# HYBRID_METHOD='grub2' # use manifold with GRUB 2
# HYBRID_METHOD='manifold' # use manifold with ISOLINUX (default)
-# By default Secure Boot is enabled using the approach from Ubuntu.
-# Currently only the Ubuntu approach is supported, which is restricted
-# to loading Linux kernels and using a minimal version of GRUB.
-# If unset defaults to "ubuntu"
-# SECURE_BOOT='disable' # do not enable Secure Boot
-# SECURE_BOOT="ubuntu" # use approach from Ubuntu
+# Secure Boot method that should be used (amd64 only).
+# If unset defaults to "disabled" (which means no Secure Boot will be present)
+# The following approaches are supported:
+# debian: use the Debian GRUB version which requires a signed kernel,
+# this is the recommended way to use Secure Boot with Grml
+# ubuntu: use an older Ubuntu GRUB version which doesn't require a signed kernel,
+# though has a limited feature set only and requires customized GRUB
+# templates (the files shipped templates/boot/grub/ don't work as such)
+# SECURE_BOOT='disable' # do not enable Secure Boot (default)
+# SECURE_BOOT='debian' # use approach from Debian
+# SECURE_BOOT='ubuntu' # use approach from Ubuntu
# Binary that should be used for creating the squashfs file.
# Defaults to the executable matching the kernel version, falls back to mksquashfs.
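Review bot: The default value is documented inconsistently in this hunk: the prose says unset defaults to `"disabled"` while the sample line uses `SECURE_BOOT='disable'`; both happen to be accepted by the script's `disable*)` pattern, but the documentation should name the one canonical spelling, e.g. `# If unset defaults to 'disable' (no Secure Boot support is added to the image)`. The parenthetical on the ubuntu line reads awkwardly; suggested wording: `# templates (the templates shipped in templates/boot/grub/ do not work with it as-is)`. The comment also states "amd64 only", but nothing in this config hunk ties that to `ARCH`; if the script does not enforce it, a sentence saying what happens on other architectures would help operators.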
[ -n "$ARCH" ] && echo " Architecture: $ARCH"
[ -n "$BOOT_METHOD" ] && echo " Boot method: $BOOT_METHOD"
[ -n "$HYBRID_METHOD" ] && echo " Hybrid method: $HYBRID_METHOD"
+ [ -n "$SECURE_BOOT" ] && echo " Secure Boot: $SECURE_BOOT"
[ -n "$TEMPLATE_DIRECTORY" ] && echo " Template files: $TEMPLATE_DIRECTORY"
[ -n "$CHROOT_INSTALL" ] && echo " Install files from directory to chroot: $CHROOT_INSTALL"
[ -n "$BOOTID" ] && echo " Boot identifier: $BOOTID"
log "Generated 64-bit EFI image $BOOTX64"
einfo "Generated 64-bit EFI image $BOOTX64" ; eend 0
else
- log "Secure Boot is enabled [mode: $SECURE_BOOT]"
- einfo "Secure Boot is enabled [mode: $SECURE_BOOT]" ; eend 0
+ case "${SECURE_BOOT}" in
+ disable*)
+ log "Secure Boot is disabled [mode: ${SECURE_BOOT}]"
+ einfo "Secure Boot is disabled [mode: ${SECURE_BOOT}]" ; eend 0
+ ;;
+ debian|ubuntu)
+ log "Secure Boot is enabled [mode: ${SECURE_BOOT}]"
+ einfo "Secure Boot is enabled [mode: ${SECURE_BOOT}]" ; eend 0
+
+ local GRUBCFG_TEMPLATE="${TEMPLATE_DIRECTORY}/secureboot/grub.cfg"
+ local GRUBCFG_TMP=$(mktemp)
+
+ if ! [ -r "${GRUBCFG_TEMPLATE}" ] ; then
+ log "Secure Boot template for GRUB [${GRUBCFG_TEMPLATE}] not found."
+ eerror "Secure Boot template for GRUB [${GRUBCFG_TEMPLATE}] not found." ; eend 1
+ bailout 54
+ fi
- if [ "${SECURE_BOOT}" = "ubuntu" ] ; then
- local GRUBCFG_TEMPLATE="${TEMPLATE_DIRECTORY}/secureboot/grub.cfg"
- local GRUBCFG_TMP=$(mktemp)
+ cp "${GRUBCFG_TEMPLATE}" "${GRUBCFG_TMP}"
+ adjust_boot_files "${GRUBCFG_TMP}"
- if ! [ -r "${GRUBCFG_TEMPLATE}" ] ; then
- log "Secure Boot template for GRUB [${GRUBCFG_TEMPLATE}] not found."
- eerror "Secure Boot template for GRUB [${GRUBCFG_TEMPLATE}] not found." ; eend 1
- bailout 54
- fi
+ mmd -i "${CHROOT_OUTPUT}/${EFI_IMG}" ::boot || bailout 55
+ mmd -i "${CHROOT_OUTPUT}/${EFI_IMG}" ::boot/grub || bailout 55
+ mcopy -i "${CHROOT_OUTPUT}/${EFI_IMG}" "${GRUBCFG_TMP}" ::boot/grub/grub.cfg || bailout 56
- cp "${GRUBCFG_TEMPLATE}" "${GRUBCFG_TMP}"
- adjust_boot_files "${GRUBCFG_TMP}"
+ rm "${GRUBCFG_TMP}"
- mmd -i "${CHROOT_OUTPUT}/${EFI_IMG}" ::EFI/ubuntu || bailout 55
- mcopy -i "${CHROOT_OUTPUT}/${EFI_IMG}" "${GRUBCFG_TMP}" ::EFI/ubuntu/grub.cfg || bailout 56
- rm "${GRUBCFG_TMP}"
+ if [ -r "${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/grubx64.efi.signed" ] ; then
+ mcopy -i "${CHROOT_OUTPUT}/${EFI_IMG}" "${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/grubx64.efi.signed" ::EFI/BOOT/grubx64.efi >/dev/null || bailout 57
+ else
+ log "Secure Boot GRUB binary '${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/grubx64.efi.signed' not found."
+ eerror "Secure Boot GRUB binary '${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/grubx64.efi.signed' not found." ; eend 1
+ bailout 57
+ fi
- mcopy -i "${CHROOT_OUTPUT}/${EFI_IMG}" "${TEMPLATE_DIRECTORY}"/EFI/BOOT/grubx64.efi.signed ::EFI/BOOT/grubx64.efi >/dev/null || bailout 57
- mcopy -i "${CHROOT_OUTPUT}/${EFI_IMG}" "${TEMPLATE_DIRECTORY}"/EFI/BOOT/shimx64.efi.signed ::EFI/BOOT/bootx64.efi >/dev/null || bailout 58
+ if [ -r "${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/shimx64.efi.signed" ] ; then
+ mcopy -i "${CHROOT_OUTPUT}/${EFI_IMG}" "${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/shimx64.efi.signed" ::EFI/BOOT/bootx64.efi >/dev/null || bailout 58
+ else
+ log "Secure Boot GRUB binary '${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/shimx64.efi.signed' not found."
+ eerror "Secure Boot GRUB binary '${TEMPLATE_DIRECTORY}/EFI/${SECURE_BOOT}/BOOT/shimx64.efi.signed' not found." ; eend 1
+ bailout 57
+ fi
- log "Generated 64-bit Secure Boot (ubuntu) EFI image ${CHROOT_OUTPUT}/${EFI_IMG}"
- einfo "Generated 64-bit Secure Boot (ubuntu) EFI image ${CHROOT_OUTPUT}/${EFI_IMG}" ; eend 0
- fi
+ log "Generated 64-bit Secure Boot (${SECURE_BOOT}) EFI image ${CHROOT_OUTPUT}/${EFI_IMG}"
+ einfo "Generated 64-bit Secure Boot (${SECURE_BOOT}) EFI image ${CHROOT_OUTPUT}/${EFI_IMG}" ; eend 0
+ ;;
+ *)
+ log "Secure Boot method '${SECURE_BOOT}' is unsupported."
+ error "Secure Boot method '${SECURE_BOOT}' is unsupported." ; eend 1
+ bailout 59
+ ;;
+ esac
fi
fi
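Review bot: The unsupported-method branch calls `error` instead of the `eerror` helper used by every other branch in this hunk, so the diagnostic for an invalid `SECURE_BOOT` value most likely never reaches the user before `bailout 59`; change it to `eerror "Secure Boot method '${SECURE_BOOT}' is unsupported." ; eend 1`. The shim branch is also inconsistent with the grub branch: a missing `shimx64.efi.signed` bails out with 57 (the GRUB code) while a failed copy uses 58, and its log message calls shim a "GRUB binary". The temp file from `mktemp` is created before the template readability check and is not removed on the `bailout 54`/`55`/`56` paths (unless `bailout` itself cleans it, which is not visible here), and `local GRUBCFG_TMP=$(mktemp)` masks a failing `mktemp`. If `SECURE_BOOT` is empty and no default is applied earlier in the script, the empty string falls into the `*)` branch and the build fails as "unsupported" even though the config documents disabled as the default; the enclosing `if` starts outside this hunk.
```shell
        local GRUBCFG_TEMPLATE="${TEMPLATE_DIRECTORY}/secureboot/grub.cfg"
        local GRUBCFG_TMP
        # … unchanged: template readability check + bailout 54 …
        GRUBCFG_TMP=$(mktemp) || bailout 54
        cp "${GRUBCFG_TEMPLATE}" "${GRUBCFG_TMP}"
        adjust_boot_files "${GRUBCFG_TMP}"
        mmd -i "${CHROOT_OUTPUT}/${EFI_IMG}" ::boot || { rm -f "${GRUBCFG_TMP}"; bailout 55; }
        mmd -i "${CHROOT_OUTPUT}/${EFI_IMG}" ::boot/grub || { rm -f "${GRUBCFG_TMP}"; bailout 55; }
        mcopy -i "${CHROOT_OUTPUT}/${EFI_IMG}" "${GRUBCFG_TMP}" ::boot/grub/grub.cfg || { rm -f "${GRUBCFG_TMP}"; bailout 56; }
        rm -f "${GRUBCFG_TMP}"
        # … unchanged: grubx64.efi.signed copy …
        # … unchanged: shimx64.efi.signed copy, but with "Secure Boot shim binary" in the message and bailout 58 …
```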
# adjust all variables in the templates with the according distribution information
adjust_boot_files "${BUILD_OUTPUT}"/boot/isolinux/*.cfg \
"${BUILD_OUTPUT}"/boot/isolinux/*.msg \
- "${BUILD_OUTPUT}"/boot/grub/* \
- "${BUILD_OUTPUT}"/boot/ubuntu/*
+ "${BUILD_OUTPUT}"/boot/grub/*
for param in ARCH DATE DISTRI_INFO DISTRI_NAME DISTRI_SPLASH GRML_NAME SQUASHFS_NAME \
RELEASE_INFO SHORT_NAME VERSION ; do
--- /dev/null
+# debian approach:
+shimx64.efi.signed = /usr/lib/shim/shimx64.efi.signed from http://ftp.de.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
+grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed from http://ftp.de.debian.org/debian/pool/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1+2.02+dfsg1+20_amd64.deb
+# NOTE:
+# shimx64.efi.signed ends up as /EFI/BOOT/bootx64.efi inside [grml_cd]/boot/efi.img, and
+# grubx64.efi.signed ends up as /EFI/BOOT/grubx64.efi inside [grml_cd]/boot/efi.img, whereas
+# [grml_cd]/boot/efi.img is used as `boot/efi.img` inside `xorriso -as mkisofs [...] -e boot/efi.img -no-emul-boot [...]` ISO generation [inside grml_cd directory]
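Review bot: The provenance note records only plain-HTTP pool URLs for the vendored `shimx64.efi.signed` and `grubx64.efi.signed`, so a reader cannot verify that the binaries committed under `templates/EFI/debian/BOOT/` are the ones from those packages. Add the SHA-256 of each `.deb` and of each extracted `.efi.signed` file next to the URL, and state how the packages were authenticated when fetched (apt against the signed `Release` file, or `dpkg-sig`/`debsig-verify` on the downloaded `.deb`), e.g. `# sha256(shimx64.efi.signed) = <hash> (package verified via apt, Debian archive key)`. A one-line caveat that signed shim/GRUB builds can later be revoked by firmware dbx updates, so the pinned versions need periodic review, would also help whoever maintains this directory.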
# ubuntu approach:
shimx64.efi.signed = /usr/lib/shim/shimx64.efi.signed from http://de.archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.34.9+13-0ubuntu2_amd64.deb
-grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed from http://de.archive.ubuntu.com/ubuntu/pool/main/g/grub2-signed/grub-efi-amd64-signed_1.93+2.02-2ubuntu8_amd64.deb
+grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed from http://de.archive.ubuntu.com/ubuntu/pool/main/g/grub2-signed/grub-efi-amd64-signed_1.93+2.02-2ubuntu8_amd64.deb
# NOTE:
# shimx64.efi.signed ends up as /EFI/BOOT/bootx64.efi inside [grml_cd]/boot/efi.img, and
# grubx64.efi.signed ends up as /EFI/BOOT/grubx64.efi inside [grml_cd]/boot/efi.img, whereas
--- /dev/null
+# This is the theme to be used in Secure Boot mode
+
+title-text: ""
+title-color: "#FFFFFF"
+desktop-image: "black.png"
+message-color: "#FFFFFF"
+
++ image {
+ file = "grml-logo.png"
+ left = 45%
+ top = 2%
+}
++ boot_menu {
+ left = 15%
+ width = 70%
+ top = 16%
+ height = 36%
+ item_color = "#FFFFFF"
+ selected_item_color = "orange"
+ item_spacing = 4
+ item_height = 12
+ border_color = "#FFFFFF"
+}
+
+
+# Show an informational message.
++ vbox {
+ top = 55%
+ left = 20%
+ + label {text = "Running in Secure Boot mode" color = "white" align = "left"}
+ + label {text = ""}
+ + label {text = "Press ENTER to boot or E to edit menu entry " color = "white"}
+ + label {text = "Press C to enter the Grub commandline" color = "white"}
+}
+
++ progress_bar {
+ id = "__timeout__"
+ top = 75%
+ left = 20%
+ text_color = "#FFFFFF"
+ fg_color = "orange"
+ bg_color = #66B
+ border_color = #006
+ text = "@TIMEOUT_NOTIFICATION_LONG@"
+}
+# This is the default GRUB theme of Grml
+
title-text: ""
title-color: "#FFFFFF"
desktop-image: "black.png"
-message-color: "#FFFFFF"
+message-color: "#FFFFFF"
+ image {
file = "grml-logo.png"
top = 2%
}
+ boot_menu {
- left = 15%
- width = 70%
- top = 16%
- height = 36%
- item_color = "#FFFFFF"
- selected_item_color = "orange"
- item_spacing = 4
- item_height = 12
- border_color = "#FFFFFF"
-
+ left = 15%
+ width = 70%
+ top = 16%
+ height = 36%
+ item_color = "#FFFFFF"
+ selected_item_color = "orange"
+ item_spacing = 4
+ item_height = 12
+ border_color = "#FFFFFF"
}
# Show an informational message.
+ vbox {
- top = 55%
- left = 20%
- + label {text = "Press ENTER to boot or E to edit menu entry " color = "white" align = "left"}
- + label {text = "Press C to enter the Grub commandline" color = "white"}
+ top = 55%
+ left = 20%
+ + label {text = "Press ENTER to boot or E to edit menu entry " color = "white" align = "left"}
+ + label {text = "Press C to enter the Grub commandline" color = "white"}
}
-+ progress_bar
-{
++ progress_bar {
id = "__timeout__"
top = 75%
left = 20%
bg_color = #66B
border_color = #006
text = "@TIMEOUT_NOTIFICATION_LONG@"
-
}
+++ /dev/null
-# this is a simple test to identify whether it looks like the Secure Boot enabled/signed
-# GRUB is running or if it's a full featured GRUB version, the former doesn't
-# fail with invalid usage, while the later will fail with "error: device name required."
-if probe ; then
- echo "It looks like Secure Boot is enabled."
- set grml_secureboot=true
- export grml_secureboot
-else
- echo "It looks like Secure Boot is NOT enabled."
- set grml_secureboot=false
- export grml_secureboot
-fi
terminal_output gfxterm
fi
-if [ -f /boot/grub/grml-theme/theme.txt ] ; then
+if [ "${grml_secureboot}" = "true" ] ; then
+ if [ -f /boot/grub/grml-theme/sb-theme.txt ] ; then
+ set theme=/boot/grub/grml-theme/sb-theme.txt
+ export theme
+ else
+ set menu_color_normal=white/black
+ set menu_color_highlight=black/orange
+ export menu_color_normal
+ export menu_color_highlight
+ fi
+elif [ -f /boot/grub/grml-theme/theme.txt ] ; then
set theme=/boot/grub/grml-theme/theme.txt
export theme
else
+# Secure Boot support
+# We are supposed to end up in this file only when running with enabled Secure Boot
+
set grml_orig_prefix=$prefix
export grml_orig_prefix
set grml_orig_root=$root
search.file %BOOT_FILE% root
set prefix=($root)/boot/grub/
-source ($root)/boot/grub/grmlenv.cfg
-if [ "$grml_secureboot" = false ] ; then
- configfile /boot/grub/grub.cfg
- # if that fails we need to fallback, but how?
+# this is a simple test to identify whether GRUB is running in Secure Boot mode
+# or not; "wrmsr" is in the list of disabled_mods of GRUB and is supposed to be
+# invoked with two arguments (and if not fails with exit code 18), but when
+# running under Secure Boot it fails with: "error: Secure Boot forbits loading
+# module from [...]/boot/grub/x86_64-efi/wrmsr.mod" + returns with exit code 30
+wrmsr
+if [ $? = 30 ] ; then
+ echo "It looks like Secure Boot is enabled."
+ set grml_secureboot=true
+ export grml_secureboot
else
- if [ "$grml_orig_prefix" != "" ] ; then
- set prefix=$grml_orig_prefix
- fi
-
- # this is basically a copy of templates/boot/grub/header.cfg but to avoid
- # failures due to Secure Boot restrictions and sourcing addons.cfg via
- # /boot/grub/loopback.cfg (and then showing entries that are at the wrong
- # position as well as don't work at all) we have to specify the appropriate
- # config here
- set timeout=20
- if loadfont /boot/grub/ascii.pf2 ; then
- set gfxmode=auto
- insmod efi_gop
- insmod efi_uga
- insmod gfxterm
- insmod png
- terminal_output gfxterm
- fi
-
- if [ -f /boot/grub/%GRML_NAME%-theme/theme.txt ] ; then
- set theme=/boot/grub/%GRML_NAME%-theme/theme.txt
- export theme
- elif [ -f /boot/grub/grml-theme/theme.txt ] ; then
- set theme=/boot/grub/grml-theme/theme.txt
- export theme
- else
- set menu_color_normal=white/black
- set menu_color_highlight=black/light-gray
- set color_normal=white/black
- fi
-
- menuentry "Boot %GRML_NAME% in normal mode (release %VERSION%, Secure Boot enabled)" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
-
- menuentry "Boot %GRML_NAME% - enable persistency" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 persistence
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
-
- menuentry "Boot %GRML_NAME% - copy %GRML_NAME% to RAM" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 toram=%GRML_NAME%.squashfs
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+ echo "It looks like Secure Boot is NOT enabled."
+ set grml_secureboot=false
+ export grml_secureboot
+fi
- menuentry "Boot %GRML_NAME% - copy whole medium to RAM" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 toram
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+if [ -e /boot/grub/grub.cfg ] ; then
+ configfile /boot/grub/grub.cfg
+else
+ echo "ERROR: It looks like SecureBoot is enabled but reading GRUB configuration failed.
- menuentry "Boot %GRML_NAME% - disable framebuffer/kernel mode setting" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 video=vesafb:off cirrus.modeset=0 i915.modeset=0 mgag200.modeset=0 nomodeset nouveau.modeset=0 radeon.modeset=0
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+Please execute the following commands and provide the output to the Grml team:
- menuentry "Boot %GRML_NAME% - enable forensic mode" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 read-only nofstab noraid nodmraid nolvm noautoconfig noswap raid=noautodetect
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+echo \$prefix
+echo \$root
+echo \$grml_orig_prefix
+echo \$grml_orig_root
+search.file /boot/grub/grub.cfg
- menuentry "Boot %GRML_NAME% - enable serial console" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 video=vesafb:off console=tty1 console=ttyS0,9600n8
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
+Hint: Create a screenshot or a picture with your digital camera or mobile phone."
- menuentry "Boot %GRML_NAME% - debug mode" {
- set gfxpayload=keep
- echo 'Loading kernel...'
- linux /boot/%SHORT_NAME%/vmlinuz apm=power-off boot=live live-media-path=/live/%GRML_NAME%/ bootid=%BOOTID% "${loopback}" "${kernelopts}" nomce net.ifnames=0 initcall verbose debug=vc systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M
- echo 'Loading initrd...'
- initrd /boot/%SHORT_NAME%/initrd.img
- }
fi
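Review bot: The Secure Boot detection now hinges on `wrmsr` returning a hard-coded GRUB error number (30), which is an internal enumeration that can differ between GRUB builds; the comment should record which GRUB package the value was verified against and what happens if a different code comes back (the script then silently treats Secure Boot as NOT enabled and only the theme choice changes). The comment also has a typo: `# running under Secure Boot it fails with: "error: Secure Boot forbids loading`. Since `configfile /boot/grub/grub.cfg` is now sourced regardless of the detection result, the header should make the trust boundary explicit for future readers, along the lines of `# NOTE: grub.cfg itself is not signed; under Secure Boot only the kernel image is verified by shim/GRUB, so this file must not be relied on for integrity` — hedged, because the kernel-signature requirement is only stated in the config commentary, not enforced here.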