From: Michael Prokop <mika@grml.org>
Date: Fri, 19 Jun 2020 13:13:36 +0000 (+0200)
Subject: Support Grml's new Secure Boot approach
X-Git-Tag: v0.18.3~5
X-Git-Url: http://git.grml.org/?p=grml2usb.git;a=commitdiff_plain;h=92ffc08bb28f73c79f195ded2fba02eeebfe925b;hp=92ffc08bb28f73c79f195ded2fba02eeebfe925b

Support Grml's new Secure Boot approach

Secure Boot support was kind of broken and in grml-live commit 518eb395d
we reworked the layout and handling of the configuration.
The main change is the new GRUB prefix /boot/grub/grub.cfg instead
of /EFI/ubuntu. We need to adopt this accordingly, though it's probably
not worth being backwards compatible (given that we never released
official Grml ISOs with Secure Boot).

NOTE: the configuration file /boot/grub/grub.cfg *inside* the efi.img
doesn't get adjusted via handle_grub_config() yet, so if we should ever
add custom boot entries directly into this grub configuration file
(which is known as the grml-live template file
templates/secureboot/grub.cfg), we'd have to adjust handle_grub_config()
or invoke handle_grub_config() from inside handle_secure_boot().

Also we install the grub.cfg from inside EFI as /boot/grub/x86_64-efi/grub.cfg.
Looking at GRUB's default configuration file (see `cat
(memdisk)/grub.cfg`) shows that if /boot/grub/x86_64-efi/grub.cfg exists
it's getting sourced before /boot/grub/grub.cfg.  Since our *actual*
GRUB configuration of the Grml ISO is residing as /boot/grub/grub.cfg,
we can use /boot/grub/x86_64-efi/grub.cfg to control behavior in Secure
Boot mode.

Also ensure we take over file /conf/bootfile_*, which we
rely on from with grml-live's templates/secureboot/grub.cfg.

This work was funded by Grml-Forensic.
---