boot/efi/$EFI_BOOT_DIR does not exist, UEFI secure boot not supported"
# This tells the EFI install to put the EFI binaries into
# the generic /BOOT directory and avoids trying to update
# nvram settings.
extra_options="--removable"
$GRUBNAME --modules="$modules" $extra_options $GRUB_OPTS $BOOT_DEV $GRUBNAME --modules="$modules" $extra_options $GRUB_OPTS $BOOT_DEV
fi fi
fi fi
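Review bot: The new test `if [ ! -d /boot/efi/$EFI_BOOT_DIR ]; then` does not behave as intended when EFI_BOOT_DIR is empty or unset: the path collapses to /boot/efi/, which normally exists once the ESP is mounted, so the generic `--removable` install is skipped without the warning being printed and this block installs no EFI grub at all. Suggest quoting the path and checking the variable first, for example `[ -n "$EFI_BOOT_DIR" ]` ahead of the directory test. The warning text could also mention that the generic removable install is what follows, since that is now the only thing this branch does besides warn.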
@ -226,6 +226,13 @@ function install_grub2 {
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
fi fi
# GRUB_MKCONFIG call needs to happen after we configure
# /etc/default/grub above. Without this we can set inappropriate
# root device labels and then images don't boot.
#
# This produces a legacy config which both bios and uefi can boot
# Later we copy the final config to an efi specific location to
# support uefi specific functionality like secure boot.
$GRUB_MKCONFIG -o $GRUB_CFG $GRUB_MKCONFIG -o $GRUB_CFG
# Remove the fix to disable os_prober # Remove the fix to disable os_prober
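Review bot: The added comment above `$GRUB_MKCONFIG -o $GRUB_CFG` describes the output as "a legacy config which both bios and uefi can boot" and says it is copied later, but it does not mention that for efi builds the same file is first rewritten in place by the sed in the next hunk (`linux16`/`initrd16` to `linuxefi`/`initrdefi`). A reader relying on this comment would assume the file is left unchanged for the bios case, so the comment should state that the efi path modifies $GRUB_CFG before the copy. The comment could also name what an "inappropriate root device label" looks like (the commit message gives /dev/mapper/loop7p3), and "$GRUB_CFG" would be safer quoted.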
@ -252,6 +259,14 @@ function install_grub2 {
# linuxefi/initrdefi for the image to boot under efi # linuxefi/initrdefi for the image to boot under efi
if [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then if [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then
sed -i 's%\(linux\|initrd\)16 /boot%\1efi /boot%g' $GRUB_CFG sed -i 's%\(linux\|initrd\)16 /boot%\1efi /boot%g' $GRUB_CFG
# Finally copy the grub.cfg to the EFI specific dir to support
# functionality like secure boot. We make a copy because
# /boot and /boot/efi may be different partitions and uefi looks
# for a specific partition UUID preventing symlinks from working.
if [ -d /boot/efi/$EFI_BOOT_DIR ] ; then
cp $GRUB_CFG /boot/efi/$EFI_BOOT_DIR/grub.cfg
fi
fi fi
} }
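Review bot: The `cp $GRUB_CFG /boot/efi/$EFI_BOOT_DIR/grub.cfg` line creates a one-time snapshot, so any later regeneration of $GRUB_CFG (for example after a kernel update inside the booted image) will not reach the copy that the signed shim path reads, and the two files can drift apart. The comment explains why a symlink cannot be used, but it should also say that the EFI copy has to be refreshed whenever $GRUB_CFG is regenerated, or point to whatever mechanism is expected to do that. Both paths in the `-d` test and the `cp` should be quoted as well.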