| field | value | date |
|---|---|---|
| author | Luca Boccassi <bluca@debian.org> | 2018-02-27 19:28:33 +0000 |
| committer | Luca Boccassi <bluca@debian.org> | 2018-03-09 20:57:54 +0000 |
| commit | 035518ff69a97fa5d3fa432e13c9593a9f459a4e (patch) | |
| tree | 98d07bcaf0927518c0a3a78b87893a6c6955bf71 /scripts/build/config | |
| parent | ac3ed23638cbc4b10059f9678283d08b4a082136 (diff) | |
| download | vyos-live-build-035518ff69a97fa5d3fa432e13c9593a9f459a4e.tar.gz, vyos-live-build-035518ff69a97fa5d3fa432e13c9593a9f459a4e.zip | |
UEFI: add support for Secure Boot on amd64 and arm64
Support for UEFI Secure Boot is modelled after how it currently works
in Ubuntu and on how it is going to work on Debian.
A minimal bootloader, shim, is used as the first-stage and it then
loads grub. Both have to be signed.
shim-signed is already available in Debian so the filenames are
already established, and the grub2 repository and packaging is common
between the 2 distros so we can already be reasonably sure of what it
is going to be.
So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed
as boot[x64|aa64].efi so that UEFI loads it first, and copy
/usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as
grub[x64|aa64].efi.
This grub2 EFI monolithic image is currently hard-coded in grub2's
repository to look for a config file in efi/debian, so make a copy
of the previously added minimal grub.cfg that loads the real one in
that directory in both the fat32 and ISO 9660 partitions.
The new option --uefi-secure-boot can be set to auto (default),
enable or disable.
In auto, the lack of the signed EFI binaries is intentionally left as a
soft failure - live-build will simply fall back to using the locally
generated non-signed grub2 monolithic EFI binary as the only
bootloader. Given the difficulties surrounding the Secure Boot
signing infrastructure this approach gives the most flexibility and
makes sure things will "just work" once the packages are available,
without the need to change anything in the configuration.
This will also greatly help downstream distributions and users who
want to do self-signing.
The enable or disable options work as expected.
Closes: #821084
Diffstat (limited to 'scripts/build/config')
| mode | file | lines |
|---|---|---|
| -rwxr-xr-x | scripts/build/config | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/scripts/build/config b/scripts/build/config index c692a926f..cad73b4cd 100755 --- a/scripts/build/config +++ b/scripts/build/config @@ -116,6 +116,7 @@ USAGE="${PROGRAM} [--apt apt|aptitude]\n\ \t [--swap-file-path PATH]\n\ \t [--swap-file-size MB]\n\ \t [--tasksel apt|aptitude|tasksel]\n\ +\t [--uefi-secure-boot auto|enable|disable]\n\ \t [--updates true|false]\n\ \t [--backports true|false]\n\ \t [--verbose]\n\ @@ -148,6 +149,7 @@ Local_arguments () net-cow-server:,net-tarball:,firmware-binary:,firmware-chroot:,swap-file-path:,swap-file-size:, loadlin:,win32-loader:,source:,source-images:,breakpoints,conffile:,debug,force, help,ignore-system-defaults,quiet,usage,verbose,version,bootstrap-qemu-static:,bootstrap-qemu-arch:, + uefi-secure-boot:, bootstrap-qemu-exclude:" # Remove spaces added by indentation LONG_OPTIONS="$(echo ${LONG_OPTIONS} | tr -d ' ')" @@ -674,6 +676,11 @@ Local_arguments () shift 2 ;; + --uefi-secure-boot) + LB_UEFI_SECURE_BOOT="${2}" + shift 2 + ;; + --loadlin) LB_LOADLIN="${2}" shift 2 @@ -1299,6 +1306,10 @@ LB_SWAP_FILE_PATH="${LB_SWAP_FILE_PATH}" # \$LB_SWAP_FILE_SIZE: set swap file size # (Default: ${LB_SWAP_FILE_SIZE}) LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}" + +# \$LB_UEFI_SECURE_BOOT: enable/disable UEFI secure boot +# (Default: ${LB_UEFI_SECURE_BOOT}) +LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}" EOF # Creating lb_source_* configuration |
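Review bot: the `--uefi-secure-boot)` case in `Local_arguments` stores `${2}` verbatim without checking it against the three values the usage string advertises (`auto|enable|disable`), so a mistyped value such as `enabled` is accepted here and its interpretation is deferred to whatever later consumes `LB_UEFI_SECURE_BOOT`. Rejecting anything else at this point, the way the usage line already constrains it, keeps the failure next to the user's input rather than at image-build time, which matters for a setting whose `enable` value is meant to guarantee that only signed shim and grub binaries end up on the image.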
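Review bot: the comment emitted into the generated configuration, `# \$LB_UEFI_SECURE_BOOT: enable/disable UEFI secure boot`, omits the `auto` value that the usage line lists and that the commit message describes as the default; spelling out all three values, and that `auto` silently falls back to the locally generated unsigned grub EFI image when the signed shim and grub packages are absent, would stop a reader of the saved config from taking it as a guarantee that the resulting image carries only signed bootloaders. Separately, nothing in this file assigns a default before the value is echoed as `(Default: ${LB_UEFI_SECURE_BOOT})` and written back as `LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}"`; the diffstat is limited to `scripts/build/config`, so the default presumably lives in the defaults script, but it is worth confirming the variable can never be empty here.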