manuel
/
live-build
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
live-build/scripts/build/binary_grub-efi

297 lines
9.4 KiB
Plaintext
Raw Normal View History

Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
#!/bin/sh
## live-build(7) - System Build Scripts
## Copyright (C) 2016 Adrian Gibanel Lopez <adrian15sgd@gmail.com>
##
## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
## This is free software, and you are welcome to redistribute it
## under certain conditions; see COPYING for details.
set -e
# Including common functions
[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'prepares and installs Grub based EFI support into binary')"
HELP=""
USAGE="${PROGRAM} [--force]"
Arguments "${@}"
# Reading configuration files
Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
Set_defaults
Check_Any_Bootloader_Role "grub-efi"
Echo_message "Begin preparing Grub based EFI support..."
# Requiring stage file
Require_stagefile .build/config .build/bootstrap
# Checking stage file
Check_stagefile .build/binary_grub-efi
# Checking lock file
Check_lockfile .lock
# Creating lock file
Create_lockfile .lock
# Check architecture
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
Check_architectures amd64 i386 arm64
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
Check_crossarchitectures
# Checking depends
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
case "${LB_ARCHITECTURES}" in
amd64|i386)
Check_package chroot /usr/lib/grub/x86_64-efi/configfile.mod grub-efi-amd64-bin
Check_package chroot /usr/lib/grub/i386-efi/configfile.mod grub-efi-ia32-bin
;;
arm64)
Check_package chroot /usr/lib/grub/arm64-efi/configfile.mod grub-efi-arm64-bin
;;
esac
Check all dependencies independent of LB_BUILD_WITH_CHROOT Since commit fdc9250bc (Changing package dependency checks within chroot to work outside as well), Check_package automatically checks for LB_BUILD_WITH_CHROOT and works inside as well as outside of the chroot, so no need to check LB_BUILD_WITH_CHROOT before calling them. Install_package and Remove_package are just a no-op when building without chroot, so they can also be called unconditionally. Restore_cache and Save_cache do not check LB_BUILD_WITH_CHROOT but it it should not hurt to call them when not needed (which already happened in some cases). This commit makes all Check_package calls unconditional on LB_BUILD_WITH_CHROOT. For binary_syslinux, this fixes the check (which used outdated paths outside the chroot since 7b6dfd9d1), for binary_grub-efi, binary_package-lists and chroot_package-lists this simplifies the code (but also causes the check to become package-based instead of file-based on apt-based systems), and for binary_loadlin and binary_win32-loader this adds the check outside the chroot which was previously missing.
2017-08-28 09:29:54 +00:00
Check_package chroot /usr/bin/grub-mkimage grub-common
Check_package chroot /usr/bin/mcopy mtools
Check_package chroot /sbin/mkfs.msdos dosfstools
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
# Check UEFI Secure Boot setting and depends
# By default (auto) do a best-effort build: if the signed binaries are available use
# them, but don't fail if they are not, just print a warning.
case "${LB_ARCHITECTURES}" in
amd64|i386)
_SB_EFI_PLATFORM="x86_64"
_SB_EFI_NAME="x64"
_SB_EFI_DEB="amd64"
;;
arm64)
_SB_EFI_PLATFORM="arm64"
_SB_EFI_NAME="aa64"
_SB_EFI_DEB="arm64"
;;
esac
_PRE_SB_PACKAGES="${_LB_PACKAGES}"
_LB_PACKAGES="shim-signed grub-efi-${_SB_EFI_DEB}-signed"
case "${LB_UEFI_SECURE_BOOT}" in
auto)
# Use Check_installed, as Check_package will error out immediately
set +e
Install_package
set -e
Use gcd{x64.aa64}.efi.signed for amd64/arm64 arch. For secured boot in binary_grub-efi, the gcdx64.efi.signed is the boot loader for removable device, like CD or USB flash drive, while grubx64.efi.signed is for hard drive. Therefore for live system, use gcdx64.efi.signed for amd64 and gcdaa64.efi.signed for arm64.
