Accepting request 1041831 from home:joeyli:branches:devel:openSUSE:Factory
Modified shim-install, add patches to support full disk encryption: (jsc#PED-922) OBS-URL: https://build.opensuse.org/request/show/1041831 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=199
This commit is contained in:
Joey Lee
Git OBS Bridge
parent
34a594d236
commit
171b8de0fc
44
shim-install
44
shim-install
@ -17,6 +17,7 @@ source_dir="${datadir}/efi/${arch}"
|
||||
efibootmgr="/usr/sbin/efibootmgr"
|
||||
grub_probe="/usr/sbin/grub2-probe"
|
||||
grub_mkrelpath="/usr/bin/grub2-mkrelpath"
|
||||
no_grub_install=no
|
||||
grub_install="/usr/sbin/grub2-install"
|
||||
grub_install_target=
|
||||
self="`basename $0`"
|
||||
@ -127,6 +128,7 @@ usage () {
|
||||
echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
|
||||
echo "--clean remove all installed files and configs."
|
||||
echo "--suse-enable-tpm install grub.efi with TPM support."
|
||||
echo "--no-grub-install Do not run grub2-install."
|
||||
echo
|
||||
echo "INSTALL_DEVICE must be system device filename."
|
||||
}
|
||||
@ -206,6 +208,9 @@ do
|
||||
--clean)
|
||||
clean=yes ;;
|
||||
|
||||
--no-grub-install)
|
||||
no_grub_install=yes ;;
|
||||
|
||||
-*)
|
||||
echo "Unrecognized option \`$option'" 1>&2
|
||||
usage
|
||||
@ -352,6 +357,39 @@ if test "$update_boot" = "yes"; then
|
||||
fi
|
||||
|
||||
|
||||
prepare_cryptodisk () {
|
||||
uuid="$1"
|
||||
|
||||
if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
|
||||
echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
|
||||
return
|
||||
fi
|
||||
|
||||
if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
|
||||
echo "cryptomount -u $uuid"
|
||||
return
|
||||
fi
|
||||
|
||||
tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}"
|
||||
tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}"
|
||||
tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
|
||||
|
||||
declare -g TPM_PCR_SNAPSHOT_TAKEN
|
||||
|
||||
if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
|
||||
TPM_PCR_SNAPSHOT_TAKEN=1
|
||||
echo "tpm_record_pcrs 0-9"
|
||||
fi
|
||||
|
||||
cat <<EOF
|
||||
tpm2_key_protector_init -b $tpm_pcr_bank -p $tpm_pcr_list -k \$prefix/$tpm_sealed_key
|
||||
if ! cryptomount -u $uuid -k tpm2; then
|
||||
cryptomount -u $uuid
|
||||
fi
|
||||
EOF
|
||||
}
|
||||
|
||||
|
||||
make_grubcfg () {
|
||||
|
||||
grub_cfg_dirname=`dirname $grub_cfg`
|
||||
@ -374,7 +412,7 @@ fi
|
||||
|
||||
if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
|
||||
for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do
|
||||
echo "cryptomount -u $uuid"
|
||||
prepare_cryptodisk "$uuid"
|
||||
done
|
||||
fi
|
||||
|
||||
@ -390,7 +428,9 @@ EOF
|
||||
# invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg
|
||||
# bsc#1118363 shim-install didn't specify the target for grub2-install
|
||||
# set the target explicitly for some special cases
|
||||
${grub_install} --target=${grub_install_target} --no-nvram
|
||||
if test "$no_grub_install" != "yes"; then
|
||||
${grub_install} --target=${grub_install_target} --no-nvram
|
||||
fi
|
||||
|
||||
# Making sure grub.cfg not overwritten by grub-install above
|
||||
make_grubcfg > "${efidir}/grub.cfg"
|
||||
|
||||
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Dec 9 08:38:14 UTC 2022 - Joey Lee <jlee@suse.com>
|
||||
|
||||
- Modified shim-install, add the following Olaf Kirch's patches to support
|
||||
full disk encryption: (jsc#PED-922)
|
||||
a5c57340740c Introduce --no-grub-install option
|
||||
5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot
|
||||
26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 23 07:28:57 UTC 2022 - Joey Lee <jlee@suse.com>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user