mkarchiso: preload more GRUB modules and disable shim_lock verifier

--disable-shim-lock is required to support Secure Boot with custom signatures without using shim.
Otherwise GRUB will throw an error when trying to boot a kernel:

    error: shim_lock protocol not found.
    error: you need to load the kernel first.

The modules GRUB will use need to be preloaded otherwise the EFI binaries cannot be signed and used for Secure Boot.
See https://bugs.archlinux.org/task/71382.
GRUB will throw an error:

    error: verification requested but nobody cares

These changes are done to support Secure Boot using custom keys (not shim) by simply extracting the boot loader
(BOOTx64.EFI and BOOTIA32.EFI), kernel, UEFI shell, signing them and then repacking the ISO.

For example.
Extract the files:

    $ osirrox -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -extract_boot_images ./ \
        -extract /EFI/BOOT/BOOTx64.EFI BOOTx64.EFI \
        -extract /EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI \
        -extract /shellx64.efi shellx64.efi \
        -extract /shellia32.efi shellia32.efi \
        -extract /arch/boot/x86_64/vmlinuz-linux vmlinuz-linux

Make the files writable:

    $ chmod +w BOOTx64.EFI BOOTIA32.EFI shellx64.efi shellia32.efi vmlinuz-linux

Sign the files:

    $ sbsign --key db.key --cert db.crt --output BOOTx64.EFI BOOTx64.EFI
    $ sbsign --key db.key --cert db.crt --output BOOTIA32.EFI BOOTIA32.EFI
    $ sbsign --key db.key --cert db.crt --output shellx64.efi shellx64.efi
    $ sbsign --key db.key --cert db.crt --output shellia32.efi shellia32.efi
    $ sbsign --key db.key --cert db.crt --output vmlinuz-linux vmlinuz-linux

Copy the boot loader and UEFI shell to the EFI system partition image:

    $ mcopy -D oO -i eltorito_img2_uefi.img BOOTx64.EFI BOOTIA32.EFI ::/EFI/BOOT/
    $ mcopy -D oO -i eltorito_img2_uefi.img shellx64.efi shellia32.efi ::/

Repack the ISO using the modified El Torito UEFI boot image and add the signed boot loader files, UEFI shell and
kernel to ISO9660:

    $ xorriso -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -outdev archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso \
        -boot_image any replay \
        -append_partition 2 0xef eltorito_img2_uefi.img \
        -map BOOTx64.EFI /EFI/BOOT/BOOTx64.EFI \
        -map BOOTIA32.EFI /EFI/BOOT/BOOTIA32.EFI \
        -map shellx64.efi /shellx64.efi \
        -map shellia32.efi /shellia32.efi \
        -map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux

Boot the resulting archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso.
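A check that belongs between the signing and repacking steps above: confirm that every extracted binary (the two GRUB images, the UEFI shells and the EFI-stub kernel, which is also a PE file) actually carries an Authenticode certificate table before it is mapped back into the ISO. This is an added example, not archiso code; it parses the PE headers directly and uses a constructed minimal PE32+ image as sample input. The offsets and constants come from the PE/COFF specification.

```python
import struct
import sys

# PE/COFF constants (PE specification)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # what sbsign writes

def has_authenticode_signature(data: bytes) -> bool:
    """True if the image has a non-empty Certificate Table whose first
    WIN_CERTIFICATE is PKCS#7 SignedData. Presence only: use sbverify
    --cert db.crt to check that it chains to your db key."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24           # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Offsets of NumberOfRvaAndSizes and of the data directory array
    if magic == PE32_MAGIC:
        ndirs_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dd_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, ndirs_off)[0] <= CERT_TABLE_INDEX:
        return False
    # Unlike other directories, this entry holds a file offset, not an RVA
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * CERT_TABLE_INDEX)
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
        return False
    _length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for testing; not a bootable binary."""
    opt_size = 112 + 16 * 8                          # header + 16 directories
    hdr_end = 0x40 + 4 + 20 + opt_size               # where the cert table would sit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    cert = b""
    if signed:  # dummy WIN_CERTIFICATE: length, revision 2.0, type, 4 payload bytes
        cert = struct.pack("<IHH", 12, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 4
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, hdr_end, len(cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)  # x86-64, EFI app
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    for path in sys.argv[1:]:     # e.g. BOOTx64.EFI BOOTIA32.EFI shellx64.efi vmlinuz-linux
        with open(path, "rb") as f:
            print(path, "signed" if has_authenticode_signature(f.read()) else "UNSIGNED")
```

Run it over the five files after the sbsign step; any file reported UNSIGNED would boot only with Secure Boot off, so fix it before the xorriso repack.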
nl6720 2022-08-08 16:31:12 +03:00
parent b13e5e3379
commit 7bc4c54245
No known key found for this signature in database
GPG Key ID: 5CE88535E188D369
2 changed files with 23 additions and 2 deletions


@ -14,6 +14,9 @@ Added
Changed Changed
------- -------
- Disable GRUB's shim_lock verifier and preload more modules. This allows reusing the GRUB EFI binaries when repacking
the ISO to support Secure Boot with custom signatures.
Removed Removed
------- -------
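Review bot: The entry states what changed but not its consequence: with the shim_lock verifier disabled, these GRUB images are meant for a chain of firmware db -> signed GRUB -> signed kernel with custom keys, not for being chained from shim, which the commit message says explicitly ("custom keys (not shim)") but the changelog line does not. Suggest adding that qualifier so users do not repack these binaries into a shim-based setup expecting kernel verification from shim.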


@ -583,15 +583,24 @@ EOF
} }
_make_bootmode_uefi-ia32.grub.esp() { _make_bootmode_uefi-ia32.grub.esp() {
local grubmodules=()
# Prepare configuration files # Prepare configuration files
_run_once _make_common_bootmode_grub_cfg _run_once _make_common_bootmode_grub_cfg
# Create EFI binary # Create EFI binary
# Module list from https://bugs.archlinux.org/task/71382#comment202911
grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \
gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \
minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \
search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \
usbserial_usbdebug video xfs zstd)
grub-mkstandalone -O i386-efi \ grub-mkstandalone -O i386-efi \
--modules="part_gpt part_msdos fat iso9660" \ --modules="${grubmodules[*]}" \
--locales="en@quot" \ --locales="en@quot" \
--themes="" \ --themes="" \
--sbat=/usr/share/grub/sbat.csv \ --sbat=/usr/share/grub/sbat.csv \
--disable-shim-lock \
-o "${work_dir}/BOOTIA32.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" -o "${work_dir}/BOOTIA32.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg"
# Add GRUB to the list of files used to calculate the required FAT image size. # Add GRUB to the list of files used to calculate the required FAT image size.
efiboot_files+=("${work_dir}/BOOTIA32.EFI" efiboot_files+=("${work_dir}/BOOTIA32.EFI"
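Review bot: The grubmodules array in this hunk is an exact copy of the one in the x64 function below, so the two lists will drift apart the next time a module is added. Suggest defining the list once (a readonly array at file scope or in _make_common_bootmode_grub_cfg) and referencing it from both _make_bootmode_uefi-ia32.grub.esp and _make_bootmode_uefi-x64.grub.esp; the backslash continuations inside the parentheses are also unnecessary, since bash allows newlines within an array literal.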
@ -651,15 +660,24 @@ _make_bootmode_uefi-ia32.grub.eltorito() {
} }
_make_bootmode_uefi-x64.grub.esp() { _make_bootmode_uefi-x64.grub.esp() {
local grubmodules=()
# Prepare configuration files # Prepare configuration files
_run_once _make_common_bootmode_grub_cfg _run_once _make_common_bootmode_grub_cfg
# Create EFI binary # Create EFI binary
# Module list from https://bugs.archlinux.org/task/71382#comment202911
grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \
gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \
minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \
search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \
usbserial_usbdebug video xfs zstd)
grub-mkstandalone -O x86_64-efi \ grub-mkstandalone -O x86_64-efi \
--modules="part_gpt part_msdos fat iso9660" \ --modules="${grubmodules[*]}" \
--locales="en@quot" \ --locales="en@quot" \
--themes="" \ --themes="" \
--sbat=/usr/share/grub/sbat.csv \ --sbat=/usr/share/grub/sbat.csv \
--disable-shim-lock \
-o "${work_dir}/BOOTx64.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg" -o "${work_dir}/BOOTx64.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg"
# Add GRUB to the list of files used to calculate the required FAT image size. # Add GRUB to the list of files used to calculate the required FAT image size.
efiboot_files+=("${work_dir}/BOOTx64.EFI" efiboot_files+=("${work_dir}/BOOTx64.EFI"
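Review bot: --modules="${grubmodules[*]}" joins the array with the first character of IFS, which yields the space-separated string grub-mkstandalone expects only while IFS is at its default; if any caller or sourced file changes IFS, the module list silently becomes one token. Either build the string explicitly (e.g. a local joined="${grubmodules[*]}" under a local IFS=' ') or add a comment that the default IFS is relied on here.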