From 29cdac161d500e9259f2a342cb20d2965fb6a686 Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Mon, 10 Apr 2023 14:33:16 +0300 Subject: [PATCH 1/6] [secure boot]Fix mokutil check issue with ONIE version older than 2021.11 by using efivar tool instead --- installer/default_platform.conf | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/installer/default_platform.conf b/installer/default_platform.conf index ddf59baffdc8..b3c778e676a4 100755 --- a/installer/default_platform.conf +++ b/installer/default_platform.conf @@ -435,13 +435,20 @@ bootloader_menu_config() mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/ if [ "$firmware" = "uefi" ] ; then - secure_boot_state=$(mokutil --sb-state) + reg_sb_guid=$(efivar -l | grep "SecureBoot") + secure_boot_state="" + if echo "$reg_sb_guid" | grep -q "SecureBoot";then + secure_boot_state=$(efivar -d --name $reg_sb_guid) + else + echo "Current UEFI do not support Secure Boot feature" + secure_boot_state="0" + fi echo secure_boot_state=$secure_boot_state - if [ "$secure_boot_state" = "SecureBoot enabled" ]; then - echo "UEFI Secure Boot is enabled" + if [ "$secure_boot_state" -eq 1 ]; then + echo "UEFI Secure Boot is enabled - Installing shim bootloader" demo_install_uefi_shim "$demo_mnt" "$blk_dev" else - echo "UEFI Secure Boot is disabled" + echo "UEFI Secure Boot is disabled - installing regular grub bootloader" demo_install_uefi_grub "$demo_mnt" "$blk_dev" fi else From 81d08745b53c437338707c0f07cca7e2c1d9f04f Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Thu, 13 Apr 2023 09:55:40 +0300 Subject: [PATCH 2/6] [secure boot]define a MACRO for enable state --- installer/default_platform.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/installer/default_platform.conf b/installer/default_platform.conf index b3c778e676a4..c1aad95dab85 100755 --- a/installer/default_platform.conf +++ b/installer/default_platform.conf @@ -435,8 +435,10 @@ bootloader_menu_config() mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/ if [ "$firmware" = "uefi" ] ; then - reg_sb_guid=$(efivar -l | grep "SecureBoot") secure_boot_state="" + reg_sb_guid="" + ENABLED=1 + reg_sb_guid=$(efivar -l | grep "SecureBoot") if echo "$reg_sb_guid" | grep -q "SecureBoot";then secure_boot_state=$(efivar -d --name $reg_sb_guid) else @@ -444,7 +446,7 @@ bootloader_menu_config() secure_boot_state="0" fi echo secure_boot_state=$secure_boot_state - if [ "$secure_boot_state" -eq 1 ]; then + if [ "$secure_boot_state" -eq "$ENABLED" ]; then echo "UEFI Secure Boot is enabled - Installing shim bootloader" demo_install_uefi_shim "$demo_mnt" "$blk_dev" else From 67051ff7f07c8f798089abe53f79e19f21480c05 Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Sat, 15 Apr 2023 00:41:34 +0300 Subject: [PATCH 3/6] [secure boot]Made the condition of secure boot state more safe --- installer/default_platform.conf | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/installer/default_platform.conf b/installer/default_platform.conf index c1aad95dab85..c441856e969f 100755 --- a/installer/default_platform.conf +++ b/installer/default_platform.conf @@ -434,19 +434,19 @@ bootloader_menu_config() ${onie_bin} onie-support /tmp mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/ + echo "firmware=$firmware" if [ "$firmware" = "uefi" ] ; then - secure_boot_state="" + secure_boot_state=0 reg_sb_guid="" ENABLED=1 - reg_sb_guid=$(efivar -l | grep "SecureBoot") - if echo "$reg_sb_guid" | grep -q "SecureBoot";then - secure_boot_state=$(efivar -d --name $reg_sb_guid) - else - echo "Current UEFI do not support Secure Boot feature" - secure_boot_state="0" + echo "checking secure boot state" + reg_sb_guid=$(efivar -l | grep "SecureBoot") || echo "Secure Boot GUID not found in efivar list" + echo "Secure Boot GUID=$reg_sb_guid" + if [ -n "$reg_sb_guid" ]; then + secure_boot_state=$(efivar -d --name $reg_sb_guid) || echo "Could not read Secure Boot state from efivar" fi echo secure_boot_state=$secure_boot_state - if [ "$secure_boot_state" -eq "$ENABLED" ]; then + if expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then echo "UEFI Secure Boot is enabled - Installing shim bootloader" demo_install_uefi_shim "$demo_mnt" "$blk_dev" else @@ -617,17 +617,6 @@ EOF cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg fi - if [ "$secure_boot_state" = "SecureBoot enabled" ]; then - # Secure Boot grub.cfg support - # Saving grub_cfg in the same place where is grubx64.efi, - # this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg - if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then - rm $NVOS_BOOT_DIR/grub.cfg - fi - - cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg - fi - cd / echo "Installed SONiC base image $demo_volume_label successfully" From b4807e481df6023b79e05862e2121bb3731fac70 Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Wed, 19 Apr 2023 09:06:28 +0300 Subject: [PATCH 4/6] [secure boot]Fix lower case print --- installer/default_platform.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/default_platform.conf b/installer/default_platform.conf index c441856e969f..bebd6f563298 100755 --- a/installer/default_platform.conf +++ b/installer/default_platform.conf @@ -450,7 +450,7 @@ bootloader_menu_config() echo "UEFI Secure Boot is enabled - Installing shim bootloader" demo_install_uefi_shim "$demo_mnt" "$blk_dev" else - echo "UEFI Secure Boot is disabled - installing regular grub bootloader" + echo "UEFI Secure Boot is disabled - Installing regular grub bootloader" demo_install_uefi_grub "$demo_mnt" "$blk_dev" fi else From 1130effc13b3013fa99ac3ade8f1da18dca196b5 Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Sun, 23 Apr 2023 13:48:19 +0300 Subject: [PATCH 5/6] [secure boot]Fix Grub linuxefi call issue, by using this cmd only in case secure boot enabled, other use linux cmd --- installer/default_platform.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/default_platform.conf b/installer/default_platform.conf index bebd6f563298..52f92d2dcd33 100755 --- a/installer/default_platform.conf +++ b/installer/default_platform.conf @@ -570,7 +570,7 @@ echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux" GRUB_CFG_LINUX_CMD="" GRUB_CFG_INITRD_CMD="" -if [ "$firmware" = "uefi" ] ; then +if [ "$firmware" = "uefi" ] && expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then # grub.cfg when BIOS is UEFI and support Secure Boot GRUB_CFG_LINUX_CMD="linuxefi" GRUB_CFG_INITRD_CMD="initrdefi" From c48f111619594fc6d13bc6fcf13b75816d18cf89 Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Sun, 7 May 2023 13:15:42 +0300 Subject: [PATCH 6/6] secure boot: add delimiter to reggex --- installer/default_platform.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/default_platform.conf b/installer/default_platform.conf index 52f92d2dcd33..559e7ab3cf89 100755 --- a/installer/default_platform.conf +++ b/installer/default_platform.conf @@ -440,7 +440,7 @@ bootloader_menu_config() reg_sb_guid="" ENABLED=1 echo "checking secure boot state" - reg_sb_guid=$(efivar -l | grep "SecureBoot") || echo "Secure Boot GUID not found in efivar list" + reg_sb_guid=$(efivar -l | grep "SecureBoot$") || echo "Secure Boot GUID not found in efivar list" echo "Secure Boot GUID=$reg_sb_guid" if [ -n "$reg_sb_guid" ]; then secure_boot_state=$(efivar -d --name $reg_sb_guid) || echo "Could not read Secure Boot state from efivar"