diff --git a/share/config_files/x86/grub2-efi-lockdown.cfg b/share/config_files/x86/grub2-efi-lockdown.cfg
new file mode 100644
index 00000000..74888fc1
--- /dev/null
+++ b/share/config_files/x86/grub2-efi-lockdown.cfg
@@ -0,0 +1,43 @@
+set default="1"
+
+function load_video {
+ insmod efi_gop
+ insmod efi_uga
+ insmod video_bochs
+ insmod video_cirrus
+ insmod all_video
+}
+
+load_video
+set gfxpayload=keep
+insmod gzio
+insmod part_gpt
+insmod ext2
+
+set timeout=60
+### END /etc/grub.d/00_header ###
+
+search --no-floppy --set=root -l '@ISOLABEL@'
+
+### BEGIN /etc/grub.d/10_linux ###
+menuentry 'Install @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ quiet
+ initrdefi @INITRDPATH@
+}
+menuentry 'Test this media & install @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.check quiet
+ initrdefi @INITRDPATH@
+}
+submenu 'Troubleshooting -->' {
+ menuentry 'Install @PRODUCT@ @VERSION@ in basic graphics mode' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ xdriver=vesa nomodeset quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry 'Rescue a @PRODUCT@ system' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rescue quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
+ chainloader /EFI/BOOT/lockdown.efi
+ }
+}
diff --git a/share/config_files/x86/grub2-efi.cfg b/share/config_files/x86/grub2-efi.cfg
index 74888fc1..3301bc1b 100644
--- a/share/config_files/x86/grub2-efi.cfg
+++ b/share/config_files/x86/grub2-efi.cfg
@@ -37,7 +37,4 @@ submenu 'Troubleshooting -->' {
 linuxefi @KERNELPATH@ @ROOT@ rescue quiet
 initrdefi @INITRDPATH@
 }
- menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
- chainloader /EFI/BOOT/lockdown.efi
- }
 }
diff --git a/share/efi.tmpl b/share/efi.tmpl
index 7a845bb0..d38416d7 100644
--- a/share/efi.tmpl
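Review bot: The new grub2-efi-lockdown.cfg is a full copy of grub2-efi.cfg (its blob 74888fc1 is the pre-change grub2-efi.cfg) that differs from the trimmed file only by the final 'Secure Boot Lockdown' menuentry, and nothing in either file says so. A later change to kernel arguments or menu entries made in only one of the two would give lockdown-capable and ordinary images different boot menus without any build error. I would open the file with a comment such as `# Keep in sync with grub2-efi.cfg; the only difference is the 'Secure Boot Lockdown' entry, used when usr/share/shim/lockdown.efi is present`, and likewise in share/live/config_files/x86/grub2-efi-lockdown.cfg. A one-line comment above the `chainloader /EFI/BOOT/lockdown.efi` entry saying what that binary does to the firmware's Secure Boot state would also help whoever audits this menu.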
+++ b/share/efi.tmpl @@ -13,10 +13,12 @@ install boot/efi/EFI/*/grubaa64.efi ${EFIBOOTDIR}/grubaa64.efi %else: install boot/efi/EFI/*/shim.efi ${EFIBOOTDIR}/BOOT${efiarch}.efi install boot/efi/EFI/*/MokManager.efi ${EFIBOOTDIR}/ -install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ install boot/efi/EFI/*/gcdx64.efi ${EFIBOOTDIR}/grubx64.efi %endif install boot/efi/EFI/*/fonts/unicode.pf2 ${EFIBOOTDIR}/fonts/ +%if exists("usr/share/shim/lockdown.efi"): + install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ +%endif ## actually make the EFI images ${make_efiboot("images/efiboot.img")} @@ -37,7 +39,11 @@ ${make_efiboot("images/efiboot.img")} copy ${KERNELDIR}/vmlinuz ${EFIBOOTDIR} copy ${KERNELDIR}/initrd.img ${EFIBOOTDIR} %endif - install ${configdir}/grub2-efi.cfg ${eficonf} + %if exists("usr/share/shim/lockdown.efi"): + install ${configdir}/grub2-efi-lockdown.cfg ${eficonf} + %else: + install ${configdir}/grub2-efi.cfg ${eficonf} + %endif replace @PRODUCT@ '${product.name}' ${eficonf} replace @VERSION@ ${product.version} ${eficonf} replace @KERNELNAME@ vmlinuz ${eficonf} diff --git a/share/live/config_files/x86/grub2-efi-lockdown.cfg b/share/live/config_files/x86/grub2-efi-lockdown.cfg new file mode 100644 index 00000000..aa003bd6 --- /dev/null +++ b/share/live/config_files/x86/grub2-efi-lockdown.cfg 
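Review bot: The `exists("usr/share/shim/lockdown.efi")` guard is added after the `%endif`, whereas the unconditional install it replaces sat inside the `%else:` branch next to shim.efi and MokManager.efi, so lockdown.efi is no longer limited to that branch. If the other branch (the one installing grubaa64.efi) is the aarch64 path, as it appears, a shim package that ships the file there would now get it copied too. Either keep the guarded install inside the `%else:` branch or add a comment such as `## lockdown.efi is optional; install it wherever the shim package provides it` to show the wider scope is intended. The opening `%if` of this conditional is outside the hunk.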
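Review bot: Selecting `grub2-efi-lockdown.cfg` whenever lockdown.efi exists assumes every `${configdir}` contains that file, but this commit adds it only under share/config_files/x86 and share/live/config_files/x86. If the template is ever rendered with another config directory while the shim package ships lockdown.efi, the `install` would presumably fail on a missing source, so the x86-only assumption should be guarded or at least documented in a `##` comment here. The same path literal is also tested twice per template (here and in the hunk above, and again in both hunks of share/live/efi.tmpl); evaluating it once keeps the copied binary and the menu entry that chainloads it from drifting apart. The enclosing block starts outside the hunk, so where such a shared value should be set is not visible here.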
@@ -0,0 +1,43 @@
+set default="1"
+
+function load_video {
+ insmod efi_gop
+ insmod efi_uga
+ insmod video_bochs
+ insmod video_cirrus
+ insmod all_video
+}
+
+load_video
+set gfxpayload=keep
+insmod gzio
+insmod part_gpt
+insmod ext2
+
+set timeout=60
+### END /etc/grub.d/00_header ###
+
+search --no-floppy --set=root -l '@ISOLABEL@'
+
+### BEGIN /etc/grub.d/10_linux ###
+menuentry 'Start @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image quiet
+ initrdefi @INITRDPATH@
+}
+menuentry 'Test this media & start @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image rd.live.check quiet
+ initrdefi @INITRDPATH@
+}
+submenu 'Troubleshooting -->' {
+ menuentry 'Start @PRODUCT@ @VERSION@ in basic graphics mode' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image xdriver=vesa nomodeset quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry 'Rescue a @PRODUCT@ system' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image rescue quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
+ chainloader /EFI/BOOT/lockdown.efi
+ }
+}
diff --git a/share/live/config_files/x86/grub2-efi.cfg b/share/live/config_files/x86/grub2-efi.cfg
index aa003bd6..f99f459c 100644
--- a/share/live/config_files/x86/grub2-efi.cfg
+++ b/share/live/config_files/x86/grub2-efi.cfg
@@ -37,7 +37,4 @@ submenu 'Troubleshooting -->' {
 linuxefi @KERNELPATH@ @ROOT@ rd.live.image rescue quiet
 initrdefi @INITRDPATH@
 }
- menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
- chainloader /EFI/BOOT/lockdown.efi
- }
 }
diff --git a/share/live/efi.tmpl b/share/live/efi.tmpl
index bd4e02ff..77460d83 100644
--- a/share/live/efi.tmpl
+++ b/share/live/efi.tmpl
@@ -9,9 +9,11 @@ mkdir ${EFIBOOTDIR} mkdir ${EFIBOOTDIR}/fonts/ install boot/efi/EFI/*/shim.efi ${EFIBOOTDIR}/BOOT${efiarch}.efi install boot/efi/EFI/*/MokManager.efi ${EFIBOOTDIR}/ -install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ install boot/efi/EFI/*/gcdx64.efi ${EFIBOOTDIR}/grubx64.efi install boot/efi/EFI/*/fonts/unicode.pf2 ${EFIBOOTDIR}/fonts/ +%if exists("usr/share/shim/lockdown.efi"): + install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ +%endif ## actually make the EFI images ${make_efiboot("images/efiboot.img")} @@ -32,7 +34,11 @@ ${make_efiboot("images/efiboot.img")} copy ${KERNELDIR}/vmlinuz ${EFIBOOTDIR} copy ${KERNELDIR}/initrd.img ${EFIBOOTDIR} %endif - install ${configdir}/grub2-efi.cfg ${eficonf} + %if exists("usr/share/shim/lockdown.efi"): + install ${configdir}/grub2-efi-lockdown.cfg ${eficonf} + %else: + install ${configdir}/grub2-efi.cfg ${eficonf} + %endif replace @PRODUCT@ '${product.name}' ${eficonf} replace @VERSION@ ${product.version} ${eficonf} replace @KERNELNAME@ vmlinuz ${eficonf}