#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing ####################################### # --- UEFI GRUB Installation Strategy --- # # We explicitly install GRUB using '--no-nvram' to avoid modifying NVRAM entries inside the chroot environment, which is # unreliable and can break host firmware boot order. Instead of relying on '--removable', we manually copy the GRUB EFI binary # to the fallback location 'EFI/BOOT/BOOTX64.EFI'. This mirrors the behavior of '--removable', but gives us more control over # the bootloader ID and file paths. # Result: # - GRUB is available under 'EFI/debian/grubx64.efi' (for manual boot entries). # - GRUB is also available as 'EFI/BOOT/BOOTX64.EFI' (UEFI fallback path, no NVRAM needed). # This setup ensures compatibility with systems that do not retain NVRAM entries (e.g., removable drives, VM firmware). ####################################### ####################################### # Installation and setup of the GRUB2 (backported) version. # The backported version MUST be installed for LUKS2 '/boot' encryption. # Every 'apt-get install' command is invoked by adding 'export INITRD=No' # to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage: # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html # Globals: # TARGET # VAR_ARCHITECTURE # VAR_RECIPE_FIRMWARE # VAR_SETUP_PATH # grub_background_enable # grub_background_path # grub_bootdev # grub_force_efi # grub_prober # grub_skip # grub_update_nvram # var_update_grub_required # Arguments: # None # Returns: # 0: on success # ERR_GRUB_ARCHITECTURE: on failure ####################################### installation_grub() { ### Declare Arrays, HashMaps, and Variables. declare -g var_update_grub_required="false" grub_update_nvram=${grub_update_nvram:-false} declare -r var_logfile="/root/.ciss/cdi/log/4230_update_grub.log" declare var_background="" chroot_logger "${TARGET}${var_logfile}" get_grub_modinfo_path ensure_lowercase "grub_skip" ensure_lowercase "grub_background_enable" ensure_lowercase "grub_prober" ensure_lowercase "grub_update_nvram" ensure_lowercase "grub_force_efi" do_log "debug" "file_only" "4230() Preseeded firmware: '${VAR_RECIPE_FIRMWARE}', architecture: '${VAR_ARCHITECTURE}'" if [[ "${grub_skip}" != "true" ]]; then ### Install the GRUB2 backported version from the Bookworm backports repository. if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then case "${VAR_ARCHITECTURE}" in amd64) chroot_script "${TARGET}" " export INITRD=No [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile} " ;; arm64) chroot_script "${TARGET}" " export INITRD=No [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile} " ;; *) do_log "emergency" "file_only" "4230() Unsupported architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;; esac else chroot_script "${TARGET}" " export INITRD=No [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh apt-get install -y --no-install-recommends grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile} " fi ### Enable booting from LUKS encrypted devices by default. cat << EOF >> "${TARGET}/etc/default/grub" # Enable booting from LUKS encrypted devices by default. GRUB_ENABLE_CRYPTODISK=y EOF var_update_grub_required="true" ### Install a boot menu background. if [[ "${grub_background_enable}" == "true" ]]; then var_background=$(basename "${grub_background_path}") mkdir -p "${TARGET}/boot/grub" install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/boot/grub/${var_background}" cat << EOF >> "${TARGET}/etc/default/grub" # Enable boot menu background. GRUB_BACKGROUND="/boot/grub/${var_background}" # The resolution used on graphical terminal # note that you can use only modes which your graphic card supports via VBE # you can see them in real GRUB with the command 'vbeinfo' # GRUB_GFXMODE=1920x1080,1280x1024,1280x720,1024x768,800x600,640x480 GRUB_GFXMODE=1280x720 GRUB_GFXPAYLOAD_LINUX=keep EOF var_update_grub_required="true" fi ### Change the GRUB OS detection configuration accordingly. if [[ "${grub_prober}" == "true" ]]; then chroot_exec "${TARGET}" export INITRD=No; apt-get install -y --no-install-recommends os-prober cat << EOF >> "${TARGET}/etc/default/grub" # If your computer has multiple operating systems installed, then you # probably want to run os-prober. However, if your computer is a host # for guest OSes installed via LVM or raw disk devices, running # os-prober can cause damage to those guest OSes as it mounts # filesystems to look for things. GRUB_DISABLE_OS_PROBER=false EOF var_update_grub_required="true" elif [[ "${grub_prober}" == "false" ]]; then cat << EOF >> "${TARGET}/etc/default/grub" # If your computer has multiple operating systems installed, then you # probably