+# Secure Boot support
+# We are supposed to end up in this file only when running with enabled Secure Boot
+
set grml_orig_prefix=$prefix
export grml_orig_prefix
set grml_orig_root=$root
export grml_orig_root
-search.file /boot/grub/grmlenv.cfg root
+search.file %BOOT_FILE% root
set prefix=($root)/boot/grub/
-source ($root)/boot/grub/grmlenv.cfg
-if [ "$grml_secureboot" = false ] ; then
- configfile /boot/grub/grub.cfg
- # if that fails we need to fallback, but how?
+# this is a simple test to identify whether GRUB is running in Secure Boot mode
+# or not; "wrmsr" is in the list of disabled_mods of GRUB and is supposed to be
+# invoked with two arguments (and if not fails with exit code 18), but when
+# running under Secure Boot it fails with: "error: Secure Boot forbits loading
+# module from [...]/boot/grub/x86_64-efi/wrmsr.mod" + returns with exit code 30
+wrmsr
+if [ $? = 30 ] ; then
+ echo "It looks like Secure Boot is enabled."
+ set grml_secureboot=true
+ export grml_secureboot
else
- if [ "$grml_orig_prefix" != "" ] ; then
- set prefix=$grml_orig_prefix
- fi
-
- # this is basically a copy of templates/boot/grub/header.cfg but to avoid
- # failures due to Secure Boot restrictions and sourcing addons.cfg via
- # /boot/grub/loopback.cfg (and then showing entries that are at the wrong
- # position as well as don't work at all) we have to specify the appropriate
- # config here
- set timeout=20
- if loadfont /boot/grub/ascii.pf2 ; then
- set gfxmode=auto
- insmod efi_gop
- insmod efi_uga
- insmod gfxterm
- insmod png
- terminal_output gfxterm
- fi
-
- if [ -f /boot/grub/%GRML_NAME%-theme/theme.txt ] ; then
- set theme=/boot/grub/%GRML_NAME%-theme/theme.txt
- export theme
- elif [ -f /boot/grub/grml-theme/theme.txt ] ; then
- set theme=/boot/grub/grml-theme/theme.txt
- export theme
- else
- set menu_color_normal=white/black
- set menu_color_highlight=black/light-gray
- set color_normal=white/black
- fi
-
- menuentry "Boot %GRML_NAME% in normal mode (release %VERSION%, Secure Boot enabled)" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
-
- menuentry "Boot %GRML_NAME% - enable persistency" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 persistence
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
-
- menuentry "Boot %GRML_NAME% - copy %GRML_NAME% to RAM" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 toram=%GRML_NAME%.squashfs
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+ echo "It looks like Secure Boot is NOT enabled."
+ set grml_secureboot=false
+ export grml_secureboot
+fi
- menuentry "Boot %GRML_NAME% - copy whole medium to RAM" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 toram
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+if [ -e /boot/grub/grub.cfg ] ; then
+ configfile /boot/grub/grub.cfg
+else
+ echo "ERROR: It looks like SecureBoot is enabled but reading GRUB configuration failed.
- menuentry "Boot %GRML_NAME% - disable framebuffer/kernel mode setting" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 video=vesafb:off cirrus.modeset=0 i915.modeset=0 mgag200.modeset=0 nomodeset nouveau.modeset=0 radeon.modeset=0
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+Please execute the following commands and provide the output to the Grml team:
- menuentry "Boot %GRML_NAME% - enable forensic mode" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 read-only nofstab noraid nodmraid nolvm noautoconfig noswap raid=noautodetect
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+echo \$prefix
+echo \$root
+echo \$grml_orig_prefix
+echo \$grml_orig_root
+search.file /boot/grub/grub.cfg
- menuentry "Boot %GRML_NAME% - enable serial console" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 video=vesafb:off console=tty1 console=ttyS0,9600n8
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+Hint: Create a screenshot or a picture with your digital camera or mobile phone."
- menuentry "Boot %GRML_NAME% - debug mode" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 initcall verbose debug=vc systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
fi