Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding NVRAM entries manually to support secureboot #4

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Adding NVRAM entries manually to support secureboot #4

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d17d275
- Disable bootloader-id and manually adding EFI entries to NVRAM to s…
SoerenBusse Oct 3, 2019
2b74e69
- Boot shimx64.efi to properply support secure boot
SoerenBusse Oct 3, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 46 additions & 13 deletions debian-buster-zfs-root.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@
# with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.txt>.
#

### Constants
BIOS="bios"
EFI="efi"

### Static settings

ZPOOL=rpool
Expand Down Expand Up @@ -87,10 +91,10 @@ fi
RAIDLEVEL=$(head -n1 "$TMPFILE" | tr '[:upper:]' '[:lower:]')

case "$RAIDLEVEL" in
raid0)
raid0)
RAIDDEF="${ZFSPARTITIONS[*]}"
;;
raid1)
;;
raid1)
if [ $((${#ZFSPARTITIONS[@]} % 2)) -ne 0 ]; then
echo "Need an even number of disks for RAID level '$RAIDLEVEL': ${ZFSPARTITIONS[@]}" >&2
exit 1
Expand All @@ -103,17 +107,17 @@ case "$RAIDLEVEL" in
RAIDDEF+=" $ZFSPARTITION"
((I++)) || true
done
;;
*)
;;
*)
if [ ${#ZFSPARTITIONS[@]} -lt 3 ]; then
echo "Need at least 3 disks for RAID level '$RAIDLEVEL': ${ZFSPARTITIONS[@]}" >&2
exit 1
fi
RAIDDEF="$RAIDLEVEL ${ZFSPARTITIONS[*]}"
;;
;;
esac

GRUBPKG=grub-pc
GRUBTYPE=$BIOS
if [ -d /sys/firmware/efi ]; then
whiptail --backtitle "$0" --title "EFI boot" --separate-output \
--menu "\nYour hardware supports EFI. Which boot method should be used in the new to be installed system?\n" 20 74 8 \
Expand All @@ -123,8 +127,9 @@ if [ -d /sys/firmware/efi ]; then
if [ $? -ne 0 ]; then
exit 1
fi

if grep -qi EFI $TMPFILE; then
GRUBPKG=grub-efi-amd64
GRUBTYPE=$EFI
fi
fi

Expand Down Expand Up @@ -163,6 +168,10 @@ if [ ! -f /sbin/zpool ]; then NEED_PACKAGES+=(zfsutils-linux); fi
if [ ! -f /usr/sbin/debootstrap ]; then NEED_PACKAGES+=(debootstrap); fi
if [ ! -f /sbin/sgdisk ]; then NEED_PACKAGES+=(gdisk); fi
if [ ! -f /sbin/mkdosfs ]; then NEED_PACKAGES+=(dosfstools); fi

# Required packages for EFI
if [ "$GRUBTYPE" == "$EFI" ] && [ ! -f /usr/bin/efibootmgr ]; then NEED_PACKAGES+=(efibootmgr); fi

echo "Need packages: ${NEED_PACKAGES[@]}"
if [ -n "${NEED_PACKAGES[*]}" ]; then DEBIAN_FRONTEND=noninteractive apt-get install --yes "${NEED_PACKAGES[@]}"; fi

Expand All @@ -179,8 +188,8 @@ for DISK in "${DISKS[@]}"; do
sgdisk --zap-all $DISK

sgdisk -a1 -n$PARTBIOS:34:2047 -t$PARTBIOS:EF02 \
-n$PARTEFI:2048:+512M -t$PARTEFI:EF00 \
-n$PARTZFS:0:0 -t$PARTZFS:BF01 $DISK
-n$PARTEFI:2048:+512M -t$PARTEFI:EF00 \
-n$PARTZFS:0:0 -t$PARTZFS:BF01 $DISK
done

sleep 2
Expand Down Expand Up @@ -256,21 +265,45 @@ chroot /target /usr/sbin/locale-gen

chroot /target /usr/bin/apt-get update

# Select correct grub for the requested plattform
if [ "$GRUBTYPE" == "$EFI" ]; then
GRUBPKG="grub-efi-amd64"
else
GRUBPKG="grub-pc"
fi

chroot /target /usr/bin/apt-get install --yes grub2-common $GRUBPKG zfs-initramfs zfs-dkms
grep -q zfs /target/etc/default/grub || perl -i -pe 's/quiet/boot=zfs quiet/' /target/etc/default/grub
chroot /target /usr/sbin/update-grub

if [ "${GRUBPKG:0:8}" == "grub-efi" ]; then

if [ "$GRUBTYPE" == "$EFI" ]; then
# "This is arguably a mis-design in the UEFI specification - the ESP is a single point of failure on one disk."
# https://wiki.debian.org/UEFI#RAID_for_the_EFI_System_Partition

mkdir -pv /target/boot/efi
I=0
for EFIPARTITION in "${EFIPARTITIONS[@]}"; do
BOOTLOADERID="Debian $TARGETDIST (RAID disk $I)"

mkdosfs -F 32 -n EFI-$I $EFIPARTITION
mount $EFIPARTITION /target/boot/efi
chroot /target /usr/sbin/grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id="Debian $TARGETDIST (RAID disk $I)" --recheck --no-floppy

# Install grub to the EFI directory without setting an EFI entry to the NVRAM
# We need to add the EFI entry manually because the --bootloader-id doesn't work when using secure boot
# This is because the grubx64.efi has /EFI/debian/grub hardcoreded for secure boot reasons
# As a workaround we install grub into /EFI/debian/grub and add the EFI entrys per disk manually
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23925309
chroot /target /usr/sbin/grub-install --target=x86_64-efi --efi-directory=/boot/efi --no-nvram --recheck --no-floppy
umount $EFIPARTITION

# Delete entry from EFI if it already exists
while read -r bootnum; do
efibootmgr -b $bootnum --delete-bootnum
done < <(efibootmgr | grep "$BOOTLOADERID" | sed "s/^Boot\(....\).*$/\1/g")

# Add EFI entry for this disk
efibootmgr -c --label "$BOOTLOADERID" --loader "\EFI\debian\shimx64.efi" --disk "$EFIPARTITION" --part $PARTEFI

if [ $I -gt 0 ]; then
EFIBAKPART="#"
fi
Expand Down