Grub file modifications for Debian signed UEFI installs

Initial delivery of UEFI system node installs did not use the signed boot loader. As a result Secure Boot of system nodes was not supported. This update changes that by swapping in the signed bootx64.efi boot loader in a puppet update ; see depends on. This update modifies to the pxe-network-installer and kickstart to support a robust UEFI system node install that supports Secure Boot. The first change creates and uses an stx template file from LAT grub file. This is done to avoid ongoing and difficult to implement LAT grub file hack changes from the kickstart. This new grub.cg.stx file is packaged in the pxe-network-installer. The kickstarts are modified to replace the LAT grub.cfg file with the new stx template file grub.cfg.stx. As far as this update goes, this template file is a null change from the LAT grub file and represents what the LAT grub file looked like at the time the template was created. Moving forward, further changes to the system node install grub file will be made to this new grub.cfg.stx template file. The second change is to modify existing stx unprovisioned default pxe-grub.cfg files to look for the new mac based config file with the '.cfg' extention. The system node install mac-based grub files are dynamically created with no signature file. To work around that, this update exports the LAT environment variable 'skip_check_cfg' which instructs LAT to 'skip' the grub menu signature 'check' for these dynamically created grub files. An additional change is made to handle timer reload on menu refresh if the new node remains unprovisioned after timeout. Test Plan: PASS: Verify the default LAT file is renamed and the new template file positioned in its place. PASS: Verify Debian pxe-network-installer package update PASS: Verify Debian AIO DX UEFI Install PASS: Verify CentOS kickstarts do not require the kickstart change PASS: Verify build and UEFI install - Debian - CentOS PASS: Verify unprovisioned grub menu reload handling with re-occuring timeout until node is provisioned. Regression: PASS: Verify host-delete and host-update install and unlock PASS: Verify host-reinstall and host-unlock PASS: Verify lock/unlock controller-1 and controller-0 PASS: Verify lock/delete/reinstall/unlock controller-1 PASS: Verify swact to controller-1 PASS: Verify lock/delete/reinstall/unlock controller-0 Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/863776 Story: 2009968 Task: 46701 Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com> Change-Id: Id073842ac1b29acf54c999022a9e37d4c2366031
2022-11-06 20:34:30 +00:00 · 2022-11-06 20:34:30 +00:00 · 0e7024f9a7
parent c9fbb076db
commit 0e7024f9a7
6 changed files with 150 additions and 4 deletions
--- a/installer/pxe-network-installer/debian/deb_folder/rules
+++ b/installer/pxe-network-installer/debian/deb_folder/rules
@ -22,6 +22,7 @@ override_dh_install:
 	install -v -m 644 default.static       $(ROOT)/var/pxeboot/pxelinux.cfg.files/default.static
 	install -v -m 644 pxe-grub.cfg         $(ROOT)/var/pxeboot/pxelinux.cfg.files/grub.cfg
 	install -v -m 644 pxe-grub.cfg.static  $(ROOT)/var/pxeboot/pxelinux.cfg.files/grub.cfg.static
+	install -v -m 644 grub.cfg.stx         $(ROOT)/var/pxeboot/pxelinux.cfg.files/grub.cfg.stx
 	install -p -D -m 700 pxeboot-update.sh $(ROOT)/usr/sbin/pxeboot-update-${platform_release}.sh

