Commit 6640f13c authored by Steve McIntyre

Updates for building signed EFI images

Add Build-Depends on shim-signed and grub-efi-ARCH-signed for
amd64/i386/arm64
Use the signed shim and grub for all 3 arches for EFI images
efi-image: use an extra command-line arg to track if we should be
using signed grub and shim etc.
parent 00d8918b
......@@ -18,8 +18,11 @@ SYSLINUX_CFG=standard
VIDEO_MODE="vga=788"
VIDEO_MODE_GTK="vga=788"
# Configuration for generating EFI images
GRUB_EFI=y
GRUB_PLATFORM=x86_64-efi
GRUB_EFI_NAME=x64
# We have support for UEFI Secure Boot on this arch
EFI_SIGNED=y
include config/x86.cfg
......@@ -7,7 +7,7 @@ GRUB_FONT = /usr/share/grub/ascii.pf2
.PHONY: arm_grub_efi
arm_grub_efi:
ifeq ($(GRUB_EFI),y)
efi-image $(TEMP_GRUB_EFI) $(GRUB_PLATFORM) $(GRUB_EFI_NAME) $(NETBOOT_PATH)
efi-image $(TEMP_GRUB_EFI) $(GRUB_PLATFORM) $(GRUB_EFI_NAME) $(NETBOOT_PATH) $(EFI_SIGNED)
endif
# Supply GRUB EFI configuration.
......
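Review bot: `$(EFI_SIGNED)` is appended as an unquoted fifth positional argument in the `arm_grub_efi` recipe, and the same pattern appears in `ia64_grub_efi` and `x86_grub_efi`. If `$(NETBOOT_PATH)` or an earlier variable ever expands to nothing (not verifiable from this page), the shell drops it and `y`/`n` slides into the NETBOOT-PREFIX slot, leaving efi-image without a signed flag. A config that pulls in this recipe without setting `EFI_SIGNED` has the same effect. Quoting keeps the positions fixed, e.g. `efi-image "$(TEMP_GRUB_EFI)" "$(GRUB_PLATFORM)" "$(GRUB_EFI_NAME)" "$(NETBOOT_PATH)" "$(EFI_SIGNED)"`, and an `EFI_SIGNED ?= n` default next to the recipe would make the unsigned case explicit. The recipe continues outside the hunk.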
......@@ -5,9 +5,12 @@ KERNELMAJOR = 2.6
KERNELVERSION = $(LINUX_KERNEL_ABI)-arm64
KERNELNAME = vmlinuz
# Configuration for generating EFI images
GRUB_EFI=y
GRUB_PLATFORM=arm64-efi
GRUB_EFI_NAME=aa64
# We have support for UEFI Secure Boot on this arch
EFI_SIGNED=y
arch_boot_screens:
arch_tree:
......
......@@ -7,9 +7,12 @@ KERNELMAJOR = 2.6
KERNELVERSION = $(LINUX_KERNEL_ABI)-armmp
KERNELNAME = vmlinuz
# Configuration for generating EFI images
GRUB_EFI=y
GRUB_PLATFORM=arm-efi
GRUB_EFI_NAME=arm
# We do *NOT* have support for UEFI Secure Boot on this arch
EFI_SIGNED=n
arch_boot_screens:
arch_tree:
......
......@@ -20,8 +20,11 @@ SYSLINUX_CFG=standard
VIDEO_MODE="vga=788"
VIDEO_MODE_GTK="vga=788"
# Configuration for generating EFI images
GRUB_EFI=y
GRUB_PLATFORM=i386-efi
GRUB_EFI_NAME=ia32
# We have support for UEFI Secure Boot on this arch
EFI_SIGNED=y
include config/x86.cfg
......@@ -9,9 +9,12 @@ DEBIAN_RELEASE = unstable
KEYRING = /usr/share/keyrings/debian-ports-archive-keyring.gpg
# Configuration for generating EFI images
GRUB_EFI=y
GRUB_PLATFORM=ia64-efi
GRUB_EFI_NAME=ia64
# We do *NOT* have support for UEFI Secure Boot on this arch
EFI_SIGNED=n
arch_boot_screens:
arch_tree:
......@@ -23,7 +26,7 @@ GRUB_FONT = /usr/share/grub/ascii.pf2
.PHONY: ia64_grub_efi
ia64_grub_efi:
ifeq ($(GRUB_EFI),y)
efi-image $(TEMP_GRUB_EFI) $(GRUB_PLATFORM) $(GRUB_EFI_NAME) $(NETBOOT_PATH)
efi-image $(TEMP_GRUB_EFI) $(GRUB_PLATFORM) $(GRUB_EFI_NAME) $(NETBOOT_PATH) $(EFI_SIGNED)
endif
# Supply GRUB EFI configuration.
......
......@@ -35,7 +35,7 @@ x86_syslinux:
.PHONY: x86_grub_efi
x86_grub_efi:
ifeq ($(GRUB_EFI),y)
efi-image $(TEMP_GRUB_EFI) $(GRUB_PLATFORM) $(GRUB_EFI_NAME) $(NETBOOT_PATH)
efi-image $(TEMP_GRUB_EFI) $(GRUB_PLATFORM) $(GRUB_EFI_NAME) $(NETBOOT_PATH) $(EFI_SIGNED)
endif
# Compress binaries to save more space.
......
......@@ -21,7 +21,7 @@ set -e
# Make an EFI boot image.
if [ -z "$1" ] || [ -z "$2" ]; then
echo "usage: $0 OUTPUT-DIRECTORY GRUB-PLATFORM EFI-NAME NETBOOT-PREFIX"
echo "usage: $0 OUTPUT-DIRECTORY GRUB-PLATFORM EFI-NAME NETBOOT-PREFIX EFI-SIGNED"
exit 1
fi
......@@ -29,15 +29,7 @@ outdir="$1"
platform="$2"
efi_name="$3"
netboot_prefix="$4"
# Should we be using already-built and already-signed monolithic grub
# and shim binaries? If not, fall back to old code and generate
# non-signed grub here. So far, we only have shim-signed for amd64 so
# that's the only architecture where we do things differently.
signed=0
if [ "$platform"x = "x86_64-efi"x ]; then
signed=1
fi
efi_signed="$5"
memdisk_img=
workdir=
......@@ -69,7 +61,7 @@ mkdir -p "$outdir/boot/grub/$platform"
done; \
echo "source /boot/grub/grub.cfg") >"$outdir/boot/grub/$platform/grub.cfg"
if [ $signed = 1 ]; then
if [ $efi_signed = y ]; then
# Just copy existing binaries into place
# First, the binaries we use for disc or CD boot
echo "$0: Using pre-signed grub-efi binaries for $efi_name"
......@@ -122,7 +114,7 @@ mmd -i "$outdir/efi.img" ::efi/boot
mcopy -i "$outdir/efi.img" "$workdir/boot$efi_name.efi" \
"::efi/boot/boot$efi_name.efi"
if [ $signed = 1 ]; then
if [ $efi_signed = y ]; then
# In this case, also add the grub binary
mcopy -i "$outdir/efi.img" "$workdir/grub$efi_name.efi" \
"::efi/boot/grub$efi_name.efi"
......
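Review bot: `efi_signed="$5"` is accepted without validation and then tested unquoted in `if [ $efi_signed = y ]` (both occurrences), while the argument check at the top still only looks at `$1` and `$2`. When the fifth argument is missing or empty, `[` reports an error inside the `if` condition, which `set -e` does not treat as fatal, so the script presumably continues down the unsigned path instead of stopping. For a switch that decides whether Secure Boot binaries end up in the image, failing loudly is safer: quote the tests as `if [ "$efi_signed" = y ]; then` and reject other values right after the assignment, e.g. `case "$efi_signed" in y|n) ;; *) echo "$0: EFI-SIGNED must be y or n" >&2; exit 1 ;; esac`. The script body continues outside the visible hunks.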
......@@ -38,6 +38,13 @@ debian-installer (20190411) UNRELEASED; urgency=medium
[ Vagrant Cascadian ]
* [arm64] Add support for netboot SD-card-images.
[ Steve McIntyre ]
* Add Build-Depends on shim-signed and grub-efi-ARCH-signed for
amd64/i386/arm64
* Use the signed shim and grub for all 3 arches for EFI images
* efi-image: use an extra command-line arg to track if we should be
using signed grub and shim etc.
-- Cyril Brulebois <[email protected]> Fri, 19 Apr 2019 22:45:44 +0200
debian-installer (20190410) unstable; urgency=medium
......
......@@ -100,7 +100,10 @@ Build-Depends:
emile [m68k],
emile-bootblocks [m68k],
# Bootloader for m68k/mac machines.
shim-signed [amd64], grub-efi-amd64-signed [amd64],
shim-signed [amd64 i386 arm64],
grub-efi-amd64-signed [amd64],
grub-efi-ia32-signed [i386],
grub-efi-arm64-signed [arm64],
# Signed bootloader components for UEFI Secure Boot
grub-efi-arm64-bin [arm64],
grub-efi-ia32-bin [i386],
......
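Review bot: The new `shim-signed` and `grub-efi-*-signed` build dependencies are unversioned, so the EFI image embeds whichever signed binaries happen to be installed in the build environment. Because efi-image now copies those pre-signed files into place rather than generating grub itself, a stale build chroot could ship a shim or grub that has since been superseded or revoked. Consider a minimum version on each entry, or recording the copied package versions (for example via `Built-Using`), so the bootloader contents of a given image can be traced. Whether the packaging already does this elsewhere is not visible from this hunk.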