From e6764fcb73aa9ec9ebde34669d53d3a2be43c559 Mon Sep 17 00:00:00 2001 From: Ben Howard Date: Thu, 6 Feb 2020 12:31:26 -0700 Subject: [PATCH] create_disk: fix UEFI secure boot Ensure that all the efi binaries are included from the target. Fixes https://github.com/coreos/coreos-assembler/issues/1090 Fixes BZ 1799891 Our UEFI boot today is a bit lucky. This fixes a couple problems: 1. The full UEFI/EFI binaries were not copied over. In order to do a compliant EFI boot, BOOT.EFI should be there. 2. /usr/lib/ostree-boot/efi/BOOT/BOOT.EFI is a symlink to /usr/lib/ostree-boot/efi//shim.efi. This requires that a copy be made. 3. /boot/efi/EFI//grub2.cfg was not complete. It needed to load the /boot/grub2/grub2.cfg file and then boot. Previous images were booting using fallback. 4. Missing mmx64.efi means that secure UEFI could not happen since the keys are not registered. mmx64.efi is needed to ensure GPL compliance on the shim. Without this file, the shim is not recorded in the nvram. --- src/create_disk.sh | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/src/create_disk.sh b/src/create_disk.sh index aba7564f67..a04a11c829 100755 --- a/src/create_disk.sh +++ b/src/create_disk.sh 
@@ -307,23 +307,37 @@ install_uefi() {
 # change our build process to download+extract it separately.
 local source_efidir="${deploy_root}/usr/lib/ostree-boot/efi"
 local target_efi="$rootfs/boot/efi"
- local target_efiboot="${target_efi}/EFI/BOOT"
- mkdir -p "${target_efiboot}"
- /usr/lib/coreos-assembler/cp-reflink "${source_efidir}/EFI/BOOT/BOOT"* "${target_efiboot}"
- local src_grubefi=$(find "${source_efidir}"/EFI/ -name 'grub*.efi')
- /usr/lib/coreos-assembler/cp-reflink "${src_grubefi}" "${target_efiboot}"
+ local src_grubefi=$(find "${source_efidir}"/EFI/ -maxdepth 1 -type d | grep -v BOOT)
+ local vendor_id="${src_grubefi##*/}"
+ local vendordir="${target_efi}/EFI/${vendor_id}"
+
+ # Some of the files in EFI/BOOT are _symlinks_ to EFI/$VENDOR
+ # in the OS tree. We need to make copies here.
+ mkdir -p "${target_efi}"/EFI/BOOT "${vendordir}"
+ for t in BOOT "${vendor_id}";
+ do
+ (
+ cd "${source_efidir}"/EFI/${t}
+ for i in *; do
+ /usr/lib/coreos-assembler/cp-reflink -vRL \ $(readlink -f $i) \ "${target_efi}"/EFI/"${t}"/
+ done
+ )
+ done
 
- local vendor_id="$(basename $(dirname ${src_grubefi}))"
 local vendordir="${target_efi}/EFI/${vendor_id}"
 mkdir -p "${vendordir}"
 cat > ${vendordir}/grub.cfg << 'EOF'
 search --label boot --set prefix
-set prefix=($prefix)/grub2
-normal
+set prefix=($prefix)
+configfile $prefix/grub2/grub.cfg
+boot
 EOF
- mkdir -p $rootfs/boot/grub2
+
 # copy the grub config and any other files we might need
- cp $grub_script $rootfs/boot/grub2/grub.cfg
+ mkdir -p $rootfs/boot/grub2
+ cp -v $grub_script $rootfs/boot/grub2/grub.cfg
 }
 
 # Other arch-specific bootloader changes
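Review bot: `find "${source_efidir}"/EFI/ -maxdepth 1 -type d` also prints the starting point `EFI/` itself, so `src_grubefi` holds two paths and `vendor_id` only comes out right because `${src_grubefi##*/}` strips everything up to the last slash of the multi-line string; add `-mindepth 1`, replace the substring-matching `grep -v BOOT` with `! -name BOOT`, and split the `local x=$(…)` form so a failing find is not masked. The `cd` inside the subshell is unchecked, so if the vendor directory is missing `for i in *` globs whatever the current working directory is and copies those files onto the ESP, which for the boot path is worth failing fast on with `|| exit 1`. `$(readlink -f $i)`, `$i` and `${t}` are unquoted (SC2046/SC2086) and break on names containing whitespace; the rewritten loop below quotes them. The `local vendordir=` / `mkdir -p "${vendordir}"` pair kept as context below the loop now duplicates the new declaration and can be dropped. install_uefi() begins before this hunk, so whether `set -e` is in effect cannot be seen here, and the rewrite assumes exactly one vendor directory exists under EFI/.
```shell
    local vendor_id
    vendor_id=$(find "${source_efidir}"/EFI/ -mindepth 1 -maxdepth 1 -type d ! -name BOOT) || exit 1
    vendor_id="${vendor_id##*/}"
    local vendordir="${target_efi}/EFI/${vendor_id}"
    # … unchanged: symlink comment and mkdir -p …
    for t in BOOT "${vendor_id}"; do
        (
            cd "${source_efidir}/EFI/${t}" || exit 1
            for i in *; do
                /usr/lib/coreos-assembler/cp-reflink -vRL \
                    "$(readlink -f "$i")" \
                    "${target_efi}/EFI/${t}/"
            done
        ) || exit 1
    done
```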