From 348f495c834baeebb5c8f105bea062db3b46ee20 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov
Date: Fri, 26 Feb 2021 23:12:20 +0000
Subject: [PATCH 01/11] Implement shim fallback support.

Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index 4595853..afad6f2 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -28,9 +28,17 @@ volumes:
edition: 2
content:
- source: grubx64.efi
- target: EFI/boot/grubx64.efi
+ target: EFI/ubuntu/grubx64.efi
+ - source: shim.efi.signed
+ target: EFI/BOOT/BOOTX64.efi
+ - source: fbx64.efi
+ target: EFI/BOOT/fbx64.efi
+ - source: mmx64.efi
+ target: EFI/BOOT/mmx64.efi
+ - source: BOOTX64.CSV
+ target: EFI/ubuntu/BOOTX64.CSV
- source: shim.efi.signed
- target: EFI/boot/bootx64.efi
+ target: EFI/ubuntu/shimx64.efi
- name: ubuntu-boot
role: system-boot
filesystem: ext4
From 39cdb8208af6b74111d06a82f40f82308076832e Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Mon, 25 Sep 2023 00:23:23 -0500
Subject: [PATCH 02/11] Implement shim fallback support for aa64.

Signed-off-by: Oliver Calder
---
gadget/gadget-arm64.yaml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index 546b612..4b840f9 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -14,9 +14,17 @@ volumes:
edition: 2
content:
- source: grubaa64.efi
- target: EFI/boot/grubaa64.efi
+ target: EFI/ubuntu/grubaa64.efi
+ - source: shim.efi.signed
+ target: EFI/BOOT/BOOTAA64.efi
+ - source: fbaa64.efi
+ target: EFI/BOOT/fbaa64.efi
+ - source: mmaa64.efi
+ target: EFI/BOOT/mmaa64.efi
+ - source: BOOTAA64.CSV
+ target: EFI/ubuntu/BOOTAA64.CSV
- source: shim.efi.signed
- target: EFI/boot/bootaa64.efi
+ target: EFI/ubuntu/shimaa64.efi
- name: ubuntu-boot
role: system-boot
filesystem: ext4
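Review bot: The content list under `edition: 2` changes (every target moves from EFI/boot to EFI/ubuntu and four new assets appear) while the edition itself stays at 2, and snapd only re-applies a volume's gadget content when the edition number increases, so a device that already installed edition 2 of ubuntu-seed will keep the old EFI/boot layout. Patch 04 of this series bumps it to 3 but patch 06 reverts that, so the series ends on the old edition. If edition 2 has never shipped this is harmless and worth stating in the commit message; otherwise keep `edition: 3`. The arm64 hunk in patch 02 has the same shape.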
From 0071be61522c67ea740fdd37f0817955576a24ed Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Mon, 25 Sep 2023 00:25:09 -0500
Subject: [PATCH 03/11] Add non-fallback grub*.efi in EFI/BOOT/

The fallback grub EFI asset is already in EFI/ubuntu/, but the non-fallback grub asset should be in EFI/BOOT/ as well. The sources for these grub assets are identical.
This corresponds to work in snapd PR #13205. See the following for more details:
- https://github.com/snapcore/snapd/pull/13205

Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 2 ++
gadget/gadget-arm64.yaml | 2 ++
2 files changed, 4 insertions(+)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index afad6f2..7907619 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -27,6 +27,8 @@ volumes:
update:
edition: 2
content:
+ - source: grubx64.efi
+ target: EFI/BOOT/grubx64.efi
- source: grubx64.efi
target: EFI/ubuntu/grubx64.efi
- source: shim.efi.signed
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index 4b840f9..8d73c83 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -13,6 +13,8 @@ volumes:
update:
edition: 2
content:
+ - source: grubaa64.efi
+ target: EFI/BOOT/grubaa64.efi
- source: grubaa64.efi
target: EFI/ubuntu/grubaa64.efi
- source: shim.efi.signed
From faf0d0e5703085ce39773aa72c6e5c3a45ec6e79 Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Mon, 25 Sep 2023 00:27:30 -0500
Subject: [PATCH 04/11] Bump ubuntu-seed edition number to 3, as content layout has changed

Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 2 +-
gadget/gadget-arm64.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index 7907619..4582ac3 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -25,7 +25,7 @@ volumes:
type: C12A7328-F81F-11D2-BA4B-00A0C93EC93B
size: 1200M
update:
- edition: 2
+ edition: 3
content:
- source: grubx64.efi
target: EFI/BOOT/grubx64.efi
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index 8d73c83..6973635 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -11,7 +11,7 @@ volumes:
type: C12A7328-F81F-11D2-BA4B-00A0C93EC93B
size: 1200M
update:
- edition: 2
+ edition: 3
content:
- source: grubaa64.efi
target: EFI/BOOT/grubaa64.efi
From 1b0e1686f08f854da832faafc264dbbdc18320c2 Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Mon, 25 Sep 2023 21:43:08 -0500
Subject: [PATCH 05/11] sort EFI assets alphabetically by target

Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 8 ++++----
gadget/gadget-arm64.yaml | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index 4582ac3..692e4e9 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -27,18 +27,18 @@ volumes:
update:
edition: 3
content:
- - source: grubx64.efi
- target: EFI/BOOT/grubx64.efi
- - source: grubx64.efi
- target: EFI/ubuntu/grubx64.efi
- source: shim.efi.signed
target: EFI/BOOT/BOOTX64.efi
- source: fbx64.efi
target: EFI/BOOT/fbx64.efi
+ - source: grubx64.efi
+ target: EFI/BOOT/grubx64.efi
- source: mmx64.efi
target: EFI/BOOT/mmx64.efi
- source: BOOTX64.CSV
target: EFI/ubuntu/BOOTX64.CSV
+ - source: grubx64.efi
+ target: EFI/ubuntu/grubx64.efi
- source: shim.efi.signed
target: EFI/ubuntu/shimx64.efi
- name: ubuntu-boot
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index 6973635..b786191 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -13,18 +13,18 @@ volumes:
update:
edition: 3
content:
- - source: grubaa64.efi
- target: EFI/BOOT/grubaa64.efi
- - source: grubaa64.efi
- target: EFI/ubuntu/grubaa64.efi
- source: shim.efi.signed
target: EFI/BOOT/BOOTAA64.efi
- source: fbaa64.efi
target: EFI/BOOT/fbaa64.efi
+ - source: grubaa64.efi
+ target: EFI/BOOT/grubaa64.efi
- source: mmaa64.efi
target: EFI/BOOT/mmaa64.efi
- source: BOOTAA64.CSV
target: EFI/ubuntu/BOOTAA64.CSV
+ - source: grubaa64.efi
+ target: EFI/ubuntu/grubaa64.efi
- source: shim.efi.signed
target: EFI/ubuntu/shimaa64.efi
- name: ubuntu-boot
From 3077f1d18a95b528e483989447a12a9cd57a3d88 Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Tue, 26 Sep 2023 09:58:46 -0500
Subject: [PATCH 06/11] Revert "Bump ubuntu-seed edition number to 3, as content layout has changed"

This reverts commit faf0d0e5703085ce39773aa72c6e5c3a45ec6e79.

Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 2 +-
gadget/gadget-arm64.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index 692e4e9..87535dc 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -25,7 +25,7 @@ volumes:
type: C12A7328-F81F-11D2-BA4B-00A0C93EC93B
size: 1200M
update:
- edition: 3
+ edition: 2
content:
- source: shim.efi.signed
target: EFI/BOOT/BOOTX64.efi
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index b786191..22dd5d3 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -11,7 +11,7 @@ volumes:
type: C12A7328-F81F-11D2-BA4B-00A0C93EC93B
size: 1200M
update:
- edition: 3
+ edition: 2
content:
- source: shim.efi.signed
target: EFI/BOOT/BOOTAA64.efi
From a6086eae081d103ec70fcf2789a2157f6c6ec437 Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Tue, 26 Sep 2023 10:34:22 -0500
Subject: [PATCH 07/11] set up `fb${arch}.efi`, `mm${arch}.efi`, and `BOOT${arch}.CSV` correctly
Signed-off-by: Oliver Calder
---
snapcraft.yaml | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 85da8e3..ab78c21 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -51,27 +51,44 @@ parts:
grub_target=x86_64
grub_bin=grubx64.efi.signed
shim_bin=shimx64.efi.dualsigned
+ fb_bin=fbx64.efi
+ mm_bin=mmx64.efi
+ boot_csv=BOOTX64.CSV
if [ "$CRAFT_TARGET_ARCH" = arm64 ]; then
grub_target=arm64
grub_bin=grubaa64.efi.signed
shim_bin=shimaa64.efi.dualsigned
+ fb_bin=fbaa64.efi
+ mm_bin=mmaa64.efi
+ boot_csv=BOOTAA64.CSV
fi
# Make sure we have signatures from the UC certificates
shim_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$shim_bin
grub_path="$CRAFT_PART_INSTALL"/usr/lib/grub/"$grub_target"-efi-signed/$grub_bin
+ fb_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$fb_bin
+ mm_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$mm_bin
+ csv_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$boot_csv
sbverify --list "$shim_path" | grep -E 'Canonical Ltd. Secure Boot Signing \(Ubuntu Core'
sbverify --list "$grub_path" | grep -E 'Canonical Ltd. Secure Boot Signing \(Ubuntu Core'
+ sbverify --list "$fb_path" | grep -E 'Canonical Ltd. Secure Boot Signing \(Ubuntu Core'
+ sbverify --list "$mm_path" | grep -E 'Canonical Ltd. 
Secure Boot Signing \(Ubuntu Core'
- # Move shim/grub to the expected path
+ # Move assets to the expected paths
install -m 644 "$shim_path" "$CRAFT_PART_INSTALL"/shim.efi.signed
install -m 644 "$grub_path" "$CRAFT_PART_INSTALL"/${grub_bin%.signed}
+ install -m 644 "$fb_path" "$CRAFT_PART_INSTALL"/$fb_bin
+ install -m 644 "$mm_path" "$CRAFT_PART_INSTALL"/$mm_bin
+ install -m 644 "$csv_path" "$CRAFT_PART_INSTALL"/$boot_csv
# Remove all the bits we do not need, keeping changelogs and copyrights
# (using organize/prime is not possible due to different names per arch - x64/aa64)
find "$CRAFT_PART_INSTALL"/ -type f,l \
-not -path "$SNAPCRAFT_PART_INSTALL"/shim.efi.signed \
-not -path "$SNAPCRAFT_PART_INSTALL"/${grub_bin%.signed} \
+ -not -path "$SNAPCRAFT_PART_INSTALL"/$fb_bin \
+ -not -path "$SNAPCRAFT_PART_INSTALL"/$mm_bin \
+ -not -path "$SNAPCRAFT_PART_INSTALL"/$boot_csv \
-not -path "$SNAPCRAFT_PART_INSTALL"/usr/share/doc/grub-efi-$CRAFT_TARGET_ARCH-signed/'*' \
-and -not -path "$SNAPCRAFT_PART_INSTALL"/'usr/share/doc/shim-signed/*' \
-delete
From 0176fdcf1551c8dadd05b3dc053dc82190197f0d Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Tue, 26 Sep 2023 10:49:34 -0500
Subject: [PATCH 08/11] assume snapd 2.61 for handling assets in /EFI/ubuntu

Signed-off-by: Oliver Calder
---
snapcraft.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/snapcraft.yaml b/snapcraft.yaml
index ab78c21..ddb048f 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -24,9 +24,9 @@ hooks:
# DO NOT check this API key into a publicly accessible VCS
MODEL_APIKEY: ""
-# Min version to support shim 15.7 and min-size
+# Min version to support shim 15.7 and min-size and assets in /EFI/ubuntu
assumes:
- - snapd2.60.1
+ - snapd2.61
parts:
mbr:
From 1336934713bd673987039c925542b92f5fbb09bf Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Tue, 26 Sep 2023 15:10:19 -0500
Subject: [PATCH 09/11] add `mm${arch}.efi` to `/EFI/ubuntu` as well as `/EFI/BOOT`
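Review bot: The new `csv_path` asset is the only one of the three that gets no check at all, while `fb_path` and `mm_path` go through the same `sbverify | grep` gate as shim and grub; `BOOT${arch}.CSV` is plain data rather than a PE image so there is nothing to sbverify, but nothing confirms the CSV actually names the shim this gadget later places in `EFI/ubuntu/`, which is the entry fallback will register and boot. A cheap guard next to the sbverify lines would be `iconv -f UTF-16 -t UTF-8 "$csv_path" | grep -q "^${shim_bin%.dualsigned},"` (the shim-signed CSV is UTF-16 in my experience — confirm before relying on the iconv step), preceded by a comment such as `# BOOT*.CSV is unsigned data read by fb*.efi; shim still verifies whatever it launches` so the asymmetry reads as deliberate. The three added `-not -path` lines also carry on the pre-existing mix of `$CRAFT_PART_INSTALL` for `find` and `$SNAPCRAFT_PART_INSTALL` for the exclusions; the two expand to the same directory on core22 as far as I know, but if they ever differ the exclusions silently stop matching and `find -delete` removes the assets just installed, so using `$CRAFT_PART_INSTALL` in the new lines is safer. The override-build script continues outside the hunk.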
Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 2 ++
gadget/gadget-arm64.yaml | 2 ++
2 files changed, 4 insertions(+)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index 87535dc..f1c1fdd 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -39,6 +39,8 @@ volumes:
target: EFI/ubuntu/BOOTX64.CSV
- source: grubx64.efi
target: EFI/ubuntu/grubx64.efi
+ - source: mmx64.efi
+ target: EFI/ubuntu/mmx64.efi
- source: shim.efi.signed
target: EFI/ubuntu/shimx64.efi
- name: ubuntu-boot
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index 22dd5d3..d454ffc 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -25,6 +25,8 @@ volumes:
target: EFI/ubuntu/BOOTAA64.CSV
- source: grubaa64.efi
target: EFI/ubuntu/grubaa64.efi
+ - source: mmaa64.efi
+ target: EFI/ubuntu/mmaa64.efi
- source: shim.efi.signed
target: EFI/ubuntu/shimaa64.efi
- name: ubuntu-boot
From 259601386e176596511910486434dc45bd8a298d Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Wed, 27 Sep 2023 12:20:26 -0500
Subject: [PATCH 10/11] remove `grub${arch}.efi` from `EFI/BOOT/`

The only grub which should ever be run is `EFI/ubuntu/grub${arch}.efi`. In no case should `EFI/BOOT/grub${arch}.efi` ever be executed. The possible boot patterns are:
1. If EFI boot variables are set correctly, boot the desired asset correctly (namely, `EFI/ubuntu/shim${arch}.efi`).
2. If the system supports fallback, then `EFI/BOOT/fb${arch}.efi` is run, which searches for `BOOT${arch}.CSV`, finds it in `EFI/ubuntu/`, and thus boots the corresponding assets in `EFI/ubuntu/`.
3. If fallback is not supported, the system directly boots `EFI/BOOT/BOOT${arch}.efi`.
Thus, `EFI/BOOT/grub${arch}.efi` should never be run, so it should be removed.

Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 2 --
gadget/gadget-arm64.yaml | 2 --
2 files changed, 4 deletions(-)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index f1c1fdd..95c2730 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -31,8 +31,6 @@ volumes:
target: EFI/BOOT/BOOTX64.efi
- source: fbx64.efi
target: EFI/BOOT/fbx64.efi
- - source: grubx64.efi
- target: EFI/BOOT/grubx64.efi
- source: mmx64.efi
target: EFI/BOOT/mmx64.efi
- source: BOOTX64.CSV
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index d454ffc..efdb95a 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -17,8 +17,6 @@ volumes:
target: EFI/BOOT/BOOTAA64.efi
- source: fbaa64.efi
target: EFI/BOOT/fbaa64.efi
- - source: grubaa64.efi
- target: EFI/BOOT/grubaa64.efi
- source: mmaa64.efi
target: EFI/BOOT/mmaa64.efi
- source: BOOTAA64.CSV
From efb4ecfcb4f3196d59f97403e23696c76bceea28 Mon Sep 17 00:00:00 2001
From: Oliver Calder
Date: Mon, 2 Oct 2023 14:18:10 -0500
Subject: [PATCH 11/11] Removed mok manager from `EFI/boot/`

Since there is no grub binary in `EFI/boot/`, there is no need for mok manager binaries in `EFI/boot/` either.

Signed-off-by: Oliver Calder
---
gadget/gadget-amd64.yaml | 2 --
gadget/gadget-arm64.yaml | 2 --
2 files changed, 4 deletions(-)
diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml
index 95c2730..3efcf46 100644
--- a/gadget/gadget-amd64.yaml
+++ b/gadget/gadget-amd64.yaml
@@ -31,8 +31,6 @@ volumes:
target: EFI/BOOT/BOOTX64.efi
- source: fbx64.efi
target: EFI/BOOT/fbx64.efi
- - source: mmx64.efi
- target: EFI/BOOT/mmx64.efi
- source: BOOTX64.CSV
target: EFI/ubuntu/BOOTX64.CSV
- source: grubx64.efi
diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml
index efdb95a..a5cc109 100644
--- a/gadget/gadget-arm64.yaml
+++ b/gadget/gadget-arm64.yaml
@@ -17,8 +17,6 @@ volumes:
target: EFI/BOOT/BOOTAA64.efi
- source: fbaa64.efi
target: EFI/BOOT/fbaa64.efi
- - source: mmaa64.efi
- target: EFI/BOOT/mmaa64.efi
- source: BOOTAA64.CSV
target: EFI/ubuntu/BOOTAA64.CSV
- source: grubaa64.efi
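Review bot: Dropping `EFI/BOOT/grubx64.efi` leaves the shim installed as `EFI/BOOT/BOOTX64.efi` with no second stage beside it, and the commit message's case 3 ("fallback is not supported, the system directly boots EFI/BOOT/BOOTX64.efi") is precisely the path where that matters: as far as I recall shim resolves its next stage relative to its own directory and falls through to it when `fbx64.efi` is absent or returns an error, so that case now ends at shim with nothing to load. If the intent is that fallback itself always chain-starts `EFI/ubuntu/shimx64.efi` after registering it (it does try the first entry it creates on firmware I have seen), the description should say so and the gadget should carry a comment above the `EFI/BOOT/` entries, e.g. `# EFI/BOOT/ deliberately holds only shim + fallback; boot continues from EFI/ubuntu/ via BOOTX64.CSV`; otherwise keep a grub copy in `EFI/BOOT/`. The arm64 hunk has the same shape.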
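Review bot: The rationale that MokManager is only needed where grub is does not match how shim uses it: shim itself, not grub, launches `mm${arch}.efi` from its own directory when a MOK request is pending or when verification of the next stage fails, so after this hunk the shim at `EFI/BOOT/BOOTX64.efi` has no MokManager to hand off to. On an Ubuntu Core image that never expects MOK enrolment this may be acceptable, but it is a behavioural change for the EFI/BOOT shim and should be stated as such in the commit message rather than derived from the grub removal. If in doubt keep the two removed lines `- source: mmx64.efi` / `target: EFI/BOOT/mmx64.efi`. The same applies to the arm64 hunk.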