2018-08-22 03:43:40 +00:00
Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
grub-efi-${_SB_EFI_DEB}-signed
_GRUB_INSTALL_STATUS="${INSTALL_STATUS}"
Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
shim-signed
if [ "${INSTALL_STATUS}" -ne 0 -o "${_GRUB_INSTALL_STATUS}" -ne 0 ]
then
Echo_warning "UEFI Secure Boot disabled due to missing signed Grub/Shim."
else
Echo_message "UEFI Secure Boot support enabled."
fi
;;
enable)
Use gcd{x64.aa64}.efi.signed for amd64/arm64 arch. For secured boot in binary_grub-efi, the gcdx64.efi.signed is the boot loader for removable device, like CD or USB flash drive, while grubx64.efi.signed is for hard drive. Therefore for live system, use gcdx64.efi.signed for amd64 and gcdaa64.efi.signed for arm64.
2018-08-22 03:43:40 +00:00
Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
grub-efi-${_SB_EFI_DEB}-signed
Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
shim-signed
Install_package
Echo_message "UEFI Secure Boot support enabled."
;;
disable)
Echo_message "UEFI Secure Boot support disabled."
;;
esac
_LB_PACKAGES="${_PRE_SB_PACKAGES}"
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
# Setting destination directory
case "${LIVE_IMAGE_TYPE}" in
hdd*|netboot)
Echo_warning "Bootloader in this image type not yet supported by live-build."
Echo_warning "This would produce a not bootable image, aborting (FIXME)."
exit 1
;;
esac
# Restoring cache
Restore_cache cache/packages.binary
# Installing depends
Install_package
# Cleanup files that we generate
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
rm -rf binary/boot/efi.img binary/boot/grub/i386-efi/ binary/boot/grub/x86_64-efi binary/boot/grub/arm64-efi
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
# This is workaround till both efi-image and grub-cpmodules are put into a binary package
case "${LB_BUILD_WITH_CHROOT}" in
true)
if [ ! -e "${LIVE_BUILD}" ] ; then
LIVE_BUILD_PATH="/usr/lib/live/build"
else
LIVE_BUILD_PATH="${LIVE_BUILD}/scripts/build"
fi
mkdir -p chroot/${LIVE_BUILD_PATH}
cp "${LIVE_BUILD_PATH}/efi-image" "chroot/${LIVE_BUILD_PATH}"
cp "${LIVE_BUILD_PATH}/grub-cpmodules" "chroot/${LIVE_BUILD_PATH}"
Check all dependencies independent of LB_BUILD_WITH_CHROOT Since commit fdc9250bc (Changing package dependency checks within chroot to work outside as well), Check_package automatically checks for LB_BUILD_WITH_CHROOT and works inside as well as outside of the chroot, so no need to check LB_BUILD_WITH_CHROOT before calling them. Install_package and Remove_package are just a no-op when building without chroot, so they can also be called unconditionally. Restore_cache and Save_cache do not check LB_BUILD_WITH_CHROOT but it it should not hurt to call them when not needed (which already happened in some cases). This commit makes all Check_package calls unconditional on LB_BUILD_WITH_CHROOT. For binary_syslinux, this fixes the check (which used outdated paths outside the chroot since 7b6dfd9d1), for binary_grub-efi, binary_package-lists and chroot_package-lists this simplifies the code (but also causes the check to become package-based instead of file-based on apt-based systems), and for binary_loadlin and binary_win32-loader this adds the check outside the chroot which was previously missing.
2017-08-28 09:29:54 +00:00
_CHROOT_DIR=""
;;
false)
_CHROOT_DIR="chroot"
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
;;
esac
#####
cat >binary.sh <<END
#!/bin/sh
set -e
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
gen_efi_boot_img(){
local platform="\$1"
local efi_name="\$2"
local netboot_prefix="\$3"
local outdir="grub-efi-temp-\${platform}"
"\${LIVE_BUILD_PATH}/efi-image" "${_CHROOT_DIR}/\$outdir" "\$platform" "\$efi_name" "\$netboot_prefix"
UEFI: use uppercase EFI directory name for Tianocore The Tianocore reference UEFI implementation, used for example by Qemu, wants the EFI directory name to be uppercase in the fat32 partition when Secure Boot is enabled, and will fail to load otherwise.
