blob: 6c02cbd48e98abdcd16ac93b1190378aa7127cfd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
--- a/util/grub-install.in
+++ b/util/grub-install.in
@@ -821,12 +821,39 @@ elif [ x"${grub_modinfo_target_cpu}-${gr
gettext "You will have to set \`SystemPartition' and \`OSLoader' manually." 1>&2
echo 1>&2
elif [ x"$grub_modinfo_platform" = xefi ]; then
+
+ # sign the efi file with the User SecureBoot key
+ _sign_grub_efi() {
+ local _image="${1}"
+ case "$host_os" in
+ linux*)
+ modprobe -q efivars 2>/dev/null || true ;;
+ esac
+
+ local _private="/boot/SecureBoot/user-private.key"
+ local _public="/boot/SecureBoot/user-public.crt"
+ if test -f "${_private}" && test -f "${_public}"; then
+ echo "SecureBoot signing ${_image}"
+ sbsign --key "${_private}" --cert "${_public}" \
+ --output "${_image}.signed" \
+ "${_image}" && \
+ mv "${_image}.signed" "${_image}"
+ else
+ echo "Cannot sign ${_image} for SecureBoot" 1>&2
+ echo "RogentOS keypair at $(basename ${_private}) not found" 1>&2
+ fi
+ }
+
cp "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/core.${imgext}" "${efidir}/${efi_file}"
+ _efi_grub_file="${efidir}/${efi_file}"
# For old macs. Suggested by Peter Jones.
if [ x$grub_modinfo_target_cpu = xi386 ]; then
cp "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/core.${imgext}" "${efidir}/boot.efi"
+ _efi_grub_file="${efidir}/boot.efi"
fi
+ _sign_grub_efi "${_efi_grub_file}"
+
# Try to make this image bootable using the EFI Boot Manager, if available.
efibootmgr="`which efibootmgr`"
if test "$removable" = no && test -n "$efi_distributor" && \
|