sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
fd1820b7ea09e53e404d6f56bb8bc4b51a5dd83e
system76-edk2/OvmfPkg/AmdSev/Grub/grub.cfg
James Bottomley b261a30c90 OvmfPkg/AmdSev: add Grub Firmware Volume Package 
This is used to package up the grub bootloader into a firmware volume
where it can be executed as a shell like the UEFI Shell.  Grub itself
is built as a minimal entity into a Fv and then added as a boot
option.  By default the UEFI shell isn't built but for debugging
purposes it can be enabled and will then be presented as a boot option
(This should never be allowed for secure boot in an external data
centre but may be useful for local debugging).  Finally all other boot
options except grub and possibly the shell are stripped and the boot
timeout forced to 0 so the system will not enter a setup menu and will
only boot to grub.  This is done by copying the
Library/PlatformBootManagerLib into Library/PlatformBootManagerLibGrub
and then customizing it.

Boot failure is fatal to try to prevent secret theft.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Message-Id: <20201130202819.3910-4-jejb@linux.ibm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
[lersek@redhat.com: replace local variable initialization with assignment]
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
[lersek@redhat.com: squash 'OvmfPkg: add "gGrubFileGuid=Grub" to
 GuidCheck.IgnoreDuplicates', reviewed stand-alone by Phil (msgid
 <e6eae551-8563-ccfb-5547-7a97da6d46e5@redhat.com>) and Ard (msgid
 <10aeda37-def6-d9a4-6e02-4c66c1492f57@arm.com>)]
2020-12-14 19:56:18 +00:00

47 lines
1.1 KiB
INI
Raw Blame History

## @file
# Execute a script to recover the SEV supplied secret and use it to
# decrypt a luks volume. For security, the kernel must be on an encrypted
# volume so reboot if none are found.
#
# Copyright (C) 2020 James Bottomley, IBM Corporation.
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
echo "Entering grub config"
sevsecret
if [ $? -ne 0 ]; then
echo "Failed to locate anything in the SEV secret area, prompting for password"
cryptomount -a
else
cryptomount -s
if [ $? -ne 0 ]; then
echo "Failed to mount root securely, retrying with password prompt"
cryptomount -a
fi
fi
set root=
for f in (crypto*); do
if [ -e $f/boot/grub/grub.cfg ]; then
set root=$f
set prefix=($root)/boot/grub
break;
fi
done
if [ x$root = x ]; then
echo "Failed to find any grub configuration on the encrypted volume"
sleep 5
reboot
fi
# rest of modules to get boot to work
set modules="
boot
loadenv
"
for f in $modules; do
insmod $f
done
echo "Transferring to ${prefix}/grub.cfg"
source $prefix/grub.cfg
Reference in New Issue View Git Blame Copy Permalink