2018-02-27 18:30:19 -01:00
mkdir -p ${_CHROOT_DIR}/grub-efi-temp/EFI/boot
mcopy -n -i ${_CHROOT_DIR}/\$outdir/efi.img '::efi/boot/boot*.efi' ${_CHROOT_DIR}/grub-efi-temp/EFI/boot
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
cp -r "${_CHROOT_DIR}"/\$outdir/* "${_CHROOT_DIR}/grub-efi-temp/"
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
# Secure Boot support:
UEFI: use uppercase EFI directory name for Tianocore The Tianocore reference UEFI implementation, used for example by Qemu, wants the EFI directory name to be uppercase in the fat32 partition when Secure Boot is enabled, and will fail to load otherwise.
2018-02-27 18:30:19 -01:00
# - create the EFI directory in the ESP with uppercase letters to make
# certain firmwares (eg: TianoCore) happy
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
# - use shim as the boot<arch>.efi that gets loaded first by the firmware
# - drop a grub.cfg (same reason as below) in the cfg directory as configured
UEFI: parse vendor from Grub package metadata When using Secure Boot, grub2 as built by Debian will now load a config file from EFI/$VENDOR instead of having EFI/debian hardcoded. $VENDOR comes from dpkg-vendor or from the user building grub2. The vendor string is stored in the control metadata as Efi-Vendor, so retrieve it when building the EFI image.
2018-06-06 12:41:35 +00:00
# by the signed grub efi binary creation. This is set dynamically when grub2 is
# built with the ouput of dpkg-vendor, and can be overridden by the builder, so
# we do the same here in live-build.
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
# - the source paths are taken from shim-signed:
# https://packages.debian.org/sid/amd64/shim-signed/filelist
# and grub-efi-amd64-signed, currently in Ubuntu:
# https://packages.ubuntu.com/xenial/amd64/grub-efi-amd64-signed/filelist
# https://packages.ubuntu.com/bionic/arm64/grub-efi-arm64-signed/filelist
Use gcd{x64.aa64}.efi.signed for amd64/arm64 arch. For secured boot in binary_grub-efi, the gcdx64.efi.signed is the boot loader for removable device, like CD or USB flash drive, while grubx64.efi.signed is for hard drive. Therefore for live system, use gcdx64.efi.signed for amd64 and gcdaa64.efi.signed for arm64.
2018-08-22 03:43:40 +00:00
# E.g., gcdx64.efi.signed is the boot loader for removable device, like CD or
# USB flash drive, while grubx64.efi.signed is for hard drive.
# Therefore here gcdx64.efi.signed is used for amd64 and gcdaa64.efi.signed is
# for arm64.
if [ -r ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/gcd\$efi_name.efi.signed -a \
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
-r ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed -a \
"${LB_UEFI_SECURE_BOOT}" != "disable" ]; then
Use gcd{x64.aa64}.efi.signed for amd64/arm64 arch. For secured boot in binary_grub-efi, the gcdx64.efi.signed is the boot loader for removable device, like CD or USB flash drive, while grubx64.efi.signed is for hard drive. Therefore for live system, use gcdx64.efi.signed for amd64 and gcdaa64.efi.signed for arm64.
2018-08-22 03:43:40 +00:00
cp ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/gcd\$efi_name.efi.signed \
UEFI: use uppercase EFI directory name for Tianocore The Tianocore reference UEFI implementation, used for example by Qemu, wants the EFI directory name to be uppercase in the fat32 partition when Secure Boot is enabled, and will fail to load otherwise.
2018-02-27 18:30:19 -01:00
${_CHROOT_DIR}/grub-efi-temp/EFI/boot/grub\$efi_name.efi
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
cp ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed \
UEFI: use uppercase EFI directory name for Tianocore The Tianocore reference UEFI implementation, used for example by Qemu, wants the EFI directory name to be uppercase in the fat32 partition when Secure Boot is enabled, and will fail to load otherwise.
