-rwxr-xr-x | functions/defaults.sh | 3 | ||||
-rw-r--r-- | manpages/en/lb_config.1 | 4 | ||||
-rwxr-xr-x | scripts/build/binary_grub-efi | 90 | ||||
-rwxr-xr-x | scripts/build/config | 11 |
4 files changed, 106 insertions, 2 deletions
diff --git a/functions/defaults.sh b/functions/defaults.sh
index 78ca358d1..2ba7d475f 100755
--- a/functions/defaults.sh
+++ b/functions/defaults.sh
@@ -770,6 +770,9 @@ Set_defaults ()
# Setting swap file
LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE:-512}"
+ # Setting UEFI Secure Boot
+ LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT:-auto}"
+
## config/source
# Setting source option
diff --git a/manpages/en/lb_config.1 b/manpages/en/lb_config.1
index 750a6f2fd..c90f85de3 100644
--- a/manpages/en/lb_config.1
+++ b/manpages/en/lb_config.1
@@ -215,6 +215,8 @@ .br
[\fB\-\-templates\fR \fIPATH\fR]
.br
+ [\fB\-\-uefi\-secure\-boot\fR \fIauto|enable|disable\fR]
+.br
[\fB\-\-hdd\-size \fIMB\fR]
.br
[\fB\-\-updates\fR true|false]
@@ -454,6 +456,8 @@ defines what size in megabytes the swap file should be, if one is to be created.
selects which program is used to install tasks. By default, this is set to tasksel.
.IP "\fB\-\-templates\fR \fIPATH\fR" 4
sets the path to the templates that live\-build is going to use, e.g. for bootloaders. By default, this is set to /usr/share/live/build/templates/.
+.IP "\fB\-\-uefi\-secure\-boot\fR \fIauto|enable|disable\fR" 4
+enables or disables Secure Boot support when using grub-efi, by installing signed shim and grub-efi packages. By default, this is set to auto, which means if the packages are available they will be installed, but if not only a warning will be printed and the normal non-signed grub-efi will be used.
.IP "\fB\-\-hdd\-size\fR MB" 4
defines what size the hdd image should be. Note that although the default is set to 10000 (= 10GB), it will not need 10GB space on your harddisk as the files are created as sparse files.
.IP "\fB\-\-updates\fR true|false" 4
diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi
index aea42a693..ab6630b3b 100755
--- a/scripts/build/binary_grub-efi
+++ b/scripts/build/binary_grub-efi
@@ -58,6 +58,57 @@ Check_package chroot /usr/bin/grub-mkimage grub-common
Check_package chroot /usr/bin/mcopy mtools
Check_package chroot /sbin/mkfs.msdos dosfstools
+# Check UEFI Secure Boot setting and depends
+# By default (auto) do a best-effort build: if the signed binaries are available use
+# them, but don't fail if they are not, just print a warning.
+case "${LB_ARCHITECTURES}" in
+ amd64|i386)
+ _SB_EFI_PLATFORM="x86_64"
+ _SB_EFI_NAME="x64"
+ _SB_EFI_DEB="amd64"
+ ;;
+ arm64)
+ _SB_EFI_PLATFORM="arm64"
+ _SB_EFI_NAME="aa64"
+ _SB_EFI_DEB="arm64"
+ ;;
+esac
+
+_PRE_SB_PACKAGES="${_LB_PACKAGES}"
+_LB_PACKAGES="shim-signed grub-efi-${_SB_EFI_DEB}-signed"
+case "${LB_UEFI_SECURE_BOOT}" in
+ auto)
+ # Use Check_installed, as Check_package will error out immediately
+ set +e
+ Install_package
+ set -e
+ Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/grub${_SB_EFI_NAME}.efi.signed \
+ grub-efi-${_SB_EFI_DEB}-signed
+ _GRUB_INSTALL_STATUS="${INSTALL_STATUS}"
+ Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
+ shim-signed
+
+ if [ "${INSTALL_STATUS}" -ne 0 -o "${_GRUB_INSTALL_STATUS}" -ne 0 ]
+ then
+ Echo_warning "UEFI Secure Boot disabled due to missing signed Grub/Shim."
+ else
+ Echo_message "UEFI Secure Boot support enabled."
+ fi
+ ;;
+ enable)
+ Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/grub${_SB_EFI_NAME}.efi.signed \
+ grub-efi-${_SB_EFI_DEB}-signed
+ Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
+ shim-signed
+ Install_package
+ Echo_message "UEFI Secure Boot support enabled."
+ ;;
+ disable)
+ Echo_message "UEFI Secure Boot support disabled."
+ ;;
+esac
+_LB_PACKAGES="${_PRE_SB_PACKAGES}"
+
# Setting destination directory
case "${LIVE_IMAGE_TYPE}" in
hdd*|netboot)
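Review bot: Neither `case` in this hunk has a `*)` arm, so an `LB_ARCHITECTURES` value outside `amd64|i386|arm64` leaves `_SB_EFI_PLATFORM`, `_SB_EFI_NAME` and `_SB_EFI_DEB` empty (`_LB_PACKAGES` becomes `shim-signed grub-efi--signed`), and an `LB_UEFI_SECURE_BOOT` value other than `auto|enable|disable` silently skips both the package handling and the status messages. In the `auto` arm the empty-arch failure is then hidden by `set +e` and reported as "missing signed Grub/Shim", in `enable` mode `Check_package` looks for `/usr/lib/grub/-efi-signed/grub.efi.signed`, and if `LB_ARCHITECTURES` can be a space-separated list, as the later comment about a multi-arch amd64/i386 image suggests, the `amd64|i386` pattern misses that case too. Add `*) Echo_error "unsupported value for --uefi-secure-boot: ${LB_UEFI_SECURE_BOOT}"; exit 1 ;;` to the second case (the `--uefi-secure-boot)` arm in scripts/build/config stores `${2}` unvalidated, and gen_efi_boot_img treats anything other than `disable` as enabled), and a `*)` arm on the first that warns and forces the disabled path instead of producing a misleading package error. The `i386` entry mapping to the x64/amd64 signed binaries deserves a one-line comment saying it is intentional, since on its own it reads like a copy-paste slip. `[ ... -ne 0 -o ... -ne 0 ]` relies on the obsolescent `-o`; `[ "${INSTALL_STATUS}" -ne 0 ] || [ "${_GRUB_INSTALL_STATUS}" -ne 0 ]` is the portable spelling.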
@@ -109,6 +160,27 @@ gen_efi_boot_img(){
mkdir -p ${_CHROOT_DIR}/grub-efi-temp/efi/boot
mcopy -n -i ${_CHROOT_DIR}/\$outdir/efi.img '::efi/boot/boot*.efi' ${_CHROOT_DIR}/grub-efi-temp/efi/boot
cp -r "${_CHROOT_DIR}"/\$outdir/* "${_CHROOT_DIR}/grub-efi-temp/"
+
+ # Secure Boot support:
+ # - use shim as the boot<arch>.efi that gets loaded first by the firmware
+ # - drop a grub.cfg (same reason as below) in the cfg directory as configured
+ # by the signed grub efi binary creation. At the moment that is efi/debian
+ # as set by grub2/debian/build-efi-images and cannot be changed without
+ # rebuilding grub2
+ # - the source paths are taken from shim-signed:
+ # https://packages.debian.org/sid/amd64/shim-signed/filelist
+ # and grub-efi-amd64-signed, currently in Ubuntu:
+ # https://packages.ubuntu.com/xenial/amd64/grub-efi-amd64-signed/filelist
+ # https://packages.ubuntu.com/bionic/arm64/grub-efi-arm64-signed/filelist
+ if [ -r ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/grub\$efi_name.efi.signed -a \
+ -r ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed -a \
+ "${LB_UEFI_SECURE_BOOT}" != "disable" ]; then
+ mkdir -p ${_CHROOT_DIR}/grub-efi-temp/efi/debian
+ cp ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/grub\$efi_name.efi.signed \
+ ${_CHROOT_DIR}/grub-efi-temp/efi/boot/grub\$efi_name.efi
+ cp ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed \
+ ${_CHROOT_DIR}/grub-efi-temp/efi/boot/boot\$efi_name.efi
+ fi
}
PRE_EFI_IMAGE_PATH="${PATH}"
@@ -158,7 +230,7 @@ EOF
# the case of a multi-arch amd64/i386 image
size=0
-for file in ${_CHROOT_DIR}/grub-efi-temp/efi/boot/boot*.efi \
+for file in ${_CHROOT_DIR}/grub-efi-temp/efi/boot/*.efi \
${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg; do
size=\$((\$size + \$(stat -c %s "\$file")))
done
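Review bot: The new `if` in gen_efi_boot_img chains three tests with `-a` and leaves every `${_CHROOT_DIR}` path unquoted, while the `cp -r` line just above quotes the same variable; the portable form is `if [ -r "${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/grub\$efi_name.efi.signed" ] && [ -r "${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed" ] && [ "${LB_UEFI_SECURE_BOOT}" != "disable" ]; then`, and the two `cp` lines below it want the same quoting. The `\$platform`/`\$efi_name` escapes show this text is emitted into a here-document, so the test runs in the generated script rather than at build-script time. The first hunk of this file spells the same directory `${_SB_EFI_PLATFORM}-efi-signed`, so a comment such as `# \$platform already carries the -efi suffix (x86_64-efi, arm64-efi)` would let the next reader confirm the two spellings resolve to one path; I am inferring that from the two hunks, not from anything visible here. gen_efi_boot_img starts before this hunk. The second hunk (`boot*.efi` to `*.efi`) is consistent with the extra `grub\$efi_name.efi` now placed in efi/boot.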
@@ -166,15 +238,29 @@ done
# directories: efi efi/boot boot boot/grub
size=\$((\$size + 4096 * 4))
+# efi/debian and additional grub.cfg
+if [ -d ${_CHROOT_DIR}/grub-efi-temp/efi/debian ]; then
+ size=\$((\$size + 4096))
+ size=\$((\$size + \$(stat -c %s "${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg")))
+ cp ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg \
+ ${_CHROOT_DIR}/grub-efi-temp/efi/debian
+fi
+
blocks=\$(((\$size / 1024 + 55) / 32 * 32 ))
rm -f ${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img
mkfs.msdos -C "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" \$blocks >/dev/null
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::efi
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::efi/boot
-mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp/efi/boot/boot*.efi \
+mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp/efi/boot/*.efi \
"::efi/boot"
+if [ -d ${_CHROOT_DIR}/grub-efi-temp/efi/debian ]; then
+ mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::efi/debian
+ mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" \
+ ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg "::efi/debian"
+fi
+
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot/grub
mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg \
diff --git a/scripts/build/config b/scripts/build/config
index c692a926f..cad73b4cd 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -116,6 +116,7 @@ USAGE="${PROGRAM} [--apt apt|aptitude]\n\
\t [--swap-file-path PATH]\n\
\t [--swap-file-size MB]\n\
\t [--tasksel apt|aptitude|tasksel]\n\
+\t [--uefi-secure-boot auto|enable|disable]\n\
\t [--updates true|false]\n\
\t [--backports true|false]\n\
\t [--verbose]\n\
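Review bot: The `[ -d ${_CHROOT_DIR}/grub-efi-temp/efi/debian ]` test is evaluated twice in this hunk, once for the size accounting and once for the `mmd`/`mcopy` into efi.img; evaluating it once before `blocks=` and reusing the result keeps the two branches from drifting apart if either is edited later. The `cp` and `mcopy` source arguments added here are unquoted while the `-i` image path on the same lines is quoted; `"${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg"` matches the surrounding style. The size bookkeeping (one extra 4096 for the directory plus the grub.cfg size) agrees with what is copied into efi/debian, so nothing to change there.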
@@ -148,6 +149,7 @@ Local_arguments ()
net-cow-server:,net-tarball:,firmware-binary:,firmware-chroot:,swap-file-path:,swap-file-size:,
loadlin:,win32-loader:,source:,source-images:,breakpoints,conffile:,debug,force,
help,ignore-system-defaults,quiet,usage,verbose,version,bootstrap-qemu-static:,bootstrap-qemu-arch:,
+ uefi-secure-boot:,
bootstrap-qemu-exclude:"
# Remove spaces added by indentation
LONG_OPTIONS="$(echo ${LONG_OPTIONS} | tr -d ' ')"
@@ -674,6 +676,11 @@ Local_arguments ()
shift 2
;;
+ --uefi-secure-boot)
+ LB_UEFI_SECURE_BOOT="${2}"
+ shift 2
+ ;;
+
--loadlin)
LB_LOADLIN="${2}"
shift 2
@@ -1299,6 +1306,10 @@ LB_SWAP_FILE_PATH="${LB_SWAP_FILE_PATH}"
# \$LB_SWAP_FILE_SIZE: set swap file size
# (Default: ${LB_SWAP_FILE_SIZE})
LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}"
+
+# \$LB_UEFI_SECURE_BOOT: enable/disable UEFI secure boot
+# (Default: ${LB_UEFI_SECURE_BOOT})
+LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}"
EOF
# Creating lb_source_* configuration |