WIP: Create an unsigned UEFI image. (The configuration file for signed image...

WIP: Create an unsigned UEFI image. (The configuration file for signed image creation is kept for now as dracut.module/old.dracut.conf.

WIP: Create an unsigned UEFI image. (The configuration file for signed image...
WIP: Create an unsigned UEFI image. (The configuration file for signed image creation is kept for now as dracut.module/old.dracut.conf.
8bf0761f · Ophélie Gagnard · ecaa80d2 · 8bf0761f · 8bf0761f · 8bf0761f
Commit 8bf0761f authored Feb 03, 2022 by Ophélie Gagnard
4 changed files
--- a/Makefile
+++ b/Makefile
@@ -60,14 +60,14 @@ clean-no-dracut: uninstall-no-dracut

 include dracut.module/collect-sh-template.mk
 dracut.module/90metadata-collect/collect.sh:
-	echo "$${collect_sh}" >> 90metadata-collect/collect.sh
+	echo "$${collect_sh}" >> dracut.module/90metadata-collect/collect.sh
 dracut.module/90metadata-collect/flb.conf:
 	install -m 644 flb.conf dracut.module/90metadata-collect/flb.conf
-dracut.module/90metadata-collect/metadata-collect-agent:
+dracut.module/90metadata-collect/metadata-collect-agent: bin/metadata-collect-agent
 	install -m 744 bin/metadata-collect-agent dracut.module/90metadata-collect/metadata-collect-agent
-dracut.module/90metadata-collect/fluentbit_wendelin.so:
+dracut.module/90metadata-collect/fluentbit_wendelin.so: lib/fluentbit_wendelin.so
 	install -m 644 lib/fluentbit_wendelin.so dracut.module/90metadata-collect/fluentbit_wendelin.so
-dracut.module/90metadata-collect/fluent-bit:
+dracut.module/90metadata-collect/fluent-bit: bin/fluent-bit
 	install -m 744 bin/fluent-bit dracut.module/90metadata-collect-agent/fluent-bit

 dracut-module: dracut.module/90metadata-collect/collect.sh dracut.module/90metadata-collect/flb.conf dracut.module/90metadata-collect/metadata-collect-agent dracut.module/90metadata-collect/fluentbit_wendelin.so dracut.module/90metadata-collect/fluent-bit
@@ -87,9 +87,16 @@ uninstall-dracut-module:
 	rm -f dracut.module/90metadata-collect/fluentbit_wendelin.so
 	rm -f dracut.module/90metadata-collect/fluent-bit

-clean-dracut: uninstall-dracut-module
+clean-dracut-module: uninstall-dracut-module
 	rm -rf /usr/lib/dracut/module.d/90metadata-collect

+dracut-image: dracut-module install-dracut-module
+	mkdir -p build/
+	cp installation/unsigned-dracut-image.sh build/
+	cd build/ ;\
+	sudo ./unsigned-dracut-image
+
+
 uefi-keys/:
 	mkdir -p build/uefi-keys/ ;\
 	cp installation/mkkeys.sh build/uefi-keys/ ;\
@@ -103,7 +110,8 @@ uefi-keys/:
 	rm -f build/uefi-keys/mkkeys.sh
 	mv build/uefi-keys/* KEYS_to-save-elswhere-and-shred/

-# IMPORTANT: TO USE YOUR OWN KEYS (recommanded), CREATE THE uefi-keys/ DIRECTORY *BEFORE* USING MAKE
+# IMPORTANT: TO USE YOUR OWN KEYS (highly recommanded),
+# CREATE THE uefi-keys/ DIRECTORY *BEFORE* USING MAKE!
 # create the directory AT THE ROOT OF THE PROJECT (i.e. in the same place than this Makefile: metadata-collect-agent/uefi-keys/)
 generate-keys: uefi-keys/

@@ -125,4 +133,4 @@ clean-keys: uninstall-keys

 clean: clean-no-dracut clean-dracut clean-keys

-.PHONY: no-dracut install-no-dracut uninstall-no-dracut clean-no-dracut dracut-module install-dracut-module uninstall-dracut-module generate-keys install-keys uninstall-keys clean-keys
+.PHONY: no-dracut install-no-dracut uninstall-no-dracut clean-no-dracut dracut-module install-dracut-module uninstall-dracut-module clean-dracut-module generate-keys install-keys uninstall-keys clean-keys
--- a/dracut.module/dracut.conf
+++ b/dracut.module/dracut.conf
@@ -5,6 +5,4 @@ reproducible=yes
 compress=xz
 uefi=yes
 uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
-uefi_secureboot_cert=/etc/uefi-keys/db.crt
-uefi_secureboot_key=/etc/uefi-keys/db.key
 add_dracutmodules="metadata-collect"
--- a/dracut.module/old.dracut.conf
+++ b/dracut.module/old.dracut.conf
+hostonly=no
+hostonly_cmdline=no
+kernel_cmdline="root=LABEL=ROOT ip=dhcp rd.neednet=1"
+reproducible=yes
+compress=xz
+uefi=yes
+uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
+uefi_secureboot_cert=/etc/uefi-keys/db.crt
+uefi_secureboot_key=/etc/uefi-keys/db.key
+add_dracutmodules="metadata-collect"
--- a/installation/unsigned-dracut-image.sh
+++ b/installation/unsigned-dracut-image.sh
+rm -rf dracut_tmp
+mkdir dracut_tmp
+
+disk_info=$(/sbin/fdisk -l | grep '^/dev' | cut -d' ' -f1)
+disk_info_list=(${disk_info//' '/})
+/sbin/e2label ${disk_info_list[4]} ROOT
+#rm -rf /boot/efi/EFI/Linux/*
+mmv '/boot/efi/EFI/Linux/*.*' '/boot/efi/EFI/Linux/#1_1.#2'
+dracut --force  -c ./dracut.module/dracut.conf --confdir dracut_tmp
+
+cp -r /boot/efi/EFI /EFI
+# the following two lines are useful if one wants to enroll the keys from the BIOS GUI (and not from command-line as root) (??)
+#cp /etc/uefi-keys/db.cer /EFI/db.cer
+#cp /etc/uefi-keys/db.cer /boot/efi/db.cer
+uefi=$(echo $(ls -t /EFI/Linux/ | cut -d' ' -f1) | cut -d' ' -f1)
+
+efibootmgr --quiet --create --disk ${disk_info_list[3]} --label 'debian UEFI test_root' --loader /EFI/Linux/$uefi