#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing # --- UEFI GRUB Installation Strategy --- # # We explicitly install GRUB using '--no-nvram' to avoid modifying NVRAM entries inside the chroot environment, which is # unreliable and can break host firmware boot order. Instead of relying on '--removable', we manually copy the GRUB EFI binary # to the fallback location 'EFI/BOOT/BOOTX64.EFI'. This mirrors the behavior of '--removable', but gives us more control over # the bootloader ID and file paths. # Result: # - GRUB is available under 'EFI/debian/grubx64.efi' (for manual boot entries). # - GRUB is also available as 'EFI/BOOT/BOOTX64.EFI' (UEFI fallback path, no NVRAM needed). # This setup ensures compatibility with systems that do not retain NVRAM entries (e.g., removable drives, VM firmware). ####################################### # Installation and setup of the GRUB2 (backported) version. # The backported version MUST be installed for LUKS2 '/boot' encryption. # Globals: # TARGET # VAR_ARCHITECTURE # VAR_RECIPE_FIRMWARE # VAR_SETUP_PATH # grub_background_enable # grub_background_path # grub_latest # grub_prober # grub_skip # var_update_grub_required # Arguments: # None # Returns: # 0: on success # ERR_GRUB_BACKGROUND # ERR_GRUB_EFI_FORCE ####################################### update_grub() { ### Declare Arrays, HashMaps, and Variables. declare -g var_update_grub_required="false" grub_update_nvram=${grub_update_nvram:-false} declare -r var_logfile="/root/.ciss/cdi/log/4230_update_grub.log" declare var_background="" touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}" do_log "debug" "file_only" "4230() Detected firmware: '${VAR_RECIPE_FIRMWARE}', architecture: '${VAR_ARCHITECTURE}'" if [[ "${grub_skip,,}" != "true" ]]; then ### Install GRUB2 package if [[ "${grub_latest,,}" == "true" ]]; then ### Install the GRUB2 backported version from the Bookworm backports repository. if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then case "${VAR_ARCHITECTURE,,}" in amd64) do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-amd64" do_in_target_script "${TARGET}" " apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile} echo ExitCode: \$? >> ${var_logfile} " ;; arm64) do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-arm64" do_in_target_script "${TARGET}" " apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile} echo ExitCode: \$? >> ${var_logfile} " ;; i386) do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-ia32" do_in_target_script "${TARGET}" " apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-ia32 grub-efi-ia32-bin 2>&1 | tee -a ${var_logfile} echo ExitCode: \$? >> ${var_logfile} " ;; *) do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;; esac else do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-pc-bin" do_in_target_script "${TARGET}" " apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile} echo ExitCode: \$? >> ${var_logfile} " fi else ### Install the GRUB2 stable version. if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then case "${VAR_ARCHITECTURE,,}" in amd64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-amd64 grub-efi-amd64-bin ;; arm64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-arm64 grub-efi-arm64-bin ;; i386) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-ia32 grub-efi-ia32-bin ;; *) do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;; esac else do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-pc grub-pc-bin fi fi ### Enable booting from LUKS encrypted devices by default. cat << EOF >> "${TARGET}/etc/default/grub" # Enable booting from LUKS encrypted devices by default. GRUB_ENABLE_CRYPTODISK=y EOF var_update_grub_required="true" ### Install a boot menu background. if [[ "${grub_background_enable,,}" == "true" ]]; then var_background=$(basename "${grub_background_path}") install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}" cat << EOF >> "${TARGET}/etc/default/grub" # Enable boot menu background. GRUB_BACKGROUND="/etc/default/grub.d/${var_background}" # The resolution used on graphical terminal # note that you can use only modes which your graphic card supports via VBE # you can see them in real GRUB with the command 'vbeinfo' GRUB_GFXMODE=1920x1080,1280x1024,1024x768,800x600 GRUB_GFXPAYLOAD_LINUX=keep EOF var_update_grub_required="true" fi ### Change the GRUB OS detection configuration accordingly. if [[ "${grub_prober,,}" == "true" ]]; then do_in_target "${TARGET}" apt-get install -y --no-install-recommends os-prober cat << EOF >> "${TARGET}/etc/default/grub" # If your computer has multiple operating systems installed, then you # probably want to run os-prober. However, if your computer is a host # for guest OSes installed via LVM or raw disk devices, running # os-prober can cause damage to those guest OSes as it mounts # filesystems to look for things. GRUB_DISABLE_OS_PROBER=false EOF var_update_grub_required="true" elif [[ "${grub_prober,,}" == "false" ]]; then cat << EOF >> "${TARGET}/etc/default/grub" # If your computer has multiple operating systems installed, then you # probably want to run os-prober. However, if your computer is a host # for guest OSes installed via LVM or raw disk devices, running # os-prober can cause damage to those guest OSes as it mounts # filesystems to look for things. GRUB_DISABLE_OS_PROBER=true EOF var_update_grub_required="true" fi else do_log "info" "file_only" "4230() GRUB2 setup skipped." fi ### Install grub on the specific device. if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then install_grub_uefi elif [[ "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then install_grub_bios fi [[ "${var_update_grub_required}" == "true" ]] && do_in_target "${TARGET}" update-grub ### Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. if [[ -f "${TARGET}/boot/grub/grub.cfg" ]]; then chown root:root "${TARGET}/boot/grub/grub.cfg" chmod 0640 "${TARGET}/boot/grub/grub.cfg" fi chmod -R 0700 "${TARGET}/etc/grub.d" return 0 } ####################################### # Installs GRUB to BIOS in BIOS mode. # Globals: # TARGET # grub_bootdev # var_update_grub_required # Arguments: # None # Returns: # 0: on success # ERR_GRUB_INSTALL ####################################### install_grub_bios() { ### Declare Arrays, HashMaps, and Variables. declare -a ary_bios_arg=() declare var_bios_mod="" ### Cryptographic modules. var_bios_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2 " ### Filesystem modules. var_bios_mod+="btrfs ext2 " ### Partitioning / Device / GPT var_bios_mod+="biosdisk mdraid1x part_gpt " ### Device / Terminal modules. var_bios_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label " ### Debug modules. var_bios_mod+="cat echo hexdump ls test terminfo" ary_bios_arg+=( --target=i386-pc --boot-directory=/boot "--modules=\"${var_bios_mod}\"" ) do_in_target "${TARGET}" grub-install "${ary_bios_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}" do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [BIOS]." var_update_grub_required="true" return 0 } ####################################### # Installs GRUB to ESP in UEFI mode. # Globals: # TARGET # grub_bootdev # grub_force_efi # grub_update_nvram # var_update_grub_required # Arguments: # None # Returns: # 0: on success # ERR_GRUB_INSTALL ####################################### install_grub_uefi() { ### Declare Arrays, HashMaps, and Variables. declare -a ary_uefi_arg=() declare var_uefi_mod="" var_modinfo_path="" case "${VAR_ARCHITECTURE,,}" in amd64) var_modinfo_path="/usr/lib/grub/x86_64-efi/modinfo.sh" ;; arm64) var_modinfo_path="/usr/lib/grub/arm64-efi/modinfo.sh" ;; i386) var_modinfo_path="/usr/lib/grub/i386-efi/modinfo.sh" ;; esac if ! [[ -x "${TARGET}${var_modinfo_path}" ]]; then do_log "emergency" "file_only" "4230() Missing: [${var_modinfo_path}]." return "${ERR_GRUB_INSTALL}" fi ### Cryptographic modules. var_uefi_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2 " ### Filesystem modules. var_uefi_mod+="btrfs ext2 " ### Partitioning / Device / GPT var_uefi_mod+="mdraid1x part_gpt " ### Device / Terminal modules. var_uefi_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label " ### Debug modules. var_uefi_mod+="cat echo hexdump ls test terminfo" ary_uefi_arg+=( --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=debian "--modules=\"${var_uefi_mod}\"" ) [[ "${grub_update_nvram,,}" == "false" ]] && ary_uefi_arg+=( --no-nvram ) do_in_target "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}" do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]." var_update_grub_required="true" if [[ "${grub_force_efi,,}" == "true" ]]; then mkdir -p "${TARGET}/boot/efi/EFI/BOOT" cp "${TARGET}/boot/efi/EFI/debian/grubx64.efi" "${TARGET}/boot/efi/EFI/BOOT/BOOTX64.EFI" do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI] on: Default EFI Boot-Path." fi return 0 } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh