Merge pull request #2278 from OliverO2/feature-rawdisk-and-opalpba-im…

…provements

Feature RAWDISK and OPALPBA improvements:
RAWDISK: include additional Grub modules from
/boot/grub (and /boot/grub2) which had formerly been missing
OPALPBA: improve Plymouth boot animation on Ubuntu,
provide integration capabilities for other distros
RAWDISK: add support for distros which use 'grub2' naming,
see #2275

usr/share/rear/build/OPALPBA/Linux-i386/820_store_settings.sh

@@ -2,4 +2,5 @@
 
 cat > "$ROOTFS_DIR/.OPAL_PBA_SETTINGS.sh" << -EOF-
 OPAL_PBA_DEBUG_PASSWORD="$OPAL_PBA_DEBUG_PASSWORD"
+OPAL_PBA_DEBUG_DEVICE_COUNT="$OPAL_PBA_DEBUG_DEVICE_COUNT"
 -EOF-

usr/share/rear/conf/Ubuntu.conf

@@ -1,2 +1,22 @@
 PROGS=( "${PROGS[@]}" initctl MAKEDEV )
 
+#####
+# TCG Opal 2 PBA system only: Include Plymouth graphical boot animation
+
+OPAL_PBA_PROGS+=( plymouth plymouthd )
+
+OPAL_PBA_COPY_AS_IS+=( /etc/alternatives/*plymouth* /usr/lib/x86_64-linux-gnu/plymouth /usr/share/plymouth /usr/share/fonts/truetype/ubuntu )
+
+# NOTE: 'build/GNU/Linux/100_copy_as_is.sh' auto-detects shared libraries referenced by executables from COPY_AS_IS
+# but fails to consider shared libraries (*.so) from COPY_AS_IS. Adding those to LIBS gets them covered.
+OPAL_PBA_LIBS+=( /usr/lib/x86_64-linux-gnu/plymouth/*.so /usr/lib/x86_64-linux-gnu/plymouth/renderers/*.so )
+
+if grep --quiet 'vt.handoff=1' /proc/cmdline; then
+    # vt.handoff=1 triggers an Ubuntu-specifc mechanism to ensure a smooth boot splash transition
+    # Cf. https://help.ubuntu.com/community/vt.handoff
+    # Only do this on systems where it was originally enabled, otherwise the PBA might boot into a black screen.
+    # (In case of the latter, pressing ESC helps).
+    OPAL_PBA_KERNEL_CMDLINE+=" vt.handoff=1"
+fi
+
+OPAL_PBA_USE_SERIAL_CONSOLE="No"

usr/share/rear/conf/default.conf

@@ -523,11 +523,26 @@ OPAL_PBA_OUTPUT_URL="file://$VAR_DIR/TCG-Opal-PBA"
 # determined by OPAL_PBA_OUTPUT_URL.
 OPAL_PBA_IMAGE_FILE=""
 #
-# PBA debug password (empty for not using the debug facility).
-# If this pseudo password is entered when the PBA asks for a password to unlock disks,
+# These variables extend their non-prefixed counterparts (PROGS, COPY_AS_IS, etc.) for the PBA system only.
+# Their main purpose is to include the necessary files for a Plymouth graphical boot animation, which
+# provides a nice looking user interface to enter the disk password.
+OPAL_PBA_PROGS=()
+OPAL_PBA_COPY_AS_IS=()
+OPAL_PBA_LIBS=()
+OPAL_PBA_KERNEL_CMDLINE=""
+# The following variable sets USE_SERIAL_CONSOLE for the PBA system.
+OPAL_PBA_USE_SERIAL_CONSOLE=""
+#
+# PBA debug password (empty for not using the debug shell facility).
+# If this pseudo-password is entered when the PBA asks for a password to unlock disks,
 # an interactive emergency shell will be started.
 # Used to debug the PBA system.
 OPAL_PBA_DEBUG_PASSWORD=""
+#
+# When not empty, OPAL_PBA_DEBUG_DEVICE_COUNT overrides the number of TCG Opal 2-compliant self-encrypting disks
+# installed. To test the PBA system on a machine without any Opal 2-compliant disk, set OPAL_PBA_DEBUG_DEVICE_COUNT=1.
+# Used to debug the PBA system.
+OPAL_PBA_DEBUG_DEVICE_COUNT=""
 
