X-Git-Url: https://git.grml.org/?p=grml-live.git;a=blobdiff_plain;f=templates%2Fsecureboot%2Fgrub.cfg;h=0fc7e267ca531a1b96ac77bfa49a6784734f8e62;hp=f98e37ede8b6d624cc6f711f0fbd8fc1a4e9530c;hb=518eb395d865;hpb=4b6fd81a229ade6a863452ec978eec6b9015d993
diff --git a/templates/secureboot/grub.cfg b/templates/secureboot/grub.cfg
index f98e37e..0fc7e26 100644
--- a/templates/secureboot/grub.cfg
+++ b/templates/secureboot/grub.cfg
@@ -1,3 +1,6 @@
+# Secure Boot support
+# We are supposed to end up in this file only when running with enabled Secure Boot
+
 set grml_orig_prefix=$prefix
 export grml_orig_prefix
 set grml_orig_root=$root
@@ -5,104 +8,36 @@ export grml_orig_root search.file %BOOT_FILE% root set prefix=($root)/boot/grub/ -source ($root)/boot/grub/grmlenv.cfg -if [ "$grml_secureboot" = false ] ; then - configfile /boot/grub/grub.cfg - # if that fails we need to fallback, but how? +# this is a simple test to identify whether GRUB is running in Secure Boot mode +# or not; "wrmsr" is in the list of disabled_mods of GRUB and is supposed to be +# invoked with two arguments (and if not fails with exit code 18), but when +# running under Secure Boot it fails with: "error: Secure Boot forbits loading +# module from [...]/boot/grub/x86_64-efi/wrmsr.mod" + returns with exit code 30 +wrmsr +if [ $? = 30 ] ; then + echo "It looks like Secure Boot is enabled." + set grml_secureboot=true + export grml_secureboot else - if [ "$grml_orig_prefix" != "" ] ; then - set prefix=$grml_orig_prefix - fi - - # this is basically a copy of templates/boot/grub/header.cfg but to avoid - # failures due to Secure Boot restrictions and sourcing addons.cfg via - # /boot/grub/loopback.cfg (and then showing entries that are at the wrong - # position as well as don't work at all) we have to specify the appropriate - # config here - set timeout=20 - if loadfont /boot/grub/ascii.pf2 ; then - set gfxmode=auto - insmod efi_gop - insmod efi_uga - insmod gfxterm - insmod png - terminal_output gfxterm - fi - - if [ -f /boot/grub/%GRML_NAME%-theme/theme.txt ] ; then - set theme=/boot/grub/%GRML_NAME%-theme/theme.txt - export theme - elif [ -f /boot/grub/grml-theme/theme.txt ] ; then - set theme=/boot/grub/grml-theme/theme.txt - export theme - else - set menu_color_normal=white/black - set menu_color_highlight=black/light-gray - set color_normal=white/black - fi - - menuentry "Boot %GRML_NAME% in normal mode (release %VERSION%, Secure Boot enabled)" { - set gfxpayload=keep - echo 'Loading kernel...' 
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 - echo 'Loading initrd...' - initrd /boot/%SHORT_NAME%/initrd.img - } - - menuentry "Boot %GRML_NAME% - enable persistency" { - set gfxpayload=keep - echo 'Loading kernel...' - linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 persistence - echo 'Loading initrd...' - initrd /boot/%SHORT_NAME%/initrd.img - } - - menuentry "Boot %GRML_NAME% - copy %GRML_NAME% to RAM" { - set gfxpayload=keep - echo 'Loading kernel...' - linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 toram=%GRML_NAME%.squashfs - echo 'Loading initrd...' - initrd /boot/%SHORT_NAME%/initrd.img - } + echo "It looks like Secure Boot is NOT enabled." + set grml_secureboot=false + export grml_secureboot +fi - menuentry "Boot %GRML_NAME% - copy whole medium to RAM" { - set gfxpayload=keep - echo 'Loading kernel...' - linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 toram - echo 'Loading initrd...' - initrd /boot/%SHORT_NAME%/initrd.img - } +if [ -e /boot/grub/grub.cfg ] ; then + configfile /boot/grub/grub.cfg +else + echo "ERROR: It looks like SecureBoot is enabled but reading GRUB configuration failed. - menuentry "Boot %GRML_NAME% - disable framebuffer/kernel mode setting" { - set gfxpayload=keep - echo 'Loading kernel...' - linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 video=vesafb:off cirrus.modeset=0 i915.modeset=0 mgag200.modeset=0 nomodeset nouveau.modeset=0 radeon.modeset=0 - echo 'Loading initrd...' 
- initrd /boot/%SHORT_NAME%/initrd.img - } +Please execute the following commands and provide the output to the Grml team: - menuentry "Boot %GRML_NAME% - enable forensic mode" { - set gfxpayload=keep - echo 'Loading kernel...' - linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 read-only nofstab noraid nodmraid nolvm noautoconfig noswap raid=noautodetect - echo 'Loading initrd...' - initrd /boot/%SHORT_NAME%/initrd.img - } +echo \$prefix +echo \$root +echo \$grml_orig_prefix +echo \$grml_orig_root +search.file /boot/grub/grub.cfg - menuentry "Boot %GRML_NAME% - enable serial console" { - set gfxpayload=keep - echo 'Loading kernel...' - linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 video=vesafb:off console=tty1 console=ttyS0,9600n8 - echo 'Loading initrd...' - initrd /boot/%SHORT_NAME%/initrd.img - } +Hint: Create a screenshot or a picture with your digital camera or mobile phone." - menuentry "Boot %GRML_NAME% - debug mode" { - set gfxpayload=keep - echo 'Loading kernel...' - linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 initcall verbose debug=vc systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M - echo 'Loading initrd...' - initrd /boot/%SHORT_NAME%/initrd.img - } fi
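Review bot: The fallback message in the final `else` branch states that Secure Boot is enabled even when the `wrmsr` probe just above has set `grml_secureboot=false`, so on such a machine the user would see "Secure Boot is NOT enabled" followed by an error claiming the opposite. I would report the detected value instead, for example by opening that message with `echo "ERROR: reading GRUB configuration failed (grml_secureboot=$grml_secureboot).`, so the output sent to the Grml team stays consistent with the probe. The probe also maps every status other than 30 to "not enabled", which presumably includes the case where `wrmsr.mod` cannot be found at all (the comment only names `x86_64-efi`). A comment such as `# heuristic only: used to pick the right menu, never as a trust decision` above the `if [ $? = 30 ]` line would make clear that the exported variable is a hint for the configuration that is loaded next. The comment typo "forbits" (for "forbids") could be corrected in the same pass.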