From 92ffc08bb28f73c79f195ded2fba02eeebfe925b Mon Sep 17 00:00:00 2001
From: Michael Prokop
Date: Fri, 19 Jun 2020 15:13:36 +0200
Subject: [PATCH] Support Grml's new Secure Boot approach
Secure Boot support was kind of broken and in grml-live commit 518eb395d we reworked the layout and handling of the configuration. The main change is the new GRUB prefix /boot/grub/grub.cfg instead of /EFI/ubuntu. We need to adopt this accordingly, though it's probably not worth being backwards compatible (given that we never released official Grml ISOs with Secure Boot). NOTE: the configuration file /boot/grub/grub.cfg *inside* the efi.img doesn't get adjusted via handle_grub_config() yet, so if we should ever add custom boot entries directly into this grub configuration file (which is known as the grml-live template file templates/secureboot/grub.cfg), we'd have to adjust handle_grub_config() or invoke handle_grub_config() from inside handle_secure_boot(). Also we install the grub.cfg from inside EFI as /boot/grub/x86_64-efi/grub.cfg. Looking at GRUB's default configuration file (see `cat (memdisk)/grub.cfg`) shows that if /boot/grub/x86_64-efi/grub.cfg exists it's getting sourced before /boot/grub/grub.cfg. Since our *actual* GRUB configuration of the Grml ISO is residing as /boot/grub/grub.cfg, we can use /boot/grub/x86_64-efi/grub.cfg to control behavior in Secure Boot mode. Also ensure we take over file /conf/bootfile_*, which we rely on from with grml-live's templates/secureboot/grub.cfg. This work was funded by Grml-Forensic.
---
grml2usb | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/grml2usb b/grml2usb
index 223dae2..0199fd6 100755
--- a/grml2usb
+++ b/grml2usb
@@ -1314,6 +1314,9 @@ def copy_bootloader_files(iso_mount, target, grml_flavour): exec_rsync(efi_img, target + "/boot/efi.img") handle_secure_boot(target, efi_img) + execute(mkdir, target + "/conf/") + glob_and_copy(iso_mount + "/conf/bootfile_*", target + "/conf/") + for ffile in ["f%d" % number for number in range(1, 11)]: search_and_copy(ffile, iso_mount, syslinux_target + ffile)
@@ -1493,7 +1496,6 @@ def handle_grub_config(grml_flavour, device, target): logging.debug("Updating grub configuration") grub_target = target + "/boot/grub/" - secureboot_target = target + "/EFI/ubuntu/" bootid_re = re.compile(r"bootid=[\w_-]+") live_media_path_re = re.compile(r"live-media-path=[\w_/-]+")
@@ -1508,9 +1510,7 @@ def handle_grub_config(grml_flavour, device, target): remove_regexes.append(re.compile(regex)) shortname = get_shortname(grml_flavour) - for filename in glob.glob(grub_target + "*.cfg") + glob.glob( - secureboot_target + "*.cfg" - ): + for filename in glob.glob(grub_target + "*.cfg"): for line in fileinput.input(filename, inplace=1): line = line.rstrip("\r\n") if option_re.search(line):
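Review bot: The two lines added to copy_bootloader_files copy `/conf/bootfile_*` to the target without saying why; the reason is given only in the commit message. A comment above them would keep that context in the file, for example `# grml-live's templates/secureboot/grub.cfg relies on /conf/bootfile_*`. Indentation is lost on this page, so it is not visible whether these lines run for every ISO or only when an EFI image was found; if they run unconditionally, it is worth confirming that glob_and_copy tolerates an ISO with no matching files. The function body starts and ends outside the hunk.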
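Review bot: With `secureboot_target` gone, the loop in handle_grub_config (hunk at -1508) only visits `glob.glob(grub_target + "*.cfg")`, which does not match the file that handle_secure_boot now installs as `/boot/grub/x86_64-efi/grub.cfg`. Any `bootid=` or `live-media-path=` options in that copied file are therefore left as shipped, a case the commit message does not cover (it only mentions the grub.cfg inside efi.img). If that is intended, say so above the loop, e.g. `# boot/grub/x86_64-efi/grub.cfg is deliberately not rewritten here`; otherwise add `glob.glob(grub_target + "x86_64-efi/*.cfg")` to the list. The loop body continues outside the hunk.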
@@ -1760,18 +1760,18 @@ def handle_secure_boot(target, efi_img): logging.critical("Fatal: %s", error) sys.exit(1) - ubuntu_cfg = search_file("grub.cfg", efi_mountpoint + "/EFI/ubuntu") - logging.debug("ubuntu_cfg = %s" % ubuntu_cfg) - if not ubuntu_cfg: + grub_cfg = efi_mountpoint + "/boot/grub/grub.cfg" + logging.debug("grub_cfg = %s" % grub_cfg) + if not grub_cfg: logging.info( - "No /EFI/ubuntu/grub.cfg found inside EFI image, looks like Secure Boot support is missing." + "No /boot/grub/grub.cfg found inside EFI image, looks like Secure Boot support is missing." ) else: - mkdir(target + "/efi/ubuntu") + mkdir(target + "/boot/grub/x86_64-efi/") logging.debug( - "exec_rsync(%s, %s + '/efi/ubuntu/grub.cfg')" % (ubuntu_cfg, target) + "exec_rsync(%s, %s + '/boot/grub/x86_64-efi/grub.cfg')" % (grub_cfg, target) ) - exec_rsync(ubuntu_cfg, target + "/efi/ubuntu/grub.cfg") + exec_rsync(grub_cfg, target + "/boot/grub/x86_64-efi/grub.cfg") logging.debug( "exec_rsync(%s + '/EFI/BOOT/grubx64.efi', %s + '/efi/boot/grubx64.efi')'" -- 2.1.4
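Review bot: The `if not grub_cfg:` check in handle_secure_boot can no longer be true, because `grub_cfg` is now the concatenation `efi_mountpoint + "/boot/grub/grub.cfg"` and is always a non-empty string, whereas the old `search_file` result could be empty. The "No /boot/grub/grub.cfg found inside EFI image" message is therefore unreachable, and an EFI image without that file falls through to `mkdir` and `exec_rsync` on a path that does not exist. Test the file itself instead, e.g. `if not os.path.isfile(grub_cfg):` (this assumes `os` is imported in grml2usb, which the hunk does not show). How exec_rsync reacts to a missing source is not visible here, but a missing Secure Boot config would no longer be reported the way the log message intends. The function starts and continues outside the hunk.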