[secure boot]Fix mokutil check issue with ONIE version older than 202… (

#14589) …1.11 by using efivar tool instead #### Why I did it solution to BUG below/ #14316 bug report also in this issue: backport: secureboot support #14246 #### How I did it When installing an image secure boot is checking if the UEFI have the secure boot flag enabled or disabled using a tool name `mokutil` this tool its not exist in ONIE version older than 2021.11 so its crasshing the install. To fix that we add a coded that checking secure boot enabled/disabled by using efivar tool that should exist in any UEFI system #### How to verify it Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).
sonic-net · May 31, 2023 · 7a2bb6d · 7a2bb6d
1 parent 6ebad6f
commit 7a2bb6d
Showing 1 changed file with 14 additions and 16 deletions.
diff --git a/installer/default_platform.conf b/installer/default_platform.conf
@@ -434,14 +434,23 @@ bootloader_menu_config()
         ${onie_bin} onie-support /tmp
         mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/
 
+        echo "firmware=$firmware"
         if [ "$firmware" = "uefi" ] ; then
-            secure_boot_state=$(mokutil --sb-state)
+            secure_boot_state=0
+            reg_sb_guid=""
+            ENABLED=1
+            echo "checking secure boot state"
+            reg_sb_guid=$(efivar -l | grep "SecureBoot$") || echo "Secure Boot GUID not found in efivar list"
+            echo "Secure Boot GUID=$reg_sb_guid"
+            if [ -n "$reg_sb_guid" ]; then
+                secure_boot_state=$(efivar -d --name $reg_sb_guid) || echo "Could not read Secure Boot state from efivar"
+            fi
             echo secure_boot_state=$secure_boot_state
-            if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
-                echo "UEFI Secure Boot is enabled"
+            if expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
+                echo "UEFI Secure Boot is enabled - Installing shim bootloader"
                 demo_install_uefi_shim "$demo_mnt" "$blk_dev"
             else
-                echo "UEFI Secure Boot is disabled"
+                echo "UEFI Secure Boot is disabled - Installing regular grub bootloader"
                 demo_install_uefi_grub "$demo_mnt" "$blk_dev"
             fi
         else
@@ -561,7 +570,7 @@ echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux"
 GRUB_CFG_LINUX_CMD=""
 GRUB_CFG_INITRD_CMD=""
-if [ "$firmware" = "uefi" ] ; then
+if [ "$firmware" = "uefi" ] &&  expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
     # grub.cfg when BIOS is UEFI and support Secure Boot
     GRUB_CFG_LINUX_CMD="linuxefi"
     GRUB_CFG_INITRD_CMD="initrdefi"
@@ -608,17 +617,6 @@ EOF
         cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg
     fi
 
-    if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
-        # Secure Boot grub.cfg support
-        # Saving grub_cfg in the same place where is grubx64.efi, 
-        # this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg
-        if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then
-            rm $NVOS_BOOT_DIR/grub.cfg
-        fi
-
-        cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg
-    fi
-
     cd /
 
     echo "Installed SONiC base image $demo_volume_label successfully"