 ##
 # Output/backup locations

usr/share/rear/output/RAWDISK/Linux-i386/270_create_grub2_efi_bootloader.sh

@@ -4,9 +4,22 @@
 
 ### Check prerequisites
 
-# Run only if no EFI bootloader has been created yet and Grub 2 EFI is available
-([[ -n "$RAWDISK_BOOT_EFI_STAGING_ROOT" ]] || ! has_binary grub-mkimage || ! [[ -d /usr/lib/grub/x86_64-efi ]]) && return 0
+# (1) An EFI bootloader must not have been created yet
+[[ -n "$RAWDISK_BOOT_EFI_STAGING_ROOT" ]] && return 0
 
+# (2) Grub 2 (which has a *-probe executable while Grub 1 does not) must exist
+if has_binary grub-probe; then
+    grub2_name="grub"  # The name prefixes executables and determines the installation directory under /boot
+elif has_binary grub2-probe; then
+    grub2_name="grub2"
+else
+    return 0
+fi
+
+# (3) Grub 2 EFI components must exist
+[[ -d /usr/lib/grub/x86_64-efi ]] || return 0
+
+# (4) Grub 2 must not have been excluded
 if is_true "${RAWDISK_BOOT_EXCLUDE_GRUB2_EFI:-no}"; then
     LogPrint "DISABLED: Using Grub 2 to create an EFI bootloader"
     return 0
@@ -23,9 +36,9 @@ fi
 
 RAWDISK_BOOT_EFI_STAGING_ROOT="$TMP_DIR/EFI"
 
-# Create a Grub 2 configuration file
-local new_grub_config_file="$TMP_DIR/grub.cfg"
-cat > "$new_grub_config_file" << EOF
+# Set up contents of a Grub 2 configuration file
+local new_grub_configuration
+read -r -d '' new_grub_configuration << EOF
 set timeout=0
 set default=0
 menuentry "${RAWDISK_BOOT_GRUB_MENUENTRY_TITLE:-Recovery System}" {
@@ -41,28 +54,46 @@ if [[ -n "$SECURE_BOOT_BOOTLOADER" ]]; then
     # breaking Secure Boot and we cannot know which companion files are actually required, so we play it safe
     # and copy the entire EFI tree as is.
     local original_efi_root="$(findmnt --noheadings --output TARGET --target "$SECURE_BOOT_BOOTLOADER")/EFI"
+    [[ "$original_efi_root" == "/EFI" ]] && Error "Could not find original EFI root directory"
     LogPrint "Secure Boot: Using the original EFI configuration from '$original_efi_root'"
     cp -a $v "$original_efi_root/." "$RAWDISK_BOOT_EFI_STAGING_ROOT" || Error "Could not copy EFI configuration"
 
+    # If /boot/$grub2_name exists, it contains additional Grub modules, which are not compiled into the grub core image.
+    # Pick required ones from there, too.
+    local additional_grub_directory="/boot/$grub2_name"
+    local grub_modules_directory="x86_64-efi"
+    local additional_grub_modules=( all_video.mod )
+    if [[ -d "$additional_grub_directory/$grub_modules_directory" ]]; then
+        local grub_target_directory="$(dirname "$(find "$RAWDISK_BOOT_EFI_STAGING_ROOT" -iname grubx64.efi -print)")"
+        [[ "$grub_target_directory" == "." ]] && Error "Could not find Grub executable"  # dirname "" returns "."
+
+        mkdir "$grub_target_directory/$grub_modules_directory" || Error "Could not create Grub modules directory"
+        for module in "${additional_grub_modules[@]}"; do
+            cp -a $v "$additional_grub_directory/$grub_modules_directory/$module" "$grub_target_directory/$grub_modules_directory"
+            StopIfError "Could not copy additional Grub module '$module'"
+            new_grub_configuration="insmod ${module%.mod}"$'\n'"$new_grub_configuration"
+        done
+    fi
+
     # Now we look for existing Grub configuration files and overwrite those with our own configuration. Again, to
     # be safe, we are prepared for the situation where we might find more than one grub.cfg without knowing which
-    # one is effective, so we overwrite every one.
-    find "$RAWDISK_BOOT_EFI_STAGING_ROOT" -iname grub.cfg -print -exec cp $v "$new_grub_config_file" '{}' \;
-    StopIfError "Could not copy Grub configuration"
+    # one is effective, so we overwrite each one.
+    for target_config_path in $(find "$RAWDISK_BOOT_EFI_STAGING_ROOT" -iname grub.cfg -print); do
+        echo "$new_grub_configuration" > "$target_config_path"
+        StopIfError "Could not copy Grub configuration to '$target_config_path'"
+    done
 else
     # Not Using Secure Boot:
     # Populate the EFI file system with a newly created Grub boot loader image and the Grub configuration file.
     local efi_boot_directory="$RAWDISK_BOOT_EFI_STAGING_ROOT/BOOT"
     mkdir $v -p "$efi_boot_directory" || Error "Could not create $efi_boot_directory"
 
-    cp $v "$new_grub_config_file" "$efi_boot_directory/grub.cfg"
+    echo "$new_grub_configuration" > "$efi_boot_directory/grub.cfg"
 
     # Create a Grub 2 EFI core image and install it as boot loader. (NOTE: This version will not be signed.)
     # Use the UEFI default boot loader name, so that firmware will find it without an existing boot entry.
     local boot_loader="$efi_boot_directory/BOOTX64.EFI"
     local grub_modules=( part_gpt fat normal configfile linux video all_video )
-    grub-mkimage -O x86_64-efi -o "$boot_loader" -p "/EFI/BOOT" "${grub_modules[@]}"
-    StopIfError "Error occurred during grub-mkimage of $boot_loader"
+    $grub2_name-mkimage -O x86_64-efi -o "$boot_loader" -p "/EFI/BOOT" "${grub_modules[@]}"
+    StopIfError "Error occurred during $grub2_name-mkimage of $boot_loader"
 fi
-
-rm "$new_grub_config_file"

usr/share/rear/prep/OPALPBA/Linux-i386/001_configure_workflow.sh

@@ -5,7 +5,8 @@ has_binary sedutil-cli || Error "Executable sedutil-cli is missing. Cannot creat
 LogPrint "Re-configuring Relax-and-Recover to create a TCG Opal pre-boot authentication (PBA) image"
 
 # Configure kernel
-KERNEL_CMDLINE+=" quiet splash systemd.volatile=yes systemd.unit=sysinit-opalpba.target"
+KERNEL_CMDLINE+=" quiet splash systemd.volatile=yes systemd.unit=sysinit-opalpba.target $OPAL_PBA_KERNEL_CMDLINE"
+USE_SERIAL_CONSOLE="$OPAL_PBA_USE_SERIAL_CONSOLE"
 
 # Strip kernel files to a reasonable minimum
 FIRMWARE_FILES=( 'no' )
@@ -22,9 +23,14 @@ SSH_FILES='no'
 USE_DHCLIENT='no'
 USE_RESOLV_CONF='no'
 
-# Include plymouth boot animation and 'clear' if available
-PROGS+=( plymouth plymouthd clear )
-COPY_AS_IS+=( /etc/alternatives/*plymouth* /usr/lib/x86_64-linux-gnu/plymouth /usr/share/plymouth )
+# Add programs, files and libraries
+if (( ${#OPAL_PBA_PROGS[@]} == 0 && ${#OPAL_PBA_COPY_AS_IS[@]} == 0)) && has_binary plymouth; then
+    LogPrintError "TIP: Your system seems to include a Plymouth graphical boot animation. You can achieve a nicer user"
+    LogPrintError "     interface for the PBA by setting OPAL_PBA_{PROGS,COPY_AS_IS,LIBS} to include Plymouth components."
+fi
+PROGS+=( "${OPAL_PBA_PROGS[@]}" clear )
+COPY_AS_IS+=( "${OPAL_PBA_COPY_AS_IS[@]}" )
+LIBS+=( "${OPAL_PBA_LIBS[@]}" )
 
 # Redirect output
 [[ -n "$OPAL_PBA_OUTPUT_URL" ]] || Error "The OPAL_PBA_OUTPUT_URL configuration variable must be set."

usr/share/rear/skel/default/etc/scripts/unlock-opal-disks

@@ -154,6 +154,7 @@ done
 # Find TCG Opal 2-compliant disks
 devices=( $(opal_devices) )
 declare -i device_count=${#devices[@]}
+[[ -n "$OPAL_PBA_DEBUG_DEVICE_COUNT" ]] && device_count="$OPAL_PBA_DEBUG_DEVICE_COUNT"
 if (( device_count == 0 )); then
     display_message "Could not detect TCG Opal 2-compliant disks."
     echo "Could not detect TCG Opal 2-compliant disks." >&2