livecd-light-root,livecd: review EFI support for x86 target after changes for secure boot support

This commit is contained in:
Silvan Calarco 2024-11-23 17:10:42 +01:00
parent a34e6c2466
commit 1b5546a3ee
3 changed files with 32 additions and 8 deletions

View File

@ -25,7 +25,7 @@ $(MAKEDIST_TARGET)-livecd-light-root: \
mambatray \ mambatray \
$(MAKEDIST_TARGET)-livecd-light $(MAKEDIST_TARGET)-livecd-light
$(MAKEDIST_TARGET)-livecd-light-root-x86_64: VirtualBox-guest $(MAKEDIST_TARGET)-livecd-light-root-x86_64: VirtualBox-guest sbsigntools shim-signed
# Localization targets # Localization targets
$(MAKEDIST_TARGET)-livecd-light-root-de: langpacks-de firefox-langpack-de $(MAKEDIST_TARGET)-livecd-light-root-de: langpacks-de firefox-langpack-de

View File

@ -1,5 +1,6 @@
$(MAKEDIST_TARGET)-livecd: openmamba-release breeze-grub-theme memtest86+ \ $(MAKEDIST_TARGET)-livecd: openmamba-release breeze-grub-theme memtest86+ \
memtest86+-efi dracut grub-efi-x86_64 shim-signed sbsigntools memtest86+-efi dracut grub-efi-x86_64 shim-signed sbsigntools
$(MAKEDIST_TARGET)-livecd-i586: grub-efi
# Localized targets # Localized targets
$(MAKEDIST_TARGET)-livecd-en: $(MAKEDIST_TARGET)-livecd-en:
$(MAKEDIST_TARGET)-livecd-it: $(MAKEDIST_TARGET)-livecd-it:

View File

@ -156,22 +156,42 @@ fi
# create EFI grub 32 and 64 bit images # create EFI grub 32 and 64 bit images
mkdir -p $MOUNTDIR/boot/efi/EFI/openmamba/ mkdir -p $MOUNTDIR/boot/efi/EFI/openmamba/
chroot $MOUNTDIR grub-mkimage -o /boot/efi/EFI/openmamba/grubx64.efi -O x86_64-efi \ if [ "${ARCH}" == "x86_64" ]; then
-p /boot/grub --sbat /usr/share/grub/sbat.csv \ GRUB_ADD="--sbat /usr/share/grub/sbat.csv \
all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \ all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \
fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \ fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \
iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \ iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \
memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \ memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \
play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \ play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \
smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo || { smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo"
else
# FIXME: i586 provides grub 204 which does not support --sbat and other modules for SB
GRUB_ADD="\
part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal chain boot linux echo \
help gfxterm gettext png efi_gop efi_uga search search_label search_fs_uuid \
iso9660 configfile"
fi
chroot $MOUNTDIR grub-mkimage -o /boot/efi/EFI/openmamba/grubx64.efi -O x86_64-efi \
-p /boot/grub ${GRUB_ADD} || {
echo $"Error: unable to create GRUB x86_64-efi image" echo $"Error: unable to create GRUB x86_64-efi image"
exit 1 exit 1
} }
if [ "${ARCH}" == "i586" ]; then
# 32 bit image
chroot $MOUNTDIR grub-mkimage -o /boot/efi/EFI/openmamba/grubia32.efi -O i386-efi \
-p /boot/grub ${GRUB_ADD} || {
echo $"Error: unable to create GRUB i386-efi image"
exit 1
}
fi
# Sign EFI image for secure boot # Sign EFI image for secure boot
chroot $MOUNTDIR openssl req -newkey rsa:2048 -nodes -keyout /root/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=openmamba Machine Owner Key/" -out /root/MOK.crt chroot $MOUNTDIR openssl req -newkey rsa:2048 -nodes -keyout /root/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=openmamba Machine Owner Key/" -out /root/MOK.crt
chroot $MOUNTDIR openssl x509 -outform DER -in /root/MOK.crt -out /root/MOK.cer chroot $MOUNTDIR openssl x509 -outform DER -in /root/MOK.crt -out /root/MOK.cer
chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/efi/EFI/openmamba/grubx64.efi /boot/efi/EFI/openmamba/grubx64.efi chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/efi/EFI/openmamba/grubx64.efi /boot/efi/EFI/openmamba/grubx64.efi
chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/efi/EFI/openmamba/grubia32.efi /boot/efi/EFI/openmamba/grubia32.efi
ISOID= ISOID=
for K in $KERNEL_EXTRAVER $KERNEL_MORE_EXTRAVER; do for K in $KERNEL_EXTRAVER $KERNEL_MORE_EXTRAVER; do
chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/vmlinuz-${KERNEL_MAJVER}${K} /boot/vmlinuz-${KERNEL_MAJVER}${K} chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/vmlinuz-${KERNEL_MAJVER}${K} /boot/vmlinuz-${KERNEL_MAJVER}${K}
@ -183,6 +203,9 @@ done
mkdir -p $MOUNTDIR2/EFI/BOOT/ mkdir -p $MOUNTDIR2/EFI/BOOT/
cp $MOUNTDIR/root/MOK.cer $MOUNTDIR2/EFI/ cp $MOUNTDIR/root/MOK.cer $MOUNTDIR2/EFI/
cp $MOUNTDIR/boot/efi/EFI/openmamba/grubx64.efi $MOUNTDIR2/EFI/BOOT/grubx64.efi cp $MOUNTDIR/boot/efi/EFI/openmamba/grubx64.efi $MOUNTDIR2/EFI/BOOT/grubx64.efi
if [ "${ARCH}" == "i586" ]; then
cp $MOUNTDIR/boot/efi/EFI/openmamba/grubia32.efi $MOUNTDIR2/EFI/BOOT/bootia32.efi
fi
# Install shim-signed # Install shim-signed
cp $MOUNTDIR/usr/share/shim-signed/shimx64.efi $MOUNTDIR2/EFI/BOOT/bootx64.efi cp $MOUNTDIR/usr/share/shim-signed/shimx64.efi $MOUNTDIR2/EFI/BOOT/bootx64.efi