Compare commits
2 Commits
546989ac38
...
1.1
Author | SHA256 | Date | |
---|---|---|---|
93d13824d9 | |||
58ba8cc5cf |
68
shim-install
68
shim-install
@@ -84,6 +84,22 @@ case "$OS_ID" in
|
||||
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
|
||||
esac
|
||||
|
||||
# bsc#1230316 Check if the system is encrypted SL-Micro
|
||||
is_encrypted_slm () {
|
||||
if test "$GRUB_DISTRIBUTOR" = "SL Micro" && test -n "$GRUB_TPM2_SEALED_KEY" ; then
|
||||
# return true
|
||||
return 0
|
||||
fi
|
||||
|
||||
# return false
|
||||
return 1
|
||||
}
|
||||
|
||||
# bsc#1230316 For encrypted SL-Micro, always install shim/grub2 with the "removable" way
|
||||
if is_encrypted_slm; then
|
||||
removable=yes
|
||||
fi
|
||||
|
||||
is_azure () {
|
||||
local bios_vendor;
|
||||
local product_name;
|
||||
@@ -471,32 +487,36 @@ if test "$no_nvram" = no && test -n "$bootloader_id"; then
|
||||
$efibootmgr -b "$bootnum" -B
|
||||
done
|
||||
|
||||
efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
|
||||
efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
|
||||
if test -z "$efidir_drive" || test -z "$efidir_disk"; then
|
||||
echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
|
||||
# bsc#1119762 If the MD device is partitioned, we just need to create one
|
||||
# boot entry since the partitions are nested partitions and the mirrored
|
||||
# partitions share the same UUID.
|
||||
elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
|
||||
eval $(mdadm --detail --export "$efidir_disk" |
|
||||
perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$});
|
||||
sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};')
|
||||
if [ "$MD_LEVEL" != "raid1" ]; then
|
||||
echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2
|
||||
fi
|
||||
for mddev in $MD_DEVS; do
|
||||
efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
|
||||
efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
|
||||
# bsc#1230316 Skip the creation of the boot option for encrypted SL-Micro to make
|
||||
# the system always boot from the default boot path (\EFI\BOOT\boot<arch>.efi)
|
||||
if ! is_encrypted_slm; then
|
||||
efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
|
||||
efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
|
||||
if test -z "$efidir_drive" || test -z "$efidir_disk"; then
|
||||
echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
|
||||
# bsc#1119762 If the MD device is partitioned, we just need to create one
|
||||
# boot entry since the partitions are nested partitions and the mirrored
|
||||
# partitions share the same UUID.
|
||||
elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
|
||||
eval $(mdadm --detail --export "$efidir_disk" |
|
||||
perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$});
|
||||
sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};')
|
||||
if [ "$MD_LEVEL" != "raid1" ]; then
|
||||
echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2
|
||||
fi
|
||||
for mddev in $MD_DEVS; do
|
||||
efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
|
||||
efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
|
||||
efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
|
||||
efidir_d=${mddev#/dev/}
|
||||
$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
|
||||
-L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
|
||||
done
|
||||
else
|
||||
efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
|
||||
efidir_d=${mddev#/dev/}
|
||||
$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
|
||||
-L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
|
||||
done
|
||||
else
|
||||
efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
|
||||
$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
|
||||
-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
|
||||
-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
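Review bot: The re-indented RAID branch in the second hunk still runs `eval $(mdadm --detail --export "$efidir_disk" | perl …)` with the substitution unquoted, so the filtered `MD_LEVEL=` and `MD_DEVS=` text is word-split and then evaluated as shell code in a script that presumably runs with root privileges, since it calls efibootmgr. As these lines are being touched anyway, I would read the two values without `eval`, as sketched below, or at minimum quote it as `eval "$(…)"`. In the same branch the `[ "$MD_LEVEL" != "raid1" ]` check only prints "unable to create EFI Boot Manager entry" and then falls through to the `for mddev in $MD_DEVS` loop, which looks unintended and may want a guard around the loop. The enclosing `if test "$no_nvram" = no && test -n "$bootloader_id"` block starts outside the hunk, so this is based on the visible lines only.

```shell
# … unchanged: elif [[ "$efidir_drive" == \(mduuid/* && … ]]; then …
MD_LEVEL=
MD_DEVS=
# Parse the KEY=VALUE export as data instead of evaluating it.
while IFS='=' read -r md_key md_val; do
    case "$md_key" in
        MD_LEVEL) MD_LEVEL=$md_val ;;
        MD_DEVICE_*_DEV) MD_DEVS="$MD_DEVS $md_val" ;;
    esac
done < <(mdadm --detail --export "$efidir_disk")
# … unchanged: RAID1 check and for mddev loop …
```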
14
shim.changes
14
shim.changes
@@ -1,3 +1,17 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 19 06:27:27 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Update shim-install to limit the scope of the 'removable'
|
||||
SL-Micro to the image booting with TPM2 unsealing (bsc#1210382)
|
||||
* 769e41d Limit the removable option to encrypted SL-Micro
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 16 07:28:57 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Update shim-install to use the 'removable' way for SL-Micro
|
||||
(bsc#1230316)
|
||||
* 433cc4e Always use the removable way for SL-Micro
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun May 19 15:08:27 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
|
||||
|
||||
|