fix: EFI Secure Boot chain with grub.cfg, fix non-free-firmware repo

EFI boot fix:
- Shim needs grub.cfg in same directory to find the root partition
- Create minimal grub.cfg in /EFI/BOOT/ that chains to /boot/grub/grub.cfg
- Preserve unsigned GRUB as fallback for non-Secure-Boot systems
- Copy full chain to both /EFI/BOOT/ and /EFI/archipelago/ paths
- Log EFI directory contents for debugging

Firmware fix:
- DEB822 format sed was wrong — fix Components line replacement
- Add fallback sources.list entry to guarantee non-free-firmware repo
- Ensures firmware-realtek, intel-microcode actually get installed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-25 19:25:55 +00:00
parent ec32b336a6
commit 17924c73d7


@@ -203,9 +203,13 @@ FROM debian:bookworm
ENV DEBIAN_FRONTEND=noninteractive
# Enable non-free-firmware repo for hardware firmware (Realtek NIC, Intel WiFi, etc.)
RUN sed -i 's/^deb \(.*\) bookworm \(.*\)/deb \1 bookworm \2 non-free-firmware/' /etc/apt/sources.list.d/debian.sources 2>/dev/null || \
sed -i 's/^Components: main$/Components: main non-free-firmware/' /etc/apt/sources.list.d/debian.sources 2>/dev/null || \
echo "deb http://deb.debian.org/debian bookworm main non-free-firmware" >> /etc/apt/sources.list
# Bookworm Docker uses DEB822 format in /etc/apt/sources.list.d/debian.sources
RUN if [ -f /etc/apt/sources.list.d/debian.sources ]; then \
sed -i 's/^Components: main$/Components: main non-free-firmware/' /etc/apt/sources.list.d/debian.sources; \
elif [ -f /etc/apt/sources.list ]; then \
sed -i 's/bookworm main$/bookworm main non-free-firmware/' /etc/apt/sources.list; \
fi && \
echo "deb http://deb.debian.org/debian bookworm non-free-firmware" >> /etc/apt/sources.list
# Install all packages we need including nginx, podman, tor, and openssl (for self-signed certs)
RUN apt-get update && apt-get install -y \
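Review bot: The fallback `echo ... >> /etc/apt/sources.list` on the last line of the new RUN is unconditional — `fi && \` only gates it on the if/elif exiting zero, and both branches' `sed -i` exit 0 whether or not their pattern matched — so on the DEB822 path the comment says the bookworm image takes, the bookworm non-free-firmware target ends up configured in both debian.sources and sources.list (apt is likely to warn that the target is configured multiple times), while a sed that matched nothing is silently papered over rather than noticed. Guarding the append on the component actually being present keeps the guarantee and turns the fallback into the check: replace the final line with `grep -qs non-free-firmware /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list || \` followed by the existing `echo "deb http://deb.debian.org/debian bookworm non-free-firmware" >> /etc/apt/sources.list`. Note also that the fallback line covers only the `bookworm` suite, so if a build ever does rely on it, firmware and microcode packages would come from bookworm alone and not from bookworm-security, which deserves either a comment or a matching security line. The `RUN apt-get update` at the end of the hunk continues outside it.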
@@ -1460,9 +1464,9 @@ else
fi
fi
# Secure Boot chain: replace unsigned GRUB with signed shim+grub for Secure Boot compatibility
# Framework laptops and other Secure Boot-enabled machines need this chain:
# BOOTX64.EFI (shimx64, Microsoft-signed) → grubx64.efi (Debian-signed) → kernel
# Secure Boot chain: set up shim+signed-grub alongside unsigned GRUB for maximum compatibility
# Boot chain: BOOTX64.EFI (shim) → grubx64.efi (signed GRUB) → grub.cfg → kernel
# Non-Secure-Boot: falls through shim to grubx64.efi which finds grub.cfg
echo " Setting up Secure Boot chain..."
if [ "$ARCH" = "x86_64" ]; then
SHIM_SRC="/mnt/target/usr/lib/shim/shimx64.efi.signed"
@@ -1480,15 +1484,35 @@ fi
EFI_BOOT_DIR="/mnt/target/boot/efi/EFI/BOOT"
EFI_ARCHY_DIR="/mnt/target/boot/efi/EFI/archipelago"
if [ -f "$SHIM_SRC" ] && [ -f "$GRUB_SIGNED_SRC" ]; then
# Fallback path — what UEFI firmware checks when no boot entry exists
# Fallback path (/EFI/BOOT/) — what UEFI firmware checks when no boot entry exists
mkdir -p "$EFI_BOOT_DIR"
# Save the unsigned GRUB that grub-install created (works without Secure Boot)
if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
cp "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" "$EFI_BOOT_DIR/grub_unsigned.efi"
fi
# Shim becomes the primary boot binary
cp "$SHIM_SRC" "$EFI_BOOT_DIR/$EFI_BOOT_BINARY"
# Signed GRUB must be next to shim (shim loads it by name)
cp "$GRUB_SIGNED_SRC" "$EFI_BOOT_DIR/$GRUB_EFI_BINARY"
# Named entry path — for efibootmgr-registered entries
# GRUB needs to find its config — create a minimal grub.cfg that chains to the real one
cat > "$EFI_BOOT_DIR/grub.cfg" <<'GRUBCFG'
search.fs_uuid ${GRUB_ROOT_UUID} root
set prefix=($root)'/boot/grub'
configfile $prefix/grub.cfg
GRUBCFG
# Replace placeholder with actual root UUID
ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART")
sed -i "s/\${GRUB_ROOT_UUID}/$ROOT_UUID/" "$EFI_BOOT_DIR/grub.cfg"
# Named entry path (/EFI/archipelago/) — for efibootmgr-registered entries
mkdir -p "$EFI_ARCHY_DIR"
cp "$SHIM_SRC" "$EFI_ARCHY_DIR/$SHIM_EFI_BINARY"
cp "$GRUB_SIGNED_SRC" "$EFI_ARCHY_DIR/$GRUB_EFI_BINARY"
echo " ✅ Secure Boot chain installed (shim + signed GRUB)"
cp "$EFI_BOOT_DIR/grub.cfg" "$EFI_ARCHY_DIR/grub.cfg"
echo " ✅ Secure Boot chain installed (shim + signed GRUB + grub.cfg)"
echo " EFI contents:"
ls -la "$EFI_BOOT_DIR/"
else
echo " ⚠️ Signed shim/GRUB not found — Secure Boot machines must disable Secure Boot"
[ ! -f "$SHIM_SRC" ] && echo " Missing: $(basename $SHIM_SRC)"