grub2/grub2-secureboot-provide-linuxefi-config.patch
Stephan Kulow ad4c1853ad Accepting request 143018 from devel:openSUSE:Factory
- ship a Secure Boot UEFI compatible bootloader (fate#314485)
- added secureboot patches which introduces new linuxefi module
  that is able to perform verifying signed images via exported
  protocol from shim. The insmod command will not function if
  secure boot enabled (as all modules should built in grub.efi
  and signed).
  - grub2-secureboot-add-linuxefi.patch
  - grub2-secureboot-use-linuxefi-on-uefi.patch
  - grub2-secureboot-no-insmod-on-sb.patch
  - grub2-secureboot-provide-linuxefi-config.patch
- Makefile.core.am : support building linuxefi module
- Make grub.efi image that is with all relevant modules incorporated
  and signed, it will be the second stage to the shim loader which
  will verified it when secureboot enabled.
- Make grub.efi's path to align with shim loader's default loader
  lookup path.
- The changes has been verified not affecting any factory instalation,
  but will allow us to run & test secure boot setup manually with shim. (forwarded request 143007 from michael-chang)

OBS-URL: https://build.opensuse.org/request/show/143018
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=52
2012-11-28 09:34:03 +00:00

67 lines
2.4 KiB
Diff

From 795ac61cba9674376d745813efdab395e35cff41 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Mon, 26 Nov 2012 15:38:54 +0800
Subject: [PATCH] provide option in config to enable linuxefi
References: fate#314485
Patch-Mainline: no
As linuxefi module requires kernel 3.6 or later which supports EFI
handover protocol, it may not be able to load kernels without that
supports in place.
In case that things would break, and the linuxefi is really too young to
take over the position of "linux" kernel loader module, we introduce a
option GRUB_USE_LINUXEFI in the config and only explicit set it to true
will enable it. Example usage is
GRUB_USE_LINUXEFI=true grub2-mkconfig -o /boot/efi/EFI/opensuse/grub.cfg
This will output a grub.cfg which uses linuxefi in replace of linux and
enable verification of kernel signature if in secureboot enabled and
has shim exported protocols available.
---
util/grub-mkconfig.in | 3 ++-
util/grub.d/10_linux.in | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index d789fcc..6555944 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -244,7 +244,8 @@ export GRUB_DEFAULT \
GRUB_SAVEDEFAULT \
GRUB_ENABLE_CRYPTODISK \
GRUB_BADRAM \
- GRUB_CMDLINE_LINUX_RECOVERY
+ GRUB_CMDLINE_LINUX_RECOVERY \
+ GRUB_USE_LINUXEFI
if test "x${grub_cfg}" != "x"; then
rm -f "${grub_cfg}.new"
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 807a0db..b2f65c0 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -133,7 +133,7 @@ linux_entry ()
printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
fi
message="$(gettext_printf "Loading Linux %s ..." ${version})"
- if [ -d /sys/firmware/efi ]; then
+ if [ -d /sys/firmware/efi ] && [ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]; then
sed "s/^/$submenu_indentation/" << EOF
echo '$message'
linuxefi ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args}
@@ -147,7 +147,7 @@ EOF
if test -n "${initrd}" ; then
# TRANSLATORS: ramdisk isn't identifier. Should be translated.
message="$(gettext_printf "Loading initial ramdisk ...")"
- if [ -d /sys/firmware/efi ]; then
+ if [ -d /sys/firmware/efi ] && [ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]; then
sed "s/^/$submenu_indentation/" << EOF
echo '$message'
initrdefi ${rel_dirname}/${initrd}
--
1.7.3.4