48a2e836ff
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use grub version: 2.06-1 .
Port grub-efi from LAT and make its build independent from grub2.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Make grub-efi independent from grub2 because some code changes
for secure boot can make grub-pc's build fail.
This porting of grub-efi customizes grub images and grub.cfg for
efi boot. Install those files customized to grub-efi-amd64 package.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46402
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
124 lines
4.1 KiB
INI
124 lines
4.1 KiB
INI
set default="0"
|
|
set timeout=3
|
|
set color_normal='light-gray/black'
|
|
set color_highlight='light-green/blue'
|
|
|
|
set boot_part="otaboot"
|
|
set root_part="otaroot"
|
|
set flux_part="fluxdata"
|
|
set rollback_part="_b"
|
|
set ab="1"
|
|
set ostree_console="%OSTREE_CONSOLE%"
|
|
set kernel=vmlinuz
|
|
set kernel_rollback=vmlinuz
|
|
set kernel_params=""
|
|
set kernel_params_ext=""
|
|
|
|
if [ "${legacy_bios}" != "1" ]; then
|
|
set boot_env_path=${prefix}
|
|
fi
|
|
|
|
if [ -e ${boot_env_path}/boot.env ]; then
|
|
load_env -s -f ${boot_env_path}/boot.env
|
|
|
|
if [ "${boot_tried_count}" -eq "0" ]; then
|
|
set boot_tried_count="1"
|
|
elif [ "${boot_tried_count}" -eq "1" ]; then
|
|
set boot_tried_count="2"
|
|
elif [ "${boot_tried_count}" -eq "2" ]; then
|
|
set boot_tried_count="3"
|
|
elif [ "${boot_tried_count}" -eq "3" ]; then
|
|
if [ "${default}" -eq "1" ]; then
|
|
set default="0"
|
|
else
|
|
set default="1"
|
|
fi
|
|
save_env -f ${boot_env_path}/boot.env default
|
|
set boot_tried_count="0"
|
|
fi
|
|
save_env -f ${boot_env_path}/boot.env boot_tried_count
|
|
fi
|
|
|
|
search --no-floppy --label --set=avol ${boot_part}${boot_mode}
|
|
if [ -e ($avol)/1/kernel.env ] ; then
|
|
load_env -s -f ($avol)/1/kernel.env kernel
|
|
fi
|
|
if [ "$ab" = "1" ] ; then
|
|
search --no-floppy --label --set=bvol ${boot_part}${rollback_part}
|
|
if [ -e ($avol)/1/kernel.env ] ; then
|
|
load_env -s -f ($avol)/1/kernel.env kernel_rollback
|
|
fi
|
|
else
|
|
if [ -e ($avol)/2/kernel.env ] ; then
|
|
load_env -s -f ($avol)/2/kernel.env kernel_rollback
|
|
fi
|
|
fi
|
|
|
|
get_efivar -f uint8 -s secured SecureBoot
|
|
if [ "${secured}" = "1" ]; then
|
|
# Enable user authentication to make grub unlockable
|
|
set superusers="%OSTREE_GRUB_USER%"
|
|
%OSTREE_GRUB_PW%
|
|
else
|
|
get_efivar -f uint8 -s unprovisioned SetupMode
|
|
if [ "${unprovisioned}" = "1" ]; then
|
|
set timeout=0
|
|
|
|
menuentry "Automatic Certificate Provision" --unrestricted {
|
|
chainloader ${prefix}/LockDown.efi
|
|
}
|
|
fi
|
|
fi
|
|
|
|
menuentry "%DISTRO_NAME% %DISTRO_VERSION% ostree${boot_mode} ${kernel}" --unrestricted {
|
|
set fallback=1
|
|
if [ "${legacy_bios}" != "1" ]; then
|
|
efi-watchdog enable 0 180
|
|
fi
|
|
search --no-floppy --label --set=root ${boot_part}${boot_mode}
|
|
if [ -e /1/kernel.env ] ; then
|
|
load_env -s -f /1/kernel.env kernel_params_ext
|
|
fi
|
|
linux /1/${kernel} rw rootwait ostree_boot=LABEL=${boot_part}${boot_mode} ostree_root=LABEL=${root_part}${boot_mode} flux=${flux_part} ostree=/ostree/1 $ostree_console $kernel_params $kernel_params_ext
|
|
initrd /1/initramfs
|
|
}
|
|
|
|
if [ "$ab" = "1" ] ; then
|
|
menuentry "%DISTRO_NAME% %DISTRO_VERSION% ostree ${kernel_rollback} rollback${rollback_part}" --unrestricted {
|
|
search --no-floppy --label --set=root ${boot_part}${rollback_part}
|
|
if [ -e /1/kernel.env ] ; then
|
|
load_env -s -f /1/kernel.env kernel_params_ext
|
|
fi
|
|
linux /1/${kernel_rollback} rw rootwait ostree_boot=LABEL=${boot_part}${rollback_part} ostree_root=LABEL=${root_part}${rollback_part} flux=${flux_part} ostree=/ostree/1 $ostree_console $kernel_params $kernel_params_ext
|
|
initrd /1/initramfs
|
|
}
|
|
else
|
|
menuentry "%DISTRO_NAME% %DISTRO_VERSION% ostree${boot_mode} ${kernel_rollback} rollback" --unrestricted {
|
|
set fallback=1
|
|
if [ "${legacy_bios}" != "1" ]; then
|
|
efi-watchdog enable 0 180
|
|
fi
|
|
search --no-floppy --label --set=root ${boot_part}${boot_mode}
|
|
if [ -e /2/kernel.env ] ; then
|
|
load_env -s -f /2/kernel.env kernel_params_ext
|
|
fi
|
|
linux /2/${kernel_rollback} rw rootwait ostree_boot=LABEL=${boot_part}${boot_mode} ostree_root=LABEL=${root_part}${boot_mode} flux=${flux_part} ostree=/ostree/2 $ostree_console $kernel_params $kernel_params_ext
|
|
initrd /2/initramfs
|
|
}
|
|
fi
|
|
|
|
if [ -s ${prefix}/igrub.cfg ] ; then
|
|
source ${prefix}/igrub.cfg
|
|
search --no-floppy --label --set=avol ${boot_part}${boot_mode}
|
|
if [ "$ab" = "1" ] ; then
|
|
search --no-floppy --label --set=bvol ${boot_part}${rollback_part}
|
|
if [ ! -s ($avol)/1/${kernel} -a ! -s ($bvol)/1/${kernel_rollback} ] ; then
|
|
set default="2"
|
|
fi
|
|
else
|
|
if [ ! -s ($avol)/1/${kernel} -a ! -s ($avol)/2/${kernel_rollback} ] ; then
|
|
set default="2"
|
|
fi
|
|
fi
|
|
fi
|