summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/build/binary_grub-efi90
-rwxr-xr-xscripts/build/config11
2 files changed, 99 insertions, 2 deletions
diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi
index aea42a693..ab6630b3b 100755
--- a/scripts/build/binary_grub-efi
+++ b/scripts/build/binary_grub-efi
@@ -58,6 +58,57 @@ Check_package chroot /usr/bin/grub-mkimage grub-common
Check_package chroot /usr/bin/mcopy mtools
Check_package chroot /sbin/mkfs.msdos dosfstools
+# Check UEFI Secure Boot setting and depends
+# By default (auto) do a best-effort build: if the signed binaries are available use
+# them, but don't fail if they are not, just print a warning.
+case "${LB_ARCHITECTURES}" in
+ amd64|i386)
+ _SB_EFI_PLATFORM="x86_64"
+ _SB_EFI_NAME="x64"
+ _SB_EFI_DEB="amd64"
+ ;;
+ arm64)
+ _SB_EFI_PLATFORM="arm64"
+ _SB_EFI_NAME="aa64"
+ _SB_EFI_DEB="arm64"
+ ;;
+esac
+
+_PRE_SB_PACKAGES="${_LB_PACKAGES}"
+_LB_PACKAGES="shim-signed grub-efi-${_SB_EFI_DEB}-signed"
+case "${LB_UEFI_SECURE_BOOT}" in
+ auto)
+ # Use Check_installed, as Check_package will error out immediately
+ set +e
+ Install_package
+ set -e
+ Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/grub${_SB_EFI_NAME}.efi.signed \
+ grub-efi-${_SB_EFI_DEB}-signed
+ _GRUB_INSTALL_STATUS="${INSTALL_STATUS}"
+ Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
+ shim-signed
+
+ if [ "${INSTALL_STATUS}" -ne 0 -o "${_GRUB_INSTALL_STATUS}" -ne 0 ]
+ then
+ Echo_warning "UEFI Secure Boot disabled due to missing signed Grub/Shim."
+ else
+ Echo_message "UEFI Secure Boot support enabled."
+ fi
+ ;;
+ enable)
+ Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/grub${_SB_EFI_NAME}.efi.signed \
+ grub-efi-${_SB_EFI_DEB}-signed
+ Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
+ shim-signed
+ Install_package
+ Echo_message "UEFI Secure Boot support enabled."
+ ;;
+ disable)
+ Echo_message "UEFI Secure Boot support disabled."
+ ;;
+esac
+_LB_PACKAGES="${_PRE_SB_PACKAGES}"
+
# Setting destination directory
case "${LIVE_IMAGE_TYPE}" in
hdd*|netboot)
@@ -109,6 +160,27 @@ gen_efi_boot_img(){
mkdir -p ${_CHROOT_DIR}/grub-efi-temp/efi/boot
mcopy -n -i ${_CHROOT_DIR}/\$outdir/efi.img '::efi/boot/boot*.efi' ${_CHROOT_DIR}/grub-efi-temp/efi/boot
cp -r "${_CHROOT_DIR}"/\$outdir/* "${_CHROOT_DIR}/grub-efi-temp/"
+
+ # Secure Boot support:
+ # - use shim as the boot<arch>.efi that gets loaded first by the firmware
+ # - drop a grub.cfg (same reason as below) in the cfg directory as configured
+ # by the signed grub efi binary creation. At the moment that is efi/debian
+ # as set by grub2/debian/build-efi-images and cannot be changed without
+ # rebuilding grub2
+ # - the source paths are taken from shim-signed:
+ # https://packages.debian.org/sid/amd64/shim-signed/filelist
+ # and grub-efi-amd64-signed, currently in Ubuntu:
+ # https://packages.ubuntu.com/xenial/amd64/grub-efi-amd64-signed/filelist
+ # https://packages.ubuntu.com/bionic/arm64/grub-efi-arm64-signed/filelist
+ if [ -r ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/grub\$efi_name.efi.signed -a \
+ -r ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed -a \
+ "${LB_UEFI_SECURE_BOOT}" != "disable" ]; then
+ mkdir -p ${_CHROOT_DIR}/grub-efi-temp/efi/debian
