From 1f7c749b2d9693bf6a85bcbdea7b8dd4065a0924 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Wed, 6 Jan 2016 10:01:45 -0800
Subject: [PATCH 1/3] Add UEFI netboot support

If grub's been netbooted, pull the uuid and serial number out of smbios and hit the API server to get the appropriate configuration.
---
 build_library/grub.cfg        | 19 +++++++++++++++++++
 build_library/grub_install.sh |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index 0e3b2ce0f0..a2df9f8d29 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
@@ -30,6 +30,25 @@ if [ "$grub_platform" = "efi" ]; then
     fi
 fi
 
+if [ "$net_default_server" != "" ]; then
+    smbios --type 1 --get-uuid 8 --set uuid
+    smbios --type 1 --get-string 7 --set serial
+    set mac=$net_default_mac
+    # Re-DHCP as grub to get the API endpoint
+    net_bootp $net_default_interface
+    # This is awful, but grub doesn't support a nice way to do this
+    for i in "$net_efinet0_dhcp_boot_file" "$net_efinet1_dhcp_boot_file" "$net_efinet2_dhcp_boot_file" "$net_efinet3_dhcp_boot_file" "$net_efinet4_dhcp_boot_file" "$net_efinet5_dhcp_boot_file" "$net_efinet6_dhcp_boot_file" "$net_efinet7_dhcp_boot_file" "$net_efinet8_dhcp_boot_file" "$net_efinet9_dhcp_boot_file"; do
+        if [ "$i" != "" ]; then
+            set endpoint="$i"
+            break
+        fi
+    done
+    if [ "$endpoint" != "" ]; then
+        set url="${endpoint}?uuid=$uuid&serial=$serial&mac=$mac"
+        configfile $url
+    fi
+fi
+
 # Search for the OEM partition, load additional configuration if found.
 if [ "$secure_boot" = "0" ]; then
     search --no-floppy --set oem --part-label OEM --hint "$root"
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index b84a35d6c0..4af866439d 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
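Review bot: `configfile $url` is passed unquoted, and `$url` is assembled from the SMBIOS serial string and the DHCP-supplied boot file, so a serial that happens to contain whitespace splits the command into several arguments; `$endpoint` is also never cleared before the `for` loop, so a value set earlier in the file would be used even when no interface reports a boot file. Suggest `set endpoint=""` ahead of the loop and `configfile "$url"` at the call. As written in this patch the fetched fragment is executed with no integrity check, so whoever answers the BOOTP request and serves the endpoint chooses the boot-time configuration; the third patch in this series adds a signature check only when a key variable is present, which is worth stating in a comment here, e.g. `# Fragment is trusted as served unless check_signatures is enforced below`. The netboot block is complete within this hunk.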
@@ -43,7 +43,7 @@ case "${FLAGS_target}" in
         CORE_NAME="core.img"
         ;;
     x86_64-efi)
-        CORE_MODULES+=( serial linuxefi efi_gop getenv )
+        CORE_MODULES+=( serial linuxefi efi_gop getenv smbios efinet http )
         CORE_NAME="core.efi"
         ;;
     x86_64-xen)

From b6792a5609fa97c73afa5e66de34161280f6da95 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Fri, 8 Jan 2016 14:19:25 -0800
Subject: [PATCH 2/3] Fix platform testing for suffix configuration

Grub doesn't seem happy with && tests in if statements, so replace it with a two stage check.
---
 build_library/grub.cfg | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index a2df9f8d29..b41cb1beba 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
@@ -88,11 +88,13 @@ if [ -z "$linux_console" ]; then
     fi
 fi
 
+set suf=""
+
 # UEFI uses linuxefi/initrdefi instead of linux/initrd except for arm64
-if [ "$grub_platform" = efi ] && [ "$grub_cpu" != arm64 ]; then
+if [ "$grub_platform" = efi ]; then
+    if [ "$grub_cpu" != arm64 ]; then
     set suf="efi"
-else
-    set suf=""
+    fi
 fi
 
 # Assemble the options applicable to all the kernels below

From 5fa41965016424044bd71764ebc82f4a404a9220 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Fri, 8 Jan 2016 14:20:42 -0800
Subject: [PATCH 3/3] Verify netboot config fragments if there's an available gpg key

If there's a gpg public key available in a system firmware variable, trust it and use it to verify netboot configuration fragments.
---
 build_library/grub.cfg        | 7 +++++++
 build_library/grub_install.sh | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index b41cb1beba..99433f23c0 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
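Review bot: The context line `set suf="efi"` keeps its previous indentation while the new `if [ "$grub_cpu" != arm64 ]; then` now wraps it one level deeper, so the assignment reads as if it sat outside the inner test; re-indent it to the same depth as the added `fi` so the nesting is visible. Hoisting `set suf=""` above the test reproduces the old `else` branch, so the result is the same for every platform/cpu combination. The enclosing `if [ -z "$linux_console" ]` block closes within the hunk; the surrounding file continues outside it.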
@@ -27,6 +27,10 @@ if [ "$grub_platform" = "efi" ]; then
     getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode
     if [ "$sb" = "01" -a "$setupmode" = "00" ]; then
         set secure_boot="1"
+        getenv -e NetBootVerificationKey -g b8ade7d5-d400-4213-8d15-d47be0a621bf -b gpgpubkey
+        if [ "$gpgpubkey" != "" ]; then
+            trust_var gpgpubkey
+        fi
     fi
 fi
 
@@ -45,6 +49,9 @@ if [ "$net_default_server" != "" ]; then
     done
     if [ "$endpoint" != "" ]; then
         set url="${endpoint}?uuid=$uuid&serial=$serial&mac=$mac"
+        if [ "$gpgpubkey" != "" ]; then
+            set check_signatures="enforce"
+        fi
         configfile $url
     fi
 fi
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 4af866439d..a6913108a2 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -43,7 +43,7 @@ case "${FLAGS_target}" in
         CORE_NAME="core.img"
         ;;
     x86_64-efi)
-        CORE_MODULES+=( serial linuxefi efi_gop getenv smbios efinet http )
+        CORE_MODULES+=( serial linuxefi efi_gop getenv smbios efinet verify http )
         CORE_NAME="core.efi"
         ;;
     x86_64-xen)
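Review bot: `trust_var gpgpubkey` installs whatever `NetBootVerificationKey` currently holds as a trusted signing key without checking the variable's attributes, so the later signature check is only as strong as the guarantee that this variable cannot be rewritten from the running OS; that requirement is not stated anywhere in the hunk and deserves a comment at the `getenv -e NetBootVerificationKey` line, e.g. `# Must be a firmware-provisioned variable: a runtime-writable key would let the OS choose who signs netboot config`. The key is also read only inside the `secure_boot="1"` branch, so outside Secure Boot `$gpgpubkey` stays empty and the fragment fetched in the second hunk runs unverified even when a key is provisioned; confirm that is intended. I cannot confirm `trust_var` is a command of upstream grub's `verify` module rather than a CoreOS addition, so the module list added to grub_install.sh should be checked against the grub build in use. The enclosing `if [ "$grub_platform" = "efi" ]` block starts before this hunk.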
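Review bot: `set check_signatures="enforce"` is never reset after `configfile $url` returns, and as far as I know that variable governs every file grub opens afterwards, so the kernel and initrd loaded later in this file would also need detached signatures; if only the netboot fragment is meant to be verified, save the previous value and restore it after the call, e.g. `set check_signatures="no"` once `configfile` returns. When `$gpgpubkey` is empty the fragment is still executed, which is fail-open under Secure Boot; if an unsigned network-supplied configuration should never run in that mode, guard the call with `if [ "$secure_boot" = "1" -a "$gpgpubkey" = "" ]; then` and skip `configfile` in that branch. The outer `if [ "$net_default_server" != "" ]` block closes at the end of this hunk.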