grub_install.sh: Sign the GRUB/MM with the proper keys

Add the linux.mod file back Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
2026-05-04 19:56:32 +02:00 · 2024-01-03 21:19:23 +05:30 · 2024-01-03 21:19:23 +05:30 · 0479480ef1
commit 0479480ef1
parent b42e3ad58b
1 changed files with 19 additions and 11 deletions
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@ -58,7 +58,7 @@ case "${FLAGS_target}" in
        CORE_NAME="core.img"
        ;;
    x86_64-efi)
-	CORE_MODULES+=( serial efi_gop efinet pgp http tftp )
+	CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
        CORE_NAME="core.efi"
        ;;
    x86_64-xen)
@ -192,17 +192,25 @@ case "${FLAGS_target}" in
    x86_64-efi)
        info "Installing default x86_64 UEFI bootloader."
        sudo mkdir -p "${ESP_DIR}/EFI/boot"
-	# Use the test keys for signing unofficial builds
-	if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-            sudo sbsign --key /usr/share/sb_keys/DB.key \
-		--cert /usr/share/sb_keys/DB.crt \
-                    "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+	    # Use the test keys for signing unofficial builds
+	    if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+            # Sign the GRUB with the shim-embedded key
+            sudo sbsign --key /usr/share/sb_keys/shim.key \
+                --cert /usr/share/sb_keys/shim.pem \
+                "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
-                "${ESP_DIR}/EFI/boot/grub.efi"
+                "${ESP_DIR}/EFI/boot/grubx64.efi"
+            # Sign the mokmanager(mm) with the shim-embedded key
+            sudo sbsign --key /usr/share/sb_keys/shim.key \
+                --cert /usr/share/sb_keys/shim.pem \
+                "/usr/lib/shim/mmx64.efi"
+            sudo cp "/usr/lib/shim/mmx64.efi.signed" \
+                "${ESP_DIR}/EFI/boot/mmx64.efi"
+
            sudo sbsign --key /usr/share/sb_keys/DB.key \
-                 --cert /usr/share/sb_keys/DB.crt \
-                 --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
-                 "/usr/lib/shim/shim.efi"
+                --cert /usr/share/sb_keys/DB.crt \
+                --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
+                "/usr/lib/shim/shim.efi"
        else
            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
                "${ESP_DIR}/EFI/boot/grub.efi"
@ -211,7 +219,7 @@ case "${FLAGS_target}" in
 	fi
        # copying from vfat so ignore permissions
        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
-            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubx64.efi" \
                "${FLAGS_copy_efi_grub}"
        fi
        if [[ -n "${FLAGS_copy_shim}" ]]; then