 	# Add controller-0 pxeboot install grub menus and setup utility
--- a/installer/pxe-network-installer/pxe-network-installer/grub.cfg.stx
+++ b/installer/pxe-network-installer/pxe-network-installer/grub.cfg.stx
@ -0,0 +1,124 @@
+set default="0"
+set timeout=3
+set color_normal='light-gray/black'
+set color_highlight='light-green/blue'
+
+set boot_part="otaboot"
+set root_part="otaroot"
+set flux_part="fluxdata"
+set rollback_part="_b"
+set ab="1"
+set ostree_console="console=ttyS0,115200"
+set kernel=vmlinuz
+set kernel_rollback=vmlinuz
+set kernel_params=""
+set kernel_params_ext=""
+
+if [ "${legacy_bios}" != "1" ]; then
+    set boot_env_path=${prefix}
+fi
+
+if [ -e ${boot_env_path}/boot.env ]; then
+  load_env -s -f ${boot_env_path}/boot.env
+
+  if [ "${boot_tried_count}" -eq "0" ]; then
+    set boot_tried_count="1"
+  elif [ "${boot_tried_count}" -eq "1" ]; then
+    set boot_tried_count="2"
+  elif [ "${boot_tried_count}" -eq "2" ]; then
+    set boot_tried_count="3"
+  elif [ "${boot_tried_count}" -eq "3" ]; then
+    if [ "${default}" -eq "1" ]; then
+       set default="0"
+    else
+       set default="1"
+    fi
+    save_env -f ${boot_env_path}/boot.env default
+    set boot_tried_count="0"
+  fi
+  save_env -f ${boot_env_path}/boot.env boot_tried_count
+fi
+
+search --no-floppy --label --set=avol ${boot_part}${boot_mode}
+if [ -e ($avol)/1/kernel.env ] ; then
+  load_env -s -f ($avol)/1/kernel.env kernel
+fi
+if [ "$ab" = "1" ] ; then
+  search --no-floppy --label --set=bvol ${boot_part}${rollback_part}
+  if [ -e ($avol)/1/kernel.env ] ; then
+    load_env -s -f ($avol)/1/kernel.env kernel_rollback
+  fi
+else
+  if [ -e ($avol)/2/kernel.env ] ; then
+    load_env -s -f ($avol)/2/kernel.env kernel_rollback
+  fi
+fi
+
+get_efivar -f uint8 -s secured SecureBoot
+if [ "${secured}" = "1" ]; then
+    # Enable user authentication to make grub unlockable
+    set superusers="root"
+    password_pbkdf2 root grub.pbkdf2.sha512.10000.7C392DD2FFEA15F1E050CF88DB414F128724C55039614BFCF22D9F3AA775E534BEC0A0A2E6C49FE3CBBC7A1A9CE7546D11FD198197A375044EF96D189EC22141.712E252EC3009DD64C5157615DF84F46B3D4A7C6F40DF941CB62C8965B25AA3D62B0D2080545FCB7801A62A72244F87DC13FF26D740A32D96D5F85017BB4AB03
+else
+    get_efivar -f uint8 -s unprovisioned SetupMode
+    if [ "${unprovisioned}" = "1" ]; then
+        set timeout=0
+
+        menuentry "Automatic Certificate Provision" --unrestricted {
+            chainloader ${prefix}/LockDown.efi
+        }
+    fi
+fi
+
+menuentry "StarlingX ostree${boot_mode} ${kernel}" --unrestricted {
+    set fallback=1
+    if [ "${legacy_bios}" != "1" ]; then
+        efi-watchdog enable 0 180
+    fi
+    search --no-floppy --label --set=root ${boot_part}${boot_mode}
+    if [ -e /1/kernel.env ] ; then
+        load_env -s -f /1/kernel.env kernel_params_ext
+    fi
+    linux /1/${kernel} rw rootwait ostree_boot=LABEL=${boot_part}${boot_mode} ostree_root=LABEL=${root_part}${boot_mode} flux=${flux_part} ostree=/ostree/1 $ostree_console $kernel_params $kernel_params_ext
+    initrd /1/initramfs
+}
+
+if [ "$ab" = "1" ] ; then
+menuentry "StarlingX ostree ${kernel_rollback} rollback${rollback_part}" --unrestricted {
+    search --no-floppy --label --set=root ${boot_part}${rollback_part}
+    if [ -e /1/kernel.env ] ; then
+        load_env -s -f /1/kernel.env kernel_params_ext
+    fi
+    linux /1/${kernel_rollback} rw rootwait ostree_boot=LABEL=${boot_part}${rollback_part}  ostree_root=LABEL=${root_part}${rollback_part} flux=${flux_part} ostree=/ostree/1 $ostree_console $kernel_params $kernel_params_ext
+    initrd /1/initramfs
+}
+else
+menuentry "StarlingX ostree${boot_mode} ${kernel_rollback} rollback" --unrestricted {
+    set fallback=1
+    if [ "${legacy_bios}" != "1" ]; then
+        efi-watchdog enable 0 180
+    fi
+    search --no-floppy --label --set=root ${boot_part}${boot_mode}
+    if [ -e /2/kernel.env ] ; then
+        load_env -s -f /2/kernel.env kernel_params_ext
+    fi
+    linux /2/${kernel_rollback} rw rootwait ostree_boot=LABEL=${boot_part}${boot_mode} ostree_root=LABEL=${root_part}${boot_mode} flux=${flux_part} ostree=/ostree/2 $ostree_console $kernel_params $kernel_params_ext
+    initrd /2/initramfs
+}
+fi
+
+if [ -s ${prefix}/igrub.cfg ] ; then
+   source ${prefix}/igrub.cfg
+   search --no-floppy --label --set=avol ${boot_part}${boot_mode}
+   if [ "$ab" = "1" ] ; then
+     search --no-floppy --label --set=bvol ${boot_part}${rollback_part}
+     if [ ! -s ($avol)/1/${kernel} -a ! -s ($bvol)/1/${kernel_rollback} ] ; then
+       set default="2"
+     fi
+   else
+     if [ ! -s ($avol)/1/${kernel} -a ! -s ($avol)/2/${kernel_rollback} ] ; then
+       set default="2"
+     fi
+   fi
+fi
+
--- a/installer/pxe-network-installer/pxe-network-installer/pxe-grub.cfg
+++ b/installer/pxe-network-installer/pxe-network-installer/pxe-grub.cfg
@ -7,6 +7,10 @@ timeout=10
 GRUB_HIDDEN_TIMEOUT=0
 GRUB_TIMEOUT_STYLE='countdown'

