kamel: replace mokutil w/ efivar (PR sonic-net#14589)

kamelnetworks · Jan 22, 2024 · 1e994f1 · 1e994f1
1 parent 130224b
commit 1e994f1
Showing 1 changed file with 14 additions and 16 deletions.
diff --git a/installer/default_platform.conf b/installer/default_platform.conf
@@ -434,14 +434,23 @@ bootloader_menu_config()
         ${onie_bin} onie-support /tmp
         mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/
 
+        echo "firmware=$firmware"
         if [ "$firmware" = "uefi" ] ; then
-            secure_boot_state=$(mokutil --sb-state)
+            secure_boot_state=0
+            reg_sb_guid=""
+            ENABLED=1
+            echo "checking secure boot state"
+            reg_sb_guid=$(efivar -l | grep "SecureBoot$") || echo "Secure Boot GUID not found in efivar list"
+            echo "Secure Boot GUID=$reg_sb_guid"
+            if [ -n "$reg_sb_guid" ]; then
+                secure_boot_state=$(efivar -d --name $reg_sb_guid) || echo "Could not read Secure Boot state from efivar"
+            fi
             echo secure_boot_state=$secure_boot_state
-            if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
-                echo "UEFI Secure Boot is enabled"
+            if expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
+                echo "UEFI Secure Boot is enabled - Installing shim bootloader"
                 demo_install_uefi_shim "$demo_mnt" "$blk_dev"
             else
-                echo "UEFI Secure Boot is disabled"
+                echo "UEFI Secure Boot is disabled - Installing regular grub bootloader"
                 demo_install_uefi_grub "$demo_mnt" "$blk_dev"
             fi
         else
@@ -561,7 +570,7 @@ echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux"
 GRUB_CFG_LINUX_CMD=""
 GRUB_CFG_INITRD_CMD=""
-if [ "$firmware" = "uefi" ] ; then
+if [ "$firmware" = "uefi" ] &&  expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
     # grub.cfg when BIOS is UEFI and support Secure Boot
     GRUB_CFG_LINUX_CMD="linuxefi"
     GRUB_CFG_INITRD_CMD="initrdefi"
@@ -608,17 +617,6 @@ EOF
         cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg
     fi
 
-    if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
-        # Secure Boot grub.cfg support
-        # Saving grub_cfg in the same place where is grubx64.efi, 
-        # this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg
-        if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then
-            rm $NVOS_BOOT_DIR/grub.cfg
-        fi
-
-        cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg
-    fi
-
     cd /
 
     echo "Installed SONiC base image $demo_volume_label successfully"