#2166 PR merged: RAWDISK and TCG Opal 2 Self-Encrypting Disks: add Secure Boot support

Labels: enhancement, fixed / solved / done

OliverO2 opened issue at 2019-06-27 16:37:

Pull Request Details:

  • Type: New Feature

  • Impact: Normal

  • How was this pull request tested?

    • Tests were based on current ReaR master (d7b587cb5b7a14432e7c4f9e5f4d94e50abea740) on Ubuntu 18.04.2 LTS:
    • Tested booting recovery systems in these configurations:
      1. Legacy Boot
      2. EFI Boot via syslinux (Secure Boot disabled)
      3. EFI Boot via Grub 2 (Secure Boot disabled)
      4. EFI Boot via Grub 2 (Secure Boot enabled)
    • Tested TCG Opal 2 PBA disk unlocking with Secure Boot enabled.

  • Brief description of the changes in this pull request:

This PR adds Secure Boot support to the RAWDISK output format.

This in turn enables Secure Boot in conjunction with the PBA (pre-boot authentication) system required to unlock TCG Opal 2-compatible self-encrypting disks. (BTW: AFAIK there is no other solution available supporting Secure Boot with TCG Opal 2 SEDs on the market.)

As is the case with other output formats within ReaR, Secure Boot support has to be explicitly enabled. On Ubuntu, the following line must be added to the configuration:

SECURE_BOOT_BOOTLOADER="/boot/efi/EFI/ubuntu/shimx64.efi"

That's all.

OliverO2 commented at 2019-07-04 14:18:

Some remarks:

The proposed code change works as good as previous Grub 2 UEFI booting - it just adds the Secure Boot capability.

What I'm not yet entirely satisfied with is the Plymouth boot splash integration on desktops for the pre-boot authentication system asking for the disk unlock password. Ideally, Plymouth should present a centered password prompt and hide all startup console messages. However, Plymouth reacts differently depending on the boot loader (Grub 2 or syslinux) and the graphics hardware (Intel or nVidia) involved. With Grub 2, it resorts to just a simple text mode prompt and does not hide console log messages. It's all usable, but does not yet look as nice as it should.

I have experimented a bit but got mixed results so far, e.g. a nicer look but the password prompt only coming up after pressing ESC. Whenever a better solution comes up, I'll post an update.

jsmeix commented at 2019-07-05 07:56:

@OliverO2
thank you so much for your continuous improvements of ReaR!

OliverO2 commented at 2019-07-06 14:00:

Thanks to everyone for reviewing. I'll check the details and I'll push an update.

jsmeix commented at 2019-08-02 09:56:

@OliverO2
thank you for your enhancement!

Meanwhile it is merged so if you like to do an update
you would have to do it as another pull request.

OliverO2 commented at 2019-08-02 11:05:

@jsmeix Yes, I have noticed it, sorry for the delay on my side. When I get back to this, would it be OK to respond to your comments in this PR so that the discussion stays is in one place?

[Export of Github issue for rear/rear.]