for secure boot
1. Patch for secure boot support using AUR's shim-signed package, mokutil and sbsigntools.
diff --git a/src/modules/bootloader/main.py b/src/modules/bootloader/main.py
index d7f4a71..ca1c298 100644
--- a/src/modules/bootloader/main.py
+++ b/src/modules/bootloader/main.py
@@ -568,17 +568,37 @@ def run_grub_install(fw_type, partitions, efi_directory):
assert efi_directory is not None
efi_bootloader_id = efi_label(efi_directory)
efi_target, efi_grub_file, efi_boot_file = get_grub_efi_parameters()
+ grub_modules = get_modules()
+ install_path = libcalamares.globalstorage.value("rootMountPoint")
+ grubInstall = libcalamares.job.configuration["grubInstall"]
if is_zfs:
- check_target_env_call(["sh", "-c", "ZPOOL_VDEV_NAME_PATH=1 " + libcalamares.job.configuration["grubInstall"]
+ check_target_env_call(["sh", "-c", "ZPOOL_VDEV_NAME_PATH=1 " + grubInstall
+ " --target=" + efi_target + " --efi-directory=" + efi_directory
+ + " --modules=\"" + grub_modules + "\" --sbat=/usr/share/grub/sbat.csv"
+ + " --disable-shim-lock"
+ " --bootloader-id=" + efi_bootloader_id + " --force"])
else:
- check_target_env_call([libcalamares.job.configuration["grubInstall"],
+ check_target_env_call(["sh", "-c", grubInstall,
"--target=" + efi_target,
"--efi-directory=" + efi_directory,
+ '--modules="' + grub_modules + '"',
+ "--disable-shim-lock",
+ "--sbat=/usr/share/grub/sbat.csv",
"--bootloader-id=" + efi_bootloader_id,
"--force"])
+ MOK_path = "/etc/secureboot/"
+ if os.path.exists(install_path + MOK_path + "MOK.key"):
+ grub_path = efi_directory + "/EFI/" + efi_bootloader_id + "/" + efi_grub_file
+ check_target_env_call(["sh", "-c", "/usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' | /usr/bin/xargs -I{} /bin/sh -c 'if ! /usr/bin/sbverify --cert /etc/secureboot/MOK.crt {} >/dev/null 2>&1 ;then sudo /usr/bin/sbsign --key " + MOK_path + "MOK.key --cert " + MOK_path + "MOK.crt --output {} {}; fi'"])
+ check_target_env_call(["sh", "-c", "/usr/bin/sbsign --key " + MOK_path + "MOK.key --cert " + MOK_path + "MOK.crt --output " + grub_path + " " + grub_path])
+ check_target_env_call(["sh", "-c", "/usr/bin/mokutil --import " + MOK_path + "MOK.cer --root-pw"])
+ install_efi_directory = install_path + efi_directory
+ os.mkdir(os.path.join(install_efi_directory, "EFI", "boot"))
+ shutil.copy2(os.path.join(install_efi_directory, "EFI", efi_bootloader_id, "grubx64.efi") , os.path.join(install_efi_directory, "EFI", "boot", "bootx64.efi"))
+ shutil.copy2(os.path.join(install_path, "/usr/share/shim-signed/shimx64.efi") , os.path.join(install_efi_directory, "EFI", efi_bootloader_id))
+ shutil.copy2(os.path.join(install_path, "/usr/share/shim-signed/mmx64.efi") , os.path.join(install_efi_directory, "EFI", efi_bootloader_id))
+ install_secureboot(efi_directory)
else:
assert efi_directory is None
if libcalamares.globalstorage.value("bootLoader") is None:
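Review bot: In the non-ZFS branch, wrapping the call as `["sh", "-c", grubInstall, "--target=" + efi_target, …]` makes `grubInstall` the whole command string and demotes every following element to a positional parameter ($0, $1, …), so grub-install runs with no `--target`, `--efi-directory`, `--modules` or `--sbat` arguments at all; the original direct invocation should be kept, `check_target_env_call([grubInstall, "--target=" + efi_target, …])`, and with direct argv the literal quotes in `'--modules="' + grub_modules + '"'` are passed through to grub-install rather than stripped by a shell, so that element should presumably read `"--modules=" + grub_modules`. The two shim copies use `os.path.join(install_path, "/usr/share/shim-signed/…")`, and a second component that starts with `/` makes `os.path.join` discard `install_path`, so `shimx64.efi` and `mmx64.efi` are taken from the live environment instead of the installed target; dropping the leading slash, `os.path.join(install_path, "usr/share/shim-signed/shimx64.efi")`, gives the intended path. `os.mkdir` of `EFI/boot` raises FileExistsError when the directory already exists (a re-run, or an earlier `--removable` style install), so `os.makedirs(os.path.join(install_efi_directory, "EFI", "boot"), exist_ok=True)` is safer. `MOK.key` is the private signing key and it remains on the installed system under `/etc/secureboot/`; anything able to read it can sign binaries the enrolled MOK trusts, so the file mode of that directory and key deserves to be set explicitly somewhere this hunk does not show. run_grub_install's body continues outside the hunk, and because the page lost the hunk's indentation it is not visible whether `install_secureboot(efi_directory)` is inside the `MOK.key` guard or runs for every EFI install.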
@@ -683,34 +703,35 @@ def install_secureboot(efi_directory):
# of that tuple.
efi_drive = subprocess.check_output([
libcalamares.job.configuration["grubProbe"],
- "-t", "drive", "--device-map=", install_efi_directory]).decode("ascii")
- efi_disk = subprocess.check_output([
- libcalamares.job.configuration["grubProbe"],
- "-t", "disk", "--device-map=", install_efi_directory]).decode("ascii")
+ "-t", "device", install_efi_directory]).decode("ascii")
- efi_drive_partition = efi_drive.replace("(","").replace(")","").split(",")[1]
+ efi_drive_partition = efi_drive
# Get the first run of digits from the partition
efi_partition_number = None
- c = 0
- start = None
- while c < len(efi_drive_partition):
- if efi_drive_partition[c].isdigit() and start is None:
- start = c
- if not efi_drive_partition[c].isdigit() and start is not None:
- efi_partition_number = efi_drive_partition[start:c]
+ c = len(efi_drive_partition) - 1
+ end = None
+ while c >= 0:
+ if efi_drive_partition[c].isdigit() and end is None:
+ end = c + 1
+ if not efi_drive_partition[c].isdigit() and end is not None:
+ efi_partition_number = efi_drive_partition[c+1:end]
+ efi_disk = efi_drive_partition[0:c+1]
break
- c += 1
+ c -= 1
if efi_partition_number is None:
raise ValueError("No partition number found for %s" % install_efi_directory)
+ boot_mgr = libcalamares.job.configuration["efiBootMgr"]
+ efi_disk = efi_disk.rsplit()[0]
+ efi_bin_path = os.path.join("/EFI", efi_bootloader_id, install_efi_bin)
subprocess.call([
- libcalamares.job.configuration["efiBootMgr"],
+ boot_mgr,
"-c",
- "-w",
- "-L", efi_bootloader_id,
+ "-u",
+ "-L", efi_bootloader_id + "Shim",
"-d", efi_disk,
- "-p", efi_partition_number,
- "-l", install_efi_directory + "/" + install_efi_bin])
+ "-p", str(efi_partition_number),
+ "-l", efi_bin_path])
efi_boot_next()
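Review bot: The backwards digit scan that now derives the disk, `efi_disk = efi_drive_partition[0:c+1]`, takes everything before the last run of digits as the disk name, which is right for `/dev/sda1` but yields `/dev/nvme0n1p` for `/dev/nvme0n1p1` and `/dev/mmcblk0p` for `/dev/mmcblk0p1`, so efibootmgr is given a non-existent disk on NVMe and eMMC installs; the removed `grub-probe -t disk` call did not have this problem. After the loop, strip the partition separator when the remaining name ends in a digit followed by `p`: `if len(efi_disk) > 1 and efi_disk[-1] == "p" and efi_disk[-2].isdigit(): efi_disk = efi_disk[:-1]` (a heuristic based on the kernel's `<disk>p<n>` naming for such devices; `/sys/class/block/<name>/partition` would be a more robust source if one is wanted). The later `efi_disk.rsplit()[0]` only drops surrounding whitespace and does not address this. Because the hunk's leading indentation was lost on this page, it is also not visible whether the `break` sits inside the `if not ... isdigit()` branch or at loop level; at loop level the scan would stop after the first character. install_secureboot starts before the hunk, and `install_efi_bin`, `efi_bootloader_id` and `install_efi_directory` are defined outside it.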
@@ -751,6 +772,110 @@ def prepare_bootloader(fw_type):
"boot-loader '{!s}' and firmware '{!s}' "
"is not supported.".format(efi_boot_loader, fw_type) )
+def get_modules():
+ platform=os.uname().machine
+
+ CD_MODULES="""
+ all_video
+ boot
+ btrfs
+ cat
+ chain
+ configfile
+ echo
+ efifwsetup
+ efinet
+ ext2
+ fat
+ font
+ gettext
+ gfxmenu
+ gfxterm
+ gfxterm_background
+ gzio
+ halt
+ help
+ hfsplus
+ iso9660
+ jpeg
+ keystatus
+ loadenv
+ loopback
+ linux
+ ls
+ lsefi
+ lsefimmap
+ lsefisystab
+ lssal
+ memdisk
+ minicmd
+ normal
+ ntfs
+ part_apple
+ part_msdos
+ part_gpt
+ password_pbkdf2
+ png
+ probe
+ reboot
+ regexp
+ search
+ search_fs_uuid
+ search_fs_file
+ search_label
+ sleep
+ smbios
+ squash4
+ test
+ true
+ video
+ xfs
+ zfs
+ zfscrypt
+ zfsinfo
+ """
+
+ # Platform-specific modules
+ if platform in ['x86_64', 'i386']:
+ CD_MODULES+="""
+ cpuid
+ play
+ tpm
+ """
+
+ GRUB_MODULES = CD_MODULES + """
+ cryptodisk
+ gcry_arcfour
+ gcry_blowfish
+ gcry_camellia
+ gcry_cast5
+ gcry_crc
+ gcry_des
+ gcry_dsa
+ gcry_idea
+ gcry_md4
+ gcry_md5
+ gcry_rfc2268
+ gcry_rijndael
+ gcry_rmd160
+ gcry_rsa
+ gcry_seed
+ gcry_serpent
+ gcry_sha1
+ gcry_sha256
+ gcry_sha512
+ gcry_tiger
+ gcry_twofish
+ gcry_whirlpool
+ luks
+ lvm
+ mdraid09
+ mdraid1x
+ raid5rec
+ raid6rec
+ """
+ GRUB_MODULES=" ".join(GRUB_MODULES.split())
+ return GRUB_MODULES
def run():
"""