From 869bb9808a02ecaba4a07751aaf48def1ddb58d6 Mon Sep 17 00:00:00 2001
From: Mathieu Trudel-Lapierre
Date: Wed, 23 Aug 2017 19:25:12 -0400
Subject: [PATCH 1/2] Clean up GRUB_MODULES_PRELOAD / grub_modules.

Remove the modules already loaded in stock signed grub EFI binaries.
---
 .../ubuntu-cpc/hooks/033-disk-image-uefi.binary | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary
index 3ceb7cd0..638c020c 100755
--- a/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary
@@ -62,15 +62,20 @@ install_grub() {
 efi_boot_dir="/boot/efi/EFI/BOOT"
 chroot mountpoint mkdir -p "${efi_boot_dir}"

+ # The modules below only make sense on non-Secure Boot UEFI systems.
+ # Otherwise, with Secure Boot enabled GRUB will refuse to load them.
+ # Any modules already in debian/build-efi-images do not need to be listed.
+ # Furthermore, other modules such as terminal, video_* and efi_* are all
+ # already available.
 case $ARCH in
 arm64)
 chroot mountpoint apt-get -qqy install --no-install-recommends grub-efi-arm64 grub-efi-arm64-bin
- grub_modules="part_gpt fat gzio ext2 normal chain boot configfile linux search_fs_uuid search_label terminal serial video video_fb efi_gop"
+ grub_modules="serial"
 efi_target=arm64-efi
 ;;
 amd64)
 chroot mountpoint apt-get install -qqy grub-efi-amd64-signed grub-efi-amd64 shim-signed
- grub_modules="part_gpt fat ext2 normal chain boot configfile linux multiboot search_fs_uuid search_label terminal serial video video_fb video_bochs usb usb_keyboard efi_gop efi_uga"
+ grub_modules="multiboot serial usb usb_keyboard"
 efi_target=x86_64-efi
 ;;
 esac
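Review bot: The new comment above `case $ARCH in` says GRUB "will refuse to load them" without saying why, and cites `debian/build-efi-images` without naming the package that file belongs to. Suggested wording: `# With Secure Boot enabled, signed GRUB refuses to insmod modules that are not built into the signed image.` and `# Modules already listed in debian/build-efi-images (grub2 source package) need not be repeated here.` The amd64 branch installs `grub-efi-amd64-signed` and `shim-signed` yet still sets `grub_modules="multiboot serial usb usb_keyboard"`, so the comment should also say that this list only takes effect when Secure Boot is off. install_grub() starts and ends outside the hunk.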
@@ -78,8 +83,9 @@ install_grub() {
 cat << EOF >> mountpoint/etc/default/grub.d/50-cloudimg-settings.cfg
 ${IMAGE_STR}
 # For Cloud Image compatability
-GRUB_PRELOAD_MODULES="${grub_modules}"
+GRUB_PRELOAD_MODULES="${GRUB_PRELOAD_MODULES:-$grub_modules}"
 EOF
+
 chroot mountpoint grub-install "${loop_device}" \
 --boot-directory=/boot \
 --efi-directory=/boot/efi \
From 563abee70232ba196e8b93a799d6adc71cca5089 Mon Sep 17 00:00:00 2001
From: Mathieu Trudel-Lapierre
Date: Wed, 23 Aug 2017 20:23:32 -0400
Subject: [PATCH 2/2] Drop special handling of grub modules, adding a note.

Modules should be included in the signed grub binaries when necessary.
---
 .../ubuntu-cpc/hooks/033-disk-image-uefi.binary | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary
index 638c020c..33a19316 100755
--- a/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks/033-disk-image-uefi.binary
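Review bot: In the `@@ -78,8 +83,9 @@` hunk of patch 1/2, `GRUB_PRELOAD_MODULES="${GRUB_PRELOAD_MODULES:-$grub_modules}"` sits in an unquoted heredoc, so whatever the build environment holds in GRUB_PRELOAD_MODULES is expanded by the hook and written unchecked into `50-cloudimg-settings.cfg`. Files under /etc/default/grub.d are sourced as shell by grub-mkconfig, so a value containing a quote or `$(` would end up as shell text evaluated as root inside the image whenever the GRUB configuration is regenerated. Restrict the value to module-name characters before the heredoc, for example `case "${GRUB_PRELOAD_MODULES:-}" in *[!a-z0-9_\ ]*) echo "invalid GRUB_PRELOAD_MODULES" >&2; exit 1;; esac`. The override is also undocumented; a one-line comment stating that an exported GRUB_PRELOAD_MODULES replaces the per-architecture default would help. Patch 2/2 removes this heredoc, so this matters only where 1/2 is applied on its own; install_grub() continues outside the hunk.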
@@ -62,30 +62,21 @@ install_grub() {
 efi_boot_dir="/boot/efi/EFI/BOOT"
 chroot mountpoint mkdir -p "${efi_boot_dir}"

- # The modules below only make sense on non-Secure Boot UEFI systems.
- # Otherwise, with Secure Boot enabled GRUB will refuse to load them.
- # Any modules already in debian/build-efi-images do not need to be listed.
- # Furthermore, other modules such as terminal, video_* and efi_* are all
- # already available.
+ # UEFI GRUB modules are meant to be used equally by Secure Boot and
+ # non-Secure Boot systems. If you need an extra module not already
+ # provided or run into "Secure Boot policy forbids loading X" problems,
+ # please file a bug against grub2 to include the affected module.
 case $ARCH in
 arm64)
 chroot mountpoint apt-get -qqy install --no-install-recommends grub-efi-arm64 grub-efi-arm64-bin
- grub_modules="serial"
 efi_target=arm64-efi
 ;;
 amd64)
 chroot mountpoint apt-get install -qqy grub-efi-amd64-signed grub-efi-amd64 shim-signed
- grub_modules="multiboot serial usb usb_keyboard"
 efi_target=x86_64-efi
 ;;
 esac

- cat << EOF >> mountpoint/etc/default/grub.d/50-cloudimg-settings.cfg
-${IMAGE_STR}
-# For Cloud Image compatability
-GRUB_PRELOAD_MODULES="${GRUB_PRELOAD_MODULES:-$grub_modules}"
-EOF
-
 chroot mountpoint grub-install "${loop_device}" \
 --boot-directory=/boot \
 --efi-directory=/boot/efi \
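Review bot: The replacement comment says UEFI GRUB modules are used equally by Secure Boot and non-Secure Boot systems, but within this hunk only the amd64 branch installs signed boot components (`grub-efi-amd64-signed`, `shim-signed`); the arm64 branch installs `grub-efi-arm64` and `grub-efi-arm64-bin` only. Adding `# Note: only the amd64 branch below installs the signed GRUB and shim packages.` would keep readers from assuming Secure Boot coverage on both architectures; packages installed elsewhere in the hook are not visible here, so this may need adjusting. Removing the heredoc also drops the `${IMAGE_STR}` marker and the only write to `50-cloudimg-settings.cfg` visible in this function, and `serial` is no longer preloaded, so it is worth confirming that the serial console on these images does not depend on that insmod. install_grub() begins and ends outside the hunk.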