[secure boot]Fix first grub.cfg to look for the sonic grub.cfg in the…
… sonic fs (like original grub.cfg) instead of in the boot directory
davidpil2002 authored and DavidZagury committed Feb 8, 2023
1 parent f76e792 commit de2522e
Showing 2 changed files with 14 additions and 31 deletions.
35 changes: 14 additions & 21 deletions installer/default_platform.conf
@@ -405,21 +405,11 @@ demo_install_uefi_shim()
exit 1
fi
if [ ! -f $demo_mnt/$image_dir/boot/grub.cfg ]; then
echo "ERROR: cp $demo_mnt/$image_dir/boot/grub.cfg file does not exist"
exit 1
fi
echo "copying signed shim, mm, grub, grub.cfg from $demo_mnt/$image_dir/boot/ to /boot/efi/EFI/$demo_volume_label directory"
cp $demo_mnt/$image_dir/boot/mmx64.efi /boot/efi/EFI/$demo_volume_label/mmx64.efi
cp $demo_mnt/$image_dir/boot/shimx64.efi /boot/efi/EFI/$demo_volume_label/shimx64.efi
cp $demo_mnt/$image_dir/boot/grubx64.efi /boot/efi/EFI/$demo_volume_label/grubx64.efi
# cp first grub.cfg as entrypoint to call real grub.cfg in nvos label
mkdir -p /boot/efi/EFI/debian/
echo "cp $demo_mnt/$image_dir/boot/grub.cfg /boot/efi/EFI/debian/"
cp $demo_mnt/$image_dir/boot/grub.cfg /boot/efi/EFI/debian/
# Configure EFI NVRAM Boot variables. --create also sets the
# new boot number as active.
efibootmgr --quiet --create \
@@ -550,6 +540,20 @@ EOF
fi
fi
# Make a first grub config file that located in default debian path:/boot/efi/EFI/debian/
# this first grub.cfg will call the complete grub.cfg created below with sonic configuration
tmp_config=$(mktemp)
cat <<EOF > $tmp_config
search --no-floppy --label --set=root $demo_volume_label
set prefix=(\$root)'/grub'
configfile \$prefix/grub.cfg
EOF
# Copy first grub.cfg as entrypoint to default debian path where grubx64.efi expected it.
mkdir -p /boot/efi/EFI/debian/
echo "cp $tmp_config /boot/efi/EFI/debian/grub.cfg"
cp $tmp_config /boot/efi/EFI/debian/grub.cfg
# Add extra linux command line
echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux"
@@ -602,17 +606,6 @@ EOF
cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg
fi
if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
# Secure Boot grub.cfg support
# Saving grub_cfg in the same place where is grubx64.efi,
# this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg
if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then
rm $NVOS_BOOT_DIR/grub.cfg
fi
cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg
fi
cd /
echo "Installed SONiC base image $demo_volume_label successfully"
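Review bot: The new stub-config block (from `tmp_config=$(mktemp)` to the `cp` into /boot/efi/EFI/debian/) checks neither `mktemp` nor `cp` and never removes the temporary file, whereas the grub.cfg handling this commit removes from demo_install_uefi_shim stopped with `exit 1` when the file was missing. Per the block's own comment grubx64.efi expects this file, so a silent failure here would leave the installer printing "successfully" without a working entry point; I would write `tmp_config=$(mktemp) || exit 1`, `cp "$tmp_config" /boot/efi/EFI/debian/grub.cfg || exit 1` and `rm -f "$tmp_config"`. The stub also selects root with `search --label`, and a volume label is not unique, so a comment should state that the integrity of the second grub.cfg rests on whatever verification GRUB applies to it rather than on the label match. The enclosing block starts and ends outside this hunk, so it is not visible whether `set -e` is active or whether this now also runs on installs without Secure Boot, where the removed copy in the last hunk was gated on `secure_boot_state`.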
10 changes: 0 additions & 10 deletions scripts/signing_secure_boot_dev.sh
@@ -105,20 +105,10 @@ sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT
## grub signing
######################

# Make a config grub file that reads a grub.cfg from the EFI directory
# where the final grub binary is running.
tmp_config=$(mktemp)
cat <<EOF > $tmp_config
configfile \$cmdpath/grub.cfg
EOF

# clean old files
clean_file $FS_ROOT/boot/grub.cfg
clean_file ${GRUB_EFI_SRC}-signed
clean_file $FS_ROOT/boot/grub${EFI_ARCH}.efi

sudo cp $tmp_config $FS_ROOT/boot/grub.cfg

GRUB_DIR_SRC=$FS_ROOT/usr/lib/grub/x86_64-efi/monolithic/
GRUB_EFI_SRC=$GRUB_DIR_SRC/grub${EFI_ARCH}.efi

