From 944ac0aa3b8660bfdbf8a47b1e9618d9e355665a Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Sun, 13 Nov 2022 14:48:30 +0200 Subject: [PATCH] [secure boot]fix conflict --- installer/default_platform.conf | 15 +++++++++++++-- scripts/signing_secure_boot_dev.sh | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/installer/default_platform.conf b/installer/default_platform.conf index 0c920b5b3c2c..8ff4fd4c5a39 100755 --- a/installer/default_platform.conf +++ b/installer/default_platform.conf @@ -577,13 +577,13 @@ menuentry '$demo_grub_entry' { if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_msdos insmod ext2 - linux /$image_dir/boot/vmlinuz-5.10.0-18-2-amd64 root=$grub_cfg_root rw $GRUB_CMDLINE_LINUX \ + $GRUB_CFG_LINUX_CMD /$image_dir/boot/vmlinuz-5.10.0-18-2-amd64 root=$grub_cfg_root rw $GRUB_CMDLINE_LINUX \ net.ifnames=0 biosdevname=0 \ loop=$image_dir/$FILESYSTEM_SQUASHFS loopfstype=squashfs \ systemd.unified_cgroup_hierarchy=0 \ apparmor=1 security=apparmor varlog_size=$VAR_LOG_SIZE usbcore.autosuspend=-1 $ONIE_PLATFORM_EXTRA_CMDLINE_LINUX echo 'Loading $demo_volume_label $demo_type initial ramdisk ...' - initrd /$image_dir/boot/initrd.img-5.10.0-18-2-amd64 + $GRUB_CFG_INITRD_CMD /$image_dir/boot/initrd.img-5.10.0-18-2-amd64 } EOF @@ -606,6 +606,17 @@ EOF cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg fi + if [ "$secure_boot_state" = "SecureBoot enabled" ]; then + # Secure Boot grub.cfg support + # Saving grub_cfg in the same place where is grubx64.efi, + # this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg + if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then + rm $NVOS_BOOT_DIR/grub.cfg + fi + + cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg + fi + cd / echo "Installed SONiC base image $demo_volume_label successfully" diff --git a/scripts/signing_secure_boot_dev.sh b/scripts/signing_secure_boot_dev.sh index c8702f79b8b3..b4a95efd84b2 100755 --- a/scripts/signing_secure_boot_dev.sh 
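Review bot: `$GRUB_CFG_LINUX_CMD` and `$GRUB_CFG_INITRD_CMD` in the menuentry are not guaranteed to be set by anything visible in this hunk, and they appear to be expanded when the heredoc is written, as the neighbouring `$image_dir` is. If either is empty, the generated grub.cfg line starts with the kernel or initrd path instead of a command and the entry will not boot. Their assignments lie outside the hunk, so this may already be covered, but a default at the point of use keeps the non-Secure-Boot path safe: `${GRUB_CFG_LINUX_CMD:-linux} /$image_dir/boot/vmlinuz-5.10.0-18-2-amd64 ...` and `${GRUB_CFG_INITRD_CMD:-initrd} /$image_dir/boot/initrd.img-5.10.0-18-2-amd64`. A one-line comment above the menuentry naming where the two variables are chosen would help the next reader.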
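Review bot: In the added Secure Boot block, `$NVOS_BOOT_DIR` and `$grub_cfg` are unquoted and unchecked, so an unset `NVOS_BOOT_DIR` makes the `rm` and `cp` act on `/grub.cfg`. A failed copy is also ignored, and the script still prints "Installed SONiC base image ... successfully". According to the block's own comment this is the file the first grub.cfg hands off to, so a missing copy presumably leaves a Secure Boot system without its menu. The `rm` is redundant because `cp` overwrites, so the block can shrink to `cp "$grub_cfg" "${NVOS_BOOT_DIR:?}/grub.cfg" || exit 1`, using whatever failure path the installer normally takes. Where `NVOS_BOOT_DIR` and `secure_boot_state` are assigned is outside the hunk.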
+++ b/scripts/signing_secure_boot_dev.sh @@ -149,4 +149,4 @@ sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_V ######################### sudo bash scripts/signing_kernel_modules.sh $LINUX_KERNEL_VERSION ${PEM_CERT} ${PEM_PRIV_KEY} -echo "$0 signing & verifying EFI files and Kernel Modules DONE" \ No newline at end of file +echo "$0 signing & verifying EFI files and Kernel Modules DONE"