UEFI-secure: Don't attempt to load unsigned modules
The part_*.mod modules are not inside the signed .efi-file, so they must not be 'insmod'ed in secure boot mode.
parent
2944c4652a
commit
7b36f5b0ad
|
@ -57,17 +57,22 @@ EOF
|
|||
find $workdir -newermt "$(date -d@${SOURCE_DATE_EPOCH} '+%Y-%m-%d %H:%M:%S')" -exec touch '{}' -d@${SOURCE_DATE_EPOCH} ';'
|
||||
|
||||
mkdir -p "$outdir/boot/grub/$platform"
|
||||
(for i in /usr/lib/grub/$platform/part_*.mod; do
|
||||
# All partition modules will be activated, unless UEFI secure boot is active (they are not signed)
|
||||
PARTITIONLIST=""
|
||||
(echo "if [ x$grub_platform == xefi -a x$lockdown != xy ] ; then "; \
|
||||
for i in /usr/lib/grub/$platform/part_*.mod; do
|
||||
i=`echo $i | sed 's?^.*/??g;s?\.mod$??g;'`
|
||||
echo "insmod $i"
|
||||
PARTITIONLIST="${PARTITIONLIST} $i"
|
||||
done; \
|
||||
echo "fi"; \
|
||||
echo "source /boot/grub/grub.cfg") >"$outdir/boot/grub/$platform/grub.cfg"
|
||||
|
||||
# Build the core image.
|
||||
(cd "$workdir"; tar -cf - boot) >"$memdisk_img"
|
||||
grub-mkimage -O "$platform" -m "$memdisk_img" \
|
||||
-o "$workdir/boot$efi_name.efi" -p '(memdisk)/boot/grub' \
|
||||
search iso9660 configfile normal memdisk tar part_msdos part_gpt fat
|
||||
search iso9660 configfile normal memdisk tar ${PARTITIONLIST} fat
|
||||
|
||||
grub-mkimage -O "$platform" \
|
||||
-o "$outdir/bootnet$efi_name.efi" -p "$netboot_prefix/grub" \
|
||||
|
|
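Review bot: `PARTITIONLIST` is appended to inside the `( … )` subshell that writes grub.cfg, so the value is discarded when the subshell exits and the `grub-mkimage` line using `${PARTITIONLIST}` gets an empty list; the core image then loses the `part_msdos` and `part_gpt` modules it previously embedded. The line `echo "if [ x$grub_platform == xefi -a x$lockdown != xy ] ; then "` is double-quoted, so the build shell expands `$grub_platform` and `$lockdown` itself (presumably unset at this point, which is not visible here). The generated grub.cfg then carries a constant test rather than a runtime secure-boot check. As written, the `insmod` lines would never run and no partition module would be built in either, which goes further than the commit message intends. Collecting the names in the current shell before the subshell and single-quoting the `if` line fixes both, as sketched below (indentation is approximate because the rendered page lost it).

```sh
# Collect module names in the current shell so the list survives for grub-mkimage.
PARTITIONLIST=""
for i in /usr/lib/grub/$platform/part_*.mod; do
  i=`echo $i | sed 's?^.*/??g;s?\.mod$??g;'`
  PARTITIONLIST="${PARTITIONLIST} $i"
done
# Single quotes: $grub_platform and $lockdown must reach grub.cfg unexpanded.
(echo 'if [ x$grub_platform == xefi -a x$lockdown != xy ] ; then '
 for i in ${PARTITIONLIST}; do
   echo "insmod $i"
 done
 # … unchanged: echo "fi", echo "source /boot/grub/grub.cfg", redirect into grub.cfg …
```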