+ cp ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/grub\$efi_name.efi.signed \
+ ${_CHROOT_DIR}/grub-efi-temp/efi/boot/grub\$efi_name.efi
+ cp ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed \
+ ${_CHROOT_DIR}/grub-efi-temp/efi/boot/boot\$efi_name.efi
+ fi
}
PRE_EFI_IMAGE_PATH="${PATH}"
@@ -158,7 +230,7 @@ EOF
# the case of a multi-arch amd64/i386 image
size=0
-for file in ${_CHROOT_DIR}/grub-efi-temp/efi/boot/boot*.efi \
+for file in ${_CHROOT_DIR}/grub-efi-temp/efi/boot/*.efi \
${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg; do
size=\$((\$size + \$(stat -c %s "\$file")))
done
@@ -166,15 +238,29 @@ done
# directories: efi efi/boot boot boot/grub
size=\$((\$size + 4096 * 4))
+# efi/debian and additional grub.cfg
+if [ -d ${_CHROOT_DIR}/grub-efi-temp/efi/debian ]; then
+ size=\$((\$size + 4096))
+ size=\$((\$size + \$(stat -c %s "${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg")))
+ cp ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg \
+ ${_CHROOT_DIR}/grub-efi-temp/efi/debian
+fi
+
blocks=\$(((\$size / 1024 + 55) / 32 * 32 ))
rm -f ${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img
mkfs.msdos -C "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" \$blocks >/dev/null
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::efi
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::efi/boot
-mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp/efi/boot/boot*.efi \
+mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp/efi/boot/*.efi \
"::efi/boot"
+if [ -d ${_CHROOT_DIR}/grub-efi-temp/efi/debian ]; then
+ mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::efi/debian
+ mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" \
+ ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg "::efi/debian"
+fi
+
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot/grub
mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg \
diff --git a/scripts/build/config b/scripts/build/config
index c692a926f..cad73b4cd 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -116,6 +116,7 @@ USAGE="${PROGRAM} [--apt apt|aptitude]\n\
\t [--swap-file-path PATH]\n\
\t [--swap-file-size MB]\n\
\t [--tasksel apt|aptitude|tasksel]\n\
+\t [--uefi-secure-boot auto|enable|disable]\n\
\t [--updates true|false]\n\
\t [--backports true|false]\n\
\t [--verbose]\n\
@@ -148,6 +149,7 @@ Local_arguments ()
net-cow-server:,net-tarball:,firmware-binary:,firmware-chroot:,swap-file-path:,swap-file-size:,
loadlin:,win32-loader:,source:,source-images:,breakpoints,conffile:,debug,force,
help,ignore-system-defaults,quiet,usage,verbose,version,bootstrap-qemu-static:,bootstrap-qemu-arch:,
+ uefi-secure-boot:,
bootstrap-qemu-exclude:"
# Remove spaces added by indentation
LONG_OPTIONS="$(echo ${LONG_OPTIONS} | tr -d ' ')"
@@ -674,6 +676,11 @@ Local_arguments ()
shift 2
;;
+ --uefi-secure-boot)
+ LB_UEFI_SECURE_BOOT="${2}"
+ shift 2
+ ;;
+
--loadlin)
LB_LOADLIN="${2}"
shift 2
@@ -1299,6 +1306,10 @@ LB_SWAP_FILE_PATH="${LB_SWAP_FILE_PATH}"
# \$LB_SWAP_FILE_SIZE: set swap file size
# (Default: ${LB_SWAP_FILE_SIZE})
LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}"
+
+# \$LB_UEFI_SECURE_BOOT: enable/disable UEFI secure boot
+# (Default: ${LB_UEFI_SECURE_BOOT})
+LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}"
EOF
# Creating lb_source_* configuration