2018-02-27 18:30:19 -01:00
${_CHROOT_DIR}/grub-efi-temp/EFI/boot/boot\$efi_name.efi
UEFI: add support for Secure Boot on amd64 and arm64 Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first-stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be. So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions. The new option --uefi-secure-boot can be set to auto (default, enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure - live-build will simply fallback to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected. Closes: #821084
2018-02-27 18:28:33 -01:00
fi
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
}
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
PRE_EFI_IMAGE_PATH="${PATH}"
if [ ! -e "${LIVE_BUILD}" ] ; then
LIVE_BUILD_PATH="/usr/lib/live/build"
else
LIVE_BUILD_PATH="${LIVE_BUILD}/scripts/build"
fi
PATH="${PATH}:\${LIVE_BUILD_PATH}" # Make sure grub-cpmodules is used as if it was installed in the system
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
case "${LB_ARCHITECTURES}" in
amd64|i386)
gen_efi_boot_img "x86_64-efi" "x64" "debian-live/amd64"
gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386"
PATH="\${PRE_EFI_IMAGE_PATH}"
;;
arm64)
gen_efi_boot_img "arm64-efi" "aa64" "debian-live/arm64"
PATH="\${PRE_EFI_IMAGE_PATH}"
;;
esac
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
UEFI: add minimal grub.cfg to fat32 partition On some UEFI implementations, like the AMI found in the Supermicro X10SDV-TP8F development board, the fat32 partition will be loaded first and so Grub will set it the root, and then drop to the console as it cannot find any config on it. Add a minimal grub.cfg that allows Grub to find the main config on the ISO 9660 partition and load it. Closes: #892406
2018-02-27 18:23:41 -01:00
# On some platforms the EFI grub image will be loaded, so grub's root
# variable will be set to the EFI partition. This means that grub will
# look in that partition for a grub.cfg file, and even if it finds it
# it will not be able to find the vmlinuz and initrd.
# Drop a minimal grub.cfg in the EFI partition that sets the root and prefix
# to whatever partition holds the /live/vmlinuz image, and load the grub
# config from that same partition.
# This is what the Ubuntu livecd already does.
mkdir -p ${_CHROOT_DIR}/grub-efi-temp-cfg
cat >${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg <<EOF
search --set=root --file /live/vmlinuz
set prefix=(\\\$root)/boot/grub
configfile (\\\$root)/boot/grub/grub.cfg
EOF
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
# The code below is adapted from tools/boot/jessie/boot-x86
# in debian-cd
# Stuff the EFI boot files into a FAT filesystem, making it as
# small as possible. 24KiB headroom seems to be enough;
# (x+31)/32*32 rounds up to multiple of 32.
# This is the same as in efi-image, but we need to redo it here in
# the case of a multi-arch amd64/i386 image
size=0
UEFI: use uppercase EFI directory name for Tianocore The Tianocore reference UEFI implementation, used for example by Qemu, wants the EFI directory name to be uppercase in the fat32 partition when Secure Boot is enabled, and will fail to load otherwise.
2018-02-27 18:30:19 -01:00
for file in ${_CHROOT_DIR}/grub-efi-temp/EFI/boot/*.efi \
UEFI: add minimal grub.cfg to fat32 partition On some UEFI implementations, like the AMI found in the Supermicro X10SDV-TP8F development board, the fat32 partition will be loaded first and so Grub will set it the root, and then drop to the console as it cannot find any config on it. Add a minimal grub.cfg that allows Grub to find the main config on the ISO 9660 partition and load it. Closes: #892406
2018-02-27 18:23:41 -01:00
${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg; do
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
size=\$((\$size + \$(stat -c %s "\$file")))
done
UEFI: use uppercase EFI directory name for Tianocore The Tianocore reference UEFI implementation, used for example by Qemu, wants the EFI directory name to be uppercase in the fat32 partition when Secure Boot is enabled, and will fail to load otherwise.
