From c69aa69fc4a5dccb8033183461299dec4de9c503 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Tue, 25 Jan 2022 14:26:03 -0300
Subject: Fix: provision: UEFI: mount /sys/firmware/efi/efivars and use --uefi-secure-boot on grub-install
---
 share/hydractl/provision | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'share')
diff --git a/share/hydractl/provision b/share/hydractl/provision
index 26ed868..6d4dbaa 100755
--- a/share/hydractl/provision
+++ b/share/hydractl/provision
@@ -479,6 +479,10 @@ hydra_sudo_run mount -o bind /dev/ $WORK/dev
 hydra_sudo_run mount -o bind /dev/pts $WORK/dev/pts
 echo LANG=C | $SUDO tee $WORK/etc/default/locale > /dev/null
 
+if [ "$boot_mode" == "bios" ]; then
+ hydra_sudo_run mount none -t efivarfs $WORK/sys/firmware/efi/efivars
+fi
+
 # Resolver configuration.
 echo "domain $domain" | $SUDO tee $WORK/etc/resolv.conf > /dev/null
 echo "search $hostname.$domain" | $SUDO tee -a $WORK/etc/resolv.conf > /dev/null
@@ -593,7 +597,7 @@ fi
 
 # LVM.
 if [ "$discards" == "y" ]; then
- $SUDO sed -i -e 's/issue_discards = 0/issue_discards = 1' $WORK/etc/lvm/lvm.conf
+ $SUDO sed -i -e 's/issue_discards = 0/issue_discards = 1/' $WORK/etc/lvm/lvm.conf
 fi
 
 # Boot device must be available before installing kernel and initramfs.
@@ -667,6 +671,8 @@ if [ "$grub" == "y" ]; then
 fi
 
 if [ "$secure_boot" == "y" ]; then
+ grub_uefi_secure_boot="--uefi-secure-boot"
+
 $APT_INSTALL grub-efi-${arch}-signed -y
 else
 $APT_INSTALL grub-efi-${arch} -y
@@ -713,7 +719,9 @@ EOF
 if [ "$boot_mode" == "bios" ]; then
 hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device
 else
- hydra_sudo_run chroot $WORK/ grub-install --target=${grub_arch}-efi --efi-directory=/boot/efi $grub_uefi_nvram
+ hydra_sudo_run chroot $WORK/ grub-install --target=${grub_arch}-efi \
+ --efi-directory=/boot/efi \
+ $grub_uefi_nvram $grub_uefi_secure_boot
 fi
 fi
 
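Review bot: The efivarfs mount added in the first hunk (@@ -479) is guarded by `[ "$boot_mode" == "bios" ]`, while the matching umount in the last hunk (@@ -779) and the EFI `grub-install` branch run only when `boot_mode` is `uefi`. As written, a UEFI provision never gets efivars inside the chroot, so the later `umount $WORK/sys/firmware/efi/efivars` targets a path that was never mounted, and a BIOS provision attempts an efivarfs mount that will probably fail on a host booted without EFI. The guard should read `if [ "$boot_mode" == "uefi" ]; then`. Quoting the target as `"$WORK/sys/firmware/efi/efivars"` would also keep a work directory containing spaces from splitting the argument.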
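Review bot: `grub_uefi_secure_boot` is assigned only in the `secure_boot == y` branch of the third hunk (@@ -667), yet the fourth hunk (@@ -713) expands it unconditionally on the `grub-install` command line. Unless it is initialised somewhere outside these hunks, the non-secure-boot path picks up whatever value the caller's environment exports under that name, and that value is then passed as an option to a `grub-install` run as root in the chroot. Set it explicitly before the `if`, e.g. `grub_uefi_secure_boot=""`, or assign `--no-uefi-secure-boot` in the `else` branch if the Debian grub-install in the target supports it. The enclosing `if [ "$grub" == "y" ]` block starts and ends outside the hunk.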
@@ -779,6 +787,7 @@ echo "Umounting installation device..."
 
 if [ "$boot_mode" == "uefi" ]; then
 hydra_sudo_run umount $WORK/boot/efi
+ hydra_sudo_run umount $WORK/sys/firmware/efi/efivars
 fi
 
 if [ "$grub" == "y" ] && [ "$encrypt" != "y" ]; then
-- 
cgit v1.2.3
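Review bot: The new `umount $WORK/sys/firmware/efi/efivars` runs only on this success path at the end of the script; nothing in the visible hunks unmounts efivarfs when an earlier step fails. A writable efivarfs left mounted under `$WORK` means a later recursive delete or re-run over that tree operates on the host's firmware variables, so the teardown belongs in an exit handler if the script does not already have one, e.g. `trap 'hydra_sudo_run umount "$WORK/sys/firmware/efi/efivars" 2>/dev/null' EXIT` set next to the mount. Guarding this line with `mountpoint -q "$WORK/sys/firmware/efi/efivars"` would also keep it from failing when the mount was skipped or had already failed.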