Support Grml's new Secure Boot approach

Secure Boot support was kind of broken and in grml-live commit 518eb395d
we reworked the layout and handling of the configuration.
The main change is the new GRUB prefix /boot/grub/grub.cfg instead
of /EFI/ubuntu. We need to adopt this accordingly, though it's probably
not worth being backwards compatible (given that we never released
official Grml ISOs with Secure Boot).

NOTE: the configuration file /boot/grub/grub.cfg *inside* the efi.img
doesn't get adjusted via handle_grub_config() yet, so if we should ever
add custom boot entries directly into this grub configuration file
(which is known as the grml-live template file
templates/secureboot/grub.cfg), we'd have to adjust handle_grub_config()
or invoke handle_grub_config() from inside handle_secure_boot().

Also we install the grub.cfg from inside EFI as /boot/grub/x86_64-efi/grub.cfg.
Looking at GRUB's default configuration file (see `cat
(memdisk)/grub.cfg`) shows that if /boot/grub/x86_64-efi/grub.cfg exists
it's getting sourced before /boot/grub/grub.cfg.  Since our *actual*
GRUB configuration of the Grml ISO is residing as /boot/grub/grub.cfg,
we can use /boot/grub/x86_64-efi/grub.cfg to control behavior in Secure
Boot mode.

Also ensure we take over file /conf/bootfile_*, which we
rely on from with grml-live's templates/secureboot/grub.cfg.

This work was funded by Grml-Forensic.

diff --git a/grml2usb b/grml2usb
index 223dae2..0199fd6 100755 (executable)
--- a/grml2usb
+++ b/grml2usb
@@ -1314,6 +1314,9 @@ def copy_bootloader_files(iso_mount, target, grml_flavour):
         exec_rsync(efi_img, target + "/boot/efi.img")
         handle_secure_boot(target, efi_img)
 
+    execute(mkdir, target + "/conf/")
+    glob_and_copy(iso_mount + "/conf/bootfile_*", target + "/conf/")
+
     for ffile in ["f%d" % number for number in range(1, 11)]:
         search_and_copy(ffile, iso_mount, syslinux_target + ffile)
 
@@ -1493,7 +1496,6 @@ def handle_grub_config(grml_flavour, device, target):
     logging.debug("Updating grub configuration")
 
     grub_target = target + "/boot/grub/"
-    secureboot_target = target + "/EFI/ubuntu/"
 
     bootid_re = re.compile(r"bootid=[\w_-]+")
     live_media_path_re = re.compile(r"live-media-path=[\w_/-]+")
@@ -1508,9 +1510,7 @@ def handle_grub_config(grml_flavour, device, target):
             remove_regexes.append(re.compile(regex))
 
     shortname = get_shortname(grml_flavour)
-    for filename in glob.glob(grub_target + "*.cfg") + glob.glob(
-        secureboot_target + "*.cfg"
-    ):
+    for filename in glob.glob(grub_target + "*.cfg"):
         for line in fileinput.input(filename, inplace=1):
             line = line.rstrip("\r\n")
             if option_re.search(line):
@@ -1760,18 +1760,18 @@ def handle_secure_boot(target, efi_img):
         logging.critical("Fatal: %s", error)
         sys.exit(1)
 
-    ubuntu_cfg = search_file("grub.cfg", efi_mountpoint + "/EFI/ubuntu")
-    logging.debug("ubuntu_cfg = %s" % ubuntu_cfg)
-    if not ubuntu_cfg:
+    grub_cfg = efi_mountpoint + "/boot/grub/grub.cfg"
+    logging.debug("grub_cfg = %s" % grub_cfg)
+    if not grub_cfg:
         logging.info(
-            "No /EFI/ubuntu/grub.cfg found inside EFI image, looks like Secure Boot support is missing."
+            "No /boot/grub/grub.cfg found inside EFI image, looks like Secure Boot support is missing."
         )
     else:
-        mkdir(target + "/efi/ubuntu")
+        mkdir(target + "/boot/grub/x86_64-efi/")
         logging.debug(
-            "exec_rsync(%s, %s + '/efi/ubuntu/grub.cfg')" % (ubuntu_cfg, target)
+            "exec_rsync(%s, %s + '/boot/grub/x86_64-efi/grub.cfg')" % (grub_cfg, target)
         )
-        exec_rsync(ubuntu_cfg, target + "/efi/ubuntu/grub.cfg")
+        exec_rsync(grub_cfg, target + "/boot/grub/x86_64-efi/grub.cfg")
 
         logging.debug(
             "exec_rsync(%s + '/EFI/BOOT/grubx64.efi', %s + '/efi/boot/grubx64.efi')'"