want to run os-prober. However, if your computer is a host # for guest OSes installed via LVM or raw disk devices, running # os-prober can cause damage to those guest OSes as it mounts # filesystems to look for things. GRUB_DISABLE_OS_PROBER=true EOF var_update_grub_required="true" fi else do_log "info" "file_only" "4230() GRUB2 setup skipped." return 0 fi ### Install grub on the specific device. if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then install_grub_uefi elif [[ "${VAR_RECIPE_FIRMWARE}" == "bios" ]]; then install_grub_bios fi [[ "${var_update_grub_required}" == "true" ]] && chroot_exec "${TARGET}" update-grub if [[ "${grub_force_efi}" == "true" ]]; then mkdir -p "${TARGET}/boot/efi/EFI/BOOT" cp "${TARGET}/boot/efi/EFI/debian/grubx64.efi" "${TARGET}/boot/efi/EFI/BOOT/BOOTX64.EFI" do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI] on: Default EFI Boot-Path." fi ### Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. if [[ -f "${TARGET}/boot/grub/grub.cfg" ]]; then chown root:root "${TARGET}/boot/grub/grub.cfg" chmod 0640 "${TARGET}/boot/grub/grub.cfg" fi chmod -R 0700 "${TARGET}/etc/grub.d" guard_dir && return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f installation_grub ####################################### # Installs GRUB to BIOS in BIOS mode. # Globals: # TARGET # VAR_MODINFO_PATH # grub_bootdev # var_update_grub_required # Arguments: # None # Returns: # 0: on success # ERR_GRUB_INSTALL: on failure ####################################### install_grub_bios() { ### Declare Arrays, HashMaps, and Variables. declare -a ary_bios_arg=() declare var_bios_mod="" if ! [[ -x "${TARGET}${VAR_MODINFO_PATH}" ]]; then do_log "emergency" "file_only" "4230() Missing: [${VAR_MODINFO_PATH}]." return "${ERR_GRUB_INSTALL}" fi ### Cryptographic modules. var_bios_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2 " ### Filesystem modules. var_bios_mod+="btrfs ext2 " ### Partitioning / Device / GPT var_bios_mod+="biosdisk mdraid1x part_gpt " ### Device / Terminal modules. var_bios_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label " ### Debug modules. var_bios_mod+="cat echo hexdump ls test terminfo" ary_bios_arg+=( --target=i386-pc --boot-directory=/boot "--modules=${var_bios_mod}" ) chroot_exec "${TARGET}" grub-install "${ary_bios_arg[@]}" "${grub_bootdev}" do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [BIOS]." var_update_grub_required="true" return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f install_grub_bios ####################################### # Installs GRUB to ESP in UEFI mode. # Globals: # TARGET # VAR_MODINFO_PATH # grub_bootdev # grub_update_nvram # var_update_grub_required # Arguments: # None # Returns: # 0: on success # ERR_GRUB_INSTALL: on failure ####################################### install_grub_uefi() { ### Declare Arrays, HashMaps, and Variables. declare -a ary_uefi_arg=() declare var_uefi_mod="" if ! [[ -x "${TARGET}${VAR_MODINFO_PATH}" ]]; then do_log "emergency" "file_only" "4230() Missing: [${VAR_MODINFO_PATH}]." return "${ERR_GRUB_INSTALL}" fi ### Cryptographic modules. var_uefi_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2 " ### Filesystem modules. var_uefi_mod+="btrfs ext2 " ### Partitioning / Device / GPT var_uefi_mod+="mdraid1x part_gpt " ### Device / Terminal modules. var_uefi_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label " ### Debug modules. var_uefi_mod+="cat echo hexdump ls test terminfo" ary_uefi_arg+=( --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=debian "--modules=${var_uefi_mod}" ) [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram ) chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}" do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]." var_update_grub_required="true" return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f install_grub_uefi ####################################### # Get the path of the required Grub modules. # Globals: # VAR_ARCHITECTURE # VAR_MODINFO_PATH # VAR_RECIPE_FIRMWARE # Arguments: # None # Returns: # 0: on success ####################################### get_grub_modinfo_path() { ### Declare Arrays, HashMaps, and Variables. declare -gx VAR_MODINFO_PATH="" # shellcheck disable=SC2249 case "${VAR_RECIPE_FIRMWARE}" in uefi) case "${VAR_ARCHITECTURE}" in amd64) VAR_MODINFO_PATH="/usr/lib/grub/x86_64-efi/modinfo.sh" ;; arm64) VAR_MODINFO_PATH="/usr/lib/grub/arm64-efi/modinfo.sh" ;; i386) VAR_MODINFO_PATH="/usr/lib/grub/i386-efi/modinfo.sh" ;; *) ;; esac ;; bios) VAR_MODINFO_PATH="/usr/lib/grub/i386-pc/modinfo.sh" ;; esac return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f get_grub_modinfo_path # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh