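#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Installation and setup of the GRUB2 (backported) version.
# The backported version MUST be installed for LUKS2 '/boot' encryption.
#
# Every external step (apt-get, grub-install, update-grub) is checked: a failure
# aborts the setup with that command's exit status instead of carrying on to
# update-grub on a target that has no (or a half-written) bootloader. A
# partition-table / firmware / grub_force_efi combination for which no
# grub-install variant exists is likewise an error rather than a silent no-op.
# This assumes do_in_target propagates the chrooted command's exit status.
#
# NOTE(review): grub-install --modules= builds a custom core image. Whether that
# image boots under UEFI Secure Boot (distro-signed shim/GRUB chain) is not
# handled here - confirm before relying on Secure Boot with this installer.
# NOTE(review): GRUB can only unlock a LUKS2 '/boot' whose PBKDF it implements;
# confirm the container's PBKDF against the GRUB version actually installed.
#
# Globals:
#   ERR_GRUB_BACKGROUND
#   ERR_GRUB_EFI_FORCE
#   TARGET
#   VAR_RECIPE_FIRMWARE
#   VAR_RECIPE_TABLE
#   grub_background_enable
#   grub_background_path
#   grub_bootdev
#   grub_force_efi
#   grub_latest
#   grub_prober
#   grub_skip
# Arguments:
#   None
# Returns:
#   ERR_GRUB_BACKGROUND: background image missing, not copyable or not chmod-able.
#   ERR_GRUB_EFI_FORCE: no grub-install variant for the given partition table,
#     firmware and grub_force_efi combination.
#   non-zero: exit status of a failed apt-get, grub-install or update-grub.
#   0: Successfully executed commands (or setup skipped via grub_skip).
#######################################
setup_grub() {
  declare var_update_grub_required="false"

  if [[ "${grub_skip,,}" == "true" ]]; then
    do_log "info" "true" "GRUB2 setup skipped."
    return 0
  fi

  ### Install GRUB2 package (from bookworm-backports when the latest version is requested).
  ### Requires the backports source to be configured in the target; apt-get's status is propagated.
  if [[ "${grub_latest,,}" == "true" ]]; then
    do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common || return $?
  else
    do_in_target "${TARGET}" apt-get install -y grub2 grub2-common || return $?
  fi

  ### Modules embedded in the core image. Nothing else is reachable before the
  ### encrypted '/boot' is unlocked, so the LUKS2 container must be usable with
  ### AES (rijndael) and SHA-256/SHA-512 only.
  declare var_part_module=""
  case "${VAR_RECIPE_TABLE,,}" in
    gpt) var_part_module="part_gpt" ;;
    msdos) var_part_module="part_msdos" ;;
  esac
  declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${var_part_module}"

  ### Select the grub-install invocation for the target layout.
  declare -a var_install_cmd=()
  case "${grub_force_efi,,}/${VAR_RECIPE_TABLE,,}/${VAR_RECIPE_FIRMWARE,,}" in
    false/gpt/uefi|false/msdos/uefi)
      var_install_cmd=(grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="${var_modules}")
      ;;
    false/gpt/bios|false/msdos/bios)
      # BIOS installs need the target disk; an empty grub_bootdev makes grub-install
      # fail and that status is returned below.
      var_install_cmd=(grub-install --target=i386-pc --boot-directory=/boot --modules="${var_modules}" --recheck "${grub_bootdev}")
      ;;
    true/gpt/uefi)
      # --force-extra-removable (Debian grub-install flag): also install to the
      # removable-media fallback path so firmware without a usable NVRAM entry boots.
      var_install_cmd=(grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="${var_modules}" --force-extra-removable)
      ;;
    *)
      do_log "emergency" "true" "Unsupported combination of partition table: '${VAR_RECIPE_TABLE,,}', firmware: '${VAR_RECIPE_FIRMWARE,,}' and setting: grub_force_efi '${grub_force_efi,,}'."
      return "${ERR_GRUB_EFI_FORCE}"
      ;;
  esac

  declare var_rc=0
  do_in_target "${TARGET}" "${var_install_cmd[@]}" || var_rc=$?
  if (( var_rc != 0 )); then
    do_log "emergency" "true" "grub-install failed with status ${var_rc}."
    return "${var_rc}"
  fi
  var_update_grub_required="true"

  ### Enable booting from LUKS encrypted devices by default.
  cat << EOF >> "${TARGET}/etc/default/grub"
# Enable booting from LUKS encrypted devices by default.
GRUB_ENABLE_CRYPTODISK=y
EOF
  var_update_grub_required="true"

  ### Install a boot menu background.
  if [[ "${grub_background_enable,,}" == "true" ]]; then
    if [[ ! -f "${grub_background_path}" ]]; then
      do_log "emergency" "true" "GRUB background image '${grub_background_path}' does not exist or is not a regular file."
      return "${ERR_GRUB_BACKGROUND}"
    fi
    declare var_background
    var_background=$(basename -- "${grub_background_path}")
    # NOTE(review): on Debian, update-grub sources '/etc/default/grub.d/*.cfg' as
    # shell. The image keeps its original name in that directory, so a '.cfg'
    # suffix would presumably be sourced - confirm, or store the image elsewhere.
    cp --no-preserve=ownership -- "${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}" || return "${ERR_GRUB_BACKGROUND}"
    chmod 0640 "${TARGET}/etc/default/grub.d/${var_background}" || return "${ERR_GRUB_BACKGROUND}"
    cat << EOF >> "${TARGET}/etc/default/grub"
# Enable boot menu background.
GRUB_BACKGROUND="/etc/default/grub.d/${var_background}"
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'vbeinfo'
GRUB_GFXMODE=1920x1080,1280x1024,800x600
GRUB_GFXPAYLOAD_LINUX=keep
EOF
    var_update_grub_required="true"
  fi

  ### Change GRUB OS detection configuration accordingly:
  ### grub_prober=true keeps os-prober enabled (GRUB_DISABLE_OS_PROBER=false),
  ### grub_prober=false disables it; any other value leaves the default untouched.
  declare var_disable_prober=""
  case "${grub_prober,,}" in
    true) var_disable_prober="false" ;;
    false) var_disable_prober="true" ;;
  esac
  if [[ -n "${var_disable_prober}" ]]; then
    cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=${var_disable_prober}
EOF
    var_update_grub_required="true"
  fi

  ### Regenerate grub.cfg once all /etc/default/grub changes are in place.
  if [[ "${var_update_grub_required}" == "true" ]]; then
    do_in_target "${TARGET}" update-grub || return $?
  fi
  return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh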