2018-02-27 18:30:19 -01:00
# directories: EFI EFI/boot boot boot/grub
UEFI: add minimal grub.cfg to fat32 partition On some UEFI implementations, like the AMI found in the Supermicro X10SDV-TP8F development board, the fat32 partition will be loaded first and so Grub will set it the root, and then drop to the console as it cannot find any config on it. Add a minimal grub.cfg that allows Grub to find the main config on the ISO 9660 partition and load it. Closes: #892406
2018-02-27 18:23:41 -01:00
size=\$((\$size + 4096 * 4))
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
blocks=\$(((\$size / 1024 + 55) / 32 * 32 ))
rm -f ${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img
mkfs.msdos -C "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" \$blocks >/dev/null
UEFI: use uppercase EFI directory name for Tianocore The Tianocore reference UEFI implementation, used for example by Qemu, wants the EFI directory name to be uppercase in the fat32 partition when Secure Boot is enabled, and will fail to load otherwise.
2018-02-27 18:30:19 -01:00
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::EFI
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::EFI/boot
mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp/EFI/boot/*.efi \
"::EFI/boot"
UEFI: add minimal grub.cfg to fat32 partition On some UEFI implementations, like the AMI found in the Supermicro X10SDV-TP8F development board, the fat32 partition will be loaded first and so Grub will set it the root, and then drop to the console as it cannot find any config on it. Add a minimal grub.cfg that allows Grub to find the main config on the ISO 9660 partition and load it. Closes: #892406
2018-02-27 18:23:41 -01:00
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot
mmd -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ::boot/grub
mcopy -o -i "${_CHROOT_DIR}/grub-efi-temp/boot/grub/efi.img" ${_CHROOT_DIR}/grub-efi-temp-cfg/grub.cfg \
"::boot/grub"
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
END
case "${LB_BUILD_WITH_CHROOT}" in
true)
Drop useless code in binary_grub-efi
2016-12-02 12:57:45 -01:00
mv binary.sh chroot/
Chroot chroot "sh binary.sh"
rm -f chroot/binary.sh
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
Drop useless code in binary_grub-efi
2016-12-02 12:57:45 -01:00
# Saving cache
Save_cache cache/packages.binary
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
Drop useless code in binary_grub-efi
2016-12-02 12:57:45 -01:00
# Removing depends
Remove_package
;;
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
Drop useless code in binary_grub-efi
2016-12-02 12:57:45 -01:00
false)
sh binary.sh
rm -f binary.sh
;;
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
esac
# Remove unnecessary files
rm -f chroot/grub-efi-temp/bootnetia32.efi
rm -f chroot/grub-efi-temp/bootnetx64.efi
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
rm -f chroot/grub-efi-temp/bootnetaa64.efi
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
mkdir -p binary
cp -r chroot/grub-efi-temp/* binary/
rm -rf chroot/grub-efi-temp-x86_64-efi
rm -rf chroot/grub-efi-temp-i386-efi
Add grub-based UEFI boot support for ARM64 Closes: #885692 Fixes: !2 Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
2018-02-28 13:39:32 -01:00
rm -rf chroot/grub-efi-temp-arm64-efi
UEFI: add minimal grub.cfg to fat32 partition On some UEFI implementations, like the AMI found in the Supermicro X10SDV-TP8F development board, the fat32 partition will be loaded first and so Grub will set it the root, and then drop to the console as it cannot find any config on it. Add a minimal grub.cfg that allows Grub to find the main config on the ISO 9660 partition and load it. Closes: #892406
2018-02-27 18:23:41 -01:00
rm -rf chroot/grub-efi-temp-cfg
Added EFI support by the means of grub-efi This work is based on debian-cd team work and uses, as much as possible, the same mkisofs options than the Debian Installation CD disk does. It assumes that /boot/grub/grub.cfg (and other design items) is generated by: binary_loopback_cfg . It relies on efi-image and grub-cpmodules being setup as build scripts on live-build package. In the future event of these two files being moved to a binary package (they are originally from: src: live-installer) the binary_grub-efi script would have to be rewritten to take the new paths into account.
2016-01-18 02:21:39 -01:00
rm -rf chroot/grub-efi-temp
# We rely on: binary_loopback_cfg to generate grub.cfg and other configuration files
# Creating stage file
Create_stagefile .build/binary_grub-efi