7127299ebe
- ship a Secure Boot UEFI compatible bootloader (fate#314485)
- added secureboot patches which introduce a new linuxefi module that is able to verify signed images via the protocol exported from shim. The insmod command will not function if secure boot is enabled (as all modules should be built into grub.efi and signed).
- grub2-secureboot-add-linuxefi.patch
- grub2-secureboot-use-linuxefi-on-uefi.patch
- grub2-secureboot-no-insmod-on-sb.patch
- grub2-secureboot-provide-linuxefi-config.patch
- Makefile.core.am: support building linuxefi module
- Make grub.efi image with all relevant modules incorporated and signed; it will be the second stage to the shim loader, which will verify it when secureboot is enabled.
- Make grub.efi's path align with shim loader's default loader lookup path.
- The changes have been verified not to affect any factory installation, but will allow us to run & test secure boot setup manually with shim.
(forwarded request 143007 from michael-chang)
OBS-URL: https://build.opensuse.org/request/show/143018
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=52
67 lines
2.4 KiB
Diff
From 795ac61cba9674376d745813efdab395e35cff41 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Mon, 26 Nov 2012 15:38:54 +0800
Subject: [PATCH] provide option in config to enable linuxefi

References: fate#314485
Patch-Mainline: no

As the linuxefi module requires kernel 3.6 or later, which supports the EFI
handover protocol, it may not be able to load kernels without that
support in place.

In case things would break, and linuxefi is really too young to
take over the position of the "linux" kernel loader module, we introduce an
option GRUB_USE_LINUXEFI in the config, and only explicitly setting it to true
will enable it. Example usage is

GRUB_USE_LINUXEFI=true grub2-mkconfig -o /boot/efi/EFI/opensuse/grub.cfg

This will output a grub.cfg which uses linuxefi in place of linux and
enables verification of the kernel signature if secureboot is enabled and
the shim exported protocols are available.

---
 util/grub-mkconfig.in   | 3 ++-
 util/grub.d/10_linux.in | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index d789fcc..6555944 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -244,7 +244,8 @@ export GRUB_DEFAULT \
GRUB_SAVEDEFAULT \
GRUB_ENABLE_CRYPTODISK \
GRUB_BADRAM \
- GRUB_CMDLINE_LINUX_RECOVERY
+ GRUB_CMDLINE_LINUX_RECOVERY \
+ GRUB_USE_LINUXEFI
if test "x${grub_cfg}" != "x"; then
rm -f "${grub_cfg}.new"
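Review bot: GRUB_USE_LINUXEFI is only added to the export list here; the two-file diffstat shows nothing that documents it next to the other GRUB_* settings grub-mkconfig reads, and it has no default, so an unset or unrecognised value silently keeps the old `linux` loader. Suggest documenting the variable (a commented `#GRUB_USE_LINUXEFI=true` example in the default settings file or its man page) so the switch is discoverable without reading this patch description.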
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 807a0db..b2f65c0 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -133,7 +133,7 @@ linux_entry ()
printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
fi
message="$(gettext_printf "Loading Linux %s ..." ${version})"
- if [ -d /sys/firmware/efi ]; then
+ if [ -d /sys/firmware/efi ] && [ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]; then
sed "s/^/$submenu_indentation/" << EOF
echo '$message'
linuxefi ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args}
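Review bot: the test `[ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]` is an exact, case-sensitive match, so values such as `TRUE`, `yes` or `1` fall through to the plain `linux` command without any message. Per the description that is the path with no kernel signature verification, and on a Secure Boot system with insmod disabled the mistake is invisible at generation time and only surfaces at boot. Suggest either normalising the value or printing a warning to stderr when `/sys/firmware/efi` exists but the variable holds anything other than `true`.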
@@ -147,7 +147,7 @@ EOF
if test -n "${initrd}" ; then
# TRANSLATORS: ramdisk isn't identifier. Should be translated.
message="$(gettext_printf "Loading initial ramdisk ...")"
- if [ -d /sys/firmware/efi ]; then
+ if [ -d /sys/firmware/efi ] && [ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]; then
sed "s/^/$submenu_indentation/" << EOF
echo '$message'
initrdefi ${rel_dirname}/${initrd}
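Review bot: the `-d /sys/firmware/efi` and `GRUB_USE_LINUXEFI = true` condition is now duplicated for the initrd line and the kernel line in the hunk above. If either copy is edited alone, an entry could pair `linuxefi` with `initrd` (or `linux` with `initrdefi`) and fail to boot. Suggest evaluating the condition once at the top of linux_entry (e.g. `use_linuxefi=true`) and testing that variable in both places so the two loader lines cannot drift apart.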
--
1.7.3.4
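Because an unset or misspelled GRUB_USE_LINUXEFI silently produces entries with the plain `linux`/`initrd` loaders, a generated grub.cfg is worth checking before it is trusted on a Secure Boot system. The script below is an added check, not part of this request or of grub2; it assumes the loader-line layout that 10_linux.in emits and builds its own constructed sample entries (kernel names, `root=` device and menu titles are made up).

```shell
#!/bin/sh
# Added check (not part of this request or of grub2): scan a grub.cfg produced
# by grub2-mkconfig and report menu entries that still use the plain
# "linux"/"initrd" loaders, i.e. entries that will not go through the
# shim-verified linuxefi/initrdefi path under Secure Boot.

PLAIN_LOADER_RE='^[[:space:]]*(linux|initrd)([[:space:]]|$)'

# Print how many loader lines in $1 use linux/initrd (always exits 0;
# grep -c prints "0" and exits 1 when nothing matches).
unverified_loader_lines() {
    grep -cE "$PLAIN_LOADER_RE" "$1" || true
}

# Exit 0 when every kernel/initrd line in $1 uses the EFI loaders,
# 1 when at least one entry falls back, 2 when the file cannot be read.
check_grub_cfg() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    n=$(unverified_loader_lines "$1")
    if [ "$n" -gt 0 ]; then
        echo "warning: $1: $n loader line(s) bypass linuxefi/initrdefi:" >&2
        grep -nE "$PLAIN_LOADER_RE" "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample entry (not from the request) in the shape 10_linux.in
# emits: "efi" is what GRUB_USE_LINUXEFI=true produces, "plain" the fallback.
sample_entry() {
    if [ "$1" = "efi" ]; then k=linuxefi; i=initrdefi; else k=linux; i=initrd; fi
    printf "menuentry 'openSUSE (%s)' {\n" "$1"
    printf "\techo 'Loading Linux EXAMPLE ...'\n"
    printf "\t%s /boot/vmlinuz-EXAMPLE root=/dev/sda2 ro quiet\n" "$k"
    printf "\techo 'Loading initial ramdisk ...'\n"
    printf "\t%s /boot/initrd-EXAMPLE\n" "$i"
    printf "}\n"
}

# Usage: sh check_grub_cfg.sh /boot/efi/EFI/opensuse/grub.cfg
[ $# -eq 0 ] || check_grub_cfg "$1"
```

Run it against the file grub2-mkconfig wrote (the path from the example above) after regenerating the config; a non-zero exit lists the offending lines.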