author | Silvio Rhatto <rhatto@riseup.net> | 2022-01-24 17:33:48 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2022-01-24 17:33:48 -0300 |
commit | a6ef76fd3ae81297dc453f106fbe4d826dec8fa5 (patch) | |
tree | 10f4540d55974689bfa93a63ba3792d56d98484f | |
parent | e5349fdb8e1d22bce8d7e6d6e2e39574b6085e05 (diff) | |
Feat: provision: initial support for UEFI and SecureBoot
-rw-r--r-- | share/config/provision/tpc.conf | 3 | ||||
-rwxr-xr-x | share/hydractl/provision | 77 |
2 files changed, 66 insertions, 14 deletions
diff --git a/share/config/provision/tpc.conf b/share/config/provision/tpc.conf
index e65762c..a640d23 100644
--- a/share/config/provision/tpc.conf
+++ b/share/config/provision/tpc.conf
@@ -16,6 +16,9 @@ random_swap="n" # Random swap?
 arch="amd64" # System arch
 version="bullseye" # Distro version
 grub="y" # Setup GRUB?
+boot_mode="uefi" # Boot mode?
+secure_boot="y" # Use SecureBoot?
+uefi_update_nvram="y" # Set NVRAM boot variables for GRUB?
 initramfs="initramfs-tools" # Initramfs
 mirror="http://http.debian.net/debian/" # Debian mirror
 ssh="n" # Install openssh-server?
diff --git a/share/hydractl/provision b/share/hydractl/provision
index e0fa248..b205742 100755
--- a/share/hydractl/provision
+++ b/share/hydractl/provision
@@ -145,6 +145,16 @@ function hydra_provision_config {
 hydra_user_config version bullseye "Distro version"
 hydra_user_config vg $hostname "Install vg"
 hydra_user_config grub y "Setup GRUB? (y/n)"
+ hydra_user_config boot_mode uefi "Boot mode? (UEFI/BIOS)"
+
+ # Sanitize boot_mode param
+ boot_mode="`echo $boot_mode | tr '[:upper:]' '[:lower:]'`"
+
+ if [ "$boot_mode" == "uefi" ]; then
+ hydra_user_config secure_boot y "Use SecureBoot? (y/n)"
+ hydra_user_config uefi_update_nvram y "Set NVRAM boot variables for GRUB? (y/n)"
+ fi
+
 hydra_user_config initramfs initramfs-tools "Initramfs manager? (initramfs-tools/dracut)"
 hydra_user_config mirror https://deb.debian.org/debian/ "Debian mirror"
 hydra_user_config ssh y "Install openssh-server? (y/n)"
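Review bot: `boot_mode` is lower-cased after the prompt but never checked against the two supported values, so any other answer (a typo, or `efi`) skips the SecureBoot and NVRAM prompts here and then falls into the `else` (UEFI) branches of the partitioning and GRUB hunks further down with `secure_boot` unset. Because the following steps repartition `$device`, rejecting the value up front is safer: `case "$boot_mode" in uefi|bios) ;; *) echo "Unsupported boot_mode: $boot_mode" >&2; exit 1 ;; esac`. The sanitize line also expands `$boot_mode` unquoted inside backticks; `boot_mode="$(printf '%s' "$boot_mode" | tr '[:upper:]' '[:lower:]')"` avoids word splitting and globbing. `hydra_provision_config` starts and ends outside this hunk, so the right way to abort (plain `exit` versus a project helper) should be confirmed there.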
@@ -248,30 +258,43 @@ else
 start="$((($optimal_size + $alignment_offset) / $block_size))"
 optimal_sector_size="$(($optimal_size / $block_size))"
- # Sector size for a 1MB partition
+ # Sector size for a 1MB partition, BIOS mode
 bios_grub_size="$(($mebibyte/$block_size))"
 bios_grub_end="$(($start + $bios_grub_size - 1))"
+ # Sector size for a 300MB partition, UEFI mode
+ # See https://wiki.archlinux.org/title/Parted#UEFI/GPT_examples
+ uefi_grub_size="$(($mebibyte/$block_size*300))"
+ uefi_grub_end="$(($start + $uefi_grub_size - 1))"
+
 # Regular disk partitioning.
 hydra_sudo_run parted -s -- $device mklabel gpt
 #hydra_sudo_run parted -s -- $device unit MB mkpart non-fs 2 3
- # See https://unix.stackexchange.com/questions/190317/gnu-parted-resizepart-in-script#202872
- # https://bugs.launchpad.net/ubuntu/+source/parted/+bug/1270203
- # https://techtitbits.com/2018/12/using-parteds-resizepart-non-interactively-on-a-busy-partition/
- # https://serverfault.com/questions/870594/resize-partition-to-maximum-using-parted-in-non-interactive-mode
- hydra_sudo_run parted -s -- $device mkpart non-fs ${start}s ${bios_grub_end}s
- #hydra_sudo_run parted -s ---pretend-input-tty -- $device mkpart non-fs ${start}s ${bios_grub_end}s Yes
- #hydra_sudo_run parted $device mkpart non-fs ${start}s ${bios_grub_end}s Yes Ignore quit
- #hydra_sudo_run parted -s ---pretend-input-tty $device <<EOF
+ if [ "$boot_mode" == "bios" ]; then
+ # See https://unix.stackexchange.com/questions/190317/gnu-parted-resizepart-in-script#202872
+ # https://bugs.launchpad.net/ubuntu/+source/parted/+bug/1270203
+ # https://techtitbits.com/2018/12/using-parteds-resizepart-non-interactively-on-a-busy-partition/
+ # https://serverfault.com/questions/870594/resize-partition-to-maximum-using-parted-in-non-interactive-mode
+ #hydra_sudo_run parted -s ---pretend-input-tty -- $device mkpart non-fs ${start}s ${bios_grub_end}s Yes
+ #hydra_sudo_run parted $device mkpart non-fs ${start}s ${bios_grub_end}s Yes Ignore quit
+ #hydra_sudo_run parted -s ---pretend-input-tty $device <<EOF
 #mkpart non-fs ${start}s ${bios_grub_end}s
 #Yes
 #Ignore
 #quit
 #EOF
+ hydra_sudo_run parted -s -- $device mkpart non-fs ${start}s ${bios_grub_end}s
+
+ # Se GRUB flag
+ hydra_sudo_run parted -s -- $device set 1 bios_grub on
+ else
+ esp_device="${device}${partition_separator}1"
- # Se GRUB flag
- hydra_sudo_run parted -s -- $device set 1 bios_grub on
+ hydra_sudo_run parted -s -- $device mkpart "EFI System Partition" fat32 ${start}s ${uefi_grub_end}s
+ hydra_sudo_run parted -s -- $device set 1 esp on
+ hydra_sudo_run mkfs.vfat $esp_device
+ fi
 # Check alignment
 hydra_sudo_run parted -s -- $device align-check optimal 1
@@ -611,7 +634,30 @@ fi
 # Grub.
 if [ "$grub" == "y" ]; then
 echo "Setting up GRUB..."
- $APT_INSTALL grub-pc -y
+
+ if [ "$boot_mode" == "bios" ]; then
+ $APT_INSTALL grub-pc -y
+ else
+ if [ "$arch" == "amd64" ]; then
+ grub_arch="x86_64"
+ else
+ grub_arch="$arch"
+ fi
+
+ if [ "$secure_boot" == "y" ]; then
+ grub_arch="${grub_arch}-signed"
+ fi
+
+ if [ "$uefi_update_nvram" == "n" ]; then
+ grub_uefi_nvram="--no-nvram"
+ fi
+
+ $APT_INSTALL grub-efi-${arch} -y
+
+ # Make UEFI partition available
+ hydra_sudo_run mkdir $WORK/boot/efi
+ hydra_sudo_run mount $esp_device $WORK/boot/efi
+ fi
 hydra_sudo_run sed -i -e 's/^GRUB_CMDLINE_LINUX_DEFAULT="quiet"$/GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"/' \
 $WORK/etc/default/grub
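Review bot: `hydra_sudo_run mkfs.vfat $esp_device` in the new UEFI branch lets mkfs choose the FAT width from the partition size, and for a 300MiB partition it will likely not pick FAT32 even though the `mkpart` line labels the partition `fat32`; some firmware only boots from a FAT32 ESP. I would write `hydra_sudo_run mkfs.vfat -F 32 "$esp_device"`. `esp_device` is built from `partition_separator`, which is defined outside this hunk, so it is worth confirming that it is set for every device naming scheme before mkfs runs on the result. The `# Se GRUB flag` comment carried into the BIOS branch has a typo (`Set`), and the enclosing `else` block starts outside the hunk.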
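Review bot: `grub_arch` ends up as `x86_64` or `x86_64-signed`, and the last hunk passes it to `grub-install --target=${grub_arch}`; GRUB's EFI platform names carry an `-efi` suffix (`x86_64-efi`), and `-signed` is a Debian package-name suffix rather than a target, so the UEFI install is likely to fail instead of delivering what `secure_boot=y` promises. The package line installs `grub-efi-${arch}` regardless of `secure_boot`, so nothing in the hunk explicitly pulls in a signed boot chain. I would keep the target as `grub_arch="x86_64-efi"` and choose the package separately, for example `grub-efi-${arch}-signed` together with `shim-signed` when `secure_boot` is `y` (package names to be confirmed for the target release). `grub_uefi_nvram` should also be initialised with `grub_uefi_nvram=""` before its `if`, and `mkdir -p` avoids a failure when `$WORK/boot/efi` already exists.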
@@ -623,13 +669,16 @@ if [ "$grub" == "y" ]; then
 echo 'GRUB_ENABLE_CRYPTODISK=y' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
 echo 'GRUB_PRELOAD_MODULES="lvm cryptodisk mdraid1x"' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
 hydra_sudo_run chroot $WORK/ update-grub
- hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device
 # Fix menu entry
 hydra_sudo_run sed -i -e "s|root=/dev/mapper/provision-root|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg
 hydra_sudo_run sed -i -e "s|root=/dev/mapper/$hostname-unlocked|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg
- else
+ fi
+
+ if [ "$boot_mode" == "bios" ]; then
 hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device
+ else
+ hydra_sudo_run chroot $WORK/ grub-install --target=${grub_arch} --efi-directory=/boot/efi $grub_uefi_nvram
+ fi
 fi
|
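Review bot: The UEFI `grub-install` call writes a boot entry into the firmware NVRAM of the machine running the provisioning unless `$grub_uefi_nvram` is `--no-nvram`, and both the prompt and `tpc.conf` default `uefi_update_nvram` to `y`. If `$device` is a disk being prepared for a different machine, that alters the provisioning host's boot entries and leaves the target without one; defaulting to `n` and adding `--removable` in that case, so GRUB is also placed at the fallback path on the ESP, would be safer. Inside the chroot the NVRAM update also needs efivarfs to be available, which this hunk does not show being mounted. The enclosing `if [ "$grub" == "y" ]` block starts outside the hunk.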