+# This is to tell LAT to skip the signature check
+# of the dynamic host mac based grub files.
+export skip_check_cfg
+
 mac=$net_default_mac

 # net_default_mac is the network interface that was used to load grub.
@ -34,7 +38,7 @@ conf=$conf-$new
 menuentry 'Waiting for this node to be configured.' {
   insmod net
   insmod efinet
-   configfile pxelinux.cfg/efi-01-$conf
+   configfile pxelinux.cfg/efi-01-$conf.cfg
 }
 menuentry ' ' {
   echo " "
@ -52,5 +56,5 @@ menuentry ' ' {
 menuentry 'Node not configured.' {
   insmod net
   insmod efinet
-   configfile grub.cfg
+   configfile pxelinux.cfg/grub.cfg
 }
--- a/installer/pxe-network-installer/pxe-network-installer/pxe-grub.cfg.static
+++ b/installer/pxe-network-installer/pxe-network-installer/pxe-grub.cfg.static
@ -7,6 +7,10 @@ timeout=10
 GRUB_HIDDEN_TIMEOUT=0
 GRUB_TIMEOUT_STYLE='countdown'

+# This is to tell LAT to skip the signature check
+# of the dynamic host mac based grub files.
+export skip_check_cfg
+
 mac=$net_default_mac

 # net_default_mac is the network interface that was used to load grub.
@ -34,7 +38,7 @@ conf=$conf-$new
 menuentry 'Waiting for this node to be configured.' {
   insmod net
   insmod efinet
-   configfile pxelinux.cfg/efi-01-$conf
+   configfile pxelinux.cfg/efi-01-$conf.cfg
 }
 menuentry ' ' {
   echo " "
@ -66,5 +70,5 @@ menuentry ' ' {
 menuentry 'Node not configured.' {
   insmod net
   insmod efinet
-   configfile grub.cfg
+   configfile pxelinux.cfg/grub.cfg
 }
--- a/kickstart/files/kickstart.cfg
+++ b/kickstart/files/kickstart.cfg
@ -2350,6 +2350,12 @@ set boot_tried_count="0" \
 save_env -f ${boot_env_path}/boot.env boot_tried_count \
 ' /boot/efi/EFI/BOOT/grub.cfg

+ilog "Override LAT grub file"
+GRUB_PATH_N_FILE="/boot/efi/EFI/BOOT/grub.cfg"
+if [ ! -e ${GRUB_PATH_N_FILE}.lat ] ; then
+    mv ${GRUB_PATH_N_FILE} ${GRUB_PATH_N_FILE}.lat
+    cp /var/pxeboot/pxelinux.cfg.files/grub.cfg.stx ${GRUB_PATH_N_FILE}
+fi

 ######################################################################
 # From post_system_aio
--- a/kickstart/files/miniboot.cfg
+++ b/kickstart/files/miniboot.cfg
@ -2495,6 +2495,13 @@ set boot_tried_count="0" \
 save_env -f ${boot_env_path}/boot.env boot_tried_count \
 ' /boot/efi/EFI/BOOT/grub.cfg

+ilog "Override LAT grub file"
+GRUB_PATH_N_FILE="/boot/efi/EFI/BOOT/grub.cfg"
+if [ ! -e ${GRUB_PATH_N_FILE}.lat ] ; then
+    mv ${GRUB_PATH_N_FILE} ${GRUB_PATH_N_FILE}.lat
+    cp /var/pxeboot/pxelinux.cfg.files/grub.cfg.stx ${GRUB_PATH_N_FILE}
+fi
+
 ######################################################################
 # From post_system_aio
 ######################################################################