From 33305d0fa55da07f4f56e6e2c7b2988691516170 Mon Sep 17 00:00:00 2001
From: Pavol Domin
Date: Thu, 12 Nov 2015 14:52:17 +0100
Subject: [PATCH] support for UEFI secure boot
---
 usr/share/rear/lib/bootloader-functions.sh | 51 +++++++++++-
 usr/share/rear/lib/uefi-functions.sh | 16 ++++
 .../ISO/Linux-i386/20_mount_efibootimg.sh | 9 +--
 .../ISO/Linux-i386/25_populate_efibootimg.sh | 80 +++++++------------
 4 files changed, 94 insertions(+), 62 deletions(-)
diff --git a/usr/share/rear/lib/bootloader-functions.sh b/usr/share/rear/lib/bootloader-functions.sh
index 2f0bd48683..d4c0330329 100644
--- a/usr/share/rear/lib/bootloader-functions.sh
+++ b/usr/share/rear/lib/bootloader-functions.sh
@@ -445,12 +445,61 @@ function make_syslinux_config {
 # Create configuration file for elilo
 function create_ebiso_elilo_conf {
-cat > $TMP_DIR/mnt/EFI/BOOT/elilo.conf << EOF
+cat << EOF
 timeout = 5
 default = "Relax and Recover (no Secure Boot)"
 image = kernel
 label = "Relax and Recover (no Secure Boot)"
 initrd = initrd.cgz
+EOF
+ [[ -n $KERNEL_CMDLINE ]] && cat << EOF
+ append = "$KERNEL_CMDLINE"
 EOF
 }
+
+# Create configuration grub
+function create_grub2_cfg {
+cat << EOF
+set default="0"
+
+insmod efi_gop
+insmod efi_uga
+insmod video_bochs
+insmod video_cirrus
+insmod all_video
+
+set gfxpayload=keep
+insmod gzio
+insmod part_gpt
+insmod ext2
+
+set timeout=5
+
+search --no-floppy --file /boot/efiboot.img --set
+#set root=(cd0)
+
+menuentry "Relax and Recover (no Secure Boot)" --class gnu-linux --class gnu --class os {
+ echo 'Loading kernel ...'
+ linux /isolinux/kernel $KERNEL_CMDLINE
+ echo 'Loading initial ramdisk ...'
+ initrd /isolinux/initrd.cgz
+}
+
+menuentry "Relax and Recover (Secure Boot)" --class gnu-linux --class gnu --class os {
+ echo 'Loading kernel ...'
+ linuxefi /isolinux/kernel $KERNEL_CMDLINE
+ echo 'Loading initial ramdisk ...'
+ initrdefi /isolinux/initrd.cgz
+}
+
+menuentry "Reboot" {
+ reboot
+}
+
+menuentry "Exit to EFI Shell" {
+ exit
+}
+EOF
+}
+
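Review bot: `create_ebiso_elilo_conf` now ends with `[[ -n $KERNEL_CMDLINE ]] && cat << EOF`, so when KERNEL_CMDLINE is empty the last command executed is the failed test and the function's exit status is 1 even though a valid elilo.conf was written; a caller that checks the status, or a shell running with errexit, would treat that as a failure. Use an explicit conditional instead, `if [[ -n $KERNEL_CMDLINE ]]; then cat << EOF` … `EOF` … `fi`, or finish the function with `return 0`. Both new functions print to stdout and depend on the caller redirecting the output into the EFI boot image, which neither header says; something like `# Print elilo.conf to stdout; the caller redirects it into the EFI boot image` and `# Print grub.cfg for the EFI boot image to stdout; KERNEL_CMDLINE is passed to both the linux and linuxefi entries` would make the contract clear to the next caller.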
diff --git a/usr/share/rear/lib/uefi-functions.sh b/usr/share/rear/lib/uefi-functions.sh
index 5826f67940..3017585702 100644
--- a/usr/share/rear/lib/uefi-functions.sh
+++ b/usr/share/rear/lib/uefi-functions.sh
@@ -50,3 +50,19 @@ function build_bootx86_efi {
 $gmkimage $v -O x86_64-efi -c $TMP_DIR/mnt/EFI/BOOT/embedded_grub.cfg -d /usr/lib/grub/x86_64-efi -o $TMP_DIR/mnt/EFI/BOOT/BOOTX64.efi -p "/EFI/BOOT" part_gpt part_msdos fat ext2 normal chain boot configfile linux linuxefi multiboot jfs iso9660 usb usbms usb_keyboard video udf ntfs all_video gzio efi_gop reboot search test echo
 StopIfError "Error occurred during $gmkimage of BOOTX64.efi"
 }
+
+# estimate size of efibooot image
+function efiboot_img_size {
+ local size=32000
+ if [[ $(basename $ISO_MKISOFS_BIN) = "ebiso" ]]; then
+ case "$(basename $UEFI_BOOTLOADER)" in
+ # we will need more space for initrd and kernel if elilo is used
+ # if shim is used, bootloader can be actually anything (also elilo)
+ # named as grub64.efi (follow-up loader is shim compile time option)
+ # http://www.rodsbooks.com/efi-bootloaders/secureboot.html#initial_shim
+ (shim.efi|elilo.efi) size=128000 ;;
+ (*) size=32000
+ esac
+ fi
+ echo $size
+}
diff --git a/usr/share/rear/output/ISO/Linux-i386/20_mount_efibootimg.sh b/usr/share/rear/output/ISO/Linux-i386/20_mount_efibootimg.sh
index 1d96ff67be..ed9c227e84 100755
--- a/usr/share/rear/output/ISO/Linux-i386/20_mount_efibootimg.sh
+++ b/usr/share/rear/output/ISO/Linux-i386/20_mount_efibootimg.sh
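Review bot: `efiboot_img_size` returns a fixed 128000 KiB whenever shim or elilo is the loader, but nothing ensures the kernel and initrd that 25_populate_efibootimg.sh copies into the image actually fit; when they do not, the problem surfaces later as `Could not copy initrd to UEFI`, which does not point at the image size. Since the size only matters in that branch, derive it from the files (assuming `$KERNEL_FILE` and `$TMP_DIR/initrd.cgz` already exist when 20_mount_efibootimg.sh runs, which 25_populate_efibootimg.sh relies on) and keep 128000 as the floor so current behaviour is unchanged for small payloads. The `(*) size=32000` arm only restates the default and can go, the expansions should be quoted (`basename "$UEFI_BOOTLOADER"`) so a path with spaces does not break the test, and `efibooot` in the header comment is a typo.
```shell
# estimate size (in KiB) of the efiboot image: kernel + initrd plus slack,
# never less than the previous fixed 128000
function efiboot_img_size {
  local size=32000 payload_kib
  if [[ $(basename "$ISO_MKISOFS_BIN") = "ebiso" ]]; then
    case "$(basename "$UEFI_BOOTLOADER")" in
      # … unchanged: shim/elilo comments …
      (shim.efi|elilo.efi)
        # both files are copied into the image by 25_populate_efibootimg.sh;
        # -L follows a symlinked kernel, matching the cp -pL there
        payload_kib=$(( ( $(stat -L -c %s -- "$KERNEL_FILE") + $(stat -L -c %s -- "$TMP_DIR/initrd.cgz") ) / 1024 ))
        # slack for FAT overhead and the loader files (constructed value, adjust as needed)
        size=$(( payload_kib + 16000 ))
        (( size < 128000 )) && size=128000
        ;;
    esac
  fi
  echo "$size"
}
```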
@@ -1,14 +1,7 @@
 # 20_mount_efibootimg.sh
 (( USING_UEFI_BOOTLOADER )) || return
-# we will need more space for initrd and kernel if elilo is used
-if [[ $(basename $ISO_MKISOFS_BIN) = "ebiso" && $(basename ${UEFI_BOOTLOADER}) = "elilo.efi" ]]; then
- size=128000
-else
- size=32000
-fi
-
-dd if=/dev/zero of=$TMP_DIR/efiboot.img count=$size bs=1024
+dd if=/dev/zero of=$TMP_DIR/efiboot.img count=$(efiboot_img_size) bs=1024
 # make sure we select FAT16 instead of FAT12 as size >30MB
 mkfs.vfat $v -F 16 $TMP_DIR/efiboot.img >&2
 mkdir -p $v $TMP_DIR/mnt >&2
diff --git a/usr/share/rear/output/ISO/Linux-i386/25_populate_efibootimg.sh b/usr/share/rear/output/ISO/Linux-i386/25_populate_efibootimg.sh
index 24b8a7b37f..ce3addd996 100755
--- a/usr/share/rear/output/ISO/Linux-i386/25_populate_efibootimg.sh
+++ b/usr/share/rear/output/ISO/Linux-i386/25_populate_efibootimg.sh
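Review bot: The exit status of the `dd` that creates `$TMP_DIR/efiboot.img` is still not checked, so a short or failed write (for example a full temp filesystem) continues straight into `mkfs.vfat` and produces a boot image that is silently too small or empty; the rest of this file uses the `StopIfError` pattern, so add `StopIfError "Could not create $TMP_DIR/efiboot.img"` directly after the `dd` line. The new `count=$(efiboot_img_size)` depends on lib/uefi-functions.sh being sourced before the output scripts run, which I assume the ReaR framework guarantees but is worth a short comment on the `dd` line.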
@@ -14,19 +14,33 @@ StopIfError "Could not create $TMP_DIR/mnt/EFI/BOOT/locale"
 # copy the grub*.efi executable to EFI/BOOT/BOOTX64.efi
 cp $v "${UEFI_BOOTLOADER}" $TMP_DIR/mnt/EFI/BOOT/BOOTX64.efi >&2
 StopIfError "Could not find ${UEFI_BOOTLOADER}"
+if [[ $(basename ${UEFI_BOOTLOADER}) = shim.efi ]]; then
+ # if shim is used, bootloader can be actually anything
+ # named as grub*.efi (follow-up loader is shim compile time option)
+ # http://www.rodsbooks.com/efi-bootloaders/secureboot.html#initial_shim
+ cp $v $(dirname ${UEFI_BOOTLOADER})/grub*.efi $TMP_DIR/mnt/EFI/BOOT/
+fi
+
-if [[ $(basename $ISO_MKISOFS_BIN) = "ebiso" && $(basename ${UEFI_BOOTLOADER}) = "elilo.efi" ]]; then
- Log "Copying kernel"
-
- # copy initrd and kernel inside efi_boot image as
- # elilo is not smart enough to look for them outside ...
- cp -pL $v $KERNEL_FILE $TMP_DIR/mnt/EFI/BOOT/kernel >&2
- StopIfError "Could not copy kernel to UEFI"
- cp $v $TMP_DIR/initrd.cgz $TMP_DIR/mnt/EFI/BOOT/initrd.cgz >&2
- StopIfError "Could not copy initrd to UEFI"
-
- # Create config file for elilo
- create_ebiso_elilo_conf
+# FIXME: do we need to test if we are ebiso at all?
+# copying kernel should happen for any ueafi mkiso tool with elilo
+if [[ $(basename $ISO_MKISOFS_BIN) = "ebiso" ]]; then
+ if [[ $(basename ${UEFI_BOOTLOADER}) =~ (shim.efi|elilo.efi) ]]; then
+ # if shim is used, bootloader can be actually anything (also elilo)
+ # named as grub*.efi (follow-up loader is shim compile time option)
+ # http://www.rodsbooks.com/efi-bootloaders/secureboot.html#initial_shim
+ # if shim is used, bootloader can be actually also elilo
+ # elilo is not smart enough to look for them outside ...
+ Log "Copying kernel"
+
+ # copy initrd and kernel inside efi_boot image as
+ cp -pL $v $KERNEL_FILE $TMP_DIR/mnt/EFI/BOOT/kernel >&2
+ StopIfError "Could not copy kernel to UEFI"
+ cp $v $TMP_DIR/initrd.cgz $TMP_DIR/mnt/EFI/BOOT/initrd.cgz >&2
+ StopIfError "Could not copy initrd to UEFI"
+ create_ebiso_elilo_conf > $TMP_DIR/mnt/EFI/BOOT/elilo.conf
+ create_grub2_cfg > $TMP_DIR/mnt/EFI/BOOT/grub.cfg
+ fi
 fi
 if [[ -n "$(type -p grub)" ]]; then
@@ -47,47 +61,7 @@ configfile /EFI/BOOT/grub.cfg
 EOF
 # create a grub.cfg
-cat > $TMP_DIR/mnt/EFI/BOOT/grub.cfg << EOF
-set default="0"
-
-insmod efi_gop
-insmod efi_uga
-insmod video_bochs
-insmod video_cirrus
-insmod all_video
-
-set gfxpayload=keep
-insmod gzio
-insmod part_gpt
-insmod ext2
-
-set timeout=5
-
-search --no-floppy --file /boot/efiboot.img --set
-#set root=(cd0)
-
-menuentry "Relax and Recover (no Secure Boot)" --class gnu-linux --class gnu --class os {
- echo 'Loading kernel ...'
- linux /isolinux/kernel
- echo 'Loading initial ramdisk ...'
- initrd /isolinux/initrd.cgz
-}
-
-menuentry "Relax and Recover (Secure Boot)" --class gnu-linux --class gnu --class os {
- echo 'Loading kernel ...'
- linuxefi /isolinux/kernel
- echo 'Loading initial ramdisk ...'
- initrdefi /isolinux/initrd.cgz
-}
-
-menuentry "Reboot" {
- reboot
-}
-
-menuentry "Exit to EFI Shell" {
- quit
-}
-EOF
+ create_grub2_cfg > $TMP_DIR/mnt/EFI/BOOT/grub.cfg
 fi
 # create BOOTX86.efi
 build_bootx86_efi
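Review bot: The loader test `[[ $(basename ${UEFI_BOOTLOADER}) =~ (shim.efi|elilo.efi) ]]` in the first hunk of this file is an unanchored regex with unescaped dots, so it also accepts names such as `shim.efi.signed` or `myelilo.efi`, whereas `efiboot_img_size` in lib/uefi-functions.sh matches `shim.efi|elilo.efi` exactly; for such a name the kernel and initrd are copied into the 32000 KiB image and the copy will most likely fail with a message that does not mention the size. Anchor it so both sites agree: `if [[ $(basename ${UEFI_BOOTLOADER}) =~ ^(shim|elilo)\.efi$ ]]; then`. The shim branch's `cp $v $(dirname ${UEFI_BOOTLOADER})/grub*.efi $TMP_DIR/mnt/EFI/BOOT/` has no `StopIfError`, so a missing second-stage loader only shows up as a cp error in the log and shim has nothing to chain to at boot time; add `StopIfError "Could not copy grub*.efi from $(dirname ${UEFI_BOOTLOADER})"` right after it. The inner block also repeats the shim/elilo explanation twice and leaves `# copy initrd and kernel inside efi_boot image as` cut off from its continuation `# elilo is not smart enough to look for them outside ...`; keeping one copy of the explanation above the inner `if` and rejoining those two comment lines would make the block readable.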