#!/bin/sh

## live-build(7) - System Build Scripts
## Copyright (C) 2016 Adrian Gibanel Lopez
##
## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
## This is free software, and you are welcome to redistribute it
## under certain conditions; see COPYING for details.

## Build stage: checks for the GRUB EFI packages in the chroot, optionally adds
## the signed shim/GRUB binaries for UEFI Secure Boot, then generates and runs a
## helper script (binary.sh) whose output under chroot/grub-efi-temp is copied
## into binary/.

# Abort on the first unhandled command failure
set -e

# Including common functions
# Prefer the copy under ${LIVE_BUILD}; otherwise use the system-wide one.
# NOTE(review): with "A && B || C", C also runs when B (sourcing the local
# copy) returns non-zero, not only when the file is absent.
[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh

# Setting static variables
DESCRIPTION="$(Echo 'prepares and installs Grub based EFI support into binary')"
HELP=""
USAGE="${PROGRAM} [--force]"

Arguments "${@}"

# Reading configuration files
Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
Set_defaults

Check_Any_Bootloader_Role "grub-efi"

Echo_message "Begin preparing Grub based EFI support..."

# Requiring stage file
Require_stagefile .build/config .build/bootstrap

# Checking stage file
Check_stagefile .build/binary_grub-efi

# Checking lock file
Check_lockfile .lock

# Creating lock file
Create_lockfile .lock

# Check architecture
Check_architectures amd64 i386 arm64
Check_crossarchitectures

# Checking depends
# amd64 and i386 builds both require the 64-bit and the 32-bit EFI module sets.
case "${LB_ARCHITECTURES}" in
	amd64|i386)
		Check_package chroot /usr/lib/grub/x86_64-efi/configfile.mod grub-efi-amd64-bin
		Check_package chroot /usr/lib/grub/i386-efi/configfile.mod grub-efi-ia32-bin
		;;
	arm64)
		Check_package chroot /usr/lib/grub/arm64-efi/configfile.mod grub-efi-arm64-bin
		;;
esac
Check_package chroot /usr/bin/grub-mkimage grub-common
Check_package chroot /usr/bin/mcopy mtools
Check_package chroot /sbin/mkfs.msdos dosfstools

# Check UEFI Secure Boot setting and depends
# By default (auto) do a best-effort build: if the signed binaries are available use
# them, but don't fail if they are not, just print a warning.
# NOTE(review): in auto mode a missing shim-signed or signed GRUB therefore yields
# an image without the signed boot chain and only a warning in the build log.
# Builds that must boot under Secure Boot should set LB_UEFI_SECURE_BOOT=enable,
# which goes through Check_package instead of tolerating the absence.
case "${LB_ARCHITECTURES}" in
	amd64|i386)
		_SB_EFI_PLATFORM="x86_64"
		_SB_EFI_NAME="x64"
		_SB_EFI_DEB="amd64"
		;;
	arm64)
		_SB_EFI_PLATFORM="arm64"
		_SB_EFI_NAME="aa64"
		_SB_EFI_DEB="arm64"
		;;
esac

# Temporarily swap the package list for the two signed packages; the previous
# list is put back after the case statement below.
# Presumably Install_package reads _LB_PACKAGES - confirm in the common functions.
_PRE_SB_PACKAGES="${_LB_PACKAGES}"
_LB_PACKAGES="shim-signed grub-efi-${_SB_EFI_DEB}-signed"
case "${LB_UEFI_SECURE_BOOT}" in
	auto)
		# Use Check_installed, as Check_package will error out immediately
		# errexit is switched off only around Install_package so that a failed
		# install of the signed packages does not abort the build.
		set +e
		Install_package
		set -e
		Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/grub${_SB_EFI_NAME}.efi.signed \
			grub-efi-${_SB_EFI_DEB}-signed
		# INSTALL_STATUS is read after each Check_installed call (presumably set
		# by it - confirm); keep the GRUB result before the shim check runs.
		_GRUB_INSTALL_STATUS="${INSTALL_STATUS}"
		Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
			shim-signed

