From d2de389cbaab78610737f2cbfee1717804337c7a Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 28 Feb 2014 11:02:18 -0500 Subject: [PATCH] Make lorax's installation of lockdown.efi conditional on its existence. lockdown.efi only exists in the beta, but it'll probably also exist in the 7.1 beta. So don't toss this stuff out completely, but don't use it if shim doesn't provide lockdown.efi either. Resolves: rhbz#1071380 Signed-off-by: Peter Jones --- share/config_files/x86/grub2-efi-lockdown.cfg | 43 +++++++++++++++++++ share/config_files/x86/grub2-efi.cfg | 3 -- share/efi.tmpl | 10 ++++- .../config_files/x86/grub2-efi-lockdown.cfg | 43 +++++++++++++++++++ share/live/config_files/x86/grub2-efi.cfg | 3 -- share/live/efi.tmpl | 10 ++++- 6 files changed, 102 insertions(+), 10 deletions(-) create mode 100644 share/config_files/x86/grub2-efi-lockdown.cfg create mode 100644 share/live/config_files/x86/grub2-efi-lockdown.cfg
diff --git a/share/config_files/x86/grub2-efi-lockdown.cfg b/share/config_files/x86/grub2-efi-lockdown.cfg
new file mode 100644
index 00000000..74888fc1
--- /dev/null
+++ b/share/config_files/x86/grub2-efi-lockdown.cfg
@@ -0,0 +1,43 @@
+set default="1"
+
+function load_video {
+ insmod efi_gop
+ insmod efi_uga
+ insmod video_bochs
+ insmod video_cirrus
+ insmod all_video
+}
+
+load_video
+set gfxpayload=keep
+insmod gzio
+insmod part_gpt
+insmod ext2
+
+set timeout=60
+### END /etc/grub.d/00_header ###
+
+search --no-floppy --set=root -l '@ISOLABEL@'
+
+### BEGIN /etc/grub.d/10_linux ###
+menuentry 'Install @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ quiet
+ initrdefi @INITRDPATH@
+}
+menuentry 'Test this media & install @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.check quiet
+ initrdefi @INITRDPATH@
+}
+submenu 'Troubleshooting -->' {
+ menuentry 'Install @PRODUCT@ @VERSION@ in basic graphics mode' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ xdriver=vesa nomodeset quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry 'Rescue a @PRODUCT@ system' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rescue quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
+ chainloader /EFI/BOOT/lockdown.efi
+ }
+}
diff --git a/share/config_files/x86/grub2-efi.cfg b/share/config_files/x86/grub2-efi.cfg
index 74888fc1..3301bc1b 100644
--- a/share/config_files/x86/grub2-efi.cfg
+++ b/share/config_files/x86/grub2-efi.cfg
@@ -37,7 +37,4 @@ submenu 'Troubleshooting -->' {
 linuxefi @KERNELPATH@ @ROOT@ rescue quiet
 initrdefi @INITRDPATH@
 }
- menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
- chainloader /EFI/BOOT/lockdown.efi
- }
 }
diff --git a/share/efi.tmpl b/share/efi.tmpl
index 7a845bb0..d38416d7 100644
--- a/share/efi.tmpl
+++ b/share/efi.tmpl
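Review bot: The new share/config_files/x86/grub2-efi-lockdown.cfg is a full copy of the previous grub2-efi.cfg (its blob id 74888fc1 is the old id of grub2-efi.cfg in the next file section), so the two files now differ only in the final `Secure Boot Lockdown` entry and any later change to kernel arguments or menu entries must be made in both or the variants drift. The same holds for the copy added under share/live/config_files/x86/. If the duplication stays, a header comment in each copy would help, for example `# Keep in sync with grub2-efi.cfg; differs only by the Secure Boot Lockdown entry`. The lockdown entry itself is undocumented; judging only by its label it changes the firmware's Secure Boot state, so a one-line comment above `chainloader /EFI/BOOT/lockdown.efi` stating what the binary does and that this config is installed only when shim provides it would help anyone auditing the boot menu.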
@@ -13,10 +13,12 @@ install boot/efi/EFI/*/grubaa64.efi ${EFIBOOTDIR}/grubaa64.efi %else: install boot/efi/EFI/*/shim.efi ${EFIBOOTDIR}/BOOT${efiarch}.efi install boot/efi/EFI/*/MokManager.efi ${EFIBOOTDIR}/ -install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ install boot/efi/EFI/*/gcdx64.efi ${EFIBOOTDIR}/grubx64.efi %endif install boot/efi/EFI/*/fonts/unicode.pf2 ${EFIBOOTDIR}/fonts/ +%if exists("usr/share/shim/lockdown.efi"): + install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ +%endif ## actually make the EFI images ${make_efiboot("images/efiboot.img")} @@ -37,7 +39,11 @@ ${make_efiboot("images/efiboot.img")} copy ${KERNELDIR}/vmlinuz ${EFIBOOTDIR} copy ${KERNELDIR}/initrd.img ${EFIBOOTDIR} %endif - install ${configdir}/grub2-efi.cfg ${eficonf} + %if exists("usr/share/shim/lockdown.efi"): + install ${configdir}/grub2-efi-lockdown.cfg ${eficonf} + %else: + install ${configdir}/grub2-efi.cfg ${eficonf} + %endif replace @PRODUCT@ '${product.name}' ${eficonf} replace @VERSION@ ${product.version} ${eficonf} replace @KERNELNAME@ vmlinuz ${eficonf} diff --git a/share/live/config_files/x86/grub2-efi-lockdown.cfg b/share/live/config_files/x86/grub2-efi-lockdown.cfg new file mode 100644 index 00000000..aa003bd6 --- /dev/null +++ b/share/live/config_files/x86/grub2-efi-lockdown.cfg 
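Review bot: The conditional `install usr/share/shim/lockdown.efi` in the first share/efi.tmpl hunk now sits after the `%endif`, whereas the removed line was inside the `%else:` branch next to `shim.efi` and `MokManager.efi`, so it also runs on the branch that installs `grubaa64.efi` whenever the file is present in the tree. If lockdown.efi is only meant to ship alongside shim, move the three added lines to directly after the `MokManager.efi` install, inside the `%else:` branch. The `%if` that opens this branch lies above the hunk, so the exact condition is not visible here.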
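Review bot: The `exists("usr/share/shim/lockdown.efi")` test in the second share/efi.tmpl hunk is evaluated again to choose the config, independently of the earlier test that installs the binary, and the menu entry only works if both agree. Evaluating it once near the top of the template and reusing the result, for example `<% have_lockdown = exists("usr/share/shim/lockdown.efi") %>` followed by `%if have_lockdown:` in both places (assuming the template engine's code blocks are usable here), would keep the `Secure Boot Lockdown` entry and the chainloaded file from diverging. This patch adds `grub2-efi-lockdown.cfg` only under `config_files/x86/`, so if `${configdir}` can point at another architecture's directory the install in the `%if` branch would presumably fail; that depends on callers outside the hunk. share/live/efi.tmpl repeats the check in the same way, and the block enclosing these lines starts above the hunk.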
@@ -0,0 +1,43 @@
+set default="1"
+
+function load_video {
+ insmod efi_gop
+ insmod efi_uga
+ insmod video_bochs
+ insmod video_cirrus
+ insmod all_video
+}
+
+load_video
+set gfxpayload=keep
+insmod gzio
+insmod part_gpt
+insmod ext2
+
+set timeout=60
+### END /etc/grub.d/00_header ###
+
+search --no-floppy --set=root -l '@ISOLABEL@'
+
+### BEGIN /etc/grub.d/10_linux ###
+menuentry 'Start @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image quiet
+ initrdefi @INITRDPATH@
+}
+menuentry 'Test this media & start @PRODUCT@ @VERSION@' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image rd.live.check quiet
+ initrdefi @INITRDPATH@
+}
+submenu 'Troubleshooting -->' {
+ menuentry 'Start @PRODUCT@ @VERSION@ in basic graphics mode' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image xdriver=vesa nomodeset quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry 'Rescue a @PRODUCT@ system' --class fedora --class gnu-linux --class gnu --class os {
+ linuxefi @KERNELPATH@ @ROOT@ rd.live.image rescue quiet
+ initrdefi @INITRDPATH@
+ }
+ menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
+ chainloader /EFI/BOOT/lockdown.efi
+ }
+}
diff --git a/share/live/config_files/x86/grub2-efi.cfg b/share/live/config_files/x86/grub2-efi.cfg
index aa003bd6..f99f459c 100644
--- a/share/live/config_files/x86/grub2-efi.cfg
+++ b/share/live/config_files/x86/grub2-efi.cfg
@@ -37,7 +37,4 @@ submenu 'Troubleshooting -->' {
 linuxefi @KERNELPATH@ @ROOT@ rd.live.image rescue quiet
 initrdefi @INITRDPATH@
 }
- menuentry '@PRODUCT@ @VERSION@ Secure Boot Lockdown' {
- chainloader /EFI/BOOT/lockdown.efi
- }
 }
diff --git a/share/live/efi.tmpl b/share/live/efi.tmpl
index bd4e02ff..77460d83 100644
--- a/share/live/efi.tmpl
+++ b/share/live/efi.tmpl
@@ -9,9 +9,11 @@ mkdir ${EFIBOOTDIR} mkdir ${EFIBOOTDIR}/fonts/ install boot/efi/EFI/*/shim.efi ${EFIBOOTDIR}/BOOT${efiarch}.efi install boot/efi/EFI/*/MokManager.efi ${EFIBOOTDIR}/ -install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ install boot/efi/EFI/*/gcdx64.efi ${EFIBOOTDIR}/grubx64.efi install boot/efi/EFI/*/fonts/unicode.pf2 ${EFIBOOTDIR}/fonts/ +%if exists("usr/share/shim/lockdown.efi"): + install usr/share/shim/lockdown.efi ${EFIBOOTDIR}/ +%endif ## actually make the EFI images ${make_efiboot("images/efiboot.img")} @@ -32,7 +34,11 @@ ${make_efiboot("images/efiboot.img")} copy ${KERNELDIR}/vmlinuz ${EFIBOOTDIR} copy ${KERNELDIR}/initrd.img ${EFIBOOTDIR} %endif - install ${configdir}/grub2-efi.cfg ${eficonf} + %if exists("usr/share/shim/lockdown.efi"): + install ${configdir}/grub2-efi-lockdown.cfg ${eficonf} + %else: + install ${configdir}/grub2-efi.cfg ${eficonf} + %endif replace @PRODUCT@ '${product.name}' ${eficonf} replace @VERSION@ ${product.version} ${eficonf} replace @KERNELNAME@ vmlinuz ${eficonf}