authorSilvio Rhatto <rhatto@riseup.net>2022-01-24 17:33:48 -0300
committerSilvio Rhatto <rhatto@riseup.net>2022-01-24 17:33:48 -0300
commita6ef76fd3ae81297dc453f106fbe4d826dec8fa5 (patch)
tree10f4540d55974689bfa93a63ba3792d56d98484f
parente5349fdb8e1d22bce8d7e6d6e2e39574b6085e05 (diff)
Feat: provision: initial support for UEFI and SecureBoot
-rw-r--r--share/config/provision/tpc.conf3
-rwxr-xr-xshare/hydractl/provision77
2 files changed, 66 insertions, 14 deletions
diff --git a/share/config/provision/tpc.conf b/share/config/provision/tpc.conf
index e65762c..a640d23 100644
--- a/share/config/provision/tpc.conf
+++ b/share/config/provision/tpc.conf
@@ -16,6 +16,9 @@ random_swap="n" # Random swap?
arch="amd64" # System arch
version="bullseye" # Distro version
grub="y" # Setup GRUB?
+boot_mode="uefi" # Boot mode?
+secure_boot="y" # Use SecureBoot?
+uefi_update_nvram="y" # Set NVRAM boot variables for GRUB?
initramfs="initramfs-tools" # Initramfs
mirror="http://http.debian.net/debian/" # Debian mirror
ssh="n" # Install openssh-server?
diff --git a/share/hydractl/provision b/share/hydractl/provision
index e0fa248..b205742 100755
--- a/share/hydractl/provision
+++ b/share/hydractl/provision
@@ -145,6 +145,16 @@ function hydra_provision_config {
hydra_user_config version bullseye "Distro version"
hydra_user_config vg $hostname "Install vg"
hydra_user_config grub y "Setup GRUB? (y/n)"
+ hydra_user_config boot_mode uefi "Boot mode? (UEFI/BIOS)"
+
+ # Sanitize boot_mode param
+ boot_mode="`echo $boot_mode | tr '[:upper:]' '[:lower:]'`"
+
+ if [ "$boot_mode" == "uefi" ]; then
+ hydra_user_config secure_boot y "Use SecureBoot? (y/n)"
+ hydra_user_config uefi_update_nvram y "Set NVRAM boot variables for GRUB? (y/n)"
+ fi
+
hydra_user_config initramfs initramfs-tools "Initramfs manager? (initramfs-tools/dracut)"
hydra_user_config mirror https://deb.debian.org/debian/ "Debian mirror"
hydra_user_config ssh y "Install openssh-server? (y/n)"
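Review bot: `boot_mode` is lower-cased after the prompt but never checked against the two supported values, and the hunks disagree on the fallback. Here only the exact string `uefi` triggers the SecureBoot and NVRAM prompts, while the partitioning and GRUB hunks treat anything other than `bios` as UEFI. A typo such as `efi` would therefore produce an ESP layout with `secure_boot` left at whatever the config file set, or unset, so the signed path can be skipped without any message. I would reject unknown values right after the sanitize step, e.g. `case "$boot_mode" in uefi|bios) ;; *) echo "Invalid boot mode: $boot_mode" >&2; exit 1 ;; esac`, and quote the expansion as `boot_mode="$(echo "$boot_mode" | tr '[:upper:]' '[:lower:]')"`. The body of hydra_provision_config continues outside the hunk.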
@@ -248,30 +258,43 @@ else
start="$((($optimal_size + $alignment_offset) / $block_size))"
optimal_sector_size="$(($optimal_size / $block_size))"
- # Sector size for a 1MB partition
+ # Sector size for a 1MB partition, BIOS mode
bios_grub_size="$(($mebibyte/$block_size))"
bios_grub_end="$(($start + $bios_grub_size - 1))"
+ # Sector size for a 300MB partition, UEFI mode
+ # See https://wiki.archlinux.org/title/Parted#UEFI/GPT_examples
+ uefi_grub_size="$(($mebibyte/$block_size*300))"
+ uefi_grub_end="$(($start + $uefi_grub_size - 1))"
+
# Regular disk partitioning.
hydra_sudo_run parted -s -- $device mklabel gpt
#hydra_sudo_run parted -s -- $device unit MB mkpart non-fs 2 3
- # See https://unix.stackexchange.com/questions/190317/gnu-parted-resizepart-in-script#202872
- # https://bugs.launchpad.net/ubuntu/+source/parted/+bug/1270203
- # https://techtitbits.com/2018/12/using-parteds-resizepart-non-interactively-on-a-busy-partition/
- # https://serverfault.com/questions/870594/resize-partition-to-maximum-using-parted-in-non-interactive-mode
- hydra_sudo_run parted -s -- $device mkpart non-fs ${start}s ${bios_grub_end}s
- #hydra_sudo_run parted -s ---pretend-input-tty -- $device mkpart non-fs ${start}s ${bios_grub_end}s Yes
- #hydra_sudo_run parted $device mkpart non-fs ${start}s ${bios_grub_end}s Yes Ignore quit
- #hydra_sudo_run parted -s ---pretend-input-tty $device <<EOF
+ if [ "$boot_mode" == "bios" ]; then
+ # See https://unix.stackexchange.com/questions/190317/gnu-parted-resizepart-in-script#202872
+ # https://bugs.launchpad.net/ubuntu/+source/parted/+bug/1270203
+ # https://techtitbits.com/2018/12/using-parteds-resizepart-non-interactively-on-a-busy-partition/
+ # https://serverfault.com/questions/870594/resize-partition-to-maximum-using-parted-in-non-interactive-mode
+ #hydra_sudo_run parted -s ---pretend-input-tty -- $device mkpart non-fs ${start}s ${bios_grub_end}s Yes
+ #hydra_sudo_run parted $device mkpart non-fs ${start}s ${bios_grub_end}s Yes Ignore quit
+ #hydra_sudo_run parted -s ---pretend-input-tty $device <<EOF
#mkpart non-fs ${start}s ${bios_grub_end}s
#Yes
#Ignore
#quit
#EOF
+ hydra_sudo_run parted -s -- $device mkpart non-fs ${start}s ${bios_grub_end}s
+
+ # Se GRUB flag
+ hydra_sudo_run parted -s -- $device set 1 bios_grub on
+ else
+ esp_device="${device}${partition_separator}1"
- # Se GRUB flag
- hydra_sudo_run parted -s -- $device set 1 bios_grub on
+ hydra_sudo_run parted -s -- $device mkpart "EFI System Partition" fat32 ${start}s ${uefi_grub_end}s
+ hydra_sudo_run parted -s -- $device set 1 esp on
+ hydra_sudo_run mkfs.vfat $esp_device
+ fi
# Check alignment
hydra_sudo_run parted -s -- $device align-check optimal 1
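Review bot: The ESP is formatted with a bare `mkfs.vfat $esp_device`, which lets mkfs pick the FAT width from the partition size; for a 300 MiB partition that may come out as FAT16 even though parted was told `fat32`. Passing the width explicitly avoids firmware-dependent behaviour: `hydra_sudo_run mkfs.vfat -F 32 "$esp_device"`. Separately, parted in script mode is known to re-parse its joined arguments, so the name `"EFI System Partition"` may need nested quoting (`'"EFI System Partition"'`) or a name without spaces; that also depends on how hydra_sudo_run forwards its arguments, which is not visible here. `partition_separator` is not defined in the visible lines either, and the enclosing `else` block starts outside the hunk.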
@@ -611,7 +634,30 @@ fi
# Grub.
if [ "$grub" == "y" ]; then
echo "Setting up GRUB..."
- $APT_INSTALL grub-pc -y
+
+ if [ "$boot_mode" == "bios" ]; then
+ $APT_INSTALL grub-pc -y
+ else
+ if [ "$arch" == "amd64" ]; then
+ grub_arch="x86_64"
+ else
+ grub_arch="$arch"
+ fi
+
+ if [ "$secure_boot" == "y" ]; then
+ grub_arch="${grub_arch}-signed"
+ fi
+
+ if [ "$uefi_update_nvram" == "n" ]; then
+ grub_uefi_nvram="--no-nvram"
+ fi
+
+ $APT_INSTALL grub-efi-${arch} -y
+
+ # Make UEFI partition available
+ hydra_sudo_run mkdir $WORK/boot/efi
+ hydra_sudo_run mount $esp_device $WORK/boot/efi
+ fi
hydra_sudo_run sed -i -e 's/^GRUB_CMDLINE_LINUX_DEFAULT="quiet"$/GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"/' \
$WORK/etc/default/grub
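Review bot: The `grub_arch` value built here ends up as `x86_64` or `x86_64-signed`, and the last hunk passes it to `grub-install --target=${grub_arch}`; as far as I know grub-install expects a platform target such as `x86_64-efi`, so both values would be rejected. With `secure_boot="y"` the only package installed is still `grub-efi-${arch}`, so no signed GRUB image or shim is present and the operator may believe SecureBoot is set up when it is not. I would keep the target and the signing choice separate, e.g. `grub_arch="x86_64-efi"` plus `$APT_INSTALL grub-efi-${arch}-signed shim-signed -y` in the `secure_boot` branch, and fail loudly if the signed packages are unavailable. Smaller points: `grub_uefi_nvram` should be initialised to an empty string before the test, and `mkdir -p "$WORK/boot/efi"` avoids a failure when the directory already exists. The `if [ "$grub" == "y" ]` block continues outside the hunk.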
@@ -623,13 +669,16 @@ if [ "$grub" == "y" ]; then
echo 'GRUB_ENABLE_CRYPTODISK=y' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
echo 'GRUB_PRELOAD_MODULES="lvm cryptodisk mdraid1x"' | $SUDO tee -a $WORK/etc/default/grub > /dev/null
hydra_sudo_run chroot $WORK/ update-grub
- hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device
# Fix menu entry
hydra_sudo_run sed -i -e "s|root=/dev/mapper/provision-root|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg
hydra_sudo_run sed -i -e "s|root=/dev/mapper/$hostname-unlocked|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg
- else
+ fi
+
+ if [ "$boot_mode" == "bios" ]; then
hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device
+ else
+ hydra_sudo_run chroot $WORK/ grub-install --target=${grub_arch} --efi-directory=/boot/efi $grub_uefi_nvram
fi
fi
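Review bot: When `uefi_update_nvram` is `n`, the UEFI `grub-install` call runs with `--no-nvram` only, so no boot entry is registered and nothing is written to the removable-media fallback path; firmware on the target machine will then probably not find the loader. If the option is meant for disks provisioned on one host and booted on another, adding `--removable` in that case (`grub_uefi_nvram="--no-nvram --removable"`) would cover it; how that interacts with the signed shim should be checked on the target distro. When NVRAM updates are enabled, the chroot also needs efivars reachable under `$WORK/sys`, which cannot be confirmed from the visible lines. A comment above the call stating which of the two cases is expected would help. The surrounding `if [ "$grub" == "y" ]` block starts outside the hunk.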