create_disk: fix UEFI secure boot

Ensure that all the efi binaries are included from the target. Fixes #1090 Fixes BZ 1799891 Our UEFI boot today is a bit lucky. This fixes a couple problems: 1. The full UEFI/EFI binaries were not copied over. In order to do a compliant EFI boot, BOOT<ARCH>.EFI should be there. 2. /usr/lib/ostree-boot/efi/BOOT/BOOT<ARCH>.EFI is a symlink to /usr/lib/ostree-boot/efi/<VENDOR>/shim<ARCH>.efi. This requires that a copy be made. 3. /boot/efi/EFI/<VENDOR>/grub2.cfg was not complete. It needed to load the /boot/grub2/grub2.cfg file and then boot. Previous images were booting using fallback. 4. Missing mmx64.efi means that secure UEFI could not happen since the the keys are no registered. mmx64.efi is needed to ensure GPL compliance on the shim. Without this file, the shim has is not recorded in the nvram.
coreos · Feb 6, 2020 · 1159022 · 1159022
1 parent ec5c0ee
commit 1159022
Showing 1 changed file with 24 additions and 10 deletions.
diff --git a/src/create_disk.sh b/src/create_disk.sh
@@ -307,23 +307,37 @@ install_uefi() {
     # change our build process to download+extract it separately.
     local source_efidir="${deploy_root}/usr/lib/ostree-boot/efi"
     local target_efi="$rootfs/boot/efi"
-    local target_efiboot="${target_efi}/EFI/BOOT"
-    mkdir -p "${target_efiboot}"
-    /usr/lib/coreos-assembler/cp-reflink "${source_efidir}/EFI/BOOT/BOOT"* "${target_efiboot}"
-    local src_grubefi=$(find "${source_efidir}"/EFI/ -name 'grub*.efi')
-    /usr/lib/coreos-assembler/cp-reflink "${src_grubefi}" "${target_efiboot}"
+    local src_grubefi=$(find "${source_efidir}"/EFI/ -maxdepth 1 -type d | grep -v BOOT)
+    local vendor_id="${src_grubefi##*/}"
+    local vendordir="${target_efi}/EFI/${vendor_id}"
+
+    # Some of the files in EFI/BOOT are _symlinks_ to EFI/$VENDOR
+    # in the OS tree. We need to make copies here.
+    mkdir -p "${target_efi}"/EFI/BOOT "${vendordir}"
+    for t in BOOT "${vendor_id}";
+    do
+        (
+            cd "${source_efidir}"/EFI/${t}
+            for i in *; do
+                /usr/lib/coreos-assembler/cp-reflink -vRL \
+                    $(readlink -f $i) \
+                    "${target_efi}"/EFI/"${t}"/
+            done
+        )
+    done
 
-    local vendor_id="$(basename $(dirname ${src_grubefi}))"
     local vendordir="${target_efi}/EFI/${vendor_id}"
     mkdir -p "${vendordir}"
 	cat > ${vendordir}/grub.cfg << 'EOF'
 search --label boot --set prefix
-set prefix=($prefix)/grub2
-normal
+set prefix=($prefix)
+configfile $prefix/grub2/grub.cfg
+boot
 EOF
-    mkdir -p $rootfs/boot/grub2
+
     # copy the grub config and any other files we might need
-    cp $grub_script $rootfs/boot/grub2/grub.cfg
+    mkdir -p $rootfs/boot/grub2
+    cp -v $grub_script $rootfs/boot/grub2/grub.cfg
 }
 
 # Other arch-specific bootloader changes