ISO file builder for Rescue64 (UEFI) + GRUB #309
Conversation
This is a standalone set of files in images/isoFiles/ that adds a capability to take any
Rescue64 (nominally UEFI) .img.gz file created by the normal "./buildrescue Rescue64" and
turn it into a UEFI-bootable ISO image - no CSM required. The "xorriso" utility is used to
remaster the Rescue64 .img file into an ISO.
Primary reason for this was to allow Rescue images on CD for environments that avoid USB
and/or like to have dedicated media that can't get overwritten.
Secondary purpose was to test the ability of GRUB v2.04 to support Trusted Boot with built-in
"shim_lock" modules etc. and without requiring the user/sysadmin to perform additional
cryptographic/cert signing. That part is untested.
This set of scripts is tested against DTA SEDutil 1.15.1 and makes no changes to the normal
build process, but simply adds a "cd" then two additional steps after the Rescue64 image is built:
cd isoFiles
./buildgrub
./buildiso
|
The corresponding UEFI-bootable ISO file built from the unmodified DTA v1.15.1 source is here: |
|
On an AMD Ryzen system, I imaged this iso to a USB, and it hang on boot at loading: Loading bzImage... ok This image may require nomodeset in cfg to boot on Ryzen systems. |
|
@ChubbyAnt my pull request was against the vanilla/stock 1.15.1 source and the linked ISO was built using the Rescue64 img compiled from that source. It has all the flaws of the vanilla 1.15.1 build. (That's one of the reasons I left it with the ability to edit the GRUB command line, in case someone wanted to add kernel parameters etc. on the fly.) Apologies I wasn't more specific; for Ryzen, updated kernel, etc. please take a look at the ISO image I included here for an ISO built with the updated LTS buildroot, SHA512, and other patches in my "integ" tree as of 20191015. I'm testing an updated "beta" with additional minor changes but haven't pushed it out yet. |
|
@oom-is by adding acpi=off and nomodeset to the cfg files I was able to boot this ISO image... https://github.com/oom-is/sedutil/releases/download/1.15.1/sedutil-1.15.1-Rescue64UEFIgrub.iso ...on AMD Ryzen with Secure Boot disabled and CSM disabled. Unfortunately, with Secure Boot enabled, it does not pass the Secure Boot test in the BIOS. |
@oom-is The Resuce64 linked above boots to GRUB menu select, then allows selection of SEDutil, all with CSM disabled, but does not work with Secure Boot enabled on an AMD Ryzen system. Question: is the PBA loaded through this image the Syslinux PBA or a Grub-based PBA? |
|
PBA loaded through this image, at present time, is still Syslinux-based. For one of my target environments a UEFI-bootable ISO was a hard requirement, and this at least gives us something to start from as we sort out how to tweak and support Secure Boot without additional localized PKI certificates or re-signing. Syslinux 6.03 is still current-but-old, and I haven't found any magic dust to sprinkle on Grub 2.04 to actually/easily enable Secure Boot support. I'm starting to think that for my target environments I will simply deal with having a local CA sign the necessary EFI files and I'll get the corresponding keys/trust anchors enrolled in the TPMs. [Grub2Win discussion; Debian discussion] As another avenue of attack towards bootloaders that could reasonably support Secure Boot and/or converting the existing Rescue64 build to grub-2.0x, there are clearly ways to build a bootloader as part of the Buildroot build, instead of compiling Syslinux separately. I haven't looked more at those (or tried to figure out why r0m30 was building Syslinux separately); my next focus is sorting out how to actually fully support multiuser with a non-Admin user (e.g. allow User1 to be activated, have a "common name" and user-specific password set, and then lock/unlock Locking Range 0 but limit other powers.) From what I can tell, even with |
|
See also (for more "this is a headache" background): https://github.com/ipxe/shimdemo |
This is a standalone set of files in
images/isoFiles/that adds a capability to take anyRescue64 (nominally UEFI) .img.gz file created by the normal
./buildrescue Rescue64andturn it into a UEFI-bootable ISO image - no CSM required. The "xorriso" utility is used to
remaster the Rescue64 .img file into an ISO. (NOTE: "mtools" package also must be installed
on the host, to allow
mmdandmcopyutils to be used to manipulate theefiboot.imgfile.)Primary reason for this was to allow Rescue images on CD for environments that avoid USB
and/or like to have dedicated media that can't get overwritten.
Secondary purpose was to test the ability of GRUB v2.04 to support Trusted Boot with built-in
shim_lockmodules etc. and without requiring the user/sysadmin to perform additionalcryptographic/cert signing. That part is untested.
This set of scripts is tested against DTA SEDutil 1.15.1 and makes no changes to the normal
build process, but simply adds a "cd" then two additional steps after the Rescue64 image is built: