diskimage-builder/diskimage_builder/elements/fedora/environment.d/10-fedora-distro-name.bash
Steve Baker 27a326dafb Support secure-boot bootloader where possible
As of grub2 >= 2.02-95 on redhat family distros, calling grub2-install
on an EFI partition will fail with: "this utility cannot be used for
EFI platforms because it does not support UEFI Secure Boot."

This version of grub is now in centos8-stream and non-eus repos of
RHEL-8. It is not currently possible to build whole-disk UEFI images
on these distros, and when this package is promoted this will also
affect centos8 and RHEL-8 eus. The grub maintainers made this change
because the grub2-install generated /boot/efi/EFI/BOOT/BOOTX64.EFI
will never be capable of booting with Secure Boot.

This change defines a $EFI_BOOT_DIR for every distro element. When
directory /boot/efi/$EFI_BOOT_DIR exists a grub.cfg file will be
generated there. This change also installs the shim package on redhat
family distros, which installs a copy of the shim bootloader to
/boot/efi/EFI/BOOT/BOOTX64.EFI. Using centos as an example, this
allows UEFI to boot the shim /boot/efi/EFI/BOOT/BOOTX64.EFI which
then chains to /boot/efi/EFI/centos/grubx64.efi.

If /boot/efi/$EFI_BOOT_DIR doesn't exist (such as for Ubuntu,
/boot/efi/EFI/ubuntu) the current behaviour of running grub-install to
generate /boot/efi/EFI/BOOT/BOOTX64.EFI will continue. For distros
such as Ubuntu where packaging does not populate /boot/efi/EFI/ubuntu
with .efi files, secure boot can be added in the future by copying
.efi files to /boot/efi/EFI/ubuntu and copying the shim file to
/boot/efi/EFI/BOOT/BOOTX64.EFI.

Change-Id: I90925218ff2aa4c4daffcf86e686b6d98d6b0f21
2021-03-11 10:27:59 +13:00

29 lines
1.0 KiB
Bash

export DISTRO_NAME=fedora
export DIB_RELEASE=${DIB_RELEASE:-32}
export EFI_BOOT_DIR="EFI/fedora"
# Note the filename URL has a "sub-release" in it
# http:// ... Fedora-Cloud-Base-25-1.3.x86_64.qcow2
#                                  ^^^
# It's not exactly clear how this is generated, or how we could
# determine this programmatically. Other projects have more
# complicated regex-based scripts to find this, which we can examine
# if this becomes an issue ... see thread at [1]
#
# [1] https://lists.fedoraproject.org/archives/list/cloud@lists.fedoraproject.org/thread/2WFO2FKIGUQYRQXIR35UVJGRHF7LQENJ/
if [[ ${DIB_RELEASE} == '28' ]]; then
    export DIB_FEDORA_SUBRELEASE=1.1
elif [[ ${DIB_RELEASE} == '29' ]]; then
    export DIB_FEDORA_SUBRELEASE=1.2
elif [[ ${DIB_RELEASE} == '30' ]]; then
    export DIB_FEDORA_SUBRELEASE=1.2
elif [[ ${DIB_RELEASE} == '31' ]]; then
    export DIB_FEDORA_SUBRELEASE=1.9
elif [[ ${DIB_RELEASE} == '32' ]]; then
    export DIB_FEDORA_SUBRELEASE=1.6
else
    echo "Unsupported Fedora release"
    exit 1
fi
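
The boot-path decision described in the commit message above, as an added example that is not diskimage-builder's own code: it classifies a mounted image's EFI system partition as using the shim chain or the grub-install fallback. The function name and result strings are hypothetical, and the check covers file presence only, not signatures.

```bash
# Added example, not diskimage-builder code. The function name and the
# result strings are hypothetical; the paths come from the commit message.

# Classify how the EFI system partition under a mounted image root boots.
#   $1 = image root, $2 = the distro's EFI_BOOT_DIR (e.g. "EFI/fedora")
esp_boot_path() {
    esp="$1/boot/efi"
    distro_dir="$esp/$2"
    if [ ! -d "$distro_dir" ]; then
        # The distro directory does not exist: grub-install generates
        # EFI/BOOT/BOOTX64.EFI, which cannot boot with Secure Boot.
        echo "grub-install-fallback"
        return 0
    fi
    # Distro directory exists: shim sits at the fallback path and chains
    # to the packaged grub, which reads the grub.cfg generated beside it.
    missing=""
    [ -f "$esp/EFI/BOOT/BOOTX64.EFI" ] || missing="$missing EFI/BOOT/BOOTX64.EFI"
    [ -f "$distro_dir/grubx64.efi" ] || missing="$missing $2/grubx64.efi"
    [ -f "$distro_dir/grub.cfg" ] || missing="$missing $2/grub.cfg"
    if [ -n "$missing" ]; then
        echo "incomplete:$missing"
        return 1
    fi
    echo "shim-chain"
}

# Constructed sample tree (empty placeholder files, not real binaries).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/boot/efi/EFI/BOOT" "$demo_root/boot/efi/EFI/centos"
touch "$demo_root/boot/efi/EFI/BOOT/BOOTX64.EFI" \
      "$demo_root/boot/efi/EFI/centos/grubx64.efi" \
      "$demo_root/boot/efi/EFI/centos/grub.cfg"
esp_boot_path "$demo_root" "EFI/centos"   # shim-chain
esp_boot_path "$demo_root" "EFI/ubuntu"   # grub-install-fallback
rm -rf "$demo_root"
```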