From f0315b4ed4e2426904db1ed2885f17becddffd9c Mon Sep 17 00:00:00 2001 From: Shivanand Tendulker Date: Sun, 12 Apr 2015 08:10:57 -0700 Subject: [PATCH] Fix to load only signed kernel in UEFI secure boot This fix prevents loading of unsigned ubuntu kernel in UEFI secure boot environment when image is created using 'iso' element. 'iso' element uses 'linux' and 'initrd' modules of grub2 to load kernel and initrd respectively. The grub2 implementation of Ubuntu can load unsigned kernel when these modules are used. Ubuntu has Grub2 modules 'linuxefi' and 'initrdefi' which exits boot process if unsigned kernel is used in UEFI secure boot mode. The 'iso' element should use these modules in grub.cfg to prevent loading of unsigned kernel when node is booted in the UEFI secure boot environment. 'linuxefi' and 'initrdefi' works seamlessly when node is booted in normal UEFI boot mode (non-secure). Fedora do not have this issue. This fix has been tested in Fedora environment. It works fine. Closes-Bug: 1443114 Change-Id: If256ba1f7d7c149482d0f37fabcdfa8ed22e3f91 --- elements/iso/cleanup.d/100-build-iso | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/elements/iso/cleanup.d/100-build-iso b/elements/iso/cleanup.d/100-build-iso index b2d15a2f..62d4b9d2 100755 --- a/elements/iso/cleanup.d/100-build-iso +++ b/elements/iso/cleanup.d/100-build-iso @@ -60,16 +60,11 @@ function build_iso() { SCRIPTNAME=$(basename $0) SCRIPTDIR=$(dirname $0) MKISOFS="/usr/bin/mkisofs" - if [ $DISTRO_NAME = "fedora" ]; then EFI_BOOT_DIR="EFI/fedora" - GRUB_LINUX_TAG="linuxefi" - GRUB_INITRD_TAG="initrdefi" EXTRA_KERNEL_PARAMS="usbcore.autosuspend=-1" else EFI_BOOT_DIR="EFI/ubuntu" - GRUB_LINUX_TAG="linux" - GRUB_INITRD_TAG="initrd" EXTRA_KERNEL_PARAMS="" fi @@ -117,8 +112,8 @@ set hidden_timeout_quiet=false menuentry "install" { search --set=root --label VMEDIA_BOOT_ISO - $GRUB_LINUX_TAG /vmlinuz $EXTRA_KERNEL_PARAMS $KERNEL_CMDLINE_ARGS -- - $GRUB_INITRD_TAG /initrd + linuxefi /vmlinuz $EXTRA_KERNEL_PARAMS $KERNEL_CMDLINE_ARGS -- + initrdefi /initrd } END_CONFIG