#3031 PR open: Secure Boot support for OUTPUT=USB

Labels: enhancement, waiting for info

jsmeix opened issue at 2023-07-25 12:03:

  • Type: Enhancement

  • Impact: Normal

  • Reference to related issue (URL):

https://github.com/rear/rear/pull/3025#issuecomment-1643774477

  • How was this pull request tested?

I tested it the same way (on the same VMs) as I did in
https://github.com/rear/rear/pull/3025#issuecomment-1643774477
but now with the changes here
Secure Boot with OUTPUT=USB works for me.

  • Brief description of the changes in this pull request:

In output/USB/Linux-i386/100_create_efiboot.sh
add Secure Boot support for OUTPUT=USB by using
SECURE_BOOT_BOOTLOADER as first stage Secure Boot bootloader BOOTX64.efi
and using grub*.efi as second stage Secure Boot bootloader files
in the same way as already done for OUTPUT=ISO
in output/ISO/Linux-i386/250_populate_efibootimg.sh
see https://github.com/rear/rear/pull/3025#issuecomment-1643774477

My current implementation here is just a first step.
The whole code looks somewhat convoluted
and needs at least some more generic cleanup
to make it easier to further develop things in this area.

jsmeix commented at 2023-07-27 11:39:

First things first:
I will not clean up the whole UEFI and Secure Boot code
via this pull request.
Via this pull request only what is needed
to get Secure Boot support with OUTPUT=USB
in the current code environment
should be implemented.

Later - as needed and as time permits - I would like
to clean up step by step the whole UEFI and Secure Boot code.

In particular currently I do not like that
via SECURE_BOOT_BOOTLOADER
UEFI_BOOTLOADER is overwritten
because that makes it needlessly hard (at least for me)
to understand the UEFI and Secure Boot code
because it is not clear if in a particular piece of code
UEFI_BOOTLOADER means a non-Secure-Boot bootloader
OR
if UEFI_BOOTLOADER means a Secure Boot first stage bootloader
AND
in the latter case the user cannot configure
the Secure Boot second stage bootloader.
I would like to Keep Separated Items Separated - "KSIS" ;-)

jsmeix commented at 2023-07-27 11:41:

@pcahyna @rear/contributors
could you please - as time permits - have a look here?

I would very much appreciate it if you could test it
on non-SUSE Linux distributions, in particular RHEL
and perhaps also Ubuntu and Debian.

jsmeix commented at 2023-07-27 11:46:

@pcahyna @rear/contributors
I have a question regarding the
Secure Boot second stage bootloader files:

Currently those are (hardcoded) all files
that match the bash globbing grub*.efi
in the directory where SECURE_BOOT_BOOTLOADER is.

I wonder if it is more fail-safe to use all *.efi files
in the directory where SECURE_BOOT_BOOTLOADER is,
probably even all *.efi files with ignore case matching?
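As an added illustration (not ReaR's own code and not part of this PR), the staging logic described in the pull request description and in the question above, written as a standalone shell function: the file SECURE_BOOT_BOOTLOADER points to is copied as the first stage BOOTX64.efi, and the grub*.efi files beside it are copied unchanged as the second stage. The directory layout, the file names and the helper that builds a fake input tree are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the rear project. Stages Secure Boot
# bootloader files into a USB EFI/BOOT directory as the PR describes.
# Assumption: the first stage is whatever SECURE_BOOT_BOOTLOADER points to
# (typically the signed shim) and the second stage files are grub*.efi
# in the same directory.

# stage_secure_boot_files SECURE_BOOT_BOOTLOADER EFI_BOOT_DIR
# Copies the first stage as BOOTX64.efi and every grub*.efi from the same
# directory into EFI_BOOT_DIR; prints the number of second stage files.
stage_secure_boot_files() {
    local first_stage="$1" efi_boot_dir="$2"
    local src_dir second_stage count=0
    [ -f "$first_stage" ] || { echo "no such file: $first_stage" >&2; return 1; }
    src_dir="$(dirname "$first_stage")"
    mkdir -p "$efi_boot_dir" || return 1
    # Firmware looks for EFI/BOOT/BOOTX64.efi on removable media,
    # so the signed first stage bootloader must take that name:
    cp "$first_stage" "$efi_boot_dir/BOOTX64.efi" || return 1
    # The second stage keeps its own names so the first stage can find it:
    for second_stage in "$src_dir"/grub*.efi ; do
        [ -f "$second_stage" ] || continue   # glob matched nothing
        cp "$second_stage" "$efi_boot_dir/" || return 1
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ] ; then
        echo "no grub*.efi second stage bootloader found in $src_dir" >&2
        return 1
    fi
    echo "$count"
}

# make_demo_tree DIR: constructed sample input (not real bootloaders):
# a fake shim, two grub*.efi files and one unrelated .efi file that the
# grub*.efi glob must not pick up.
make_demo_tree() {
    local dir="$1"
    mkdir -p "$dir/efi" || return 1
    printf 'fake shim\n' > "$dir/efi/shim.efi"
    printf 'fake grub\n' > "$dir/efi/grub.efi"
    printf 'fake grubx64\n' > "$dir/efi/grubx64.efi"
    printf 'fake other\n' > "$dir/efi/fwupdx64.efi"
}
```

With the fake tree, only shim.efi (renamed to BOOTX64.efi) and the two grub*.efi files reach EFI/BOOT; fwupdx64.efi is left behind, which is the difference between the grub*.efi glob and an all-*.efi glob that the question above is about.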

jsmeix commented at 2023-08-02 06:21:

@pcahyna @rear/contributors
I would like to merge it tomorrow (Thursday) afternoon
unless there are objections.

[Export of Github issue for rear/rear.]