		# Both signed binaries are needed; either one missing disables Secure Boot.
		# NOTE(review): "-o" inside [ ] is marked obsolescent by POSIX; two tests
		# joined with || would be the portable form.
		if [ "${INSTALL_STATUS}" -ne 0 -o "${_GRUB_INSTALL_STATUS}" -ne 0 ]
		then
			Echo_warning "UEFI Secure Boot disabled due to missing signed Grub/Shim."
		else
			Echo_message "UEFI Secure Boot support enabled."
		fi
		;;
	enable)
		# Strict mode: both signed binaries are checked with Check_package
		Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/grub${_SB_EFI_NAME}.efi.signed \
			grub-efi-${_SB_EFI_DEB}-signed
		Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
			shim-signed
		Install_package
		Echo_message "UEFI Secure Boot support enabled."
		;;
	disable)
		Echo_message "UEFI Secure Boot support disabled."
		;;
esac
_LB_PACKAGES="${_PRE_SB_PACKAGES}"

# Abort for image types this bootloader stage does not support
case "${LIVE_IMAGE_TYPE}" in
	hdd*|netboot)
		Echo_warning "Bootloader in this image type not yet supported by live-build."
		Echo_warning "This would produce a not bootable image, aborting (FIXME)."
		exit 1
		;;
esac

# Restoring cache
Restore_cache cache/packages.binary

# Installing depends
Install_package

# Cleanup files that we generate
rm -rf binary/boot/efi.img binary/boot/grub/i386-efi/ binary/boot/grub/x86_64-efi binary/boot/grub/arm64-efi

# This is workaround till both efi-image and grub-cpmodules are put into a binary package
# With a chroot build the two helper programs are copied into the chroot at the
# same absolute path they have on the host, and _CHROOT_DIR is empty because the
# generated script runs inside the chroot. Without a chroot build the generated
# script runs from the build directory and reaches the tree through "chroot/".
case "${LB_BUILD_WITH_CHROOT}" in
	true)
		if [ ! -e "${LIVE_BUILD}" ] ; then
			LIVE_BUILD_PATH="/usr/lib/live/build"
		else
			LIVE_BUILD_PATH="${LIVE_BUILD}/scripts/build"
		fi
		# NOTE(review): the mkdir target is unquoted, unlike the cp arguments
		mkdir -p chroot/${LIVE_BUILD_PATH}
		cp "${LIVE_BUILD_PATH}/efi-image" "chroot/${LIVE_BUILD_PATH}"
		cp "${LIVE_BUILD_PATH}/grub-cpmodules" "chroot/${LIVE_BUILD_PATH}"
		_CHROOT_DIR=""
		;;
	false)
		_CHROOT_DIR="chroot"
		;;
esac

#####
# Generate binary.sh, the helper executed further down (inside the chroot or
# directly on the host, depending on LB_BUILD_WITH_CHROOT).
# NOTE(review): this copy of the file looks damaged in two places inside the
# helper text: the here-document opener and the start of gen_efi_boot_img()
# are missing after "cat >binary.sh", and the text that followed
# "cat >.../grub-efi-temp-cfg/grub.cfg" is missing as well. Both spots are left
# exactly as found; restore them from the upstream file before running this.
# Judging by the escaping and the END terminator, the opener is an unquoted
# here-document: ${...} is expanded now, when binary.sh is written, so build
# configuration (and the invoking PATH) is baked into the helper, while \$...
# is expanded only when the helper runs. Most expanded paths are unquoted, so
# this relies on _CHROOT_DIR and LIVE_BUILD containing no whitespace or glob
# characters.
# Secure Boot in the helper: when both signed files are readable and
# LB_UEFI_SECURE_BOOT is not "disable", the signed GRUB is copied to
# EFI/boot/grub<name>.efi and the signed shim to EFI/boot/boot<name>.efi.
# Nothing visible here verifies those files; presumably their integrity rests
# on the package installation in the chroot - confirm.
cat >binary.sh <.efi that gets loaded first by the firmware
	# - drop a grub.cfg (same reason as below) in the cfg directory as configured
	# by the signed grub efi binary creation. At the moment that is EFI/debian
	# as set by grub2/debian/build-efi-images and cannot be changed without
	# rebuilding grub2
	# - the source paths are taken from shim-signed:
	# https://packages.debian.org/sid/amd64/shim-signed/filelist
	# and grub-efi-amd64-signed, currently in Ubuntu:
	# https://packages.ubuntu.com/xenial/amd64/grub-efi-amd64-signed/filelist
	# https://packages.ubuntu.com/bionic/arm64/grub-efi-arm64-signed/filelist
	if [ -r ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/grub\$efi_name.efi.signed -a \
		-r ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed -a \
		"${LB_UEFI_SECURE_BOOT}" != "disable" ]; then
		mkdir -p ${_CHROOT_DIR}/grub-efi-temp/EFI/debian
		cp ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/grub\$efi_name.efi.signed \
			${_CHROOT_DIR}/grub-efi-temp/EFI/boot/grub\$efi_name.efi
		cp ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed \
			${_CHROOT_DIR}/grub-efi-temp/EFI/boot/boot\$efi_name.efi
	fi
}

