[secure boot]Fix mokutil check issue with ONIE version older than 202… (#14589)

…1.11 by using efivar tool instead #### Why I did it solution to BUG below/ https://github.com/sonic-net/sonic-buildimage/issues/14316 bug report also in this issue: backport: secureboot support #14246 #### How I did it When installing an image secure boot is checking if the UEFI have the secure boot flag enabled or disabled using a tool name `mokutil` this tool its not exist in ONIE version older than 2021.11 so its crasshing the install. To fix that we add a coded that checking secure boot enabled/disabled by using efivar tool that should exist in any UEFI system #### How to verify it Install the image in a device with ONIE version older than 2021.11 and check that the installation and boot succeed (all docker up).
2023-05-31 22:11:19 +03:00 · 2023-05-31 22:11:19 +03:00 · 7a2bb6d3f1
commit 7a2bb6d3f1
parent 6ebad6f8ed
1 changed files with 14 additions and 16 deletions
--- a/installer/default_platform.conf
+++ b/installer/default_platform.conf
@ -434,14 +434,23 @@ bootloader_menu_config()
        ${onie_bin} onie-support /tmp
        mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/

+        echo "firmware=$firmware"
        if [ "$firmware" = "uefi" ] ; then
-            secure_boot_state=$(mokutil --sb-state)
+            secure_boot_state=0
+            reg_sb_guid=""
+            ENABLED=1
+            echo "checking secure boot state"
+            reg_sb_guid=$(efivar -l | grep "SecureBoot$") || echo "Secure Boot GUID not found in efivar list"
+            echo "Secure Boot GUID=$reg_sb_guid"
+            if [ -n "$reg_sb_guid" ]; then
+                secure_boot_state=$(efivar -d --name $reg_sb_guid) || echo "Could not read Secure Boot state from efivar"
+            fi
            echo secure_boot_state=$secure_boot_state
-            if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
-                echo "UEFI Secure Boot is enabled"
+            if expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
+                echo "UEFI Secure Boot is enabled - Installing shim bootloader"
                demo_install_uefi_shim "$demo_mnt" "$blk_dev"
            else
-                echo "UEFI Secure Boot is disabled"
+                echo "UEFI Secure Boot is disabled - Installing regular grub bootloader"
                demo_install_uefi_grub "$demo_mnt" "$blk_dev"
            fi
        else
@ -561,7 +570,7 @@ echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux"
 GRUB_CFG_LINUX_CMD=""
 GRUB_CFG_INITRD_CMD=""
-if [ "$firmware" = "uefi" ] ; then
+if [ "$firmware" = "uefi" ] &&  expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
    # grub.cfg when BIOS is UEFI and support Secure Boot
    GRUB_CFG_LINUX_CMD="linuxefi"
    GRUB_CFG_INITRD_CMD="initrdefi"
@ -608,17 +617,6 @@ EOF
        cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg
    fi

-    if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
-        # Secure Boot grub.cfg support
-        # Saving grub_cfg in the same place where is grubx64.efi, 
-        # this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg
-        if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then
-            rm $NVOS_BOOT_DIR/grub.cfg
-        fi
-
-        cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg
-    fi
-
    cd /

    echo "Installed SONiC base image $demo_volume_label successfully"