[Git-commits] [grml/grml2usb] 92ffc0: Support Grml's new Secure Boot approach

Michael Prokop noreply at github.com
Fri Jun 19 15:15:05 CEST 2020


  Branch: refs/heads/master
  Home:   https://github.com/grml/grml2usb
  Commit: 92ffc08bb28f73c79f195ded2fba02eeebfe925b
      https://github.com/grml/grml2usb/commit/92ffc08bb28f73c79f195ded2fba02eeebfe925b
  Author: Michael Prokop <mika at grml.org>
  Date:   2020-06-19 (Fri, 19 Jun 2020)

  Changed paths:
    M grml2usb

  Log Message:
  -----------
  Support Grml's new Secure Boot approach

Secure Boot support was kind of broken and in grml-live commit 518eb395d
we reworked the layout and handling of the configuration.
The main change is the new GRUB prefix /boot/grub/grub.cfg instead
of /EFI/ubuntu. We need to adopt this accordingly, though it's probably
not worth being backwards compatible (given that we never released
official Grml ISOs with Secure Boot).

NOTE: the configuration file /boot/grub/grub.cfg *inside* the efi.img
doesn't get adjusted via handle_grub_config() yet, so if we should ever
add custom boot entries directly into this grub configuration file
(which is known as the grml-live template file
templates/secureboot/grub.cfg), we'd have to adjust handle_grub_config()
or invoke handle_grub_config() from inside handle_secure_boot().

Also we install the grub.cfg from inside EFI as /boot/grub/x86_64-efi/grub.cfg.
Looking at GRUB's default configuration file (see `cat
(memdisk)/grub.cfg`) shows that if /boot/grub/x86_64-efi/grub.cfg exists
it's getting sourced before /boot/grub/grub.cfg.  Since our *actual*
GRUB configuration of the Grml ISO is residing as /boot/grub/grub.cfg,
we can use /boot/grub/x86_64-efi/grub.cfg to control behavior in Secure
Boot mode.

Also ensure we take over file /conf/bootfile_*, which we
rely on from with grml-live's templates/secureboot/grub.cfg.

This work was funded by Grml-Forensic.




More information about the Git-commits mailing list