PRE_EFI_IMAGE_PATH="${PATH}"
if [ ! -e "${LIVE_BUILD}" ] ; then
	LIVE_BUILD_PATH="/usr/lib/live/build"
else
	LIVE_BUILD_PATH="${LIVE_BUILD}/scripts/build"
fi

PATH="${PATH}:\${LIVE_BUILD_PATH}" # Make sure grub-cpmodules is used as if it was installed in the system

case "${LB_ARCHITECTURES}" in
	amd64|i386)
		gen_efi_boot_img "x86_64-efi" "x64" "debian-live/amd64"
		gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386"
		PATH="\${PRE_EFI_IMAGE_PATH}"
		;;
	arm64)
		gen_efi_boot_img "arm64-efi" "aa64" "debian-live/arm64"
		PATH="\${PRE_EFI_IMAGE_PATH}"
		;;
esac

# On some platforms the EFI grub image will be loaded, so grub's root
# variable will be set to the EFI partition. This means that grub will
# look in that partition for a grub.cfg file, and even if it finds it
# it will not be able to find the vmlinuz and initrd.
# Drop a minimal grub.cfg in the EFI partition that sets the root and prefix
# to whatever partition holds the /live/vmlinuz image, and load the grub
# config from that same partition.
# This is what the Ubuntu livecd already does.
mkdir -p ${_CHROOT_DIR}/grub-efi-temp-cfg
cat >${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg </dev/null
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::EFI
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::EFI/boot
mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp/EFI/boot/*.efi \
	"::EFI/boot"
if [ -d ${_CHROOT_DIR}/grub-efi-temp/EFI/debian ]; then
	mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::EFI/debian
	mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" \
		${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg "::EFI/debian"
fi
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot/grub
mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg \
	"::boot/grub"
END

# Run the generated helper and remove it afterwards.
# true:  the helper is moved into the chroot and executed there via Chroot.
# false: the helper is executed directly on the host from the build directory,
#        i.e. with whatever privileges this build script itself has.
# Because of "set -e", a failing helper ends the script before the rm below,
# so binary.sh can be left behind after a failed run.
case "${LB_BUILD_WITH_CHROOT}" in
	true)
		mv binary.sh chroot/
		Chroot chroot "sh binary.sh"
		rm -f chroot/binary.sh

		# Saving cache
		Save_cache cache/packages.binary

		# Removing depends
		Remove_package
		;;
	false)
		sh binary.sh
		rm -f binary.sh
		;;
esac

# Remove unnecessary files
rm -f chroot/grub-efi-temp/bootnetia32.efi
rm -f chroot/grub-efi-temp/bootnetx64.efi
rm -f chroot/grub-efi-temp/bootnetaa64.efi

# Publish the staged tree into binary/, then drop every staging directory
mkdir -p binary
cp -r chroot/grub-efi-temp/* binary/
rm -rf chroot/grub-efi-temp-x86_64-efi
rm -rf chroot/grub-efi-temp-i386-efi
rm -rf chroot/grub-efi-temp-arm64-efi
rm -rf chroot/grub-efi-temp-cfg
rm -rf chroot/grub-efi-temp

# We rely on: binary_loopback_cfg to generate grub.cfg and other configuration files

# Creating stage file
Create_stagefile .build/binary_grub-efi