#3276 Issue open: Secure Boot with GRUB shim should work automatically

schlomo opened issue at 2024-07-12 09:03:

Currently one must set SECURE_BOOT_BOOTLOADER=(/boot/efi/EFI/*/shimx64.efi) or something like this on every system that uses secure boot.

I'd like to enhance ReaR to automatically detect secure boot and configure the shim.

schlomo commented at 2024-07-12 10:29:

I just noticed that we already have code to read the EFI variables, added by @jsmeix in https://github.com/rear/rear/commit/9a31a5fa9a75a72bfb01eedabadc104400982667

Do you happen to remember why reading the EFI vars comes as a fallback solution instead of trying to do that first?

schlomo commented at 2024-07-12 10:46:

ReaR output for rear -v mkrescue:

Relax-and-Recover 2.7 / Git
Running rear mkrescue (PID 44344 date 2024-07-12 12:45:41)
Using log file: /tmp/rear_var/log/rear/rear-rear-ol9u3.log
Running workflow mkrescue on the normal/original system
Using UEFI Boot Loader for Linux (USING_UEFI_BOOTLOADER=1)
Secure Boot auto-configuration using '/boot/efi/EFI/redhat/shimx64.efi' as UEFI bootloader
Using autodetected kernel '/boot/vmlinuz-5.15.0-204.147.6.3.el9uek.x86_64' as kernel in the recovery system
Creating disk layout
...

Rescue system now also has mokutil to validate secure boot status:
[image]

pcahyna commented at 2024-07-12 11:21:

Hi @schlomo, I did some work to support this but never got around to completing it, so I am at least pushing it for public review as #3277. IIRC, the code works on RHEL; the main thing missing was to check compatibility with all the possible conventions for naming the bootloader and shim for various distro versions.

schlomo commented at 2024-07-12 11:26:

Ah, great. I'll have a look. My approach is rather primitive in comparison.
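
The detection this issue asks for, sketched as an added example that is not part of the thread and is not ReaR's code or the code in #3277: read the firmware's SecureBoot EFI variable, then pick the shim only when exactly one exists. The function names and directory parameters are hypothetical, and only the `shimx64.efi` name from this issue is handled, not other distro or architecture naming conventions.

```bash
# Added example, not ReaR code. Function names and the directory parameters
# are hypothetical; the parameters let the logic run on a constructed tree.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print "enabled", "disabled" or "unknown" for the firmware Secure Boot state.
# An efivarfs file is 4 attribute bytes followed by the variable data; the
# SecureBoot variable has one data byte (1 = enabled, 0 = disabled).
secure_boot_state() {
    local efivars_dir var value
    efivars_dir="${1:-/sys/firmware/efi/efivars}"
    var="$efivars_dir/SecureBoot-$EFI_GLOBAL_GUID"
    if [ ! -r "$var" ]; then echo unknown; return 0; fi
    value=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d '[:space:]')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print the single shim found on the ESP. Zero or several matches is an error:
# picking one arbitrarily could yield a rescue image the firmware rejects.
find_shim() {
    local esp_root f shim count
    esp_root="${1:-/boot/efi}"
    shim="" count=0
    for f in "$esp_root"/EFI/*/shimx64.efi; do
        if [ -f "$f" ]; then shim=$f; count=$((count + 1)); fi
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one shimx64.efi, found $count" >&2
        return 1
    fi
    echo "$shim"
}

# Print the shim path when Secure Boot is enabled, nothing otherwise.
# The output is a candidate value for SECURE_BOOT_BOOTLOADER.
autodetect_secure_boot_bootloader() {
    if [ "$(secure_boot_state "$1")" != enabled ]; then return 0; fi
    find_shim "$2"
}
```

Called without arguments, the functions fall back to `/sys/firmware/efi/efivars` and `/boot/efi`.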


[Export of Github issue for rear/rear.]