From: Michael Prokop Date: Fri, 19 Jun 2020 13:10:56 +0000 (+0200) Subject: Refresh Secure Boot support, supporting new 'debian' method X-Git-Tag: v0.36.0~1 X-Git-Url: http://git.grml.org/?p=grml-live.git;a=commitdiff_plain;h=518eb395d8652ccf260e4fe6fc15af7946fc7c49;hp=518eb395d8652ccf260e4fe6fc15af7946fc7c49 Refresh Secure Boot support, supporting new 'debian' method Secure Boot mode wasn't reliably working, e.g. failing to boot in EFI mode with disabled Secure Boot, but also hard to debug. Now with our move from our own Grml kernel packages to the official Debian kernel ones (which are signed and intended for usage with enabled Secure Boot) it makes sense to support a proper Secure Boot chain without hacks like we used to do (like relying on and old GRUB binary from Ubuntu which supported booting unsigned kernels). We do NOT enable Secure Boot support by default *yet* though, since we need to get more testing of this and right now we're in the middle of an RC version (2020.06-rc1) and the upcoming new stable version of Grml. Relevant changes: * minimize templates/secureboot/grub.cfg: while it's certainly nice to display only entries that are actually working under Secure Boot, it's annoying to have to maintain yet another place of boot menus. Also if something fails with detection of Secure Boot then it's annoying to have to debug this, instead let's display an error message, inform the user about it and ask for debugging information. Instead introduce a new GRUB theme (/boot/grub/grml-theme/sb-theme.txt) which displays a message that we're running in Secure Boot mode. While at it, unify indention in existing /boot/grub/grml-theme/theme.txt. * move templates/EFI/BOOT towards templates/EFI/ubuntu/BOOT/ to be able to support debian and ubuntu methods at the same time * ship GRUB binaries in templates/EFI/debian/, similar to the ones in templates/EFI/ubuntu * switch Ubuntu's grubx64.efi.signed from grubx64.efi.signed to gcdx64.efi.signed; they differ in what GRUB's $prefix variable is set to: * gcdx64.efi.signed uses boot/grub/ * grubx64.efi.signed uses EFI/ubuntu/ -> the code in grml-live itself was adjusted accordingly and this also enables us to generalize the Secure Boot methods debian + ubuntu to use the same code path * drop templates/boot/grub/grmlenv.cfg: everything what's relevant can be taken care of from inside templates/secureboot/grub.cfg, so let's avoid another indirection. We also moved the detection of Secure Boot into templates/secureboot/grub.cfg and reworked it: while Ubuntu's patches have a C function grub_efi_secure_boot(), there's no ready-to-use way to detect Secure Boot. But the wrmsr command is amongst the list of GRUB's disabled_mods and we can distingiush between exit code 18 (wrong invocation/argument usage) and 30 (Secure Boot forbits loading module). * mention secure boot method in execution prompt/summary to be aware of its (non) presence ahead of execution * update etc/grml/grml-live.conf to properly reflect current state of Secure Boot support Thanks: Jordan Uggla for feedback This work was funded by Grml-Forensic. ---