From 7a2bb6d3f108994b753af7f596c175444cd32faa Mon Sep 17 00:00:00 2001 From: davidpil2002 <91657985+davidpil2002@users.noreply.github.com> Date: Wed, 31 May 2023 22:11:19 +0300 Subject: [PATCH] =?UTF-8?q?[secure=20boot]Fix=20mokutil=20check=20issue=20?= =?UTF-8?q?with=20ONIE=20version=20older=20than=20202=E2=80=A6=20(#14589)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …1.11 by using efivar tool instead #### Why I did it solution to BUG below/ https://github.com/sonic-net/sonic-buildimage/issues/14316 bug report also in this issue: backport: secureboot support #14246 #### How I did it When installing an image secure boot is checking if the UEFI have the secure boot flag enabled or disabled using a tool name `mokutil` this tool its not exist in ONIE version older than 2021.11 so its crasshing the install. To fix that we add a coded that checking secure boot enabled/disabled by using efivar tool that should exist in any UEFI system #### How to verify it Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).
---
 installer/default_platform.conf | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/installer/default_platform.conf b/installer/default_platform.conf
index ddf59baffdc8..559e7ab3cf89 100755
--- a/installer/default_platform.conf
+++ b/installer/default_platform.conf
@@ -434,14 +434,23 @@ bootloader_menu_config()
 ${onie_bin} onie-support /tmp
 mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/
+ echo "firmware=$firmware"
 if [ "$firmware" = "uefi" ] ; then
- secure_boot_state=$(mokutil --sb-state)
+ secure_boot_state=0
+ reg_sb_guid=""
+ ENABLED=1
+ echo "checking secure boot state"
+ reg_sb_guid=$(efivar -l | grep "SecureBoot$") || echo "Secure Boot GUID not found in efivar list"
+ echo "Secure Boot GUID=$reg_sb_guid"
+ if [ -n "$reg_sb_guid" ]; then
+ secure_boot_state=$(efivar -d --name $reg_sb_guid) || echo "Could not read Secure Boot state from efivar"
+ fi
 echo secure_boot_state=$secure_boot_state
- if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
- echo "UEFI Secure Boot is enabled"
+ if expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
+ echo "UEFI Secure Boot is enabled - Installing shim bootloader"
 demo_install_uefi_shim "$demo_mnt" "$blk_dev"
 else
- echo "UEFI Secure Boot is disabled"
+ echo "UEFI Secure Boot is disabled - Installing regular grub bootloader"
 demo_install_uefi_grub "$demo_mnt" "$blk_dev"
 fi
 else
@@ -561,7 +570,7 @@ echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux"
 GRUB_CFG_LINUX_CMD=""
 GRUB_CFG_INITRD_CMD=""
-if [ "$firmware" = "uefi" ] ; then
+if [ "$firmware" = "uefi" ] && expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
 # grub.cfg when BIOS is UEFI and support Secure Boot
 GRUB_CFG_LINUX_CMD="linuxefi"
 GRUB_CFG_INITRD_CMD="initrdefi"
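Review bot: The new detection fails open: when `efivar` is absent from the ONIE image, `efivar -l` fails, or the `efivar -d` read fails, `secure_boot_state` stays `0` or empty, the `|| echo` only prints a message to stdout, and the installer announces "UEFI Secure Boot is disabled" and runs `demo_install_uefi_grub` on a platform that may in fact be enforcing Secure Boot — the old `mokutil` call at least aborted instead of guessing. Dropping the hard `mokutil` dependency is the point of the change, but the code should still distinguish "variable absent" (legitimately disabled) from "could not query" (fall back to `mokutil` when present, otherwise stop the install), and it should match the full EFI global-variable name `8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot` with `grep -Fqx` instead of any name ending in `SecureBoot`, which also removes the unquoted `--name $reg_sb_guid` expansion and the possibility of a multi-line match. I cannot verify from this hunk whether every supported ONIE build ships `efivar`, so the message in the commit description that it "should exist in any UEFI system" is an assumption the abort path protects against. `bootloader_menu_config()` begins before this hunk. The rewrite below replaces the span from `secure_boot_state=0` through the `fi` that closes `if [ -n "$reg_sb_guid" ]`, keeps `ENABLED=1` and the following comparison and shim/grub selection unchanged, and stays POSIX sh.
```shell
        # Secure Boot state lives in the EFI_GLOBAL_VARIABLE GUID namespace.
        sb_var=8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot
        secure_boot_state=""
        ENABLED=1
        if command -v efivar >/dev/null 2>&1; then
            if efivar -l | grep -Fqx "$sb_var"; then
                secure_boot_state=$(efivar -d --name "$sb_var") || secure_boot_state=""
            else
                # Variable not present: firmware is not enforcing Secure Boot.
                secure_boot_state=0
            fi
        elif command -v mokutil >/dev/null 2>&1; then
            # Older ONIE may lack efivar; newer ONIE ships mokutil.
            case "$(mokutil --sb-state 2>/dev/null)" in
                "SecureBoot enabled")  secure_boot_state=1 ;;
                "SecureBoot disabled") secure_boot_state=0 ;;
            esac
        fi
        if ! expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null; then
            # Refuse to guess: installing the wrong bootloader leaves the box unbootable.
            echo "ERROR: cannot determine UEFI Secure Boot state (efivar/mokutil unavailable or failed)" >&2
            exit 1
        fi
        # … unchanged: echo secure_boot_state, ENABLED comparison, shim/grub selection …
```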
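Review bot: The new top-level condition depends on `ENABLED` and `secure_boot_state`, both of which are assigned only inside the `uefi` branch of `bootloader_menu_config()` in the earlier hunk, so this test is correct only as long as that function has already run and the two globals are always set together; I cannot see the call order from this hunk, and should they ever diverge, `[ "$secure_boot_state" -eq "$ENABLED" ]` with an empty `ENABLED` is an "integer expression expected" error rather than a false. The digit check plus `-eq "$ENABLED"` is also a verbatim copy of the test in the earlier hunk, with `ENABLED` acting as a magic constant defined far from its use. A self-contained form avoids both: `if [ "$firmware" = "uefi" ] && [ "${secure_boot_state:-0}" = "1" ]; then`, or factor a single `secure_boot_enabled()` helper shared by both call sites. The comment `# grub.cfg when BIOS is UEFI and support Secure Boot` now matches the condition, which is good.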
@@ -608,17 +617,6 @@ EOF
 cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg
 fi
- if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
- # Secure Boot grub.cfg support
- # Saving grub_cfg in the same place where is grubx64.efi,
- # this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg
- if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then
- rm $NVOS_BOOT_DIR/grub.cfg
- fi
-
- cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg
- fi
-
 cd /
 echo "Installed SONiC base image $demo_volume_label successfully"